We have recently been asked to evaluate some computing machinery for a new project. This particular end user has very limited experience with the stated security requirements in a lights-out environment. Their primary work (as well as mine) in the past has been with very small, simple networks of desktop machines and a few servers with extremely limited access. For the most part, their admins have refused to use any maintenance connectivity to servers other than the primary serial ports. There is a concern about system security primarily driven by recent information searches performed by end user admins and included below.

IPMI/BMC Security Issues
------------------------
https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface
http://www.google.com Search: IPMI "Security Holes" -- Hits: 14,500
http://www.google.com Search: IPMI BMC "Security Holes" -- Hits: 4950

BIOS Security Issues
--------------------
https://en.wikipedia.org/wiki/BIOS
http://www.google.com Search: BIOS "Security Holes" -- Hits: 342,000

My initial recommendation was to use a totally separate network for any service processors within the servers that implement IPMI/BMC capabilities. This has been standard practice in most systems I have worked on in the past, and has allowed certification with essentially no problems. The BIOS concern seems to be another issue to be addressed separately.

Any connectivity and access to a system brings security issues. The list from these searches is huge. Are there specific things that must always be addressed for system security besides keeping junior admins off the server supporting the maintenance network?

Thanks in advance for any feedback and best regards.
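As an added example (not part of the original post), here is a small Python audit of the "separate network for service processors" recommendation: given an inventory of production and BMC addresses, it reports BMCs that are not on the dedicated management subnet and production NICs that have strayed onto it. All hostnames, addresses and subnets are constructed sample data, not from the post.

```python
"""Audit that IPMI/BMC interfaces live on an isolated management network.

Constructed sample data: replace INVENTORY and the subnets with your own
asset list. Standard library only, so it runs offline.
"""
import ipaddress

# Constructed inventory: hostname -> (production IP, BMC/IPMI IP)
INVENTORY = {
    "db01":  ("10.1.0.11", "192.168.100.11"),
    "app01": ("10.1.0.12", "192.168.100.12"),
    "app02": ("10.1.0.13", "10.1.0.213"),       # BMC wrongly on production LAN
    "web01": ("192.168.100.50", "192.168.100.13"),  # production NIC on mgmt VLAN
}

MANAGEMENT_CIDR = "192.168.100.0/24"
PRODUCTION_CIDRS = ["10.1.0.0/24", "10.2.0.0/24"]


def subnets_overlap(mgmt_cidr, prod_cidrs):
    """True if the management subnet overlaps any production subnet."""
    mgmt = ipaddress.ip_network(mgmt_cidr)
    return any(mgmt.overlaps(ipaddress.ip_network(c)) for c in prod_cidrs)


def audit_inventory(inventory, mgmt_cidr, prod_cidrs):
    """Return {"bmc_misplaced": [...], "prod_on_mgmt": [...]} (sorted hostnames).

    bmc_misplaced: BMC address outside the management subnet or inside a
                   production subnet (reachable from production hosts).
    prod_on_mgmt:  production NIC inside the management subnet, which would
                   bridge the two networks on that host.
    """
    mgmt = ipaddress.ip_network(mgmt_cidr)
    prod = [ipaddress.ip_network(c) for c in prod_cidrs]
    findings = {"bmc_misplaced": [], "prod_on_mgmt": []}
    for host, (prod_ip, bmc_ip) in inventory.items():
        bmc = ipaddress.ip_address(bmc_ip)
        nic = ipaddress.ip_address(prod_ip)
        if bmc not in mgmt or any(bmc in n for n in prod):
            findings["bmc_misplaced"].append(host)
        if nic in mgmt:
            findings["prod_on_mgmt"].append(host)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    print("subnets overlap:", subnets_overlap(MANAGEMENT_CIDR, PRODUCTION_CIDRS))
    for kind, hosts in audit_inventory(INVENTORY, MANAGEMENT_CIDR, PRODUCTION_CIDRS).items():
        print(f"{kind}: {hosts or 'none'}")
```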