IPMI

It seems that the overall conclusion of the article is that IPMI systems tend to be badly written and contain numerous flaws, and that access should be restricted.

CERT warned. "It is important to restrict IPMI access to specific management IP addresses within an organization and preferably separated into a separate LAN segment.
Click to expand...

In all honesty, if anybody needed a report to work that out, then they probably shouldn't be managing servers. It's fairly obvious that these systems don't have the sort of scrutiny or hardened development that is required for anything publicly accessible, and that quite simply, services like IPMI should be locked down to a management network.

Some lower end servers share the IPMI port with one of the main ethernet ports. If there are flaws that allow remote access to the IPMI via a end use accessible address assigned to the ethernet, then that would clearly be a serious issue. I don't know if any flaw like that exists though. Higher end servers tend to have a completely stand alone IPMI port.

Personally I have no issue using IPMI when connected to a private network. I wouldn't be surprised if servers in very high security situations either have IPMI on an air-gapped network that can only be accessed on-site, or disabled entirely. I don't consider that necessary for your average office file server though. I'd rather be able to support a system remotely, instantly (via VPN or similar) than have to make a round trip in person because I went over the top with security hardening.
 
I couldn't do my job properly without IPMI. It has saved me numerous times from having to drive to the co-location in order to press a frigging button or fix a non-booting server.

That said, I typically configure a specific management network for this that's been sealed off and only allows access via a VPN.
 
You must log in or register to reply here.
Back
Top