Thu Jul 2 16:30:47 UTC 2015
Paul Heinlein <heinlein at madboa.com>

On Thu, 2 Jul 2015, Chris Olson wrote:

> We have recently been asked to evaluate some computing machinery for 
> a new project. This particular end user has very limited experience 
> with the stated security requirements in a lights-out environment. 
> Their primary work (as well as mine) in the past has been with very 
> small, simple networks of desktop machines and a few servers with 
> extremely limited access.  For the most part, their admins 
> have refused to use any maintenance connectivity to servers other 
> than the primary serial ports.
>
> There is a concern about system security primarily driven by recent 
> information searches performed by end user admins and included 
> below. [...snip...]
>
> My initial recommendation was to use a totally separate network for 
> any service processors within the servers that implement IPMI/BMC 
> capabilities. This has been standard practice in most systems I have 
> worked on in the past, and has allowed certification with 
> essentially no problems. The BIOS concern seems to be another issue 
> to be addressed separately.

+1 to network separation for OOB management. I assume you mean 
"non-routable LAN," but that segment's connectivity is an interesting 
question in itself. I like having access to management consoles via 
VPN, but others dislike any off-LAN access whatsoever.

If your admins are comfortable with serial consoles, a concentrator 
like those available from Digi or WTI can offer fairly robust access 
controls; they can also be set to honor SSH keys rather than 
passwords, which may help increase security.

WTI:  https://www.wti.com/c-4-console-server.aspx
Digi: http://www.digi.com/products/consoleservers/

I've had an easier time working with the Digi firmware, but either 
will do the job.

Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
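As an added example that is not part of the thread above and not code from Digi, WTI or any vendor: a small Python audit of the separation both posters recommend, i.e. that every IPMI/BMC address sits on one dedicated, non-routable (RFC 1918) management prefix and never inside a production prefix, and that the management prefix does not overlap production. The inventory, hostnames and prefixes are constructed assumptions for illustration.

```python
"""Audit out-of-band (IPMI/BMC) address placement against a dedicated
management segment. Added example; inventory and prefixes are constructed."""
import ipaddress

# RFC 1918 ranges: a BMC outside these is at least potentially routable.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed site layout (assumption, not from the thread): one dedicated
# management prefix and one or more production prefixes.
MGMT_NET = "192.168.250.0/24"
PROD_NETS = ["10.20.0.0/16"]

# Constructed inventory: hostname -> (production address, BMC/IPMI address)
INVENTORY = {
    "db01":  ("10.20.1.11", "192.168.250.11"),
    "db02":  ("10.20.1.12", "192.168.250.12"),
    "web01": ("10.20.2.21", "10.20.2.221"),    # BMC left on the production LAN
    "web02": ("10.20.2.22", "203.0.113.22"),   # BMC on a non-RFC 1918 address
}


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def management_overlaps_production(mgmt_net=MGMT_NET, prod_nets=PROD_NETS):
    """Return production prefixes (as strings) that overlap the management
    prefix; a clean layout returns an empty list."""
    mgmt = ipaddress.ip_network(mgmt_net)
    return [str(net) for net in _nets(prod_nets) if mgmt.overlaps(net)]


def bmc_findings(bmc_addr, mgmt_net=MGMT_NET, prod_nets=PROD_NETS):
    """Classify one BMC address. Returns finding codes; empty means OK.

    not-rfc1918    address is outside all RFC 1918 ranges
    outside-mgmt   address is not inside the dedicated management prefix
    on-production  address falls inside a production prefix
    """
    addr = ipaddress.ip_address(bmc_addr)
    findings = []
    if not any(addr in net for net in RFC1918):
        findings.append("not-rfc1918")
    if addr not in ipaddress.ip_network(mgmt_net):
        findings.append("outside-mgmt")
    if any(addr in net for net in _nets(prod_nets)):
        findings.append("on-production")
    return findings


def audit_inventory(inventory, mgmt_net=MGMT_NET, prod_nets=PROD_NETS):
    """Return {hostname: findings} for every host whose BMC violates separation."""
    report = {}
    for host, (_prod_addr, bmc_addr) in inventory.items():
        findings = bmc_findings(bmc_addr, mgmt_net, prod_nets)
        if findings:
            report[host] = findings
    return report


if __name__ == "__main__":
    overlap = management_overlaps_production()
    if overlap:
        print(f"management prefix {MGMT_NET} overlaps production: {overlap}")
    for host, findings in sorted(audit_inventory(INVENTORY).items()):
        print(f"{host}: BMC {INVENTORY[host][1]} -> {', '.join(findings)}")
```

Running it against the constructed inventory reports web01 (BMC on the production LAN) and web02 (BMC on a non-RFC 1918 address) and passes db01 and db02. Feeding it a real inventory export is the natural next step; the prefixes are the only site-specific inputs.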