Abstract

HP Integrated Lights-Out (iLO) is the autonomous management processor that resides on the system board of ProLiant and Integrity host servers. HP built security features into iLO using multiple layers that encompass the hardware, firmware, communication interfaces, and deployment capabilities. The intent of this technology brief is to inform readers about the design of iLO itself and how it ensures security. This paper describes the mechanisms that iLO uses to ensure authorization, authentication, privacy, and data integrity. Also described here are the utilities or services providing access points into iLO or its host system, and how the iLO design mitigates access risks. A brief summary of specific security recommendations can be found at the end of the paper.

The intended audience for this paper is engineers and system administrators familiar with Lights-Out technology. The iLO security features described in this paper reflect the release of iLO 2 v1.60 and iLO v1.91. This document supports both iLO devices; however, certain functions described herein may only be supported on one and not the other. A designation of “iLO only” or “iLO 2 only” indicates that the function is exclusive to that device. iLO firmware is backward-compatible. For example, the latest versions of iLO 2 firmware support any iLO 2 processor. For consistency and best feature support, HP recommends using the latest version of iLO 2. If no designation is present, then the function is supported on both devices. The paper is not applicable to the LO-100 processors found in ProLiant 100-series servers.

Additional information about the iLO processor and feature sets for particular iLO 2 and iLO products is available on the HP website at www.hp.com/go/iLO. A glossary in the appendix includes some common computing acronyms not defined in the text.

Introduction

Information technology (IT) administrators must plan for security across the IT infrastructure. Because Integrated Lights-Out (iLO) management processors have such powerful capabilities to modify a computer setup, it is important to have strong security surrounding the iLO device. HP carefully considered security requirements of the enterprise and designed iLO to include authentication, authorization, data integrity, and privacy.

Authentication is determining who is at the other end of the network connection. The iLO processor incorporates authentication techniques through 128-bit Secure Sockets Layer (SSL) encryption.

Authorization refers to determining whether the user attempting to perform a specific action has the right to perform that action. Using local accounts, the iLO processor offers administrators the ability to define up to 12 separate users and to vary the server access rights of each. The directory services capabilities of iLO allow administrators to maintain network user accounts and security policies in a central, scalable database that supports thousands of users, devices, and management roles.

Data integrity refers to verifying that no one has altered incoming commands or data. The iLO processor incorporates digital signatures and trusted Java™ and ActiveX applets (used by the Integrated Remote Console) to verify the integrity of data.

Privacy refers to confidentiality of sensitive data and transactions. Examples of the privacy protection used in iLO are the 128-bit SSL encryption of web pages and the RC4 encryption of remote console and virtual serial port data.


Contents AB500A - Integrated Lights-Out Advanced

Page 1: ...cess using directory services with HP schema extensions 13; Login process using directory services with HP default schema 14; Calculating current privileges 15; Login process using two-factor authentication 16; Login process for remote console and virtual serial port 18; Single Sign-On (SSO) 20; Authentication and authorization processes for CLI access 23; Encryption 23; Secure Sockets Layer (SSL) 24; AES encr...

Page 2: ...PONCFG 30; CPQLODOS 31; Terminal services 31; Specific IT infrastructure concerns 31; Operating iLO servers in the DMZ 31; Lights-Out Management Integration with Rapid Deployment Pack 33; Communication between iLO and server blades 33; Security Audits 34; General security recommendations 34; Conclusion 34; Appendix A: Digital certificates 36; Appendix B: SSH-2 support 38; Appendix C: LDAP/LDAPS definitions 40; Ap...

Page 4: ...iLO processor automatically enforces generation of new, unique, and site-specific keys used by SSL once a customer deploys the server. HP cannot determine these site-specific keys. The iLO management processor does not transmit these keys or any other information to HP from a customer location. Comparing the iLO processor to other service processors: The iLO management processor and feature set have be...

Page 5: ...failures as well as successful access to the device. SSH access and failed attempts alike are logged. Using the SSH key mode of authentication makes brute-force attacks even less likely to be successful. And iLO offers 2-factor authentication, which provides an additional layer of security. No awareness of attacks in progress: iLO captures all login activity, successful or not. Additionally, iLO implement...

Page 6: ...k searches memory for a viable image that contains a recognizable header. If a viable image is found, the iLO boot block decrypts the signed SHA1 hash using the RSA public key. The boot block then computes the SHA1 hash over the entire image. If the two SHA1 hashes are equivalent, the image is valid and the boot block passes control to the iLO main image to begin executing. During the firmware flash pro...
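The boot-block check described on page 6 (locate a recognizable header, recover the signed SHA-1 value with the RSA public key, hash the image, accept only on a match), as an added illustration that is not HP's code: the header layout, the toy RSA key built from two Mersenne primes, and the sample image are all constructed here, and the hashed region is the image body that follows the header.

```python
import hashlib
import struct

MAGIC = b"FWIMG1"   # constructed header tag; not HP's real image format
E = 65537           # public exponent of the constructed toy RSA key


def make_keypair():
    """Constructed toy RSA key from two Mersenne primes (demo only; never use
    such a key in practice). The modulus must exceed any 160-bit SHA-1 value."""
    p, q = (1 << 127) - 1, (1 << 107) - 1
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)      # (public, private)


def build_image(body, priv):
    """Signer side: header, body length, signature length, the RSA-signed
    SHA-1 of the body (textbook RSA, no padding: demo only), then the body."""
    d, n = priv
    digest = int.from_bytes(hashlib.sha1(body).digest(), "big")
    sig = pow(digest, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return MAGIC + struct.pack(">IH", len(body), len(sig)) + sig + body


def find_image(flash):
    """Boot-block step 1: scan memory for a recognizable header; None if absent."""
    pos = flash.find(MAGIC)
    return None if pos < 0 else flash[pos:]


def verify_image(image, pub):
    """Boot-block steps 2-4: recover the signed hash with the public key, hash
    the body, and accept only if both SHA-1 values match. Any malformed or
    truncated field fails closed."""
    e, n = pub
    hdr = len(MAGIC) + 6
    if image is None or not image.startswith(MAGIC) or len(image) < hdr:
        return False
    body_len, sig_len = struct.unpack(">IH", image[len(MAGIC):hdr])
    sig = image[hdr:hdr + sig_len]
    body = image[hdr + sig_len:hdr + sig_len + body_len]
    if len(sig) != sig_len or len(body) != body_len:
        return False
    recovered = pow(int.from_bytes(sig, "big"), e, n)   # "decrypt" the signature
    computed = int.from_bytes(hashlib.sha1(body).digest(), "big")
    return recovered == computed


if __name__ == "__main__":
    pub, priv = make_keypair()
    good = build_image(b"constructed iLO main image bytes", priv)
    flash = b"\xff" * 16 + good                 # image does not sit at offset 0
    print("valid image accepted:", verify_image(find_image(flash), pub))
    bad = bytearray(good)
    bad[-1] ^= 0x01                              # one flipped byte in the body
    print("tampered image accepted:", verify_image(bytes(bad), pub))
```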

Page 7: ...neral registers, which the host server can access through the PCI bus. These PCI registers contain only non-sensitive information. The iLO processor does not secure or try to hide these registers from the host server. Protected registers, in which the iLO device can lock the write access. These registers restrict unwanted behavior, such as flashing rogue firmware, but they do not restrict information. Thes...

Page 8: ...ailable for most ProLiant servers with the iLO processor. Even though network traffic and iLO management traffic both flow through the same port, it is impossible for management data to flow to the host data stream. To ensure that all packets travel to the appropriate destination, the shared network port contains two separate Media Access Control (MAC) addresses inside the NIC: one for the iLO traffic an...

Page 9: ...ized to make changes or access a requested environment? Finally, is it possible for data being sent through iLO to remain confidential? The following sections identify the three essential techniques that iLO has, or an iLO administrator can use, to verify trust: Authentication and authorization; Encryption; Disabling ports and changing port locations. Every function of iLO, such as the remote console, virtua...

Page 10: ...it SSL encryption and the accompanying digital certificates to encrypt web pages (HTTP data) transmitted across the network. SSL encryption ensures that all information and commands issued through the web pages are private. An integral part of SSL is a digital certificate (see Appendix A, Digital certificates). The iLO management processor creates its own self-signed certificate by default. Administrators...

Page 11: ...n. At the client browser, the user enters his login credentials and the browser generates a unique cookie (4) called hp-iLO-Login. The web server within iLO uses this cookie for authentication and authorization (Figure 4). The browser encodes both the username and the password using a base-64 hash function and incorporates it into the cookie. The cookie also includes the unique session ID and the random se...

Page 12: ...[login flowchart: match SSO proxy credentials or erase them; directory integration; attempt directory authentication; iLO security override switch; login as security override login name, local user, SSO user, or directory user; record login event or login failure; exit with error or success]...

Page 13: ...directory services is available from the HP website at http://h18004.www1.hp.com/products/servers/management/directorysupp/index.html. Using directory services, the login process includes the steps illustrated in Figure 7. After the web browser sends the cookie to iLO, the iLO processor extracts the user credentials from the cookie and accesses the directory service to determine which roles are availab...

Page 14: ...s login credentials (user name and password), get session information from iLO, and combine these into a security cookie. iLO then uses this cookie to ensure that the user has access to the pages and resources he or she is trying to use. If ActiveX is disabled in the browser, or the call fails, and the name used for login is a DN, then the login script will work. The login script will also work if this name...

Page 15: ...ces but authorized to access the system only between 8 a.m. and 5 p.m. XML scripts could alter privileges, administrators could delete a user account, directory settings could change, and time- or address-based restrictions could apply. Therefore, every time a user makes a request, iLO re-evaluates the user's privileges (see the flowchart in Figure 8). If the evaluation is successful, the user's request procee...

Page 16: ...et Explorer only. This authentication scheme involves using two factors of authentication. The user is authenticated by providing both of these factors: 1. Something the user knows (a password or PIN); 2. Something the user possesses (the private key for their digital certificate). Users have the ability to store their digital certificates and private keys wherever they choose. It is likely, however, that smart...

Page 17: ...ss, access to the following ports is automatically disabled: SSH (Port 22); Telnet (Port 23); SSL (Port 443, XML traffic only; all other traffic remains unaffected). If the user wishes, the SSH and/or Telnet ports can be selectively re-enabled through manual intervention. It is important to know that the XML port (CPQLOCFG access) cannot be enabled while two-factor authentication is enabled. Performing group admini...

Page 18: ...serial port. The iLO remote console server monitors the remote console port for connections from the remote console and virtual serial port applets, and possibly Telnet. Figure 10 shows the steps in establishing a remote console session: 1. The user launches the Java applet by clicking on a link in the client browser. 2. The link opens a separate browser window...

Page 19: ...mote console session. 6. Comparison of applet and user name permits l... Figure 11 shows schematically how iLO constructs the one-time login token: 1. The original browser session contains a 40-character random session key. Programming code stored in the remote console applet generates a 40-character random secret. The random session key is concatenated with the random secret. 2. The iLO device performs an M...

Page 20: ...s open as long as the server receives a heartbeat once every 30 seconds. If the server does not receive a heartbeat within one minute, the connection will be closed. The iLO v1.91 and iLO 2 v1.30 and later releases include the Remote Console Computer Lock feature. With Remote Console Computer Lock, the operating system console self-locks when the session is closed or is timed out. Even though the sessio...

Page 21: ...dding the BladeSystem Integrated Manager 2.4 or later exposes SSO capability for iLO processors in blades. The SIM SSO provides the following capabilities: Importing one or more SIM certificates; Automatic certificate importation to ease initial setup; Manual SSO certificate importation; Support for certificate revocation; SIM role to user privilege mapping; Redirect to the SIM console for SSO; Modificati...

Page 22: ...ent replay attacks. 4. HP SIM builds a signed link incorporating the resource, secret, user, and HP SIM. 5. Client browser redirects to the link at the Integrated Lights-Out processor. 6. iLO validates the request based on the request contents, iLO configuration, secret, and HP SIM source. Authenticated requests receive the resource. SIM SSO does not affect the local iLO user. SSO trust is iLO-based and can be d...

Page 23: ...for exchanging the public and private keys during the SSH protocol negotiation. 3. The protocol negotiation task completes the key exchange. 4. The protocol negotiation task then spawns a task for checking authentication timeout and another task for performing the authentication. The authentication task is also used for reading from the SSH port once authentication completes successfully. 5. The task fo...

Page 24: ...ommunication and the LDAP server provides server-side communication. Popular AES cipher strengths are supported through the web browser, XML, and SSH. Remote console and virtual serial port data encryption: The iLO processor uses the RC4 streaming cipher algorithm (a variable key-size stream cipher with byte-oriented operations) to encrypt the remote console and virtual serial port sessions. Unlike a bloc...

Page 25: ...s. These new keys are used to create a new set of RC4 data. The server sends a signal to the client indicating that it has generated the new RC4 data and will begin communicating using the new cipher. The client will perform the same operation when it sees the signal. It then sends a signal to the server indicating that it is using the new RC4 data. The signal is implemented with a byte insertion proto...

Page 26: ...ntication is enabled for web browser access, access to the following ports is automatically disabled: SSH (Port 22); Telnet (Port 23); XML (Port 443). If desired, the user can selectively re-enable the SSH and/or Telnet ports. Table 1, Default port locations for iLO (columns: Port Number; Protocol; Can Port Number be Changed; Supports; Enabled by default): 22; SSH; Yes; SSH Connections; Yes. 23; Telnet; Yes; Remote graphical console (R...

Page 27: ...hat only administrators be granted access to that network. This not only improves performance by reducing traffic load across the main network, it also acts as the first line of defense against security attacks. A separate network allows administrators to physically control which workstations are connected to the network. Figure 14: The iLO processor relative to the network and host server. Web browser...

Page 28: ...he Disabled mode, no application, including the remote console or virtual serial port applet, can connect to port 23. Finally, any potential security risk of the Telnet port across the network is reduced because the remote console and virtual serial port applets have strong authentication and authorization processes. Multi-user Integrated Remote Console (IRC): Beginning with the iLO v1.91 and iLO 2 v1.30 r...

Page 29: ...allow inbound SNMP traffic into the host server only if it comes from a predetermined management workstation. Administrators can also set the passwords (community strings) according to the same guidelines as administrative passwords. Finally, administrators can disable SNMP entirely. Systems Insight Manager: Systems Insight Manager checks for an iLO presence by starting an HTTP session. The default port...

Page 30: ...e server. The iLO driver enables the other iLO integration services, such as RBSU, Terminal Services pass-through, HPONCFG, and the agents. RBSU: RBSU allows users to initially configure iLO and iLO user accounts. Every time the server boots, RBSU is available to anyone with access to the server console. Therefore, RBSU requires strong security. Administrators can configure RBSU to require valid user credenti...

Page 31: ...that any active security measures are established between the Microsoft terminal services client and Microsoft's RDP service. The Terminal Services port is the second of two ports in iLO that allow traffic to be passed to the host OS through the iLO driver. Administrators can disable the Terminal Services Pass-Through port. Specific IT infrastructure concerns: Customers have questioned security issues...

Page 32: ...an initial line of defense. Behind this router is a firewall system. There is no direct connection from the Internet or the external router to the internal network. All traffic to or from the internal network must pass through the firewall system. An additional router, which filters packets destined for the public services in the DMZ, protects the internal network from public access. The firewall is a mu...

Page 33: ...Altiris eXpress Deployment Solution and the ProLiant Integration Module. The ProLiant Integration Module consists of software optimizations, including the SmartStart Scripting Toolkit, Configuration Events for leading industry-standard operating systems, sample unattended files, and ProLiant Support Packs containing software drivers, management agents, and important documentation. Servers can be deployed...

Page 34: ...hould be changed immediately to a more relevant password. Administrators should change the iLO management passwords with the same frequency and according to the same guidelines as the server administrative passwords. Passwords should include at least three of these four characteristics: numeric character, special character, lowercase character, and uppercase character. Implement directory services: This a...

Page 35: ...rver traffic. A networked environment has inherent security risks. The iLO processor mitigates many of these risks through authorization, authentication, and encryption. Administrators can further decrease the chance of attacks by following security recommendations, being aware of access points to the iLO devices and their host servers, and configuring their networks to eliminate any unnecessary services...

Page 36: ...authority: wJD3Wsm8VqCQSjK YpwOcVCcCG Ai drsqz4E. Name of issuing certificate authority (CA DN): o=ACME, c=US. A digital signature typically uses the sophisticated encryption of the RSA encryption algorithm rather than a simple hashing signature (Figure A-1). The RSA algorithm, developed by Rivest, Shamir, and Adleman, is widely used for encrypting data using a public-key/private-key system. Also known as asymm...

Page 37: ...Figure A-1: Example of how a digital signature works...

Page 38: ...fish192-cbc (Optional; Not supported); twofish128-cbc (Recommended; Not supported); aes256-cbc (Optional; Not supported); aes192-cbc (Optional; Not supported); aes128-cbc (Recommended; Supported); serpent256-cbc (Optional; Not supported); serpent192-cbc (Optional; Not supported); serpent128-cbc (Optional; Not supported); arcfour (Optional; Not supported); idea-cbc (Optional; Not supported); cast128-cbc (Optional; Not supported); none (Option...

Page 39: ...al; Not supported); spki-sign-dss certificates (Optional; Not supported); pgp-sign-rsa certificates (Optional; Not supported); pgp-sign-dss certificates (Optional; Not supported). Client User Authentication Method: none (Must not be listed); public key (Required; Not supported); host-based (Optional; Not supported); password (Supported). Client user authentication parameters: Default authentication timeout 10 minutes (recommende...

Page 40: ...sting operations. Schema is published in the directory for use by clients. The LDAP protocol is used to read from and write to Active Directory. By default, LDAP traffic is transmitted unsecured. System administrators can make LDAP traffic confidential and secure by using SSL/Transport Layer Security (TLS) technology. Administrators can enable LDAP over SSL (LDAPS) by installing a properly formatted certifi...

Page 41: ...s a sublayer of the data link layer in the OSI model of network communication. In the Ethernet standard, every network connection must support a unique MAC value. NIC: Network interface controller. NVRAM: Non-volatile random access memory. This is memory that maintains data across power cycles. OSI model: OSI stands for Open System Interconnection, a seven-layer protocol model for defining a networking fram...

Page 42: ...blic wires (the Internet) to connect nodes. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted. (Source: www.webopedia.com.) XML: Extensible markup language. HTML and RIBCL are subsets of XML...

Page 43: ...tml. Software and drivers for lights-out processors: www.hp.com/go/ilo. Lights-out supported servers: www.hp.com/servers/ilo/supportedservers. Information about iLO 2 Advanced licenses: www.hp.com/servers/iloadv2. Call to action: Send comments about this paper to TechCom@HP.com. © 2004, 2006, 2007, 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice...
