
Servers inside the DMZ and on the internal network can use iLO processors. Because the network connection to iLO is completely isolated from the network ports on the server, there is no possibility for data to flow from the DMZ network to the iLO network, or vice versa. Therefore, even if the DMZ network is compromised, the iLO network will remain secure. This architecture permits administrators to use iLO on servers located in the DMZ or in the internal network without the risk of compromising sensitive data. This separation is accomplished by using a dedicated NIC or the Shared Network Port (SNP) with its VLAN (see the section “SNP for select ProLiant servers”).

For best protection of the servers operating inside the DMZ, administrators should set the SNMP trap destinations to the loopback address and enable the SNMP pass-through in iLO so that SNMP traps are routed onto the iLO network. While this SNMP pass-through option does not enable all management functions, it allows for passing status, inventory, and fault information to HP Systems Insight Manager or another SNMP-capable management application. This option has the benefit of being very secure because the host operating system does not recognize the Lights-Out product as a NIC.
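The recommendation above can be checked on the host side. The following is an added example (not code from the HP paper): it parses net-snmp style snmpd.conf directives (trapsink, trap2sink, informsink) from a constructed sample and flags any trap destination that is not a literal loopback address, since such a destination would send traps out of the DMZ-facing NIC instead of through the iLO pass-through. Hostnames are reported as findings because they cannot be verified offline.

```python
"""Audit snmpd.conf trap destinations for an iLO SNMP pass-through setup.

Added example, not from the HP paper. The paper recommends pointing the
host's SNMP trap destinations at the loopback address so that, with iLO
SNMP pass-through enabled, traps leave via the isolated iLO network rather
than the DMZ-facing NIC. This script reports destinations that break that rule.
"""
import ipaddress
import re

# net-snmp directives whose first argument is a trap destination host.
TRAP_DIRECTIVES = {"trapsink", "trap2sink", "informsink"}

# Constructed sample snmpd.conf content used only for demonstration.
SAMPLE_SNMPD_CONF = """\
# constructed sample, not a real configuration
rocommunity   monitoring 127.0.0.1
trapsink      127.0.0.1 traps
trap2sink     [::1]:162 traps
informsink    10.0.5.20:162 traps     # leaks traps onto the DMZ NIC
trapsink      nms.example.internal traps
"""


def split_host_port(target: str):
    """Split 'host', 'host:port' or '[v6addr]:port' into (host, port)."""
    m = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?", target)
    if m:
        return m.group(1), m.group(2)
    host, sep, port = target.rpartition(":")
    # Only treat the suffix as a port for 'v4host:port' (a single colon).
    if sep and port.isdigit() and host.count(":") == 0:
        return host, port
    return target, None


def is_loopback(host: str) -> bool:
    """True only for literal loopback IPs; hostnames cannot be verified offline."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_trap_destinations(conf_text: str):
    """Return [(line_no, directive, host)] for every non-loopback destination."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in TRAP_DIRECTIVES and len(parts) >= 2:
            host, _port = split_host_port(parts[1])
            if not is_loopback(host):
                findings.append((n, directive, host))
    return findings


if __name__ == "__main__":
    for line_no, directive, host in audit_trap_destinations(SAMPLE_SNMPD_CONF):
        print(f"line {line_no}: {directive} -> {host} is not a loopback address")
```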

Lights-Out Management Integration with Rapid Deployment Pack

The Rapid Deployment Pack (RDP) Deployment Server Console provides secure access to the management features of iLO and Remote Insight Lights-Out Edition (RILOE).

IMPORTANT: If Rapid Deployment Pack—Windows Edition and HP SIM will be installed on the same server, Rapid Deployment Pack—Windows Edition must be installed before HP SIM and the other products on the Management CD.

The Rapid Deployment Pack combines an off-the-shelf version of Altiris eXpress Deployment Solution and the ProLiant Integration Module. The ProLiant Integration Module consists of software optimizations including the SmartStart Scripting Toolkit, Configuration Events for leading industry-standard operating systems, sample unattended files, and ProLiant Support Packs containing software drivers, management agents, and important documentation. Servers can be deployed through Altiris’ imaging feature or through scripting using the SmartStart Scripting Toolkit. For more information on the ProLiant Essentials Rapid Deployment Pack, visit the website at www.hp.com/servers/rdp-we.

Communication between iLO and server blades

In the HP BladeSystem architecture, a single enclosure houses multiple servers. A separate power subsystem provides power to all server blades in that enclosure. ProLiant c-Class server blades (see the website at www.hp.com/servers/blades) use the iLO management processor to send alerts and management information throughout the server blade infrastructure. However, there is a strict communication hierarchy among ProLiant c-Class server components. The Onboard Administrator (OA) management module communicates with the iLO processor on each server blade. The OA module provides independent IP addresses for each server blade. The iLO firmware exclusively controls any communication from iLO to the OA module. There is no path from an iLO processor on one server blade to the iLO processor on another blade. The iLO processor has information only about the presence of other server blades in the infrastructure, and whether there is enough amperage available from the power subsystem to boot the iLO host server blade.

Within BladeSystem c-Class enclosures, the server blade iLO network connections are accessed through a single, physical port on the rear of the enclosure. This greatly simplifies and reduces cabling. Note that the iLO on a server blade maintains an independent IP address.
