Connectivity among iLO, the host server, and the network
Thus far, this paper has explained the techniques that iLO uses to ensure secure communications. To
better understand potential security risks in their environments, administrators may also want to be
aware of the points of access to and from iLO, the host server, and the client. The following sections
briefly describe how the iLO design or its configuration mitigates those risks.
Access to iLO by means of the network
As shown in Figure 14, several utilities have access to the iLO processor through the network: the web
browser, Telnet connection, SSH connection, the CPQLOCFG utility [8], directory services, the Lights-Out
Migration Utility (for directory services), SNMP, and Systems Insight Manager or Insight Manager 7.
HP generally recommends that iLO management traffic reside on a separate management network
and that only administrators be granted access to that network. This not only improves performance
by reducing traffic load across the main network but also acts as the first line of defense against
security attacks. A separate network allows administrators to physically control which workstations are
connected to the network.
Figure 14. The iLO processor relative to the network and host server
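One way to check that the separate management network recommended above is actually holding: the following added example (not part of the HP brief) audits flow records for any traffic that reaches an iLO address from outside the management network. The subnet, iLO addresses, flow-record format and port table are assumptions made for illustration; the ports are the standard well-known ones, and the web port may have been changed by an administrator.

```python
import ipaddress

# Assumed values for illustration; substitute the site's own addressing.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")   # dedicated management network
ILO_ADDRS = {ipaddress.ip_address(a) for a in ("10.20.0.11", "10.20.0.12")}
# Access paths named in the text, keyed by well-known (protocol, port); assumed defaults.
SERVICES = {("tcp", 443): "web browser (SSL)", ("tcp", 23): "Telnet",
            ("tcp", 22): "SSH", ("udp", 161): "SNMP"}

# Constructed flow records, one per line: "src dst proto dport"
SAMPLE_FLOWS = """\
10.20.0.5 10.20.0.11 tcp 443
192.168.7.40 10.20.0.11 tcp 23
10.20.0.5 10.20.0.12 tcp 22
172.16.3.9 10.20.0.12 udp 161
192.168.7.40 10.20.0.50 tcp 443
192.168.7.40 10.20.0.12 tcp 8443
not a flow record
"""

def audit_flows(text):
    """Return (findings, skipped): flows into an iLO from outside MGMT_NET,
    and the count of lines that could not be parsed."""
    findings, skipped = [], 0
    for line in text.splitlines():
        parts = line.split()
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            proto, dport = parts[2].lower(), int(parts[3])
        except (IndexError, ValueError):
            skipped += 1          # malformed record: count it, do not guess
            continue
        if dst not in ILO_ADDRS or src in MGMT_NET:
            continue              # not an iLO, or an expected management source
        # Unlisted ports are still reported: the web port can be reconfigured.
        service = SERVICES.get((proto, dport), f"{proto}/{dport} (unlisted port)")
        findings.append((str(src), str(dst), service))
    return findings, skipped

if __name__ == "__main__":
    hits, bad = audit_flows(SAMPLE_FLOWS)
    for src, dst, service in hits:
        print(f"outside management network: {src} -> {dst} via {service}")
    print(f"{bad} unparsable line(s) skipped")
```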
Web browser
The browser encrypts the data stream using 128-bit SSL to provide privacy and integrity. The iLO
device accepts digital certificates, so users can import certificates from a guaranteed certificate
authority to prevent someone from placing a Trojan horse server on the network. Administrators can
change the default port location for the web browser. Finally, access to the iLO device is restricted
through the web browser by the user access privileges and the strong authentication process.
[8] The CPQLOCFG utility allows users to configure iLO devices. It is a Windows-based utility that sends RIBCL
(XML) script files to iLO using a secure connection over the network.