nanog mailing list archives

Re: ipmi access


From: Peter Kristolaitis <alter3d () alter3d ca>
Date: Mon, 02 Jun 2014 10:13:40 -0400

On 06/02/2014 08:26 AM, Randy Bush wrote:
>> I use OpenVPN to access an Admin/sandboxed network with insecure portals,
>> wiki, and ipmi.
> hmmmm.  'cept when it is the openvpn server's ipmi.  but good hack.  i
> may use it, as i already do openvpn.  thanks.
>
> randy
What you can also do if you want to remove the dependence on the OpenVPN server (e.g. smaller networks where the overhead would be high, or to mitigate failures of the OpenVPN server) is to use your existing pattern of whitelisting IPs using ACLs, but instead of modifying the rules all the time, just run a small external server with a static IP, and allow that IP access through all of your ACLs.

Amazon EC2 instances are great for this. Assign an Elastic IP (i.e. a static IP), and turn the instance on when you need it, shut it down when you're done. If there happens to be a failure at Amazon right at the same time you have a failure... spin up a new instance in a different zone and give it the Elastic IP. No mucking about with ACLs, etc. Costs a few cents to run for whatever length of time it takes to fix your issue, and is reasonably secure (especially if you shut the box off when you're not using it).

- Peter
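The pattern Peter describes, written out as an added example (this is not his code and not from the thread): a POSIX shell script that starts a stopped EC2 instance on demand, re-attaches the Elastic IP so the source address the IPMI ACLs permit never changes, verifies the address it got is the one the ACLs expect, and stops the instance afterwards. It also includes a check for the failure mode the pattern is meant to avoid: stale entries left in the ACL from the old "edit the whitelist every time" habit. The instance ID, allocation ID, region, the 203.0.113.10 jump address, the 10.99.0.0/24 IPMI subnet and the iptables-save style ACL file are all hypothetical placeholders; the AWS calls use the standard AWS CLI and are only run when you pass `up` or `down`.

```shell
#!/bin/sh
# Added example: on-demand jump host with a fixed Elastic IP as the single
# source address admitted through the IPMI ACLs. All identifiers below are
# hypothetical placeholders; override them in the environment.
set -e

REGION="${REGION:-us-east-1}"
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"   # hypothetical instance
ALLOC_ID="${ALLOC_ID:-eipalloc-0123456789abcdef0}"  # hypothetical EIP allocation
JUMP_IP="${JUMP_IP:-203.0.113.10}"                  # the one address the ACLs permit
IPMI_NET="${IPMI_NET:-10.99.0.0/24}"                # hypothetical IPMI/OOB subnet
ACL_FILE="${ACL_FILE:-/etc/ipmi-acl.rules}"          # iptables-save style rules

# Start the jump host and re-attach the Elastic IP. Re-associating is harmless
# if it is already attached, and it is exactly what you do after spinning up a
# replacement instance in another zone: the address, and so the ACLs, stay put.
jump_up() {
  aws ec2 start-instances --region "$REGION" --instance-ids "$INSTANCE_ID" >/dev/null
  aws ec2 wait instance-running --region "$REGION" --instance-ids "$INSTANCE_ID"
  aws ec2 associate-address --region "$REGION" \
    --instance-id "$INSTANCE_ID" --allocation-id "$ALLOC_ID" >/dev/null
  # Sanity check: the address we actually hold must be the one the ACLs allow,
  # otherwise the session will be silently dropped at the firewall.
  got=$(aws ec2 describe-addresses --region "$REGION" --allocation-ids "$ALLOC_ID" \
        --query 'Addresses[0].PublicIp' --output text)
  if [ "$got" != "$JUMP_IP" ]; then
    echo "Elastic IP is $got but the ACLs permit $JUMP_IP" >&2
    exit 1
  fi
  echo "jump host up: ssh -J admin@$JUMP_IP <ipmi-host-in-$IPMI_NET>"
}

# Stop (not terminate) the instance so nothing is listening when you are done.
jump_down() {
  aws ec2 stop-instances --region "$REGION" --instance-ids "$INSTANCE_ID" >/dev/null
  echo "jump host stopped"
}

# Print every source address an ACCEPT rule in $1 admits other than $2.
# With a single fixed jump host the output should be empty; anything printed
# is a stale whitelist entry that should be removed.
stale_acl_sources() {
  awk -v jump="$2" '
    /-j ACCEPT/ {
      src = "any"                      # an ACCEPT with no -s admits everyone
      for (i = 1; i <= NF; i++) if ($i == "-s") src = $(i + 1)
      sub(/\/32$/, "", src)            # 203.0.113.10/32 and 203.0.113.10 are the same host
      if (src != jump) print src
    }' "$1"
}

# Constructed sample ACL for trying the check offline: the three rules for the
# jump host plus one leftover entry from a previous hand-edited whitelist.
sample_acl_file() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
# constructed sample, iptables-save style, chain that fronts the IPMI subnet
-A IPMI -s 203.0.113.10/32 -d 10.99.0.0/24 -p tcp --dport 22 -j ACCEPT
-A IPMI -s 203.0.113.10/32 -d 10.99.0.0/24 -p udp --dport 623 -j ACCEPT
-A IPMI -s 203.0.113.10/32 -d 10.99.0.0/24 -p tcp --dport 443 -j ACCEPT
-A IPMI -s 198.51.100.7/32 -d 10.99.0.0/24 -p tcp --dport 22 -j ACCEPT
-A IPMI -j DROP
EOF
  echo "$f"
}

case "${1:-}" in
  up)    jump_up ;;
  down)  jump_down ;;
  check)
    stale=$(stale_acl_sources "$ACL_FILE" "$JUMP_IP")
    if [ -n "$stale" ]; then
      echo "stale ACL sources (not $JUMP_IP):" >&2
      echo "$stale" >&2
      exit 1
    fi
    echo "ACL admits only $JUMP_IP" ;;
  *)     echo "usage: $0 up|down|check" >&2 ;;
esac
```

Run `./jump.sh up` before an IPMI session and `./jump.sh down` afterwards; `./jump.sh check` against your real ACL file is worth putting in a cron job, since the whole value of the fixed-address jump host is that nobody ever needs to touch the whitelist again, and an address nobody touches is also one nobody reviews.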

