Posted on 2019/07/24
The Intelligent Platform Management Interface - (IPMI) is a crucial resource for server administrative control. It is a powerful tool that can monitor a range of server parameters including sensor arrays, power usage, event logs. It can also be used to remote power on/off as well as fully controlling the server via remote KVM.
IPMI runs on a separate hardware subsystem directly attached to a motherboard. This hardware is referred to as a Baseboard Management Controller (BMC). The BMC manages the interface between system management software (such as Supermicro's IPMI View) and platform hardware. Here at Boston, most of our servers feature IPMI management and as such these powerful features are available for server administrators.
As the BMC is such a powerful utility, it is very important to secure not only the access to the IPMI system, but also to follow general guidelines to ensure it cannot be compromised. At Boston Labs, we have some recommendations for what you should do to secure IPMI.
Secure the password and users
The default username and password for IPMI should immediately be changed to something secure and also using strong passwords. IPMI on our servers also allow for multiple users accounts, these have different access levels ranging from a basic user up full administrator rights. Consider setting up limited user accounts for those that do not need to have access to the full extent of the BMC’s server control.
IP Access Control and Network Setup
Another feature of IPMI is that you can setup IP access control. This way you can ensure that only selected server(s) can connect and remotely manage the server. You could have a dedicated management server which is the only machine allowed to connect to the BMC’s of servers in the datacentre.
For IPMI connectivity there is usually a dedicated LAN port. Perhaps the most important security tip is to not connect IPMI LAN port to an internet facing connection. It is vital to the security and integrity of your datacentre to not allow any outside world traffic onto the network interface that the IPMI port uses. This could be also be configured at the network switch level with firewall configurations to restrict inbound/outbound traffic on the BMC interface.
Further network best security practises are to re-configure the ports that the BMC uses to non-default ones. But also, if certain functionality is not required then certain ports can also be disabled. This would of course have to be done at the network switch/router level.
Keep IPMI up to date
Firmware updates for IPMI are routinely released as and when security fixes or feature updates are added. We recommend to periodically check for updates. You can even update IPMI without having to reboot the server because it is running on its own dedicated hardware (BMC), and update multiple servers at once. As CVE’s (Common Vulnerabilities and Exposures) may be found at any time and fixes will be released to plug these security holes, it would be wise to check and apply updates as part of routine maintenance windows.
These key steps will help to keep your systems secure from those with malicious intent but be wary – new weaknesses and methods of attack are being discovered every day. It’s best to follow the industry news and try to keep ahead of the hackers.
Supermicro publish in-depth security considerations relating to common vulnerabilities at their website here. We recommend checking back regularly and getting the latest information.
If you’re interested in IPMI and would like to know more, we’d recommend the following pages. They contain essential details on how to get started with IPMI and some of the advanced software features.
As always, our team of sales and technical engineers are standing by to help with all your IT challenges.
Email: [email protected]
Phone: 01727 876 100