Securing FX2200 OOB Management Ports

The FX2200 appliance has an out-of-band (OOB) management port, also known as the Baseboard Management Controller (BMC) or Intelligent Platform Management Interface (IPMI) port. The network services on this port do not implement modern security measures such as strong cryptography or fine-grained access control. Note that network access to the port is equivalent to physical console access to the device (it can power-cycle the appliance and drive its serial console), although it does not allow physical tampering with the appliance. Fortanix highly recommends strong network security measures outside the appliance to limit access to the OOB management port, such as:

  • Only connect the port to the network when OOB management functionality is required.

  • Put the port on a physically or logically separate network.

  • Implement “port isolation” or “private VLAN” for the subnet the port is connected to.

  • Only allow network access to the port by a restricted set of authorized users.

  • Only allow inbound connections to the OOB management port; do not allow connections initiated from the port.

  • Ensure that only cipher suite 17 is enabled on the IPMI interface.

Fortanix recommends implementing as many of these measures as possible. The IPMI 2.0 authentication handshake (RAKP) returns a keyed hash of the user's password to any client that presents a valid username, before that client has authenticated, so anyone who can reach the interface can crack passwords offline. Any unnecessary exposure of the IPMI interface therefore adds the risk of compromise through this interface.

Ensuring That Only Cipher 17 is Enabled

By default, IPMI allows multiple weak cipher suite configurations, including cipher suite 0, which provides no authentication, integrity, or confidentiality at all. Some of these allow trivial traffic interception and subsequent administrator session takeover. It is recommended to enable only cipher suite 17 (RAKP-HMAC-SHA256 authentication, HMAC-SHA256-128 integrity, AES-CBC-128 confidentiality), the strongest cipher suite supported by IPMI. To achieve this, follow the instructions below:

  1. Run the following command (substituting the IPMI address, username and password as necessary) to mark every cipher suite except 17 as unused, which disables those suites.

    ipmitool -H IPMI_IP -U USERNAME -P USERPASSWORD lan set 1 cipher_privs XXXXXXXXXXXaXXX

    Each character of the cipher_privs string corresponds to one entry, in order, of the cipher suite list that "ipmitool ... lan print 1" shows under "RMCP+ Cipher Suites": X marks that entry as unused, a allows it up to ADMIN privilege. The string above therefore assumes cipher suite 17 is the twelfth entry in the list (for example 0,1,2,3,6,7,8,11,12,15,16,17). Check the list on your appliance before applying the command, and afterwards confirm that the "Cipher Suite Priv Max" line in the lan print output matches the string you set. Passing the password with -P exposes it in the process list; prefer -E, which makes ipmitool read it from the IPMI_PASSWORD environment variable.
  2. To connect through ipmitool using cipher suite 17, run the following command (the -C 17 option selects the cipher suite):

    ipmitool -I lanplus -U USERNAME -H IPMI_IP -C 17 sol info

    Note that once only cipher suite 17 is enabled, running the command without -C 17 (older ipmitool releases default to cipher suite 3) fails with the following error:

    root@us-west-eqsv2-cslab-1: ipmitool -I lanplus -U admin -H 10.197.192.58 sol info
    Password:
    Error in open session response message: no matching cipher suite
    Error: Unable to establish IPMI v2 / RMCP+ session

    This error is expected: the BMC refuses the cipher suite the client asked for. Re-run the command with -C 17. Restricting the cipher suites does not remove the RAKP credential-hash weakness described above; no fix for it is available within the IPMI protocol, so the recommended course of action remains to block or restrict network access to the IPMI port (UDP 623).

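The procedure above as an added shell example (not Fortanix's or ipmitool's own code): it reads the BMC's cipher suite list from lan print output, derives the cipher_privs string from it instead of assuming the position of suite 17, applies it over a cipher suite 17 session so the change is idempotent, and then verifies both that the BMC reports the new privilege string and that a weaker suite (3) is refused. The function names, the harden_ipmi.sh filename, the constructed sample output in the comments and the 15-character string length (taken from the command on this page) are assumptions; ipmitool's -E option reads the password from the IPMI_PASSWORD environment variable so it never appears in the process list.

```shell
#!/bin/sh
# Added example, not Fortanix tooling: restrict a BMC to IPMI cipher suite 17
# by deriving the cipher_privs string from the BMC's own suite list.
# Assumptions: ipmitool is installed; the BMC lists at most 15 cipher suites
# (cipher_privs is 15 characters, one per entry); IPMI_PASSWORD is exported
# for ipmitool -E. Host and user names are placeholders.
set -eu

# Print the comma-separated "RMCP+ Cipher Suites" value from `lan print`
# output read on stdin, e.g. (constructed sample) "0,1,2,3,6,7,8,11,12,15,16,17".
supported_suites() {
    sed -n 's/^RMCP+ Cipher Suites[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Print the "Cipher Suite Priv Max" value (constructed sample: "aaaaXXaaaXXaaXX")
# from `lan print` output read on stdin.
current_privs() {
    sed -n 's/^Cipher Suite Priv Max[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# build_cipher_privs LIST [SUITE]: one character per list entry, in order:
# 'a' (usable up to ADMIN) for SUITE (default 17), 'X' (unused) for every
# other entry, padded with 'X' to the 15 characters the page's command uses.
build_cipher_privs() {
    list=$1; want=${2:-17}; out=""; found=0
    old_ifs=$IFS; IFS=', '
    for s in $list; do
        if [ "$s" = "$want" ]; then out="${out}a"; found=1; else out="${out}X"; fi
    done
    IFS=$old_ifs
    if [ "$found" -ne 1 ]; then
        echo "cipher suite $want is not offered by the BMC (list: $list)" >&2
        return 1
    fi
    if [ ${#out} -gt 15 ]; then
        echo "BMC offers more than 15 suites; the 15-character format does not fit" >&2
        return 1
    fi
    while [ ${#out} -lt 15 ]; do out="${out}X"; done
    printf '%s\n' "$out"
}

# privs_ok REPORTED EXPECTED: succeed only if the privilege string the BMC
# reports starts with the one we set (some ipmitool builds print 16 characters).
privs_ok() {
    case "$1" in "$2"*) return 0 ;; *) return 1 ;; esac
}

# harden_bmc HOST USER: every session uses -C 17, so the script also works on
# a BMC that has already been restricted. Requires: export IPMI_PASSWORD=...
harden_bmc() {
    host=$1; user=$2
    list=$(ipmitool -I lanplus -C 17 -H "$host" -U "$user" -E lan print 1 | supported_suites)
    privs=$(build_cipher_privs "$list" 17)
    echo "suites offered: $list -> cipher_privs $privs"
    ipmitool -I lanplus -C 17 -H "$host" -U "$user" -E lan set 1 cipher_privs "$privs"
    after=$(ipmitool -I lanplus -C 17 -H "$host" -U "$user" -E lan print 1 | current_privs)
    privs_ok "$after" "$privs" || { echo "verification failed: BMC reports '$after'" >&2; return 1; }
    # Negative check: the weaker default suite 3 must now be refused
    # ("no matching cipher suite"), which ipmitool reports as a non-zero exit.
    if ipmitool -I lanplus -C 3 -H "$host" -U "$user" -E lan print 1 >/dev/null 2>&1; then
        echo "cipher suite 3 is still accepted by $host" >&2
        return 1
    fi
    echo "only cipher suite 17 is enabled on $host"
}

# Usage: export IPMI_PASSWORD='...'; sh harden_ipmi.sh apply IPMI_IP USERNAME
if [ "${1:-}" = "apply" ]; then harden_bmc "$2" "$3"; fi
```

The negative check at the end is the part most worth keeping: a privilege string that looks right in lan print is no proof that a weaker suite is refused, and an explicit failed -C 3 session is.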

For more FAQs related to security implementation see Security.