Date: Sun, 6 Apr 2014 16:55:12 +0200
From: Achim Patzner <ap@bnc.net>
To: Jordan Hubbard <jkh@ixsystems.com>
Cc: Kamil Choudhury <Kamil.Choudhury@anserinae.net>, "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject: Re: Securing baseboard managers
Message-ID: <793A8C91-A1FB-4A83-A9D7-F8BFDF87EB1B@bnc.net>
In-Reply-To: <CA2101BB-A627-4FED-BBB8-05803F771EA8@ixsystems.com>
References: <F9A7386EC2A26E4293AF13FABCCB32B301519A6260@janus.anserinae.net> <CA2101BB-A627-4FED-BBB8-05803F771EA8@ixsystems.com>
On 05.04.2014 at 17:54, Jordan Hubbard <jkh@ixsystems.com> wrote:

> On Apr 5, 2014, at 8:00 PM, Kamil Choudhury <Kamil.Choudhury@anserinae.net> wrote:
>
>> I spend my days doing application development, so I am probably missing
>> a lot of perspective that more systems-oriented people have. If my
>> questions are ridiculous, feel free to tell me so and send me on my way!
>
> All IPMI implementations suck.

You missed the point; he was probably talking about the rest of the package, not about the IPMI part. And looking at the latest incarnation of the Intel RMM (RMM4), I can't even share that feeling.

Besides: in emergencies even IPMI is quite a good tool to deal with a machine hanging some 1000 km away without having to send a trained monkey (who won't even find the reset button) there. But you don't have to use it, as most serious hardware is offering this via web pages. We had (PDP11-based) Console Processors on the first VAX systems, so people should maybe consider getting used to this concept. In regards to security they are at least as trustworthy as most of the operating systems people are using every day.

> To remotely render an interactive console in someone's browser, where said browser could be any one of 6 different flavors, you have to lean pretty heavily on the client side - especially if you want to offer tricks like virtual CD-to-local-ISO mapping (which is pretty handy).

Now _these_ are the parts which are not difficult at all. At least in those implementations I know, the hardware doesn't even have to capture a video signal off a VGA connector (like some KVM switches), as it is directly connected to the video hardware (i.e. this is more like streaming a movie). Doing the block device over IP is even simpler (on the server side, but who cares how the RMM is doing its job?).

> From the security side, most reasonable motherboards don't feature NIC sharing as the only option.

Some boards do (but those will offer you VLAN support, setting static IP addresses and similar goodies); some engineers have a weird fetish to build complete servers on nanoATX boards, running out of room for connectors.

Achim
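The closing exchange above is about where the BMC's network interface sits: whether it rides on a shared host NIC, and whether the board at least lets you pin a static address and an 802.1q VLAN tag on it. The script below is an added example and is not code from the thread or from any of the vendors mentioned; it audits exactly those two settings from the output of `ipmitool lan print <channel>` (a real ipmitool command whose "Name : value" field layout is used here). The two sample outputs are constructed for the example, not captured from real hardware, and the field names they contain ("IP Address Source", "802.1q VLAN ID") are the ones ipmitool prints.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Audits a BMC's LAN
# channel as reported by `ipmitool lan print <channel>`: is the BMC on a
# static address, and is it tagged onto its own VLAN instead of sitting
# untagged on a NIC it shares with the host?

# Constructed sample: a BMC configured the way the thread recommends.
SAMPLE_GOOD='Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 192.0.2.10
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
Default Gateway IP      : 192.0.2.1
802.1q VLAN ID          : 100
802.1q VLAN Priority    : 0'

# Constructed sample: a BMC left on DHCP with VLAN tagging disabled.
SAMPLE_WEAK='Set in Progress         : Set Complete
IP Address Source       : DHCP Address
IP Address              : 10.0.0.57
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:02
Default Gateway IP      : 10.0.0.1
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0'

# bmc_field TEXT NAME: print the value of field NAME from ipmitool-style
# "Name : value" output held in TEXT. Anchoring on "^NAME<spaces>:" keeps
# "IP Address" from matching the "IP Address Source" line.
bmc_field() {
    printf '%s\n' "$1" \
        | sed -n "s/^$2[[:space:]]*:[[:space:]]*//p" \
        | sed 's/[[:space:]]*$//' \
        | head -n 1
}

# bmc_audit TEXT: return 0 when the BMC has a static address and a numeric
# VLAN tag; otherwise print one FINDING line per problem and return 1.
bmc_audit() {
    _src=$(bmc_field "$1" 'IP Address Source')
    _vlan=$(bmc_field "$1" '802.1q VLAN ID')
    _rc=0
    case "$_src" in
        "Static Address") ;;
        *) echo "FINDING: address source is '$_src', expected 'Static Address'"; _rc=1 ;;
    esac
    case "$_vlan" in
        ''|Disabled) echo "FINDING: 802.1q VLAN tagging is off (value '$_vlan')"; _rc=1 ;;
        *[!0-9]*)   echo "FINDING: unexpected VLAN ID '$_vlan'"; _rc=1 ;;
    esac
    return $_rc
}

# Stand-alone run over the two constructed samples.
bmc_audit "$SAMPLE_GOOD" && echo "sample 1: static address on VLAN, OK"
bmc_audit "$SAMPLE_WEAK" || echo "sample 2: weak BMC network settings"
```

Against a live board, feed it the real output instead of a sample, e.g. `bmc_audit "$(ipmitool lan print 1)"`; the channel number is board-specific and 1 is only the common default. Whether the port is dedicated or shared with the host NIC is not visible in `lan print` and is set through vendor-specific commands or the BIOS, so that part of the check still has to be done by hand.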
