Securing baseboard managers

Kamil Choudhury Kamil.Choudhury at anserinae.net
Sun Apr 6 16:37:53 UTC 2014


________________________________
From: Achim Patzner <ap at bnc.net>
Sent: 4/6/2014 10:36
To: Kamil Choudhury <Kamil.Choudhury at anserinae.net>
Cc: freebsd-hackers at freebsd.org
Subject: Re: Securing baseboard managers


On 05.04.2014 at 17:00, Kamil Choudhury <Kamil.Choudhury at anserinae.net> wrote:

> A new motherboard

You might have told us a bit more about that mainboard if you wanted some hints…

> I just bought has one of those out of band management
> Ethernet ports. When I connected it into my cable router, despite the
> cord being plugged into the non-baseboard Ethernet port, the baseboard
> grabbed my public IP (I use this box as a router) instead of FreeBSD.

… because it is using DHCP and probably up and running before FreeBSD even starts thinking about booting. Nothing wrong there. You might take a look at the firmware configuration and just turn it off if you don’t need it. Or use another NIC for your outside connection.

> 1/ How do you protect yourself against this kind of vulnerability? Am I
> paranoid for even thinking this is a problem?

Usually by reading the manual and configuring the hardware or turning the thing off if it is not needed. Or removing the microcontroller from my mainboard (e.g. on Intel server boards).

> 2/ While out of band management is useful, I just can't bring myself to
> trust software that seems to have been written by poo-flinging monkeys
> (seriously, you need to see the browser-based UI they provide: frames!
> <blink>! Java applets!).

If you’re that much better than those programmers you might lend them a hand. But remember: Your tools have to be running on everything on this planet including FreeBSD boxes running a browser in a Linux emulation. And on my Android phone, of course.

> Is there any way to replace the vendor provided
> solution with something more auditable and configurable? Maybe a teeny-tiny
> BSD-based distribution?

Of course. Just write it. But keep in mind that the inner workings of those remote management modules are quite a bit more complex than their block diagrams.


Achim
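The practical check behind this exchange is whether the BMC's LAN channel is set to take its address from DHCP, which is how it can hold the router's public IP before the OS has booted. The script below is an added example and is not code from the thread or from any vendor tool; it parses the output format of `ipmitool lan print <channel>` (the "IP Address Source" line), assumes that format, and runs on a constructed sample so it works offline. On a live host you would feed it `ipmitool lan print 1`, and the remediation the thread suggests (static addressing or disabling the port) maps to `ipmitool lan set 1 ipsrc static` or the board's firmware setup.

```shell
#!/bin/sh
# Added example: audit a BMC LAN channel for DHCP-assigned addressing.
# Assumes the `ipmitool lan print` text format, e.g.
#   IP Address Source       : DHCP Address
# Not captured from real hardware; the sample below is constructed.

# bmc_ip_source: reads `ipmitool lan print` output on stdin,
# prints "dhcp", "static" or "unknown".
bmc_ip_source() {
    awk -F':' '
        /^IP Address Source/ {
            v = $2
            sub(/^[ \t]+/, "", v)            # trim leading blanks after the colon
            if (v ~ /DHCP/)   { print "dhcp";   found = 1; exit }
            if (v ~ /Static/) { print "static"; found = 1; exit }
            print "unknown"; found = 1; exit
        }
        END { if (!found) print "unknown" } # field missing entirely
    '
}

# bmc_audit: reads the same output on stdin.
# Returns 0 when the BMC has a static address, 1 when it uses DHCP
# (the condition that let the BMC grab the public IP in the thread),
# 2 when the field could not be found.
bmc_audit() {
    src=$(bmc_ip_source)
    case "$src" in
        static)  echo "ok: BMC LAN channel uses a static address";       return 0 ;;
        dhcp)    echo "WARN: BMC LAN channel takes its address from DHCP"; return 1 ;;
        *)       echo "could not determine BMC IP address source";        return 2 ;;
    esac
}

# Constructed sample in the shape of `ipmitool lan print 1` (documentation addresses).
SAMPLE_DHCP='Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
IP Address Source       : DHCP Address
IP Address              : 203.0.113.17
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01'

# Same sample after a `ipmitool lan set 1 ipsrc static` style change.
SAMPLE_STATIC=$(printf '%s\n' "$SAMPLE_DHCP" | sed 's/DHCP Address/Static Address/')

# Live use would be:  ipmitool lan print 1 | bmc_audit
printf '%s\n' "$SAMPLE_DHCP"   | bmc_audit || true
printf '%s\n' "$SAMPLE_STATIC" | bmc_audit || true
```

The exit code is what you would wire into a host-provisioning or compliance check, so that a board whose BMC shares the OS NIC and still leases from DHCP fails the check before it is put on an untrusted segment.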

