[172192] in North American Network Operators' Group
Re: ipmi access
Mon Jun 2 21:06:23 2014
From: shawn wilson <ag4ve.us@gmail.com>
Date: Mon, 2 Jun 2014 21:05:54 -0400
To: Jimmy Hess <mysidia@gmail.com>
Cc: North American Network Operators' Group <nanog@nanog.org>
On Mon, Jun 2, 2014 at 7:42 PM, Jimmy Hess <mysidia@gmail.com> wrote:
> On Mon, Jun 2, 2014 at 8:21 AM, shawn wilson <ag4ve.us@gmail.com> wrote: [snip]
>> So, kinda the same idea - just put IPMI on another network and use ssh
>> forwards to it. You can have multiple boxes connected in this fashion
>> but the point is to keep it simple and as secure as possible (and IPMI
>> security doesn't really count here :) ).
>
> About that "as secure as possible" bit. If just one server gets
> compromised that happens to have its IPMI port plugged into this
> private network; the attacker may be able to pivot into the IPMI
> network and start unloading IPMI exploits.
>
Generally, I worry about workstations with access being compromised
more than I do about a server running sshd and routing traffic. But
obviously, if someone gets access, they can play foosball with
your stuff.
> So caution is definitely advised, about security boundaries: in case
> a shared IPMI network is used, and this is a case where a Private
> VLAN (PVLAN-Isolated) could be considered, to ensure devices on
> the IPMI LAN cannot communicate with one another --- and only
> devices on a separate dedicated IPMI Management station subnet can
> interact with the IPMI LAN.
>
I can't really argue against the proper use of vlans (and that surely
wasn't my point). I was merely saying that you can use ssh as a
simpler solution (and possibly a more secure one since there's not a
conduit to broadcast to/from) than a vpn. That's it.
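One way to make the "ssh forwards to an isolated IPMI network" approach hold up against the pivot concern raised above is to confine the jump host so a key can only open TCP forwards to the BMCs' web ports. The following is an added example, not something from the thread or from either poster; the BMC addresses, group name and key are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: confine the SSH host that fronts an
# isolated IPMI network so a stolen key or compromised workstation gets
# TCP forwards to the BMC web UI and nothing else (no shell, no pivot).
# Addresses and the key below are constructed placeholders.

ALLOWED_BMCS="10.99.0.11 10.99.0.12"   # BMC addresses on the IPMI VLAN

# authorized_keys entry for one operator: 'restrict' drops pty, agent,
# X11 and forwarding; 'port-forwarding' re-enables TCP forwards only to
# the listed permitopen destination. ssh -L carries TCP only, so the
# RMCP+ service on UDP/623 is unreachable through this path anyway.
restricted_key_line() {
  bmc_ip="$1"; pubkey="$2"
  printf 'restrict,port-forwarding,permitopen="%s:443" %s\n' "$bmc_ip" "$pubkey"
}

# sshd_config fragment for the jump host: local (-L) forwards only,
# destinations pinned to the BMCs' HTTPS ports, everything else off.
sshd_fragment() {
  permit=""
  for h in $ALLOWED_BMCS; do permit="$permit $h:443"; done
  cat <<EOF
Match Group ipmi-operators
    AllowTcpForwarding local
    PermitOpen$permit
    GatewayPorts no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTTY no
EOF
}

# Mirror of the check sshd applies to a requested forward destination
# (host:port); returns 0 when it is one of the allowed BMC HTTPS endpoints.
forward_allowed() {
  dest_host="${1%:*}"; dest_port="${1##*:}"
  [ "$dest_port" = "443" ] || return 1
  for h in $ALLOWED_BMCS; do
    [ "$h" = "$dest_host" ] && return 0
  done
  return 1
}

# Operator side: ssh -N -L 8443:10.99.0.11:443 op@jumphost
# then open https://localhost:8443 ; any other -L target is refused.
```

The `Match` block and the per-key `restrict` line belong together: the key options stop a leaked key from being used for anything but the forward, and the server-side `PermitOpen` stops an operator from widening that forward to other hosts on the IPMI VLAN.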