Securing baseboard managers

Achim Patzner ap at bnc.net
Sun Apr 6 14:55:29 UTC 2014


On 05.04.2014 at 17:54, Jordan Hubbard <jkh at ixsystems.com> wrote:

> On Apr 5, 2014, at 8:00 PM, Kamil Choudhury <Kamil.Choudhury at anserinae.net> wrote:
> 
>> I spend my days doing application development, so I am probably missing 
>> a lot of perspective that more systems-oriented people have. If my 
>> questions are ridiculous, feel free to tell me so and send me on my way!
> 
> All IPMI implementations suck.

You missed the point – he was probably talking about the rest of the package, not about the IPMI part. And looking at the latest incarnation of the Intel RMM (RMM4) I can’t even share that feeling. Besides: In emergencies even IPMI is quite a good tool to deal with a machine hanging some 1000 km away without having to send a trained monkey (who won’t even find the reset button) there. But you don’t have to use it as most serious hardware is offering this via web pages.

We had (PDP11-based) Console Processors on the first VAX systems so people should maybe consider getting used to this concept. In regards to security they are at least as trustworthy as most of the operating systems people are using every day.

> To remotely render an interactive console in someone’s browser, where said browser could be any one of 6 different flavors, you have to lean pretty heavily on the client side - especially if you want to offer tricks like virtual CD-to-local-ISO mapping (which is pretty handy).

Now _these_ are the parts which are not difficult at all. At least in those implementations I know the hardware doesn’t even have to capture a video signal off a VGA connector (like some KVM switches) as it is directly connected to the video hardware (i. e. this is more like streaming a movie). Doing the “block device over IP” is even simpler (on the server side – but who cares how the RMM is doing its job?).

> From the security side, most reasonable motherboards don’t feature NIC sharing as the only option.

Some boards do (but those will offer you VLAN support, setting static IP addresses and similar goodies); some engineers have a weird fetish to build complete servers on nanoATX boards, running out of room for connectors.


Achim
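The reply above mentions VLAN support and static addressing as the things a board should offer when its BMC shares a NIC. The following is an added example (not code from the thread or from any BMC vendor) that audits those two settings from `ipmitool lan print` output. The sample output is constructed, and the exact field names and layout are an assumption; real output varies between BMC firmwares, so the parser is deliberately loose and only looks at the two fields the thread talks about.

```python
import re

# Constructed sample of `ipmitool lan print 1` output for a BMC left on its
# factory defaults. Field names/layout are assumed and vary by firmware.
WEAK_LAN_PRINT = """\
Set in Progress         : Set Complete
IP Address Source       : DHCP Address
IP Address              : 192.0.2.45
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
Default Gateway IP      : 192.0.2.1
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
"""

# Constructed sample of the same BMC after being given a static address on a
# dedicated management VLAN.
HARDENED_LAN_PRINT = """\
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 192.0.2.45
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
Default Gateway IP      : 192.0.2.1
802.1q VLAN ID          : 100
802.1q VLAN Priority    : 0
"""


def parse_lan_print(text):
    """Turn 'Key : Value' lines into a dict.

    Splits on the first colon only, so values that themselves contain
    colons (the MAC address) survive intact.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def audit_bmc_lan(fields):
    """Return human-readable findings for the two settings discussed in the thread.

    - a DHCP-assigned BMC address can be changed by whoever controls DHCP on
      the segment, so a static address is expected;
    - a BMC with no 802.1q tag is sitting on whatever VLAN the shared NIC is
      on, so a dedicated management VLAN is expected.
    """
    findings = []
    source = fields.get("IP Address Source", "")
    if "static" not in source.lower():
        findings.append(
            f"IP Address Source is '{source or 'unknown'}'; set a static address"
        )
    vlan = fields.get("802.1q VLAN ID", "")
    if not re.fullmatch(r"[1-9][0-9]{0,3}", vlan):
        findings.append(
            f"802.1q VLAN ID is '{vlan or 'unknown'}'; tag the BMC onto a management VLAN"
        )
    return findings


def audit_text(text):
    """Convenience wrapper: parse then audit a captured `lan print` dump."""
    return audit_bmc_lan(parse_lan_print(text))


if __name__ == "__main__":
    for label, dump in (("weak", WEAK_LAN_PRINT), ("hardened", HARDENED_LAN_PRINT)):
        findings = audit_text(dump)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Feed it the output of `ipmitool lan print <channel>` for each host; anything that prints findings is a BMC that is reachable from the same broadcast domain as production traffic, which is the situation the thread is warning about.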