WaPo writes about vulnerabilities in Supermicro IPMIs

Andrew Jones aj at jonesy.com.au
Fri Aug 16 02:59:47 UTC 2013


On 16.08.2013 12:46, Jay Ashworth wrote:
> ----- Original Message -----
>> From: "Brandon Martin" <lists.nanog at monmotha.net>
>
>> As to why people wouldn't put them behind dedicated firewalls, 
>> imagine
>> something like a single-server colo scenario. Most such providers 
>> don't
>> offer any form of lights-out management aside from maybe remote 
>> reboot
>> (power-cycle) nor do they offer any form of protected/secondary 
>> network
>> to their customers. So, if you want to save yourself from a trip, 
>> you
>> chuck the thing raw on a public IP and hope you configured it right.
>
> Well, *I* would firewall eth1 from eth0 and cross-over eth1 to the 
> ILO jack;
> let the box be the firewall.  Sure, it's still as breakable as the 
> box
> proper, but security-by-obscurity isn't *bad*, it's just *not good 
> enough*.

That's great until you muck up your firewall config or the kernel hangs 
etc. and you're up for a trip to the data centre.



More information about the NANOG mailing list