HP Integrated Lights-Out Security, 7th edition

ManualsBrandsHP ManualsSoftwareInsight Software

HP Integrated Lights-Out security

Technology brief, 7

Edition

Introduction ......................................................................................................................................... 2

Protected access to iLO and sensitive information .................................................................................... 2

iLO resistance against phlashing ........................................................................................................ 2

Security keys ................................................................................................................................... 3

Physical security ............................................................................................................................... 3

Security in hardware design.................................................................................................................. 4

Management ROM .......................................................................................................................... 4

Firewall logic ................................................................................................................................... 5

Memory .......................................................................................................................................... 5

Non-volatile data storage .................................................................................................................. 5

Network and management ports ........................................................................................................ 6

Security techniques used by iLO ............................................................................................................ 7

Authentication and authorization processes for browser access ............................................................. 7

Authentication and authorization processes for CLI access .................................................................. 18

Authentication process for IPMI-Over-LAN access ............................................................................... 19

Encryption ..................................................................................................................................... 19

Disabling and changing ports .......................................................................................................... 21

Connectivity between iLO, the server, and the network ........................................................................... 22

Network access to iLO .................................................................................................................... 22

Physical access to iLO .................................................................................................................... 25

Access to the server from iLO .......................................................................................................... 25

iLO software on server using the PCI bus ........................................................................................... 25

IT infrastructure security considerations ................................................................................................. 26

Operating iLO servers in the DMZ .................................................................................................... 26

Communication between iLO and server blades ................................................................................ 28

Security audits ............................................................................................................................... 28

General security recommendations ...................................................................................................... 29

Conclusion ........................................................................................................................................ 29

Appendix: SSH-2 support ................................................................................................................... 30

For more information .......................................................................................................................... 32

Call to action .................................................................................................................................... 32

Summary of content (32 pages)

PAGE 1
HP Integrated Lights-Out security Technology brief, 7th Edition Introduction ......................................................................................................................................... 2 Protected access to iLO and sensitive information .................................................................................... 2 iLO resistance against phlashing ........................................................................................................ 2 Security keys ..
PAGE 2
Introduction HP Integrated Lights-Out (iLO) has been widely accepted as the standard for remotely managing the servers in data centers. Most HP ProLiant and Integrity servers include an autonomous iLO management processor on the system board. The iLO processor and firmware let you securely configure and monitor a server locally or remotely over a management network. This brief addresses a key concern of data center management: security.
PAGE 3
iLO 2 and iLO 3 systems check the digital signature before allowing a firmware update to proceed. Remote flashing requires login authentication and authorization, including optional two-factor authentication. • Unencrypted ports – iLO clearly defines the port encryption status. You can disable access to any non-encrypted ports (such as telnet). Access to iLO requires a password (or an optional trusted certificate for iLO 2), unless you decide to disable the password. NOTE iLO 3 does not support telnet.
PAGE 4
• Reprogram the iLO ROM • Reprogram the boot block Security in hardware design iLO includes a 32-bit, PCI-based ASIC that contains a RISC processor core with separate instruction and data caches, a memory controller, SDRAM, NVRAM, management ROM, and NIC (Figure 1). Figure 1.
PAGE 5
During a firmware flash process, the iLO boot block performs the following steps to validate a new flash image: 1. The flash routine analyzes the incoming data stream, looking for a viable image. 2. If viable, iLO flashes the image into the Management ROM at the next available address. Normally, the iLO boot block finds the main image first, and iLO flashes it into the area just past the boot block. The flash process continues until iLO detects no more viable images in the incoming data stream.
PAGE 6
Network and management ports iLO’s firewall and bridge logic prevent any connection between the iLO management port and the server Ethernet port (Figure 1). Even by using the shared network port (SNP), iLO cannot bridge traffic between its 10/100 Ethernet port and the server Ethernet port. Therefore, attacks on the server network cannot compromise iLO and vice-versa. Shared network port Most G4 and later ProLiant ML and DL servers with iLO support SNP.
PAGE 7
Security techniques used by iLO Enabling a secure system requires trust that a specific person, computer, or device seeking access has the required authentication and level of authorization. The following sections identify the three essential iLO techniques that you can use to verify trust: • Authentication and authorization • Encryption • Disabling ports and changing port locations Every function of iLO builds on one or more of these techniques.
PAGE 8
LO imposes delays after failed login attempts (Table 1). iLO displays an information page during each delay. The delays will continue until you complete a valid login. This feature assists in defending against possible dictionary attacks against the browser login port. iLO saves a detailed log entry for failed login attempts. Table 1.
PAGE 9
Figure 4. Flowchart showing how the browser generates the login cookie used for authentication (iLO and iLO 2) The cookie is stored in the memory of the client machine while you have the browser session open. Any open browser session may preserve a cookie, including a “spawned” browser session such as the remote console window. The client browser never writes the cookie to its disk drive. Only the client session that generated the cookie can access it.
PAGE 10
Figure 5.
PAGE 11
Login process using directory services with HP schema extensions You can enable directory services to authenticate users and authorize user privileges for groups of iLO management processors. iLO directory services uses the industry-standard Lightweight Directory Access Protocol (LDAP/LDAPS). HP layers LDAP on top of SSL to transmit the directory services information securely to the directory servers. Figure 6 shows the steps for the login process using directory services. Figure 6.
PAGE 12
The username and password information in the cookie are enough for authentication and authorization using the local account database or using the directory with HP schema. Using IADsNameTranslate lets you login using NetBIOS format (domain\username) or email format. See the previous Authentication and authorization sections with local accounts for information about using SSL, session keys, and cookies.
PAGE 13
Login process using two-factor authentication with Microsoft Internet Explorer (iLO 2 v1.80 only) iLO 2 v1.80 provides an authentication scheme supporting only Microsoft® Internet Explorer. This authentication scheme involves using two factors of authentication: • Something the user knows—a password or PIN. • Something the user possesses—the private key for his digital certificate. Users can store their digital certificates and private keys wherever they choose, such as on smart cards and USB keys.
PAGE 14
Figure 8. Two-factor authentication dialogue between the client and iLO, and between iLO and the directory server Login process for remote console and virtual serial port with iLO and iLO 2 The iLO remote console server monitors the remote console port for connections from the remote console, virtual serial port applets, and possibly telnet. Initiating a remote console session involves the following steps (illustrated in Figure 9): 1.
PAGE 15
3. iLO sends a secure one-time login token to the second browser window. The token contains base-64 encoded hash values of a random secret key and a random session key. iLO sends this token securely over SSL so a LAN sniffer cannot capture it. 4. The Java applet in the second browser window (using base-64) decodes the information within the token. 5. The Java applet passes the decoded information back to the remote console applet as the username and password. 6.
PAGE 16
Figure 10. Process that iLO uses to create the one-time login token for Java applet login The result is that the applet passes the web server session ID as username and the ASCII hash as password to iLO. If iLO detects a match with the original 40-character random secret stored in firmware, iLO allows the login and matches the connection credentials with those stored in the session. Comparing the password with the stored secret destroys the secret.
PAGE 17
Single Sign-On iLO v1.90, iLO 2 and iLO 3 support Systems Insight Manager (SIM) Single Sign-On (SSO). SIM SSO allows direct access to iLO through HP SIM without requiring an extra iLO login step. The user’s HP SIM role determines the user’s iLO rights. iLO 2 will trust SIM and users authenticated by SIM. The SIM SSO implementation uses a trusted certificate model for iLO to allow authentication to users from within the SIM framework. Adding the BladeSystem Integrated Manager 2.
PAGE 18
Figure 11. Process for HP SIM Single Sign-On to iLO Authentication and authorization processes for CLI access The iLO command-line interface (CLI) is an alternate method to access critical iLO functions such as the virtual power, text-based remote console, and virtual serial port. The iLO CLI uses the industrystandard SSH protocol to encrypt the data stream and all keystrokes sent between iLO and the client.
PAGE 19
minutes. During this time, iLO response to other functionality is slow and the iLO status page displays a message indicating that key generation is in progress. 2. The iLO processor listens for a request on the SSH port. When it gets a request, it starts a protocol negotiation task for exchanging the public and private keys during the SSH protocol negotiation. 3. The protocol negotiation task completes the key exchange. 4.
PAGE 20
AES encryption iLO 2 v1.30 and iLO 3 can restrict ciphers to AES/3DES using browser settings (through the Global Settings page), XML scripting, or SM CLI. The following is a complete list of communication operations that can employ AES encryption: • Web browser (UI) – The current Mozilla browser, Firefox 2, supports AES Encryption. Internet Explorer 7 is the first Microsoft browser that supports AES encryption. • LOCFG/XML –A command line switch that lets you select AES encryption and the cipher strength.
PAGE 21
Figure 12. Remote console and virtual serial port encryption process Every 3 minutes the server will combine the pre-master secrets with the generated 128-bit keys to create new 128-bit keys. It uses these new keys to create a new set of RC4 data. The server sends a signal to the client indicating that it has generated the new RC4 data and will begin communication using the new cipher. The client performs the same operation when it sees the signal.
PAGE 22
You can also selectively disable the services you do not need in your environment. Table 2 lists default port locations and indicates port status. Table 2. Default port locations for iLO Port No.
PAGE 23
We recommend that you keep iLO management traffic on a separate management network and grant access only to administrators. This improves performance by reducing the traffic load across the main network and defends against security attacks. Figure 13. Linkages of the iLO processor to the network and host server NOTE: iLO 3 does not use telnet. Web browser The browser encrypts the data stream using 128-bit SSL to provide privacy and integrity.
PAGE 24
You can change the telnet port number to any unused port number or disable the telnet port entirely. When the remote console port is in the “Disabled” mode, no application can connect to port 23. Finally, the strong authentication and authorization processes of the remote console and virtual serial port applets reduce any potential security risk for telnet port across the network. Multi-user Integrated Remote Console iLO v1.90, iLO 2 v1.30, and iLO 3 offer IRC as an iLO Advanced and iLO Select feature.
PAGE 25
HP Systems Insight Manager HP SIM checks for an iLO presence by starting an HTTP session. Tight integration between iLO and SIM means that you can use HP Insight Management software to get server serial numbers, iLO status and serial numbers, and hardware/firmware revision data.
PAGE 26
HPONCFG The HPONCFG utility is a server-based service that can configure iLO using XML scripts. Because it is server-based, the iLO firmware ignores login credentials and assumes that the user has the rights to configure iLO. HPONCFG reduces this potential security risk by requiring a root login in Linux operating systems or administrator login in Windows operating systems to access the utility.
PAGE 27
Figure 14. Example configuration of a DMZ Internet iLO can create a separate, secondary network (iLO Net in Figure 14) parallel to the primary or production network. This dual-network architecture segregates management traffic from production network traffic. It allows system-wide server management activities, including servers inside the DMZ, while maintaining maximum security by limiting access to the production network. Figure 14 shows a packet-filtering router that acts as an initial line of defense.
PAGE 28
completely isolated from the network ports on the server. Even if the DMZ network were compromised, the iLO network would remain secure. This lets you use iLO on servers located in the DMZ or in the internal network without compromising sensitive data. Administrators create this separation by using a dedicated NIC or the SNP with its VLAN (see the section “SNP for select ProLiant servers”).
PAGE 29
General security recommendations We recommend that you observe the following security practices: • Use a separate management network. We recommend that you establish a private management network separate from your data network and that only administrators have access to that management network. • Do not connect iLO directly to the Internet. The iLO processor is a management and administration tool, not an Internet gateway. Connect to the Internet using a corporate VPN that provides firewall protection.
PAGE 30
Appendix: SSH-2 support Table A-1.
PAGE 31
Table A-1.
PAGE 32
For more information Resource description Web address Integrated Lights-Out home page www.hp.com/go/ilo Industry-standard servers technology papers www.hp.com/servers/technology Integrated Lights-Out Documentation http://h18004.www1.hp.com/products/servers/management/ilo/do cumentation.