Date:      Sun, 6 Apr 2014 16:36:33 +0200
From:      Achim Patzner <ap@bnc.net>
To:        Kamil Choudhury <Kamil.Choudhury@anserinae.net>
Cc:        "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject:   Re: Securing baseboard managers
Message-ID:  <B479C45C-0F92-44D6-B614-471ADF229EEE@bnc.net>
In-Reply-To: <F9A7386EC2A26E4293AF13FABCCB32B301519A6260@janus.anserinae.net>
References:  <F9A7386EC2A26E4293AF13FABCCB32B301519A6260@janus.anserinae.net>

On 05.04.2014 at 17:00, Kamil Choudhury <Kamil.Choudhury@anserinae.net> wrote:

> A new motherboard

You might have told us a bit more about that mainboard if you wanted some hints

> I just bought has one of those out of band management 
> Ethernet ports. When I connected it into my cable router, despite the 
> cord being plugged into the non-baseboard Ethernet port, the baseboard 
> grabbed my public IP (I use this box as a router) instead of FreeBSD.

because it is using DHCP and probably up and running before FreeBSD even starts thinking about booting. Nothing wrong there. You might take a look at the firmware configuration and just turn it off if you don't need it. Or use another NIC for your outside connection.

> 1/ How do you protect yourself against this kind of vulnerability? Am I
> paranoid for even thinking this is a problem? 

Usually by reading the manual and configuring the hardware or turning the thing off if it is not needed. Or removing the microcontroller from my mainboard (e.g. on Intel server boards).

> 2/ While out of band management is useful, I just can't bring myself to 
> trust software that seems to have been written by poo-flinging monkeys
> (seriously, you need to see the browser-based UI they provide: frames!
> <blink>! Java applets!).

If you're that much better than those programmers you might lend them a hand. But remember: your tools have to be running on everything on this planet, including FreeBSD boxes running a browser in a Linux emulation. And on my Android phone, of course.

> Is there any way to replace the vendor provided 
> solution with something more auditable and configurable? Maybe a teeny-tiny 
> BSD-based distribution?

Of course. Just write it. But keep in mind that the inner workings of those remote management modules are quite a bit more complex than their block diagrams.


Achim
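The situation described in this thread (a BMC on a shared NIC pulling a DHCP lease on the upstream link before the host OS is up) is easy to audit once the box is running. The following script is an added example, not code from either poster: it parses the "Key : Value" lines that `ipmitool lan print <channel>` prints on the host side, and flags a BMC that (a) takes its address from DHCP or (b) sits outside the management subnets the operator expects. The sample output embedded below is constructed to resemble ipmitool's format, not captured from real hardware, and the `allowed_nets` list is an assumed operator policy. Whether the BMC shares a physical port with the host NIC is vendor specific and is not something ipmitool reports, so that check is deliberately left to the firmware setup screen.

```python
import ipaddress
import subprocess

# Constructed sample in the style of `ipmitool lan print 1` (not real hardware output).
# The address is from the TEST-NET-3 documentation range.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
IP Address Source       : DHCP Address
IP Address              : 203.0.113.17
Subnet Mask             : 255.255.255.0
MAC Address             : 00:11:22:33:44:55
Default Gateway IP      : 203.0.113.1
802.1q VLAN ID          : Disabled
"""


def parse_lan_print(text):
    """Turn ipmitool's 'Key : Value' lines into a dict.

    Only the first ':' separates key from value, so values that themselves
    contain colons (the MAC address) survive intact.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def audit_bmc_lan(fields, allowed_nets):
    """Return a list of findings for a parsed BMC LAN channel.

    allowed_nets: CIDR strings for the management networks the BMC is
    allowed to live on (assumed operator policy, not an ipmitool concept).
    """
    findings = []

    # A DHCP-sourced BMC address is exactly what grabbed the public lease in
    # the thread: the BMC is up and asking before the OS has booted.
    source = fields.get("IP Address Source", "")
    if source.upper().startswith("DHCP"):
        findings.append(
            "IP Address Source is DHCP: on a shared NIC the BMC will take a "
            "lease on whatever link is plugged in, before the host OS boots"
        )

    # Whatever the source, the BMC should only ever sit on a management net.
    addr = fields.get("IP Address")
    if addr:
        ip = ipaddress.ip_address(addr)
        nets = [ipaddress.ip_network(n) for n in allowed_nets]
        if not any(ip in net for net in nets):
            findings.append(
                f"BMC address {addr} is outside the allowed management "
                f"networks {', '.join(allowed_nets)}"
            )
    return findings


def read_live_lan_print(channel=1):
    """Run ipmitool on the host (requires the ipmi driver and root)."""
    result = subprocess.run(
        ["ipmitool", "lan", "print", str(channel)],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # read_live_lan_print() to audit a real machine.
    parsed = parse_lan_print(SAMPLE_LAN_PRINT)
    for finding in audit_bmc_lan(parsed, ["10.20.0.0/16"]):
        print("FINDING:", finding)
```

The fix for a DHCP finding is the one Achim describes: static addressing on a dedicated management port, or disabling the channel in the firmware setup if it is not needed.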