HP Integrated Lights-Out Security, 7th edition

We recommend that you keep iLO management traffic on a separate management network and grant access only to administrators. This improves performance by reducing the traffic load across the main network and defends against security attacks.
Figure 13. Linkages of the iLO processor to the network and host server
NOTE: iLO 3 does not use telnet.
Web browser
The browser encrypts the data stream using 128-bit SSL to provide privacy and integrity. iLO accepts digital certificates, so users can import certificates from a guaranteed certificate authority to prevent anyone from placing a Trojan horse server on the network. Administrators can change the default port location for the web browser. Finally, user access privileges and the strong authentication process restrict access to iLO through the web browser.
Telnet, remote console, and virtual serial port (iLO v1.30 and iLO 2 only)
Because telnet is not an inherently secure protocol, administrators may be reluctant to use it. This section describes iLO support for secure telnet access. The remote console and virtual serial port functions use the standard telnet port to connect to iLO. Although telnet itself is not encrypted, invoking the remote console applet enables encryption. This forces iLO to connect using the remote console applet rather than a standard telnet session for a text-based console session. iLO maintains exclusive control over the port.
You can configure the telnet port to allow only the remote console and virtual serial port functions―the “automatic” setting for port 23. This means that iLO disables the port except when it senses the remote console or virtual serial port applets starting. iLO refuses any other connection attempt to port 23, so the server will be inaccessible through a standard telnet application.
A standard telnet application can connect to the server in two ways. The first occurs after the user clicks on the remote console or virtual serial port but before the applet connects to iLO. If you enable encryption, iLO will close the connection as soon as it realizes the client has not sent valid information to begin the encrypted communication. The second way is if a client terminates abnormally: iLO will not close the socket until it realizes that no keep-alive signal has arrived during the specified one-minute interval.
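The port-23 behaviour described above (port closed unless an applet is starting, clients that never begin the encrypted session dropped, and clients whose keep-alive stops for one minute dropped) can be modelled as a small state machine. The following is an added illustration, not HP code and not how the iLO firmware is implemented; the mode names, the `APPLET_HELLO` token standing in for the applet's session start, and the class and method names are assumptions made for the example. The one-minute keep-alive interval is the value stated in the paper.

```python
"""Model of the iLO port-23 "automatic" setting (added example, not HP code)."""
from dataclasses import dataclass, field

KEEPALIVE_INTERVAL = 60.0          # seconds; the paper states a one-minute interval
APPLET_HELLO = b"ILO-CONSOLE-HELLO"  # constructed stand-in for the applet's encrypted-session start


@dataclass
class Session:
    client: str
    last_keepalive: float
    handshake_done: bool = False


@dataclass
class TelnetPortGate:
    mode: str = "automatic"          # assumed names: "automatic", "enabled", "disabled"
    encryption_required: bool = True  # the paper's "if you enable encryption"
    applet_starting: bool = False     # true while a remote console / VSP applet launches
    sessions: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def connect(self, client, now):
        """Accept a TCP connection on port 23 only when the mode allows it."""
        if self.mode == "disabled" or (self.mode == "automatic" and not self.applet_starting):
            self.log.append(f"{now:.0f}s refused {client}: port 23 closed")
            return False
        self.sessions[client] = Session(client, now)
        self.log.append(f"{now:.0f}s accepted {client}")
        return True

    def receive(self, client, data, now):
        """First bytes must start the encrypted session; later bytes count as keep-alives."""
        s = self.sessions.get(client)
        if s is None:
            return False
        if not s.handshake_done:
            if self.encryption_required and data != APPLET_HELLO:
                self.drop(client, now, "no encrypted-session start")
                return False
            s.handshake_done = True
        s.last_keepalive = now
        return True

    def tick(self, now):
        """Close any socket whose keep-alive has been silent for more than one minute."""
        for client, s in list(self.sessions.items()):
            if now - s.last_keepalive > KEEPALIVE_INTERVAL:
                self.drop(client, now, "keep-alive missing for one minute")

    def drop(self, client, now, reason):
        del self.sessions[client]
        self.log.append(f"{now:.0f}s closed {client}: {reason}")


def scenario():
    """Walk through the cases the paper describes with constructed timings."""
    gate = TelnetPortGate()
    # 1. Raw telnet while no applet is starting: refused outright.
    gate.connect("telnet-a", 0.0)
    # 2. Applet is starting; a raw telnet client gets in first and sends
    #    ordinary telnet option negotiation instead of the session start.
    gate.applet_starting = True
    gate.connect("telnet-b", 1.0)
    gate.receive("telnet-b", b"\xff\xfd\x18", 1.0)
    # 3. The applet itself connects and begins the encrypted session.
    gate.connect("applet", 2.0)
    gate.receive("applet", APPLET_HELLO, 2.0)
    gate.applet_starting = False
    # 4. One keep-alive arrives, then the client dies without closing the socket.
    gate.receive("applet", b"KA", 30.0)
    gate.tick(60.0)   # 30 s since the last keep-alive: still open
    gate.tick(95.0)   # 65 s: closed
    return gate


if __name__ == "__main__":
    for line in scenario().log:
        print(line)
```

Running the module prints the event log for the four cases; the abnormal-termination case shows why a dead client can hold the socket for up to a minute before iLO reclaims it.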