nanog mailing list archives

Re: ipmi access


From: Jimmy Hess <mysidia () gmail com>
Date: Mon, 2 Jun 2014 18:42:36 -0500

On Mon, Jun 2, 2014 at 8:21 AM, shawn wilson <ag4ve.us () gmail com> wrote:  [snip]
> So, kinda the same idea - just put IPMI on another network and use ssh
> forwards to it. You can have multiple boxes connected in this fashion
> but the point is to keep it simple and as secure as possible (and IPMI
> security doesn't really count here :) ).

About that "as secure as possible" bit. If just one server gets
compromised that happens to have its IPMI port plugged into this
private network, the attacker may be able to pivot into the IPMI
network and start unloading IPMI exploits.

So caution is definitely advised about security boundaries in case a
shared IPMI network is used. This is a case where a Private VLAN
(PVLAN, isolated) could be considered, to ensure devices on the IPMI
LAN cannot communicate with one another, and only devices on a
separate, dedicated IPMI management station subnet can interact with
the IPMI LAN.

-- 
-JH
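The isolated-PVLAN layout Jimmy describes, as an added example that is not part of the NANOG thread: a small Python model of Private VLAN forwarding (isolated ports reach promiscuous ports only; promiscuous ports reach everything in the primary VLAN) applied to an IPMI LAN with three BMCs and one management-station uplink. It shows what a compromised server's BMC port can reach under a flat VLAN versus the PVLAN, and emits Cisco IOS-style PVLAN configuration for the same layout. The interface names, the bmc-serverN/mgmt-uplink labels and the VLAN numbers 100/101 are assumptions made for the example.

```python
# Added example, not code from the NANOG thread. Port names, labels and
# VLAN numbers below are assumed for illustration.
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # management-station side: reaches every port in the primary VLAN
    ISOLATED = "isolated"        # BMC ports: reach promiscuous ports only, never each other
    COMMUNITY = "community"      # optional: reaches promiscuous ports and its own community


@dataclass(frozen=True)
class Port:
    name: str                    # switch interface (assumed naming)
    label: str                   # what is plugged into it
    ptype: PortType
    community: Optional[str] = None


def pvlan_forwards(src: Port, dst: Port) -> bool:
    """Layer-2 forwarding decision between two ports of one primary PVLAN."""
    if PortType.PROMISCUOUS in (src.ptype, dst.ptype):
        return True
    if src.ptype is PortType.COMMUNITY and dst.ptype is PortType.COMMUNITY:
        return src.community == dst.community
    return False  # isolated<->isolated and isolated<->community frames are dropped


def flat_vlan_forwards(src: Port, dst: Port) -> bool:
    """Ordinary shared VLAN: every port can reach every other port."""
    return True


def pivot_targets(ports: List[Port], compromised: str, forwards=pvlan_forwards) -> Set[str]:
    """Labels of the ports a device on the `compromised` port can send frames to."""
    src = next(p for p in ports if p.label == compromised)
    return {p.label for p in ports if p is not src and forwards(src, p)}


def ipmi_lan_ports() -> List[Port]:
    """Constructed layout: three server BMCs plus the uplink to the management subnet."""
    return [
        Port("GigabitEthernet1/0/1", "bmc-server1", PortType.ISOLATED),
        Port("GigabitEthernet1/0/2", "bmc-server2", PortType.ISOLATED),
        Port("GigabitEthernet1/0/3", "bmc-server3", PortType.ISOLATED),
        Port("GigabitEthernet1/0/24", "mgmt-uplink", PortType.PROMISCUOUS),
    ]


def ios_config(ports: List[Port], primary: int = 100, isolated: int = 101) -> str:
    """Cisco IOS-style PVLAN configuration for the layout (VLAN numbers assumed)."""
    lines = [
        f"vlan {isolated}", " private-vlan isolated",
        f"vlan {primary}", " private-vlan primary",
        f" private-vlan association {isolated}",
    ]
    for p in ports:
        lines.append(f"interface {p.name}")
        lines.append(f" description {p.label}")
        if p.ptype is PortType.ISOLATED:
            lines.append(" switchport mode private-vlan host")
            lines.append(f" switchport private-vlan host-association {primary} {isolated}")
        elif p.ptype is PortType.PROMISCUOUS:
            lines.append(" switchport mode private-vlan promiscuous")
            lines.append(f" switchport private-vlan mapping {primary} {isolated}")
        else:
            raise ValueError("community ports need their own secondary VLAN; not used here")
    return "\n".join(lines)


if __name__ == "__main__":
    ports = ipmi_lan_ports()
    print("flat VLAN, bmc-server1 compromised, can reach:",
          sorted(pivot_targets(ports, "bmc-server1", flat_vlan_forwards)))
    print("PVLAN,     bmc-server1 compromised, can reach:",
          sorted(pivot_targets(ports, "bmc-server1")))
    print(ios_config(ports))
```

Running it shows the pivot the message warns about: on a flat IPMI VLAN a compromised server's BMC port reaches the other two BMCs and the management uplink, while on the isolated PVLAN it reaches only the management uplink. The management station still reaches every BMC through the promiscuous port.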

