Date: Sun, 6 Apr 2014 16:55:12 +0200
From: Achim Patzner <ap@bnc.net>
To: Jordan Hubbard <jkh@ixsystems.com>
Cc: Kamil Choudhury <Kamil.Choudhury@anserinae.net>, "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject: Re: Securing baseboard managers
Message-ID: <793A8C91-A1FB-4A83-A9D7-F8BFDF87EB1B@bnc.net>
In-Reply-To: <CA2101BB-A627-4FED-BBB8-05803F771EA8@ixsystems.com>
References: <F9A7386EC2A26E4293AF13FABCCB32B301519A6260@janus.anserinae.net> <CA2101BB-A627-4FED-BBB8-05803F771EA8@ixsystems.com>
On 05.04.2014 at 17:54, Jordan Hubbard <jkh@ixsystems.com> wrote:

> On Apr 5, 2014, at 8:00 PM, Kamil Choudhury <Kamil.Choudhury@anserinae.net> wrote:
>
>> I spend my days doing application development, so I am probably missing
>> a lot of perspective that more systems-oriented people have. If my
>> questions are ridiculous, feel free to tell me so and send me on my way!
>
> All IPMI implementations suck.

You missed the point – he was probably talking about the rest of the package, not about the IPMI part. And looking at the latest incarnation of the Intel RMM (RMM4) I can't even share that feeling. Besides: in emergencies even IPMI is quite a good tool to deal with a machine hanging some 1000 km away without having to send a trained monkey (who won't even find the reset button) there. But you don't have to use it, as most serious hardware is offering this via web pages.

We had (PDP11-based) Console Processors on the first VAX systems, so people should maybe consider getting used to this concept. In regards to security they are at least as trustworthy as most of the operating systems people are using every day.

> To remotely render an interactive console in someone's browser, where said browser could be any one of 6 different flavors, you have to lean pretty heavily on the client side - especially if you want to offer tricks like virtual CD-to-local-ISO mapping (which is pretty handy).

Now _these_ are the parts which are not difficult at all. At least in those implementations I know, the hardware doesn't even have to capture a video signal off a VGA connector (like some KVM switches), as it is directly connected to the video hardware (i.e. this is more like streaming a movie). Doing the "block device over IP" is even simpler (on the server side – but who cares how the RMM is doing its job?).

> From the security side, most reasonable motherboards don't feature NIC sharing as the only option.

Some boards do (but those will offer you VLAN support, setting static IP addresses and similar goodies); some engineers have a weird fetish to build complete servers on nanoATX boards, running out of room for connectors.

Achim
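Achim's closing point, that a board worth using lets you give the BMC a static address and an 802.1q VLAN tag rather than leaving it on the host's untagged, possibly shared NIC, can be turned into a small configuration audit. The following is an added example and not code from this thread, from FreeBSD or from any BMC vendor. The two sample texts are constructed to imitate the layout of `ipmitool lan print` output (the field names are assumed from that tool; vendor firmware may label things differently), and the "production network" prefix passed to the audit is an assumption for the sake of the example.

```python
import ipaddress

# Constructed sample in the style of `ipmitool lan print` output (not captured
# from any real BMC). Weak case: DHCP, no VLAN tag, address in the same
# subnet as the production hosts.
WEAK_LAN_PRINT = """\
Set in Progress         : Set Complete
IP Address Source       : DHCP Address
IP Address              : 10.0.0.42
Subnet Mask             : 255.255.255.0
MAC Address             : 00:11:22:33:44:55
Default Gateway IP      : 10.0.0.1
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
"""

# Constructed hardened case: static address on a dedicated management
# subnet, traffic tagged into its own VLAN.
HARDENED_LAN_PRINT = """\
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 10.99.0.42
Subnet Mask             : 255.255.255.0
MAC Address             : 00:11:22:33:44:55
Default Gateway IP      : 10.99.0.1
802.1q VLAN ID          : 99
802.1q VLAN Priority    : 0
"""


def parse_lan_print(text):
    """Turn 'Key : Value' lines into a dict, splitting on the first colon
    only so MAC addresses keep their own colons."""
    cfg = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_bmc_lan(cfg, production_nets=()):
    """Return a list of findings for a parsed BMC LAN channel configuration.

    production_nets: iterable of CIDR strings for host/production networks;
    a BMC address inside one of them is reported, since the management
    interface should live on its own (VLAN-separated) network.
    """
    findings = []

    source = cfg.get("IP Address Source", "")
    if source != "Static Address":
        findings.append(
            f"address source is '{source or 'unknown'}', expected a static address")

    vlan = cfg.get("802.1q VLAN ID", "Disabled")
    if not vlan.isdigit():
        findings.append(
            "no 802.1q VLAN tag set; BMC traffic shares the untagged network")

    addr = cfg.get("IP Address")
    if addr:
        ip = ipaddress.ip_address(addr)
        for net in production_nets:
            if ip in ipaddress.ip_network(net):
                findings.append(
                    f"BMC address {addr} lies inside production network {net}")

    return findings


if __name__ == "__main__":
    # Assumed production prefix for the demonstration.
    prod = ["10.0.0.0/24"]
    for label, text in (("weak", WEAK_LAN_PRINT), ("hardened", HARDENED_LAN_PRINT)):
        print(f"{label}:")
        for f in audit_bmc_lan(parse_lan_print(text), prod) or ["no findings"]:
            print("  -", f)
```

Run against real output, feed the text of `ipmitool lan print` into `parse_lan_print` and pass the CIDR blocks of your host networks; an empty findings list means the BMC has a static address, a VLAN tag, and sits outside the production ranges you listed.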