BMC's (or the equivalent for whatever vendor you are using) should never be exposed to the internet- they shouldn't even be on the same network as the rest of the server. Generally speaking I put them on a completely separate network that has to be VPN'd into explicitly. Having BMC access is as close to having physical access as you can get without actually touching the machine.
Better said than practiced. I recently bought a Supermicro MBD-M11SDV-8CT-LN4F-O (AMD EPYC 3201 SoC). There are 5 NICs--4 Intel and 1 Realtek. The Realtek is set of by itself and obviously dedicated to the BMC controller.
However, reading around I learned that if the controller doesn't succeed in getting a DHCP address on the Realtek interface (unplugged, or apparently in Supermicro's case just a failed DHCP server), it will automatically switch to sharing the first Intel NIC.
You can disable it in the BIOS, but I've had problems in the past where I thought I disabled IPMI on the LAN but either didn't do it correctly or it reverted itself. It doesn't help that there are a ton of ambiguously named, poorly documented options.
To be on the safe side I've plugged both the Realtek and #1 Intel jack. I usually prefer to use the RS-232 serial port for management as it's more fool-proof, but unfortunately this MB doesn't have one. I could install one, but it doesn't make me any more confident that the BMC isn't (now or in the future) on the network.
I understand how useful these BMCs can be, especially for Windows machines, but they're so extremely dangerous. It sucks that they're so ubiquitous, and it sucks that SuperMicro's BMC seems to be the worst of them all in terms of security and bugginess. Unfortunately, a SuperMicro motherboard and case is the only way to get a low-power AMD EPYC server into a small, 1U, short-depth form factor. There are a few more options for Intel, but SuperMicro is still your best bet for do-it-yourself server hardware.
I really love my three PC Engines APUs. Simple serial connection, coreboot firmware, and other than AMD's PSP chip and perhaps the Intel NIC controller, no hidden vectors for remote access. And it has an RS-232 serial port, which because there's no GPU (or at least no video port) both the BIOS and most BSD and Linux distros will automatically use by default.
It'd be awesome if PC Engines built something using EPYC or even Ryzen, stripping everything down like they did for the APU and ALIX. But their niche is low-powered, passively cooled x86 devices using older, more reliable, cheaper, well-documented SoCs. Soekris tried to go upmarket with the net6501 and ended up folding. (They still sell custom DAC hardware from their EU outfit.) There's not enough of a market to make it worthwhile to take the risk. Lots of people love the idea in theory, but what people end up doing is sticking with traditional server suppliers, or in the home, hobbyist, and small business market just buying one of the many faster small form factor boxes that have flooded the market. The problem with those alternatives is that the boards are packed with too much crap, they're too diverse, and every model and family of models short-lived.
In tiny deployments, use a cheap dumb gigabit switch to connect up all the BMCs to your firewall. Give them a separate DHCP assigned subnet and allow access to it only from your management machine.
In larger deployments, you should have separate management networks anyway.
It's not that SuperMicro has the worst BMC. It's that all BMCs/IPMI/iLO/iDRAC are terrible at security, so you need to treat them just like console ports,
I think the large problem alluded to (if true), is that if DHCP fails it may switch which NIC it shares with as well. That problematic for many reasons, and many of them are still problems if you separate it to a different network.
You generally don't expect a DHCP server going down somewhere, possibly in a side-network where it may not be noticed, to cause a management system to open up on a server's publicly connected NIC when it reboots (man, I hope it requires a reboot!). That renders all your careful segregation of your control network completely useless with one service failure and a reboot. Sucks to be you if that DHCP server is on the same circuit as some other servers and they all power cycle at once, because I bet the BMC tries to DHCP an address before the DHCP server boots entirely.
To me, it seems like a very poor default behavior. I can see the benefit if you know what you're doing and want to enable it though.
Good luck with that, on many devices the BMC gets silently bridged onto the lan ports even if you make a significant effort to prevent it.
Even where you think you have it isolated and have tested, you may later find yourself thwarted when an unoverridable bridge gets triggered any time the dedicated BMC port's link is down.
> Good luck with that, on many devices the BMC gets silently bridged onto the lan ports even if you make a significant effort to prevent it.
I don't think that's true.
I can't speak for all devices, but I've worked with a lot of Dell and SuperMicro servers and they all have an option in the BIOS for this. You specify if the BMC should operate on it's own dedicated network port or share the network port used for primary network uplink.
From the network traffic logs I've gathered, I've never seen any indication of the BMC interfering with the primary LAN ports when the BMC is set to use the dedicated LAN port. Additionally, the BMC doesn't revert back to the shared port if the link is broken on the dedicated port -- the BIOS setting prevents that.
At my company we've configured all of the BMCs to use the dedicated LAN port, those LAN ports are connected to physically separate top of cabinet switches, and those switches are linked to a fully independent core router with it's own independent uplink to the internet. The BMCs are only assigned private network IPs and can only be accessed by outside users through a VPN. This is all very standard practice for the hosting industry.
> I can't speak for all devices, but I've worked with a lot of Dell and SuperMicro servers and they all have an option in the BIOS for this. You specify if the BMC should operate on it's own dedicated network port or share the network port used for primary network uplink.
They do, but on the three supermicro board types I have here, simply doing that but then leaving the BMC port disconnected results in them bridging onto the lan anyways. They obey the setting but only so long as a link is up on the BMC port.
Not when you've gone into the BIOS and configured the BMC to only operate on it's dedicated port.
I'm responsible for netsec at my company and I've never seen any indication of the BMC network activity on primary network ports after I've configured the BMC in BIOS to use it's dedicated network port.
For example your server might have 3 network ports, one is a dedicated BMC, but if it's not populated it will bridge to one of the other two, so basically you only have 1 port that is safe to use.
While this is a good best practice, most current BMCs treat the host as trusted, so if BMCs assume the management network it's trusted, you've just provided a path to pwn every machine on your network if only one of them is compromised. So while that's of course a good best practice, it isn't the be-all-end-all of C security (The same point was made during the presentation on this vulnerability at OSFC this morning).
There's a major, major hosting company whose server IPMIs all had an internet IP and used a default password for an unreasonably long time. I'm honestly not sure how this company is still around.
Can you please name and shame, or at least link to a news article about this?
I'm going to be a little blunt, but the pattern of "there's a well-known company that's done something bad, you probably use their products, but I can't tell you what company because [I don't want to be deposed in a libel lawsuit / I want to feel intellectually superior]" is really long in the tooth, and doesn't add value to the discussion other than to pique everyone's paranoia.
Eh, screw it. It was Rackspace. I worked there, and was told this by a senior member of the infrastructure staff in a one on one. It was was fixed before I got there. They still have similarly bad security flubs.
Last time I looked OVH allowed IPMI access to their servers from the internet. You click a button and it gives you a JNLP which gets you remote console, keyboard/mouse and media.
The OVH IPMI access is pretty cool - needs to be initiated from the web console, no longer requires JNLP, just straight browser access and the web console supports three different two factor authentication methods.
My only regret is that it took us so long to discover and switch to OVH - there are a few wrinkles but it’s such fantastic value compared with colo, let alone AWS/GCP/azure
