IPMI - Best Security Practices

Posted on 2019/07/24

The Intelligent Platform Management Interface - (IPMI) is a crucial resource for server administrative control. It is a powerful tool that can monitor a range of server parameters including sensor arrays, power usage, event logs. It can also be used to remote power on/off as well as fully controlling the server via remote KVM.

IPMI runs on a separate hardware subsystem directly attached to a motherboard. This hardware is referred to as a Baseboard Management Controller (BMC). The BMC manages the interface between system management software (such as Supermicro's IPMI View) and platform hardware. Here at Boston, most of our servers feature IPMI management and as such these powerful features are available for server administrators.

As the BMC is such a powerful utility, it is very important to secure not only the access to the IPMI system, but also to follow general guidelines to ensure it cannot be compromised. At Boston Labs, we have some recommendations for what you should do to secure IPMI.

Secure the password and users

The default username and password for IPMI should immediately be changed to something secure and also using strong passwords. IPMI on our servers also allow for multiple users accounts, these have different access levels ranging from a basic user up full administrator rights. Consider setting up limited user accounts for those that do not need to have access to the full extent of the BMC’s server control.

IP Access Control and Network Setup

Another feature of IPMI is that you can setup IP access control. This way you can ensure that only selected server(s) can connect and remotely manage the server. You could have a dedicated management server which is the only machine allowed to connect to the BMC’s of servers in the datacentre.

For IPMI connectivity there is usually a dedicated LAN port. Perhaps the most important security tip is to not connect IPMI LAN port to an internet facing connection. It is vital to the security and integrity of your datacentre to not allow any outside world traffic onto the network interface that the IPMI port uses. This could be also be configured at the network switch level with firewall configurations to restrict inbound/outbound traffic on the BMC interface.

Further network best security practises are to re-configure the ports that the BMC uses to non-default ones. But also, if certain functionality is not required then certain ports can also be disabled. This would of course have to be done at the network switch/router level.

Keep IPMI up to date

Firmware updates for IPMI are routinely released as and when security fixes or feature updates are added. We recommend to periodically check for updates. You can even update IPMI without having to reboot the server because it is running on its own dedicated hardware (BMC), and update multiple servers at once. As CVE’s (Common Vulnerabilities and Exposures) may be found at any time and fixes will be released to plug these security holes, it would be wise to check and apply updates as part of routine maintenance windows.

These key steps will help to keep your systems secure from those with malicious intent but be wary – new weaknesses and methods of attack are being discovered every day. It’s best to follow the industry news and try to keep ahead of the hackers.

Supermicro publish in-depth security considerations relating to common vulnerabilities at their website here. We recommend checking back regularly and getting the latest information.

https://www.supermicro.com/support/security_center.cfm

If you’re interested in IPMI and would like to know more, we’d recommend the following pages. They contain essential details on how to get started with IPMI and some of the advanced software features.

https://www.boston.co.uk/technical/2015/10/supermicro-ipmi-what-is-it-and-what-can-it-do-for-you.aspx

https://www.boston.co.uk/blog/2019/06/17/ipmi-user.aspx?utm_source=rss&utm_medium=syndication&utm_campaign=rss

As always, our team of sales and technical engineers are standing by to help with all your IT challenges.

Web: www.boston.co.uk
Email: [email protected]
Phone: 01727 876 100

Tags: IPMI, Security, Best Practice

RSS Feed

Sign up to our RSS feed and get the latest news delivered as it happens.

click here

Test out any of our solutions at Boston Labs

To help our clients make informed decisions about new technologies, we have opened up our research & development facilities and actively encourage customers to try the latest platforms using their own tools and if necessary together with their existing hardware. Remote access is also available

Contact us

ISC High Performance 2020

Latest Event

ISC High Performance 2020 | 21st - 25th June 2020, Messe Frankfurt, Germany

ISC is the event for high-performance computing, networking and storage.

more info