IPMI Security for Datacenters and Compute Clusters

Best Practices for managing servers with IPMI

Baseboard Management Controllers (BMC) with IPMI are commonly used to manage servers remotely. Almost 100% of Microway’s servers support IPMI either through a dedicated management port or a shared LAN port. As of 2012, all new products support IPMI 2.0 and encryption.

A BMC provides powerful remote debugging capabilities for datacenter and HPC administrators, but may allow unauthorized access from the Internet or from within an organization. If not configured properly, an IPMI BMC may compromise the security of your machines. We recommend the following steps when using IPMI to manage your machines:

Network Configuration

  • Block/Restrict inbound traffic from the Internet directly to BMCs. Log on to a secure management server in your datacenter and manage all BMCs from there.
  • Reserve special IP address ranges (private subnets) for BMC management interfaces and management servers. Don’t share IP subnets – use separate subnets for LAN, WAN and IPMI.
  • Configure the firewall to block/restrict outbound traffic from the BMCs, including alerts within the reserved IP range.
  • Use the dedicated management interface for each BMC. This provides physical separation of networks. If this is not possible, then your server traffic and IPMI traffic will both be using a shared LAN port – configure your network to use a separate VLAN for IPMI traffic.

BMC Configuration

  • Configure your BMCs to use custom port numbers. For example, you can set the HTTP port of the BMC to 57880 instead of 80.
  • Change the default password during installation and use strong passwords.
  • Create user policies and roles on the BMCs.
  • Use the IP Access Policy to define rules that permit access to each BMC from your management servers.

Additional Measures

  • Monitor for unusual traffic between your BMCs and other machines on the network.
  • Pay attention to firmware release notes (especially related to security fixes) and plan upgrades of the firmware during your maintenance cycles.
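
The checks above can be scripted. The following is an added example, not part of the original guide or of any vendor tool: it audits an address plan and BMC inventory against the subnet and port recommendations, and flags flows between a BMC and anything other than a management server. All subnets, host names, addresses and flow records are constructed sample data.

```python
import ipaddress as ip

RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (assumptions, not taken from the guide).
SUBNETS = {"lan": "10.10.0.0/16", "wan": "198.51.100.0/24", "ipmi": "10.99.0.0/24"}
MGMT_SERVERS = {"10.99.0.10"}
BMCS = [
    {"host": "node01-bmc", "ip": "10.99.0.21", "http_port": 57880},
    {"host": "node02-bmc", "ip": "10.10.4.7", "http_port": 80},  # wrong subnet, default port
]
FLOWS = [  # (source, destination) pairs as a flow log might report them
    ("10.99.0.10", "10.99.0.21"),  # management server -> BMC: expected
    ("10.99.0.21", "10.10.3.50"),  # BMC -> LAN host: unusual
    ("192.0.2.44", "10.10.4.7"),   # outside host -> BMC: unusual
    ("10.10.3.50", "10.10.3.51"),  # no BMC involved: ignored
]

def audit_subnets(subnets):
    """Check the IPMI subnet is private and shares no addresses with LAN/WAN."""
    nets = {name: ip.ip_network(cidr) for name, cidr in subnets.items()}
    ipmi, findings = nets["ipmi"], []
    if not any(ipmi.subnet_of(r) for r in RFC1918):
        findings.append("ipmi subnet is not in a private range")
    for name, net in nets.items():
        if name != "ipmi" and net.overlaps(ipmi):
            findings.append(f"ipmi subnet overlaps {name}")
    return findings

def audit_bmcs(bmcs, subnets):
    """Flag BMCs outside the IPMI subnet or still on the default HTTP port."""
    ipmi, findings = ip.ip_network(subnets["ipmi"]), []
    for b in bmcs:
        if ip.ip_address(b["ip"]) not in ipmi:
            findings.append((b["host"], "outside ipmi subnet"))
        if b["http_port"] == 80:
            findings.append((b["host"], "default HTTP port"))
    return findings

def unusual_flows(flows, bmcs, mgmt_servers):
    """Return flows that touch a BMC whose peer is not a management server."""
    bmc_ips = {b["ip"] for b in bmcs}
    hits = []
    for src, dst in flows:
        peer = dst if src in bmc_ips else src if dst in bmc_ips else None
        if peer is not None and peer not in mgmt_servers:
            hits.append((src, dst))
    return hits

if __name__ == "__main__":
    print(audit_subnets(SUBNETS), audit_bmcs(BMCS, SUBNETS),
          unusual_flows(FLOWS, BMCS, MGMT_SERVERS), sep="\n")
```
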

Adapted from Supermicro IPMI Best-Practices Guide
