nanog mailing list archives
Re: ipmi access
From: shawn wilson <ag4ve.us () gmail com>
Date: Mon, 2 Jun 2014 21:05:54 -0400
On Mon, Jun 2, 2014 at 7:42 PM, Jimmy Hess <mysidia () gmail com> wrote:
> On Mon, Jun 2, 2014 at 8:21 AM, shawn wilson <ag4ve.us () gmail com> wrote:
> [snip]
>> So, kinda the same idea - just put IPMI on another network and use ssh forwards to it. You can have multiple boxes connected in this fashion but the point is to keep it simple and as secure as possible (and IPMI security doesn't really count here :) ).
>
> About that "as secure as possible" bit. If just one server gets compromised that happens to have its IPMI port plugged into this private network, the attacker may be able to pivot into the IPMI network and start unloading IPMI exploits.

Generally, I worry about workstations with access being compromised more than I do about a server running sshd and routing traffic. But obviously, if someone gets access, they can play foosball with your stuff.

> So caution is definitely advised, about security boundaries: in case a shared IPMI network is used, and this is a case where a Private VLAN (PVLAN-Isolated) could be considered, to ensure devices on the IPMI LAN cannot communicate with one another --- and only devices on a separate dedicated IPMI Management station subnet can interact with the IPMI LAN.

I can't really argue against the proper use of vlans (and that surely wasn't my point). I was merely saying that you can use ssh as a simpler solution (and possibly a more secure one since there's not a conduit to broadcast to/from) than a vpn. That's it.
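The "ssh forwards to the IPMI network" setup discussed above, written out as an added example (this is not code from the thread or from any of its participants). It assumes one jump host with a leg on the isolated IPMI LAN, a constructed BMC inventory with made-up 10.99.0.0/24 addresses, the BMC web UI on TCP 443, and ipmitool's password file option; all of those are assumptions. The practitioner caveat it encodes: ssh -L forwards TCP only, so the BMC's HTTPS/KVM interface can be tunnelled, but RMCP+ (ipmitool -I lanplus) runs over UDP/623 and has to be run on the jump host itself rather than forwarded.

```shell
#!/bin/sh
# Added example, not from the original thread. Reaches BMCs on an isolated
# IPMI network through a single sshd jump host. Hostnames, addresses, ports
# and paths are assumptions; nothing here opens a connection, the functions
# only build the commands an operator would run.

JUMP="admin@jump.example.net"   # assumed: the one host plugged into the IPMI LAN

# Assumed inventory (constructed sample data): BMC name -> BMC address.
bmc_ip() {
    case "$1" in
        db01)  echo 10.99.0.11 ;;
        web01) echo 10.99.0.12 ;;
        *)     return 1 ;;
    esac
}

# ssh -L carries TCP only; RMCP+/IPMI-over-LAN is UDP/623 and cannot be
# forwarded this way. Use this check before promising someone a tunnel.
can_forward() {
    proto=$1
    [ "$proto" = tcp ]
}

# Tunnel the BMC web UI / HTML5 console (assumed on TCP 443) to a local port.
# -N: no remote shell, forward only. Bind to 127.0.0.1 so the forward is not
# reachable from the workstation's other interfaces.
forward_cmd() {
    name=$1
    lport=${2:-8443}
    ip=$(bmc_ip "$name") || return 1
    echo "ssh -N -L 127.0.0.1:${lport}:${ip}:443 ${JUMP}"
}

# For UDP IPMI, run ipmitool on the jump host instead of forwarding.
# The BMC password comes from a file on the jump host (-f, assumed path)
# rather than the command line, so it is not visible in the process list.
remote_ipmitool_cmd() {
    name=$1
    shift
    ip=$(bmc_ip "$name") || return 1
    echo "ssh ${JUMP} ipmitool -I lanplus -H ${ip} -U admin -f /root/.ipmi/${name}.pw $*"
}

# Usage: print the commands for one BMC (no connection is made).
forward_cmd db01
remote_ipmitool_cmd db01 chassis power status
```

With the tunnel up, the BMC's web UI is at https://127.0.0.1:8443/ on the workstation; the certificate will be the BMC's own, so expect a name mismatch. Note that this only moves the boundary: the jump host and the workstation holding the ssh key are now the things that must not be compromised, which is the point Jimmy raises above.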