
Security Audits

Recent legislation may mandate periodic security audits. iLO maintains an event log containing date- and time-stamped information pertaining to events that occurred in the iLO configuration and operation. This log can be accessed manually through the System Status tab of the iLO browser interface. An automated examination and parsing is available for extraction through XML commands. The log can be parsed by date/time and authenticated user for information relating to security events.
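As an added illustration of the automated parsing mentioned above (this is example code written for this page, not HP's own tooling), the script below takes an XML event-log export, filters it by a date/time window and by user name, and counts login failures per account. The XML layout, attribute names (EVENT, SEVERITY, LAST_UPDATE, DESCRIPTION) and the timestamp format are assumptions modelled loosely on an iLO-style export; the log entries are constructed sample data, not a captured log.

```python
"""Filter an iLO-style event-log export for security-relevant entries.

Added example, not HP's code. The XML layout and attribute names are
assumptions; SAMPLE_LOG is constructed sample data.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

# Constructed sample export (assumed layout, hypothetical attribute names).
SAMPLE_LOG = """<EVENT_LOG DESCRIPTION="iLO Event Log">
  <EVENT SEVERITY="Informational" CLASS="iLO" LAST_UPDATE="03/14/2008 09:12"
         DESCRIPTION="Browser login: Administrator - 10.0.5.21 (DNS name not found)"/>
  <EVENT SEVERITY="Caution" CLASS="iLO" LAST_UPDATE="03/14/2008 09:15"
         DESCRIPTION="Browser login failure: jdoe - 10.0.5.40 (DNS name not found)"/>
  <EVENT SEVERITY="Caution" CLASS="iLO" LAST_UPDATE="03/14/2008 09:16"
         DESCRIPTION="Browser login failure: jdoe - 10.0.5.40 (DNS name not found)"/>
  <EVENT SEVERITY="Informational" CLASS="iLO" LAST_UPDATE="03/14/2008 10:02"
         DESCRIPTION="User jdoe added by: Administrator"/>
  <EVENT SEVERITY="Informational" CLASS="iLO" LAST_UPDATE="03/15/2008 22:40"
         DESCRIPTION="Remote Console login: jdoe - 10.0.5.40 (DNS name not found)"/>
</EVENT_LOG>"""

TIME_FMT = "%m/%d/%Y %H:%M"  # assumed timestamp format of the sample above


def parse_events(xml_text):
    """Return a list of {time, severity, description} dicts from the export."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("EVENT"):
        events.append({
            "time": datetime.strptime(ev.get("LAST_UPDATE"), TIME_FMT),
            "severity": ev.get("SEVERITY", ""),
            "description": ev.get("DESCRIPTION", ""),
        })
    return events


def filter_events(events, start=None, end=None, user=None):
    """Keep events inside [start, end] (strings in TIME_FMT, inclusive)
    whose description mentions the given user name."""
    t_start = datetime.strptime(start, TIME_FMT) if start else None
    t_end = datetime.strptime(end, TIME_FMT) if end else None
    kept = []
    for ev in events:
        if t_start and ev["time"] < t_start:
            continue
        if t_end and ev["time"] > t_end:
            continue
        if user and user not in ev["description"]:
            continue
        kept.append(ev)
    return kept


def failed_login_counts(events):
    """Count 'login failure' entries per account. Repeated failures against
    one account are the kind of entry a periodic audit should surface."""
    counts = {}
    for ev in events:
        desc = ev["description"]
        if "login failure:" in desc:
            account = desc.split("login failure:", 1)[1].split("-", 1)[0].strip()
            counts[account] = counts.get(account, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ev in filter_events(evs, start="03/14/2008 00:00", end="03/14/2008 23:59", user="jdoe"):
        print(ev["time"], ev["severity"], ev["description"])
    print("login failures per account:", failed_login_counts(evs))
```

In practice the XML text would come from whatever export the iLO XML interface produces rather than the embedded sample, and the "login failure" substring match should be adjusted to the exact wording the device writes.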

General security recommendations

For more complete information about iLO security, consult the HP Integrated Lights-Out User Guide, the HP Integrated Lights-Out 2 User Guide, and the Planning and configuration recommendations for Integrated Lights-Out processors. These documents are available at the following HP web sites, respectively:

http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00209014/c00209014.pdf

http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00553302/c00553302.pdf

http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00257375/c00257375.pdf

HP recommends that customers observe the following security practices, stated here in abbreviated form:

Use a separate management network. For security and performance reasons, HP recommends that customers establish a private management network separate from their data network and that only administrators be given access to that management network.

Do not connect iLO directly to the Internet. The iLO processor is designed as a management and administration tool, not as an Internet gateway. Typically, customers would connect to the Internet using a corporate VPN that provides firewall protection.

If using local accounts, change passwords frequently. The default iLO password should be changed immediately to a more relevant password. Administrators should change the iLO management passwords with the same frequency and according to the same guidelines as the server administrative passwords. Passwords should include at least three of these four characteristics: numeric character, special character, lowercase character, and uppercase character.

Implement directory services. This allows authentication and authorization using the same login process employed throughout the rest of the network. It provides a way to control multiple iLO devices simultaneously. Directories provide role-based access to iLO with very specific roles and privileges based on time and location.

Implement two-factor authentication. This provides additional security, especially when connections can be made remotely or outside the local network.

Restrict access to the remote console port. To provide tighter security, a user with supervisor rights can restrict access to the remote console port and can turn on encryption. For maximum security when the remote console is enabled, HP recommends that the administrator turn on the remote console encryption. For maximum security for customers who do not require the remote console feature, HP recommends disabling the remote console port.

Protect SNMP traffic. Administrators should reset the community strings according to the same guidelines as the administrative passwords. Administrators should also set firewalls or routers to accept only specific source and destination addresses. If SNMP is not desired, administrators can disable this feature at the host. Administrators can also disable the iLO SNMP pass-through.

Conclusion

The design of the iLO processor allows customers to deploy their ProLiant servers without worry that the management processor will allow non-secure actions. The iLO processor uses strong authentication, highly configurable user privileges with strong authorization processes, and encryption

34

 
