Integrity Servers
management processor console access security

SOLVED
support_5
Super Advisor

management processor console access security

Hi folks,

A question has been raised within our organisation relating to the security of the LAN-console access to the GSP on an rx2600 box. The box will be in the DMZ behind firewalls and proxies etc., and separated from the rest of the corporate network also via firewalls etc. Now the question raised was whether it was such a good idea plugging the GSP LAN console connection into the internal corporate network or not. I think the folk raising the question saw that they were plugging a network cable into the server but it wasn't going through a firewall, and so they thought that this was bypassing security because it may offer a direct connection to the internal network, bypassing the firewall. Others explained that it was virtually impossible to go out on the GSP's network port through the GSP LAN-console from within the HP-UX OS itself. (Typically, all web-consoles and LAN consoles are on the one internal subnet, separate from the other networks like the ones the HP-UX servers are in.)

What are people's thoughts on this matter? I.e. is it better to have the web/LAN-console (which only needs to be accessed from the internal network) separated from the internal network by a firewall, or is it quite okay to have it connected to the internal network directly, knowing that it's virtually impossible to go out via this LAN-console from within HP-UX itself (since it is only connected by RS-232 anyway)?

Those who raised the concern are not convinced by what has been said and want the LAN-consoles put out behind the firewall.

So again, what are people's experiences with this? How do you have your LAN-console/GSP console connected and organised in your network? And especially, does anyone know of any problems with the above described setup?

Thank you.

- Andrew
5 REPLIES
generic_1
Respected Contributor

Re: management processor console access security

One thing is to password protect the GSP for starters. I am assuming you have already done that.

One problem with having the GSP on a public network is that a hacker would only have one level to go through to gain access to your system, because once they gained access to the GSP they could reboot your system to single user mode. It would probably be safer to stick it behind a firewall and make the GSP LAN accessible through a very limited number of servers. This way users must log into a central point before logging into the GSP network. This also leaves a variety of options open to you for logging purposes of who is accessing the GSP network.

Also make sure whatever method you are using to access your network from the outside world is over a secure/encrypted connection.

Hope this helps.
support_5
Super Advisor

Re: management processor console access security

Hi,

Yes, it is password protected, and we have even created certificates etc. and made it as secure as possible. In practice, it is not exposed to the internet, because between it and the internet is a proxy, and firewall, and the HP-UX server it is connected to. So a hacker would have to compromise the HP-UX server before they could get access to the console.

But what I'm more interested in hearing about is whether it is possible to send packets out the LAN interface on the GSP from within the HP-UX OS itself. I personally cannot see how this is even possible, but there are some who think that if the GSP and the OS are connected with wires, then it is possible.

I.e., the GSP is plugged into our internal network, the HP-UX server is in a DMZ area. They think that a compromised server in the DMZ could bypass the firewalls separating the DMZ and the internal network by sending packets out the LAN interface of the GSP from the HP-UX OS itself. But I don't think that is possible.

It seems obvious to me that it is not possible, but there is nothing I've found that says so (that agrees with me). What have others found? What are the thoughts of others on this issue?

Thanks

- Andrew
hydrocct
Advisor

Re: management processor console access security

I have similar concerns with respect to GSP and MP. Surprisingly, the GSP does not support SSH, which would be an acceptable compromise for our site. Otherwise, one can always use the GSP's serial port and connect that to a console server that supports SSH.
Guichet DPT
Stefan Stechemesser
Honored Contributor
Solution

Re: management processor console access security

Hi Andrew,

In the rx2600 there is absolutely no way to forward network packets between the production LAN port and the MP LAN port.
Although the MP card is built into the server chassis, it is independent from the rest of the server, like a small computer using the same power supply (12 V is supplied after the power connector is plugged in, regardless of the power switch status).
Internally, the MP interacts with the Baseboard Management Controller (BMC) on the system board via a serial bus. There is no LAN-like connection between the GSP card and the system.
I'm not aware of any method of accessing the BMC or the GSP from the operating system (OK, in theory there is one, but this would be on a firmware level and I cannot imagine that someone writes a firmware hack). And even if someone could access the MP after he hacked into your system, there is no way to access other computers from the MP except a ping with the "XD" command and an FTP read access when trying to make an MP firmware update with the "xu" command, but as I already said, there is no way of accessing the MP interface from the operating system.
From my point of view the safest configuration for your DMZ computer would be:

- MP LAN connected to internal network
- disable telnet with the "sa" command
- enable webconsole SSL access via "sa"
- connect only via web interface (SSL) to the console

If your internal lan is only used by trusted users, you can leave telnet access active.

I hope this helps

best regards

Stefan
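The hardening steps above leave two network-visible properties that an admin can verify from an internal host without touching the MP's own CLI: telnet on the MP address should refuse connections, and the web console port should complete a TLS handshake. The following script is an added example written for this thread; it is not HP code and not part of any post. It assumes the MP serves telnet on TCP 23 and the SSL web console on TCP 443, and that the address passed in is your own MP's (the default `192.0.2.10` is a constructed placeholder). The probe functions are injectable so the policy check itself can be run offline.

```python
import socket
import ssl

# Assumed standard ports for the MP's console services (not confirmed by the thread).
TELNET_PORT = 23
HTTPS_PORT = 443


def port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_offered(host, port=HTTPS_PORT, timeout=3.0):
    """Return True if host:port completes a TLS handshake.

    Management processors commonly use a self-signed certificate, so chain
    verification is disabled: the check only confirms that the web console is
    served over TLS at all, not that the certificate is trusted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ssl.SSLError):
        return False


def evaluate_mp_exposure(telnet_open, https_tls_ok):
    """Compare the observed state with the recommended setup; return findings.

    An empty list means both conditions hold: telnet disabled, SSL console up.
    """
    findings = []
    if telnet_open:
        findings.append("telnet open: cleartext console login is still enabled")
    if not https_tls_ok:
        findings.append("no TLS on the web console port: SSL access is not enabled")
    return findings


def audit_mp(host, probe_port=port_open, probe_tls=tls_offered):
    """Probe one MP address and return the list of findings."""
    return evaluate_mp_exposure(probe_port(host, TELNET_PORT), probe_tls(host))


if __name__ == "__main__":
    import sys

    # Constructed placeholder address; pass your own MP's address instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    result = audit_mp(target)
    print("compliant" if not result else "\n".join(result))
```

Run it from one of the few internal hosts allowed to reach the management subnet (the central point generic_1 describes), and keep its output with the change record so the security team has evidence rather than assurances.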
support_5
Super Advisor

Re: management processor console access security

Hi Stefan,

I agree with your comments. The problem was convincing the security section that this wasn't a gaping security hole (which they were convinced it was). In the end we prevailed against the security team and managed to produce a setup exactly like what you recommended, and this has been working fine since. It seems that there is a high level of misunderstanding regarding the web-consoles and the security of them. For example, security were convinced that since there was a network interface on the server, that must mean that the OS must also be able to 'see' the interface, and that it didn't matter that it was actually the GSP's interface only. It took a lot of convincing and explaining to convince them that the management interface was indeed different to a regular LAN interface. And that was only the start!

It would be nice if HP was clearer with regard to the security of the GSP interface, so that us admins can convince the obsessive-compulsive paranoid and psychotically delusional security folk of the security of the interface. How about some documents regarding the specifics of the security of the interface?

Anyway, thanks for your comments.


Hydrocct, while the console doesn't support SSH, it does support SSL, and is equally secure over the web/HTTP interface.

Thanks again.

- Andy Gray