From owner-freebsd-hackers@FreeBSD.ORG Sat Apr 5 15:00:30 2014
From: Kamil Choudhury
To: "freebsd-hackers@freebsd.org"
Subject: Securing baseboard managers
Date: Sat, 5 Apr 2014 15:00:26 +0000
List-Id: Technical Discussions relating to FreeBSD

First, a quick story.

A new motherboard I just bought has one of those out-of-band management Ethernet ports. When I connected it to my cable router, despite the cord being plugged into the non-baseboard Ethernet port, the baseboard grabbed my public IP (I use this box as a router) instead of FreeBSD.

So. I exposed the baseboard's janky operating system, running god knows what ancient version of Linux, to the internet, and momentarily gave all comers (the credentials were, of course, admin/admin) the power to remotely reboot my computer. Yikes.

The stakes here were low: I was at home, and there's really nothing all that valuable on my network. But at the end of the day, these baseboard controllers are running unmanaged, unaudited code on our networks, and that scares me.

So... my questions:

1/ How do you protect yourself against this kind of vulnerability? Am I paranoid for even thinking this is a problem?

2/ While out-of-band management is useful, I just can't bring myself to trust software that seems to have been written by poo-flinging monkeys (seriously, you need to see the browser-based UI they provide: frames! Java applets!). Is there any way to replace the vendor-provided solution with something more auditable and configurable? Maybe a teeny-tiny BSD-based distribution?

I spend my days doing application development, so I am probably missing a lot of perspective that more systems-oriented people have. If my questions are ridiculous, feel free to tell me so and send me on my way!

Thanks in advance,
Kamil