05-14-2007 04:32 AM
Fully secured Ignite server ? Your comments....
Having an Ignite server on the network is an invaluable tool to recover systems, to deploy software bundles or install custom made “golden images”.
However, in these days of enhanced security awareness, more and more security departments will prohibit the installation and use of an Ignite server, on the prod network at least, because it relies on unsecure protocols for its operation, namely bootp, tftp, nfs and the Unix “r commands”, which are not allowed on secure production networks.
Many deployment projects that were originally designed to use Ignite as a means of building/deploying servers are currently on hold because of those security concerns.
I have gathered that from Ignite version 6.8 upwards, at least one of these concerns has been addressed as bootsys can now be used in a ssh tunnel with key exchange to remotely boot a client.
Does anybody know if there is a way to work around these security limitations by substituting secure alternatives to tftp and nfs? Like scp instead of tftp and Samba shares over ssh instead of NFS exports?
I doubt this can be done without rewriting the Ignite server code, but maybe HP will soon announce the new “Secured Ignite Server” product? (Wishful thinking here)
Any comments are welcome…
Chris
05-14-2007 04:57 AM
Re: Fully secured Ignite server ? Your comments....
Five years ago I had the conversation with HP support. At HP World 2002, same conversation.
Yes, this is a difficult job, but it should be done. I used to work at a place with a secure network. I helped set the network standards and to keep the Ignite server secure, I had to edit inetd.conf and restart the daemon before and after Ignite transfers.
Yes, it should use scp/openssh. NFS can now be encrypted with 11.31 and NFS v4 so that is not such a huge issue.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
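
Added example, not part of the original posts: one way to script the "edit inetd.conf before and after Ignite transfers" routine described in the reply above, so the boot services are only reachable during a transfer window. The service names (`tftp`, `bootps`, `instl_boots`), the `#IGNITE-OFF#` marker and the sample entries with placeholder paths are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): switch the Ignite boot services in an
# inetd.conf-style file off and on around a transfer window.
# Assumption: the entries are named tftp, bootps and instl_boots.
SVC='^(tftp|bootps|instl_boots)$'
MARK='#IGNITE-OFF#'

ignite_inetd() {   # usage: ignite_inetd enable|disable FILE
    action=$1 conf=$2 tmp="$2.tmp.$$"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    case $action in
    disable)  # prefix active entries only; existing comments are untouched
        awk -v svc="$SVC" -v m="$MARK" \
            '$1 ~ svc { print m " " $0; next } { print }' "$conf" > "$tmp" ;;
    enable)   # strip only the marker added above, never an admin's own "#"
        awk -v svc="$SVC" -v m="$MARK" \
            '$1 == m && $2 ~ svc { sub(/^[^ ]+ /, "") } { print }' "$conf" > "$tmp" ;;
    *)  echo "usage: ignite_inetd enable|disable FILE" >&2; return 2 ;;
    esac || { rm -f "$tmp"; return 1; }
    # Write back in place so the file keeps its owner and mode.
    cat "$tmp" > "$conf" && rm -f "$tmp"
    # On HP-UX, running `inetd -c` afterwards makes inetd reread the file.
}

ignite_active() {  # print the names of the entries inetd would serve now
    awk -v svc="$SVC" '$1 ~ svc { print $1 }' "$1"
}

make_sample() {    # constructed sample entries with placeholder paths
    cat > "$1" <<'EOF'
ftp          stream tcp nowait root /path/to/ftpd        ftpd -l
tftp         dgram  udp wait   root /path/to/tftpd       tftpd /path/to/bootdir
bootps       dgram  udp wait   root /path/to/bootpd      bootpd
instl_boots  dgram  udp wait   root /path/to/instl_bootd instl_bootd
#tftp        dgram  udp wait   root /path/to/tftpd       tftpd /old/dir
EOF
}

demo=${TMPDIR:-/tmp}/inetd.sample.$$
make_sample "$demo"
ignite_inetd disable "$demo"
echo "active after disable: $(ignite_active "$demo" | tr '\n' ' ')"
ignite_inetd enable "$demo"
echo "active after enable:  $(ignite_active "$demo" | tr '\n' ' ')"
rm -f "$demo"
```

Entries an administrator commented out by hand (the last sample line) are left alone in both directions, so re-enabling never exposes a service that was disabled for another reason.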
05-14-2007 05:01 PM
Re: Fully secured Ignite server ? Your comments....
I faced a similar concern in the Symantec development center, saying that they need security for the HP Ignite server, but I am still finding a way to make it secure :)
Any ideas on how to do that are welcome. I am using the latest Ignite bundle.
05-18-2007 08:01 AM
Re: Fully secured Ignite server ? Your comments....
As of today we need to address the security to our LAN/WAN guys and only allow Ignite on our LANs in our computer room(s).
The same kind of problem applies to the LAN-console, which uses telnet instead of ssh
(the alternative is to use external web-consoles).
Our current strategy is to use authenticated/secure tunnels into our computer room LAN, and then use these insecure protocols/services strictly in the computer room LANs.
Nevertheless, there is more and more focus on securing each individual host... Finally we'll have to make each host a Bastion.
P.S.
HP should definitely take this seriously, as Linux has a much stricter default policy in most of its setups. So... to keep the good things going...
/Tor-Arne
05-18-2007 07:38 PM
Re: Fully secured Ignite server ? Your comments....
Fortunately, there is now a patch to make it possible to nail down the port numbers used by rpc.statd, rpc.lockd and rpc.mountd. See this thread for more info:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1122465
While this has no direct effect on security, it allows the firewall administrators to make tighter rules for NFS access, which makes security-minded people happier.
MK
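
Added example, not part of the original posts: once the rpc.statd, rpc.lockd and rpc.mountd ports are pinned as the reply above describes, a check like this confirms that the daemons really are registered on the ports the firewall rules allow. The port numbers 4045 to 4047 and the sample `rpcinfo -p` listing are constructed for illustration; the patch's own configuration settings are not shown on this page and are not assumed here.

```shell
#!/bin/sh
# Added example (not from the thread): compare `rpcinfo -p` output with the
# ports the firewall rules expect for the NFS helper daemons.
# Assumption: 4045/4046/4047 are example pinned ports chosen for this sketch.
EXPECTED='status=4047 nlockmgr=4045 mountd=4046'

check_nfs_ports() {   # stdin: `rpcinfo -p` text; $1: "service=port ..." map
    awk -v want="$1" '
        BEGIN { n = split(want, kv, " ")
                for (i = 1; i <= n; i++) { split(kv[i], p, "="); pin[p[1]] = p[2] } }
        # Columns: program, version, protocol, port, service name
        ($5 in pin) {
            seen[$5] = 1
            if ($4 != pin[$5] && !(($5, $3, $4) in bad)) {
                bad[$5, $3, $4] = 1      # report each service/proto/port once
                printf "DRIFT %s/%s on %s, expected %s\n", $5, $3, $4, pin[$5]
                rc = 1
            }
        }
        END { for (s in pin) if (!(s in seen)) { printf "MISSING %s\n", s; rc = 1 }
              exit rc + 0 }'
}

sample_rpcinfo() {    # constructed sample, shaped like `rpcinfo -p` output
    cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   udp   4047  status
    100024    1   tcp   4047  status
    100021    4   udp   4045  nlockmgr
    100021    4   tcp  49158  nlockmgr
    100005    3   udp   4046  mountd
    100003    3   udp   2049  nfs
EOF
}

# Live use would pipe the real listing in: rpcinfo -p | check_nfs_ports "$EXPECTED"
sample_rpcinfo | check_nfs_ports "$EXPECTED" \
    || echo "registered ports do not match the firewall rule set"
```

A non-zero exit status means a daemon is on a port the firewall would drop or was never registered, which is the state to catch after a reboot or patch install.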