On Thu, 2 Jul 2015, Chris Olson wrote:
We have recently been asked to evaluate some computing machinery for
a new project. This particular end user has very limited experience
with the stated security requirements in a lights-out environment.
Their primary work (as well as mine) in the past has been with very
small, simple networks of desktop machines and a few servers with
extremely limited access. For the most part, their admins
have refused to use any maintenance connectivity to servers other
than the primary serial ports.
There is a concern about system security primarily driven by recent
information searches performed by end user admins and included
below. [...snip...]
My initial recommendation was to use a totally separate network for
any service processors within the servers that implement IPMI/BMC
capabilities. This has been standard practice in most systems I have
worked on in the past, and has allowed certification with
essentially no problems. The BIOS concern seems to be another issue
to be addressed separately.
+1 to network separation for OOB management. I assume you mean
"non-routable LAN," but that segment's connectivity is an interesting
question in itself. I like having access to management consoles via
VPN, but others dislike any off-LAN access whatsoever.
If your admins are comfortable with serial consoles, a concentrator
like those available from Digi or WTI can offer fairly robust access
controls; they can also be set to honor SSH keys rather than
passwords, which may help increase security.
WTI: https://www.wti.com/c-4-console-server.aspx
Digi: http://www.digi.com/products/consoleservers/
I've had an easier time working with the Digi firmware, but either
will do the job.
--
Paul Heinlein <> heinlein@xxxxxxxxxx <> http://www.madboa.com/
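One way to verify that BMCs really sit on the separate, non-routable management segment both posters recommend, as an added example that is not from the thread or either poster: it parses `ipmitool lan print` output (the samples below are constructed, and the host names and the 10.250.1.0/24 management subnet are assumptions) and flags any BMC that is off-segment, has a default gateway configured, or takes its address from DHCP.

```python
import ipaddress
import re

# Constructed samples of `ipmitool lan print` output for two hosts (assumed
# names); the field labels follow the tool's real output format.
SAMPLE_LAN_PRINT = {
    "db01": """IP Address Source       : Static Address
IP Address              : 10.250.1.21
Subnet Mask             : 255.255.255.0
Default Gateway IP      : 0.0.0.0
802.1q VLAN ID          : 250
""",
    "web07": """IP Address Source       : DHCP Address
IP Address              : 192.0.2.45
Subnet Mask             : 255.255.255.0
Default Gateway IP      : 192.0.2.1
802.1q VLAN ID          : Disabled
""",
}

# Assumed dedicated, non-routable OOB segment for service processors.
MGMT_NET = ipaddress.ip_network("10.250.1.0/24")


def parse_lan_print(text):
    """Turn the 'Label : Value' lines of `ipmitool lan print` into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def audit_bmc(host, fields, mgmt_net=MGMT_NET):
    """Return policy findings for one BMC; an empty list means it complies."""
    findings = []
    ip = ipaddress.ip_address(fields["IP Address"])
    if ip not in mgmt_net:
        findings.append(f"{host}: BMC {ip} is outside management segment {mgmt_net}")
    if ip.is_global:
        findings.append(f"{host}: BMC {ip} is a globally routable address")
    gw = fields.get("Default Gateway IP", "0.0.0.0")
    if gw != "0.0.0.0":  # a gateway means the segment is not truly non-routable
        findings.append(f"{host}: BMC has default gateway {gw}; OOB LAN should have none")
    if fields.get("IP Address Source", "").startswith("DHCP"):
        findings.append(f"{host}: BMC address comes from DHCP; use static on the OOB LAN")
    return findings


def audit_all(samples=SAMPLE_LAN_PRINT):
    """Audit every sampled host; returns {host: [findings]}."""
    return {h: audit_bmc(h, parse_lan_print(t)) for h, t in samples.items()}


if __name__ == "__main__":
    for host, findings in audit_all().items():
        print(host, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

In practice the text for each host would come from `ipmitool lan print` run on that host, with the management subnet set to whatever segment the site actually dedicates to service processors.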
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos