From: "Chad J. Milios"
To: Kamil Choudhury
Cc: freebsd-hackers@freebsd.org
Subject: Re: Securing baseboard managers
Date: Sat, 5 Apr 2014 13:20:57 -0700
Message-Id: <319928A2-C5FE-4BCA-A217-341DFD319FA7@ccsys.com>
List-Id: Technical Discussions relating to FreeBSD

> On Apr 5, 2014, at 8:00 AM, Kamil Choudhury wrote:
>
> First, a quick story.
>
> A new motherboard I just bought has one of those out of band management
> Ethernet ports. When I connected it into my cable router, despite the
> cord being plugged into the non-baseboard Ethernet port, the baseboard
> grabbed my public IP (I use this box as a router) instead of FreeBSD.
>
> So. I exposed the baseboard's janky operating system running god knows
> what ancient version of Linux to the internet, and momentarily gave all
> comers (the credentials were, of course, admin/admin) the power to
> remotely reboot my computer. Yikes.
>
> The stakes here were low: I was at home, and there's really nothing all
> that valuable on my network. But at the end of the day, these baseboard
> controllers are running unmanaged, unaudited code on our networks, and
> that scares me.
>
> So...my questions:
>
> 1/ How do you protect yourself against this kind of vulnerability? Am I
> paranoid for even thinking this is a problem?
>
> 2/ While out of band management is useful, I just can't bring myself to
> trust software that seems to have been written by poo-flinging monkeys
> (seriously, you need to see the browser-based UI they provide: frames!
> ! Java applets!). Is there any way to replace the vendor provided
> solution with something more auditable and configurable? Maybe a teeny-tiny
> BSD-based distribution?
>
> I spend my days doing application development, so I am probably missing
> a lot of perspective that more systems-oriented people have. If my
> questions are ridiculous, feel free to tell me so and send me on my way!
>
> Thanks in advance,
> Kamil

There is likely a setting in the mainboard's BIOS which makes the baseboard's NIC fail-over to sharing a mainboard port only when the baseboard's dedicated port lacks a link (default). Shared-always and dedicated-only are options. At any rate, the baseboard has its own MAC address. Most baseboards can be configured with a VLAN tag as well.

The default setting can be problematic when that port is hooked up to the WAN because the baseboard is in almost every case initialized first and might even be set to poll DHCP.
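An added example, not from either poster: a POSIX shell check that audits the two BMC settings the reply touches on, whether the baseboard pulls its address by DHCP and whether its traffic carries a VLAN tag, from captured `ipmitool lan print` output. The two sample outputs are constructed, and the field labels are assumed to follow ipmitool's `lan print` layout.

```shell
#!/bin/sh
# Added example: audit a BMC LAN channel from `ipmitool lan print` output.
# Flags an address obtained by DHCP and a missing 802.1q VLAN tag. The
# samples below are constructed, not captured from a real board.

SAMPLE_DHCP_NOVLAN='Set in Progress         : Set Complete
IP Address Source       : DHCP Address
IP Address              : 203.0.113.7
MAC Address             : 00:00:5e:00:53:01
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0'

SAMPLE_STATIC_VLAN='Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 10.0.99.7
MAC Address             : 00:00:5e:00:53:02
802.1q VLAN ID          : 99
802.1q VLAN Priority    : 0'

# lan_field OUTPUT LABEL: value of the first line whose label is LABEL.
# Splits on the first ':' only, so values containing ':' (MAC) stay whole.
lan_field() {
    printf '%s\n' "$1" | awk -v k="$2" '
        { i = index($0, ":"); if (i == 0) next
          lbl = substr($0, 1, i - 1); sub(/ +$/, "", lbl) }
        lbl == k { v = substr($0, i + 1); sub(/^ +/, "", v); print v; exit }'
}

# audit_bmc_lan OUTPUT: prints one line per finding; exit status is the
# number of findings (0 means a static address and a VLAN tag are both set).
audit_bmc_lan() {
    n=0
    src=$(lan_field "$1" 'IP Address Source')
    vlan=$(lan_field "$1" '802.1q VLAN ID')
    mac=$(lan_field "$1" 'MAC Address')
    case $src in
        *DHCP*) echo "WARN: BMC $mac takes its address by DHCP"; n=$((n + 1)) ;;
    esac
    case $vlan in
        ''|Disabled|0) echo "WARN: BMC $mac is untagged (VLAN ID: ${vlan:-unset})"; n=$((n + 1)) ;;
    esac
    if [ "$n" -eq 0 ]; then echo "OK: BMC $mac is static on VLAN $vlan"; fi
    return "$n"
}

# On a real host: audit_bmc_lan "$(ipmitool lan print 1)"
audit_bmc_lan "$SAMPLE_DHCP_NOVLAN" || echo "-> $? finding(s)"
audit_bmc_lan "$SAMPLE_STATIC_VLAN" || echo "-> $? finding(s)"
```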