Nutanix IPMI Security Rules in the Data Center

Nutanix IPMI BMC Network Security Rules

Nutanix partner OEMs such as Supermicro, Dell, Lenovo, IBM and Fujitsu recommend that the BMC sub-system interface (IPMI, iDRAC, iLO, IMM, ILOM or iRMC) be secured with best-practice rules for network segmentation and firewall ports.

Baseboard Management Controllers: a BMC with IPMI, iDRAC or iLO is commonly used to manage servers, and it needs security rules in the data center to make hardware management more secure.

Most Supermicro, Dell and Lenovo server models support the IPMI, iDRAC or iLO management interface either through a dedicated management port or through a shared LAN port.

Enable IPMI 2.0, which provides security through encryption algorithms.

The BMC provides powerful remote debugging capabilities in the data center, but if it is not configured properly it allows unwarranted access to BMCs from the Internet or from within the company and can compromise the security of your machines.

Hardware vendors such as Supermicro, Dell, Lenovo and other OEMs recommend the following steps, which data centers need to consider while using IPMI, iDRAC or iLO to manage machines.

Each OEM vendor has its own name for the server management technology used to manage the BMC, as follows:

Supermicro : IPMI
HP : Integrated Lights Out (iLO)
Dell : iDRAC
IBM : Remote Supervisor Adapter
IBM : IMM
Sun : ILOM
Fujitsu : iRMC

IPMI Best Practices Security Rules

There are many factors in implementing best-practice security rules on the Nutanix IPMI sub-system interface of the BMC chip, as described below.

IPMI Network Security Configuration

Implement the Nutanix IPMI network security configuration as per the best-practice rules described below:

Restrict inbound traffic from the Internet directly to BMCs. Log on to a secure management server in the data center and manage all BMCs from that management server.

Reserve a special IP address range (private subnets) for BMC management interfaces and management servers. Don't use the reserved IP subnets for the LAN interfaces of the managed machines.

Configure the firewall to restrict outbound traffic from the BMC, including alerts, to the reserved IP range.

Use dedicated management interfaces for managing BMCs. If dedicated management interfaces are absent and you have to use a shared LAN, configure separate VLANs for BMC traffic.

Use encryption-enabled IPMI, iDRAC or iLO management interfaces.

If IPMI is on a public network, restrict the BMC MAC address so that it has limited access on the local VLAN only.

Assign the BMC a non-routable IP address in an address range you will never use for anything else.
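The addressing and firewall rules above are easy to state and easy to drift from as nodes are added. The following is an added example (not Nutanix or OEM code) that audits a node inventory against those rules: every BMC must sit in the reserved private range, that range must not overlap any host LAN subnet, and the firewall must only admit the management servers inbound and only allow the reserved range outbound. The subnets, management server address and inventory are constructed sample values; the generated rules are nftables-style fragments meant for review before being applied on the management VLAN gateway.

```python
"""Audit BMC address allocation against the segmentation rules above.

Added example, not Nutanix or OEM code. All subnets, addresses and the
inventory below are constructed sample data; replace them with your own.
"""
import ipaddress

# Constructed policy: reserved, non-routable range holding BMCs and the
# management server(s) that are the only permitted inbound sources.
BMC_SUBNET = ipaddress.ip_network("10.250.0.0/24")
MANAGEMENT_SERVERS = [ipaddress.ip_address("10.250.0.10")]
# LAN subnets used by the managed hosts; these must not overlap BMC_SUBNET.
HOST_LAN_SUBNETS = [ipaddress.ip_network("10.20.0.0/22")]

# Constructed inventory: node -> (BMC address, host LAN address).
INVENTORY = {
    "node-01": ("10.250.0.21", "10.20.1.21"),
    "node-02": ("10.250.0.22", "10.20.1.22"),
    "node-03": ("10.20.1.23", "10.20.1.23"),  # BMC wrongly placed on the host LAN
    "node-04": ("192.0.2.8", "10.20.1.24"),   # BMC outside the reserved range
}


def audit_inventory(inventory, bmc_subnet=BMC_SUBNET, lan_subnets=HOST_LAN_SUBNETS):
    """Return a list of (node, problem) findings; an empty list means compliant."""
    findings = []
    # Policy-level checks: the reserved range itself must be private and disjoint
    # from every host LAN subnet.
    if not bmc_subnet.is_private:
        findings.append(("policy", f"reserved range {bmc_subnet} is not a private subnet"))
    for subnet in lan_subnets:
        if subnet.overlaps(bmc_subnet):
            findings.append(("policy", f"reserved range {bmc_subnet} overlaps host LAN {subnet}"))
    # Per-node checks: each BMC must be inside the reserved range and never
    # inside a host LAN subnet.
    for node, (bmc_ip, _lan_ip) in inventory.items():
        bmc = ipaddress.ip_address(bmc_ip)
        if not bmc.is_private:
            findings.append((node, f"BMC {bmc} is a routable public address"))
        if bmc not in bmc_subnet:
            findings.append((node, f"BMC {bmc} is outside the reserved range {bmc_subnet}"))
        if any(bmc in s for s in lan_subnets):
            findings.append((node, f"BMC {bmc} sits in a host LAN subnet"))
    return findings


def firewall_rules(bmc_subnet=BMC_SUBNET, mgmt=MANAGEMENT_SERVERS):
    """Generate nftables-style rule fragments implementing the rules above:
    inbound to BMCs only from management servers, outbound from the reserved
    range only to the reserved range (alerts stay inside it). Returned as text
    so it can be reviewed before being loaded on the gateway."""
    rules = []
    for server in mgmt:
        rules.append(f"ip saddr {server} ip daddr {bmc_subnet} accept")
    rules.append(f"ip daddr {bmc_subnet} drop")
    rules.append(f"ip saddr {bmc_subnet} ip daddr {bmc_subnet} accept")
    rules.append(f"ip saddr {bmc_subnet} drop")
    return rules


if __name__ == "__main__":
    for node, problem in audit_inventory(INVENTORY):
        print(f"{node}: {problem}")
    print("\n".join(firewall_rules()))
```

Run it against an exported inventory before each expansion; a clean audit plus the generated rule set is the evidence that the reserved range is still reserved.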

Read more: How To Reset / Change Nutanix IPMI Password

BMC Best Practice Configuration

Customize the BMC service ports as per best practice and your data center specifications, to prevent easy access to information on the BMC.
For example, you can configure the HTTP port to 57880 instead of 80.

Change the IPMI default password during installation and use strong passwords.

Create user policies and roles on the BMC.

Use the IP Access Policy to enable access rules to the BMC from management servers.

BMCs typically support several network services. Disable all unused services on the BMC.
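The BMC configuration rules above (non-default service ports, no default passwords, restrictive IP access policy, unused services disabled) can be checked mechanically. Below is an added example (not Nutanix or OEM code) that audits a BMC configuration document against them. The JSON shape, the service names, the allowed-service and port policy, the user records and the permitted source range are all constructed for this example and are not a real BMC export format. A remapped port such as 57880 keeps the service out of the way of casual discovery; the IP access policy and the firewall rules in the previous section are what actually limit who can reach it.

```python
"""Audit BMC service, port, user and IP-access settings against the rules above.

Added example, not Nutanix or OEM code. SAMPLE_BMC_CONFIG is a constructed
document in a JSON shape chosen for this example, not a vendor export format.
"""
import ipaddress
import json
import re

SAMPLE_BMC_CONFIG = json.loads("""
{
  "services": {
    "http":  {"enabled": true,  "port": 80},
    "https": {"enabled": true,  "port": 443},
    "ipmi":  {"enabled": true,  "port": 623},
    "ssh":   {"enabled": true,  "port": 22},
    "snmp":  {"enabled": true,  "port": 161},
    "vnc":   {"enabled": false, "port": 5900}
  },
  "users": [
    {"name": "ADMIN", "role": "administrator", "password": "ADMIN"},
    {"name": "ops",   "role": "operator",      "password": "Tq7#vmR2pLz9!wQe"}
  ],
  "ip_access_policy": ["0.0.0.0/0"]
}
""")

# Constructed policy: services a hardened BMC may expose, the web services
# whose well-known default ports should be remapped (e.g. HTTP 80 -> 57880),
# the source range an IP access policy entry must fall inside, and the
# minimum password length.
ALLOWED_SERVICES = {"http", "https", "ipmi", "ssh"}
REMAP_DEFAULT_PORTS = {"http": 80, "https": 443}
PERMITTED_SOURCES = [ipaddress.ip_network("10.250.0.0/24")]
MIN_PASSWORD_LEN = 14


def password_is_strong(password, username):
    """Length, at least three character classes, and not equal to the user name."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    hits = sum(1 for pattern in classes if re.search(pattern, password))
    return (len(password) >= MIN_PASSWORD_LEN
            and hits >= 3
            and password.lower() != username.lower())


def audit_bmc(config):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    for name, svc in config["services"].items():
        if not svc["enabled"]:
            continue
        if name not in ALLOWED_SERVICES:
            findings.append(f"service {name}: enabled but not needed; disable it")
        elif svc["port"] == REMAP_DEFAULT_PORTS.get(name):
            findings.append(f"service {name}: still on default port {svc['port']}")
    for user in config["users"]:
        if not password_is_strong(user["password"], user["name"]):
            findings.append(f"user {user['name']}: password does not meet policy")
    policy = [ipaddress.ip_network(cidr) for cidr in config["ip_access_policy"]]
    if not policy:
        findings.append("ip access policy: empty, every source can reach the BMC")
    for cidr in policy:
        # Each allowed source must be inside the management range.
        if not any(cidr.subnet_of(allowed) for allowed in PERMITTED_SOURCES):
            findings.append(f"ip access policy: {cidr} is wider than the management range")
    return findings


if __name__ == "__main__":
    for finding in audit_bmc(SAMPLE_BMC_CONFIG):
        print(finding)
```

The sample configuration deliberately fails on every rule so each check is visible; a hardened configuration (remapped web ports, SNMP disabled, the default account replaced, the access policy limited to the management server) audits clean.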

Read more: Top 10 Nutanix IPMI Commands Part 1

Additional measures

Monitor for unusual traffic between the BMC and other machines in the network.
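"Unusual" traffic follows directly from the network rules earlier in this post: a BMC should only be reached from the management server, should only talk to addresses inside the reserved range, and the management server should only touch the ports the BMC is expected to serve. The following added example (not Nutanix or OEM code) turns that into detection logic over flow records. The flow lines are constructed in a simple space-separated shape chosen for this example (timestamp, source, destination, protocol, destination port, bytes), not any vendor's flow format; the reserved range, management server address and expected port list are constructed as well.

```python
"""Flag unusual traffic involving BMC addresses in flow records.

Added example, not Nutanix or OEM code. SAMPLE_FLOWS uses a constructed
space-separated layout; the subnet, server and port policy are constructed too.
"""
import ipaddress
from collections import Counter

BMC_SUBNET = ipaddress.ip_network("10.250.0.0/24")       # reserved range (constructed)
MANAGEMENT_SERVERS = {ipaddress.ip_address("10.250.0.10")}  # lives inside the range
# Ports the management server is expected to use towards a BMC (constructed:
# IPMI-over-LAN, remapped HTTP/HTTPS, SSH).
EXPECTED_BMC_PORTS = {623, 57880, 57443, 22}

SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z 10.250.0.10 10.250.0.21 udp 623 512
2024-05-01T10:00:05Z 10.250.0.10 10.250.0.22 tcp 57443 9211
2024-05-01T10:01:12Z 10.20.1.40 10.250.0.21 tcp 57880 3410
2024-05-01T10:02:30Z 10.250.0.22 198.51.100.77 tcp 443 120044
2024-05-01T10:03:02Z 10.250.0.10 10.250.0.21 tcp 5900 8800
2024-05-01T10:04:44Z 10.250.0.21 10.250.0.10 udp 162 300
"""


def is_bmc(addr):
    """A BMC is any address in the reserved range that is not a management server."""
    return addr in BMC_SUBNET and addr not in MANAGEMENT_SERVERS


def parse_flow(line):
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": int(dport), "bytes": int(nbytes)}


def classify(flow):
    """Return a reason string if the flow violates the BMC traffic policy, else None."""
    src, dst = flow["src"], flow["dst"]
    if is_bmc(dst) and src not in MANAGEMENT_SERVERS:
        # Covers hosts on the LAN as well as BMC-to-BMC traffic.
        return "inbound to BMC from a non-management source"
    if is_bmc(src) and dst not in BMC_SUBNET:
        # Alerts and traps to the management server stay inside the range and pass.
        return "outbound from BMC to an address outside the reserved range"
    if is_bmc(dst) and src in MANAGEMENT_SERVERS and flow["dport"] not in EXPECTED_BMC_PORTS:
        return "management server reaching an unexpected BMC port"
    return None


def detect(flow_text):
    """Return a list of (timestamp, src, dst, dport, reason) alerts in input order."""
    alerts = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            alerts.append((flow["ts"], str(flow["src"]), str(flow["dst"]), flow["dport"], reason))
    return alerts


def summarize(alerts):
    """Count alerts per reason, handy for a daily report."""
    return Counter(reason for *_, reason in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_FLOWS)
    for alert in found:
        print(alert)
    print(dict(summarize(found)))
```

Feed it the flow export from the management VLAN gateway; any alert is a direct violation of the segmentation rules above, so the list should normally be empty.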

Pay attention to firmware release notes (especially related to security fixes) and plan upgrades of the firmware during maintenance cycles.

Follow the manufacturer's recommendations for sanitizing passwords on the BMC chip-set after replacement (flash memory at end of life), or destroy the flash chip, motherboard or other areas where the IPMI password may be stored.

Nutanix BMC Firmware Upgrade

Nutanix releases BMC firmware for supported OEMs (the firmware is provided by the OEMs to Nutanix) for deployment through the Life Cycle Management (LCM) framework, which upgrades the BMC firmware across the Nutanix cluster without any interruption or downtime.

Read more: How Nutanix LCM Framework Works?

Conclusion

Nutanix and Nutanix's OEM partners share almost the same security rules, as described in this post. It is recommended to follow these rules to secure your hardware management network based on the BMC chip-set and its interfaces, i.e. IPMI, iDRAC, iLO, IMM, ILOM and iRMC, as per best practice.
