Securing FX2200 OOB Management Ports

Securing FX2200 OOB Management Ports 

The FX2200 appliance has an out-of-band (OOB) management port, also known as Baseboard Management Controller (BMC) or Intelligent Platform Management Interface (IPMI). The network services on this port do not implement modern security measures such as strong cryptography or extensive access control. Note that network access to the port is equivalent to having physical console access to the device, but it does not allow you to physically tamper with the appliance. Fortanix highly recommends taking strong network security measures outside the appliance to limit access to the OOB management port, such as:

  • Only connect the port to the network when OOB management functionality is required.
  • Put the port on a physically or logically separate network.
  • Implement “port isolation” or “private VLAN” for the subnet the port is connected to.
  • Only allow network access to the port by a restricted set of authorized users.
  • Only allow inbound connections targeting the OOB management port, do not allow connections initiated from the port.
  • Ensure that only cipher suite 17 is enabled on the IPMI interface.

Fortanix recommends implementing as many of these measures as possible; IPMI 2.0 suffers from a weak authentication protocol that leaks credential hashes to the client, and any unnecessary exposure of the IPMI interface adds the risk of compromise through this interface.

Ensuring That Only Cipher 17 is Enabled

By default, IPMI supports multiple weak cipher suite configurations. Some of these allow for trivial traffic interception and subsequent administrator session takeover. It is recommended to only enable cipher suite 17, which is the strongest cipher suite supported by IPMI. To achieve this, follow the below instructions:

  1. Run the following command (substituting username and password as necessary) to disable this feature.
    ipmitool -H IPMI_IP -U USERNAME -P USERPASSWORD lan set 1 cipher_privs XXXXXXXXXXXaXXX
  2. To connect through ipmitool using cipher suite 17, run the following command:
    ipmitool -I lanplus -U USERNAME -H IPMI -C17 sol info
    You must note that using the regular command may result in the following error:
    root@us-west-eqsv2-cslab-1: ipmitool -I lanplus -U admin -H 10.197.192.58 sol info
    Password:
    Error in open session response message: no matching cipher suite
    Error: Unable to establish IPMI v2 / RMCP+ session
    Solution: No fixes are available for this issue within the IPMI protocol. The recommended course of action is to block or restrict access to IPMI port 623.
    

For more FAQs related to security implementation see https://support.fortanix.com/hc/en-us/sections/4407712463636-Security.

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful