Manualshelf

HP Integrated Lights-Out Security, 7th edition

ManualsBrandsHP ManualsSoftwareInsight Software
12345678910
2
Introduction
HP Integrated Lights-Out (iLO) has been widely accepted as the standard for remotely managing the
servers in data centers. Most HP ProLiant and Integrity servers include an autonomous iLO
management processor on the system board. The iLO processor and firmware let you securely
configure and monitor a server locally or remotely over a management network.
This brief addresses a key concern of data center management: security. iLO ensures that your server
hardware, firmware, communication interfaces, and deployment capabilities are secure. This brief
describes the utilities and services providing access points into iLO or its host system. It also describes
how iLO’s design protects against access risks.
This brief covers the following versions:
iLO 3 v1.0 and 1.05
iLO 2 v1.60
iLO v1.91
It does not apply to the LO-100 processors in ProLiant 100-series servers.
Protected access to iLO and sensitive information
The iLO user interface includes multi-layer security: authentication, authorization, data integrity, and
privacy.
iLO firmware is digitally signed with a private key. Unauthorized code, including anti-virus software,
may not be allowed to execute.
Authentication determines who is at the other end of the network connection. iLO authenticates users
with 128-bit Secure Socket Layer (SSL) encryption.
Authorization determines whether the user attempting to perform a specific action has the right to do
it. Using local accounts, you can define up to 12 separate iLO users and vary their server access
rights. Using directory services, you maintain network user accounts and security policies in a central,
scalable database that supports thousands of users and system management roles.
Data integrity verifies that no one has altered incoming commands or data. iLO uses digital signatures
and trusted Java™ and ActiveX applets (used by the Integrated Remote Console) to verify data
integrity.
Privacy refers to confidentiality of sensitive data and transactions. iLO protects privacy through the
128-bit SSL encryption of web pages and the RC4 encryption of remote console and virtual serial port
data.
The following sections describe the protection schemes iLO uses to guard against unauthorized access
such as phlashing and other attacks.
iLO resistance against phlashing
Phlashing is a permanent denial of service attack (PDOS). PDOS attacks could theoretically take
advantage of vulnerabilities during updates of network-based firmware. Rogue firmware installed
through a PDOS attack could lead to unauthorized server access or permanent hardware damage.
iLO is not at risk from these vulnerabilities because it offers protection against the following risks:
Attacks during flash updates iLO firmware images are digitally signed with a 1024-bit RSA
public/private key. The boot block checks the digital signature every time iLO comes out of reset.