IPMI Best Practices

Oct 10, 2019

IPMI Best Practices
The rate of security incidents involving the Intelligent Platform Management Interface (IPMI) and Baseboard Management Controller (BMC) has increased in recent years. These incidents exposed IPMI and BMC interfaces to the Internet without the system administrator’s knowledge. In some cases, system administrators weren’t even aware that their servers had IPMI interfaces. UNICOM Engineering has identified specific vulnerabilities with these interfaces and developed best practices for minimizing the risks they pose.

IPMI

IPMI is a set of interface specifications for computer subsystems. It provides management and monitoring capabilities that are independent of the host system’s other resources, including the Central Processing Unit (CPU), Basic Input Output System (BIOS), an operating system (OS). System administrators can use IPMI to access system consoles during a subsystem failure of the primary network, commonly known as out-of-band monitoring. For example, an IPMI allows an administrator to manage a computer that’s powered off by using a network connection instead of an OS or login shell.

The remote installation of an OS is another common use of IPMI, which allows an administrator to mount an image of the OS, simulate an installer DVD, and perform the installation normally. Without IPMI, an administrator typically needs to be physically present to manually insert the OS installation media, and use the computer’s own monitor and keyboard to complete the installation.

BMC

A BMC is a specialized microcontroller on the motherboard of a computer, typically a server. It provides IPMI architecture with intelligence by managing the interface between system-management software and platform hardware. A BMC receives signals from sensors built into the computer, allowing it to monitor parameters like temperature, fan speeds, and power status. It can also send an alert to an administrator when one of these parameters falls outside a pre-set range, which could indicate a potential system failure. The administrator can then instruct the BMC to take corrective action such as power cycling the server.

Various hardware devices can serve as physical interfaces for BMCs, including Intelligent Platform Management Buses (IPMBs), RS-232 serial consoles, and SMBuses. These devices allow a BMC to accept request messages from the server’s IPMI management controllers. Direct connections to a BMC are secure, so they don’t require communications to be encrypted. However, LAN connections to a BMC may require encrypted communications depending on its security requirements.

Security Vulnerabilities

Many hardware vendors support IPMI, especially those that offer out-of-brand or lights-out management suites. Devices with IPMI have the potential to be completely compromised at the BMC level, allowing an intruder to perform actions such as rebooting the system, installing a new OS, bypassing OS controls, and accessing data. IPMI may also permit an intruder to access the console remotely and modify the BIOS. IPMIs typically have default passwords, although some have no password at all. Furthermore, an intruder can obtain an IPMI password from a root-compromised server, which can then be used to gain access to other hosts in the IPMI managed group.

A BMC has almost total access and control over the server’s resources, including, memory, power, and storage. It supports the remote boot of the server from a CD or network and runs a set of network services in addition to monitoring the server environment. A BMC also provides remote debugging capabilities that could allow unauthorized access to the server from the Internet if it isn’t properly configured.

Best Practices

UNICOM Engineering has developed best practices to mitigate the potential security risks of IPMI and BMCs. We recommend that data centers implement these practices when using IPMI to manage their machines.

  1. Change the default password when you install IPMI devices and use strong passwords. Disable the “cipher 0” option and anonymous logins during installation as well. IPMI devices often enable cipher 0 by default, which allows users to bypass authentication and send their own IPMI commands.
  2. Reserve an IP address range to use for private subnets to BMC management interfaces and management servers. Configure your firewall to restrict outbound traffic as BMC alerts within this range. Don’t use this range for other purposes, especially LAN interfaces for BMC-managed machines.
  3. Manage BMCs with dedicated management interfaces if available. If you have to manage your BMCs with a shared LAN, you should at least configure a separate VLAN for your BMC traffic. You should also restrict IPMI traffic to trusted internal networks, preferably a VLAN segment with strong network controls.
  4. Enable encryption on your IPMI interface, if possible. Your user manual should provide instructions on how to do this for your IPMI device.
  5. Manage all your BMCs from secure management servers that require a login. Enable the access rules to BMC with your IP access policy.
  6. Disable IPMI in the web console if you aren’t using it.
  7. Block TCP port 625 to disable IPMI services. Customize the service ports on BMCs to meet your datacenter’s requirements.
  8. Create policies and roles for BMC users.
  9. Monitor the traffic between BMCs and other machines in your network for suspicious activity.
  10. Review firmware release notes as they’re published, especially those related to security fixes. Plan firmware upgrades around regular maintenance cycles.

Affected Products

BMC and IPMI are server technologies, so these security issues generally affect only servers. Laptops don’t use them at all, although end-user workstations do in rare cases. The following server management technologies use IPMI:

  • Dell Integrated Dell Remote Access Controller (iDRAC)
  • HP Integrated Lights Out (iLO)
  • Intel IPMI/Remote Management Module (RMM)
  • Lenovo XClarity Controller (XCC)
  • Supermicro IPMI
  • Summary

IMPI is essential for managing servers, as virtually all server management technologies now use it. However, the control that IPMI has over a server also means it can pose a significant security risk. You can mitigate much of this risk by implementing some general security procedures in addition to those that are specific to IPMI and BMCs.

UNICOM Engineering is dedicated to providing customers useful and timely information, especially as it pertains to the security of your server. We hope that you found these best practices valuable. You can learn more about other technologies and developments by reading our latest informative blog posts.



Tags: Security, IPMI
Category: Security


Archive