Posted on September 6, 2013 by Gento
A University of Michigan team has published their research on IPMI and BMC security issues. Entitled “Illuminating the Security Issues Surrounding Lights-Out Server Management,” this article follows up on the IPMI/BMC security issues highlighted by Dan Farmer and HD Moore as summarized in my previous blog on this subject. The Department of Homeland Security’s US-CERT team has posted an alert on the IPMI security risks.
The researchers provide an introduction to the issues, review the previous research, define the IPMI/BMC security risks, analyze a particular implementation, and describe their successful attack on it. They found “blatant textbook vulnerabilities” and concluded that the implementations “suggest either incompetence or indifference towards customer security.” They then count the publicly (Internet) accessible IPMI devices, which they determine to be more than 105,000. They offer some defenses and lessons and indicate areas for future work. The Washington Post has published an article on the paper and interviewed one of the authors, who criticizes the embedded device community for its security practices.
Customers who make use of BMC and IPMI based remote management cards and systems need to be aware of these issues and take the proper steps to safeguard their implementations. Given the severity of these issues, they should consider alternative remote management solutions such as KVM-over-IP switches, which can avoid most of these risks.
Posted on August 12, 2013 by Gento
The US Computer Emergency Readiness Team (US-CERT) issued an alert (TA13-207A) on IPMI usage on July 26th, with recommendations for IT departments. This is based on the work of Dan Farmer and HD Moore that I summarized in my previous blog on this topic.
The US-CERT alert summarizes many of the risks and issues and provides recommended solutions for administrators. Solutions include: restrict IPMI to internal networks, utilize strong passwords, require authentication, sanitize flash memory at end of life, and identify affected products. A list of BMCs is provided, although it is not a complete list of these devices or of the servers that use them.
While these solutions are a step in the right direction, they are not sufficient to address all of the security issues listed by Farmer and Moore. For example, using IPMI on internal networks still allows it to be attacked by viruses or worms that may exist on those networks. And unless systems enforce strong passwords, some passwords will not be strong. Furthermore, authentication should be sufficiently strong, and for government and military organizations, FIPS 140-2 encryption is required along with two-factor authentication (e.g. CAC).
These solutions do not address many of the structural issues with BMCs and IPMI, including direct access to the server’s motherboard, storage of clear text passwords, virtually unlimited server control, and access to the BMC from a compromised server.
IT administrators and security officers should directly consult Farmer’s and Moore’s work to understand the specific dangers to their environment and take the appropriate actions. Administrators should follow the security best practices defined by the server manufacturer and ensure that their servers have the latest BMC firmware, so that the latest security patches are applied. It’s a good idea to make sure your security scanner audits these devices for vulnerabilities.
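As an added example (not from the US-CERT alert or this blog), here is an offline audit that checks a BMC inventory against three of the recommendations above: BMCs confined to an internal management subnet, authentication required, and firmware at or above a minimum version. The CSV inventory, the management subnet and the minimum version are constructed, hypothetical values.

```python
import csv
import io
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample inventory (hypothetical hosts, not from the page): one row per BMC.
SAMPLE_INVENTORY = """\
host,bmc_ip,firmware,auth_required
db01,10.20.0.11,2.05,yes
web01,10.20.0.12,1.90,yes
lab07,203.0.113.40,2.05,no
build02,192.168.50.9,2.10,yes
"""

# Assumed site policy (hypothetical values): BMCs live only in this management
# subnet and must run at least this firmware version.
MGMT_SUBNET = ipaddress.ip_network("10.20.0.0/24")
MIN_FIRMWARE: Tuple[int, ...] = (2, 5)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.05' into (2, 5) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_bmc_inventory(inventory_csv: str) -> List[Dict[str, str]]:
    """Return one finding per policy violation found in the inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"]
        # "Restrict IPMI to internal networks": the BMC address must be in the management subnet.
        if ipaddress.ip_address(row["bmc_ip"]) not in MGMT_SUBNET:
            findings.append({"host": host, "issue": "bmc_outside_mgmt_subnet"})
        # "Require authentication": flag BMCs where unauthenticated access is still allowed.
        if row["auth_required"].strip().lower() != "yes":
            findings.append({"host": host, "issue": "bmc_auth_not_required"})
        # "Latest BMC firmware": flag anything below the site minimum.
        if parse_version(row["firmware"]) < MIN_FIRMWARE:
            findings.append({"host": host, "issue": "bmc_firmware_outdated"})
    return findings


if __name__ == "__main__":
    for finding in audit_bmc_inventory(SAMPLE_INVENTORY):
        print(f"{finding['host']}: {finding['issue']}")
```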
Posted on May 22, 2013 by Gento
Managing an IT infrastructure is complex, expensive and critical to a company’s success. Many IT and lab managers use the CommandCenter® Secure Gateway (CC-SG) management solution for secure and consolidated remote IP access from a variety of desktop and mobile clients to KVM and power management solutions, blades, virtualized servers, and serial devices.
IT infrastructure management solutions only work effectively if they evolve along with the IT and computing systems they support. To address recent security issues and decrease vulnerabilities, many IT and lab managers have recently updated their IT and computing systems. To support this evolution and the needs of our customers, Raritan has introduced Release 5.4.
With this latest release, CC-SG provides IT and lab infrastructure support for:
With CC-SG, IT and lab managers can be responsive to changing needs while reducing downtime, increasing security and reducing costs. Upgrade now to stay responsive and keep your IT infrastructure running.
To learn more about CC-SG Release 5.4 download our data sheet or take a free test drive.
Posted on March 21, 2013 by Gento
Looking for fast and dependable at-the-rack access to your servers for deployment, administration and maintenance activities? Now with Raritan’s T1700-LED Console Drawer, with an LED-backlit LCD display, you can get consolidated access to multiple servers from a single location along with energy savings.
Connecting to your existing analog or digital KVM switches, Raritan’s T1700-LED combines video, keyboard and touchpad functionality to enable the use of a single workstation to manage a rack, or multiple racks, of servers.
Raritan’s T1700-LED is designed with an energy-efficient LED-backlit LCD display, which reduces energy consumption by up to 20-50% compared with current cold cathode fluorescent (CCFL) backlit LCD technology. The LED-backlight technology provides better contrast and brightness, a greater color range, faster response to changes in scene and more accurate image rendering for a clean, crisp display.
Download our spec sheet or visit http://www.raritan.com/products/console-drawers/T1700-LED-Console-Drawer to learn more.
Posted on March 11, 2013 by Gento
DoD Public-Key Infrastructure (PKI) is a critical enabling technology for Information Assurance. PKI supports the secure transmission of information across both Non-classified Internet Protocol Router Networks (NIPRNET) and Secure Internet Protocol Networks (SIPRNET), as well as securing local data storage. It is made up of commercial grade hardware and software solutions, and applications developed by the National Security Agency (NSA).
The DoD PKI will allow the Department of Defense and other authorized users to conduct network-centric operations, securely accessing, processing, storing, transporting and using information, applications, and networks regardless of technology, division, or geographic location.
As testing and deployment plans for the new PKI SIPRNet token continue, the requirement for system administrators to adopt and use PKI to access classified systems in the data center quickly becomes a reality, and a significant challenge.
A proven solution for accessing these classified systems is a KVM switch with an approved SIPRNet Card Reader. This KVM solution would not only allow the different divisions in the DoD to comply with the new PKI directive, but also allow users to securely locate, access and control remote systems.