On Thu, 2 Jul 2015, Chris Olson wrote:

> We have recently been asked to evaluate some computing machinery for
> a new project. This particular end user has very limited experience
> with the stated security requirements in a lights-out environment.
> Their primary work (as well as mine) in the past has been with very
> small, simple networks of desktop machines and a few servers with
> extremely limited access. For the most part, their admins
> have refused to use any maintenance connectivity to servers other
> than the primary serial ports.
>
> There is a concern about system security primarily driven by recent
> information searches performed by end user admins and included
> below.

[...snip...]

> My initial recommendation was to use a totally separate network for
> any service processors within the servers that implement IPMI/BMC
> capabilities. This has been standard practice in most systems I have
> worked on in the past, and has allowed certification with
> essentially no problems. The BIOS concern seems to be another issue
> to be addressed separately.

+1 to network separation for OOB management. I assume you mean
"non-routable LAN," but that segment's connectivity is an interesting
question in itself. I like having access to management consoles via
VPN, but others dislike any off-LAN access whatsoever.

If your admins are comfortable with serial consoles, a concentrator
like those available from Digi or WTI can offer fairly robust access
controls; they can also be set to honor SSH keys rather than
passwords, which may help increase security.

WTI: https://www.wti.com/c-4-console-server.aspx
Digi: http://www.digi.com/products/consoleservers/

I've had an easier time working with the Digi firmware, but either
will do the job.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
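The "totally separate, non-routable network for the service processors" advice above is easy to state and easy to drift away from as hosts get added. The following is an added example, not code from either poster: a small Python audit that takes a server inventory (host, production address, BMC address) and a dedicated management prefix, and flags any BMC that has ended up outside the management segment, inside a production prefix, or on a management prefix that is not private space. The inventory, hostnames, and prefixes are constructed for illustration and are not from the thread.

```python
"""Audit an inventory for IPMI/BMC (out-of-band) network separation.

Added example; not code from the original mailing-list thread. The inventory,
hostnames and prefixes below are constructed assumptions for illustration.
"""
import ipaddress

# Constructed sample inventory: (hostname, production address, BMC address).
INVENTORY = [
    ("db01", "10.20.1.11", "10.99.0.11"),     # BMC correctly on the mgmt LAN
    ("db02", "10.20.1.12", "10.99.0.12"),     # BMC correctly on the mgmt LAN
    ("web01", "10.20.2.21", "10.20.2.221"),   # BMC plugged into the production LAN
    ("web02", "10.20.2.22", "172.16.5.22"),   # BMC on some other, unexpected prefix
]

# Hypothetical addressing plan: one dedicated, non-routable management prefix
# and the production prefix(es) it must never overlap.
MGMT_PREFIX = "10.99.0.0/24"
PROD_PREFIXES = ("10.20.0.0/16",)


def check_prefix_separation(mgmt_prefix=MGMT_PREFIX, prod_prefixes=PROD_PREFIXES):
    """Return a list of problems with the addressing plan itself (empty if sane).

    The management prefix must be private (RFC 1918 or similar non-routable
    space) and must not overlap any production prefix.
    """
    mgmt = ipaddress.ip_network(mgmt_prefix)
    problems = []
    if not mgmt.is_private:
        problems.append(f"management prefix {mgmt} is not non-routable address space")
    for prefix in prod_prefixes:
        prod = ipaddress.ip_network(prefix)
        if mgmt.overlaps(prod):
            problems.append(f"management prefix {mgmt} overlaps production prefix {prod}")
    return problems


def audit_bmc_placement(inventory=INVENTORY, mgmt_prefix=MGMT_PREFIX,
                        prod_prefixes=PROD_PREFIXES):
    """Return {hostname: [reasons]} for every host whose BMC or production
    address violates the separation; hosts that are clean are omitted."""
    mgmt = ipaddress.ip_network(mgmt_prefix)
    prod_nets = [ipaddress.ip_network(p) for p in prod_prefixes]
    findings = {}
    for host, prod_ip, bmc_ip in inventory:
        prod = ipaddress.ip_address(prod_ip)
        bmc = ipaddress.ip_address(bmc_ip)
        reasons = []
        if bmc not in mgmt:
            reasons.append(f"BMC {bmc} is outside management prefix {mgmt}")
        for net in prod_nets:
            if bmc in net:
                reasons.append(f"BMC {bmc} sits in production prefix {net}")
        if prod in mgmt:
            reasons.append(f"production address {prod} sits in management prefix {mgmt}")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for problem in check_prefix_separation():
        print("PLAN:", problem)
    for host, reasons in audit_bmc_placement().items():
        for reason in reasons:
            print(f"{host}: {reason}")
```

Run against the constructed inventory, the plan check passes and the audit reports web01 (BMC on the production prefix, hence also outside the management prefix) and web02 (BMC on an unrelated prefix). Feeding it the real inventory exported from a CMDB or the BMC addresses pulled from each host's IPMI LAN configuration turns the "separate network" recommendation into a repeatable check rather than a one-time design decision.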