
GSP Security Issues?

 
Eric_148
New Member

GSP Security Issues?

All,

We are getting ready to upgrade from 8 k580's to 20+ 7400's and I'm trying to figure out how to arrange the terminal connections. Previously, I have had an 8 port serial switch connected to a dumb terminal. Now I'm looking at creating a standalone network for the GSPs. I'm having problems talking my security folks into it as the networks these guys are on are separated and they are worried about a bad guy being able to bypass the firewall via the gsp cards. Anyone have any security whitepapers on these or even a better recommendation?

Thanks,
Eric
5 REPLIES 5
Paula J Frazer-Campbell
Honored Contributor

Re: GSP Security Issues?

Eric

Put your gsp network behind the firewall - far safer.

Paula

If you can spell SysAdmin then you is one - anon
Michael Steele_2
Honored Contributor

Re: GSP Security Issues?

I would agree with your network guys. Access to the GSP means access to power, HW devices, reset the servers.

An 'administrative' account and password exists for the RP7400's GSP, along with user accounts with restricted privileges, and while these accounts can remain separate from the 'root' account of the actual server they are rarely used except with vpars or npars. For example there can be an administrative GSP 'user 1' with full access and 'user 2' through 'user 20' with restricted command sets. Give read only access to users 2 and beyond and keep user 1 to yourself and set up with update permission.

The stand alone network is the way to go. Put your LAN consoles on a separate switch, especially if you have DMZ's or publicly facing servers. You'll find you have no choice with this configuration.

You can also hide the IP addresses of the Secure Console devices by not listing them in /etc/hosts but this is sometimes a tough call since the IP now takes on the form of a password which is being kept secret.

Also, your LAN console access is often at 10BaseT instead of 100 so bear this in mind when connecting to your switch. (* Use 'linkloop MAC'. *)
Support Fatherhood - Stop Family Law
John Payne_2
Honored Contributor

Re: GSP Security Issues?

You should stick them on private addressing, like Paula and Michael have already said.

We used to have all our SWC's on public, (as well as the MP lans...) and a few months ago that subnet started getting scanned. For some reason the nature of the scanning took all the SWC's down. (We also had Compaq lights out cards on that subnet. I blame them for the scanning... ;) ) This happened for about 3 weeks until I had time to figure out what was really happening. Since moving to private addressing, we have not had a single issue with the GSP ports or the swc's. (And I don't expect to.)

As far as access goes, I can still get to them from anywhere through the corporate VPN. I assume your security guys provide you with VPN access, right?

Hope it helps

John
Spoon!!!!
John Meissner
Esteemed Contributor

Re: GSP Security Issues?

I recommend keeping your GSP on a private network. It's much safer that way. Is there a reason you would want to put them on another network? If you do create another network, at least make sure it's behind a firewall of some sort.
All paths lead to destiny
Bill Hassell
Honored Contributor

Re: GSP Security Issues?

You can safely assume that *ALL* GSP connections are NOT secure and cannot be made secure. The GSP is a simple microprocessor and is not connected in any way to HP-UX except through device files. There are no options like SSH to make these connections secure. Creating a totally private LAN with (perhaps) a very secure router with very restrictive routes is the only choice. The GSP LAN should be viewed as a highly vulnerable security risk and any connection to the rest of the company should be highly restricted. It should never have a route to the outside Internet, even if some software vendor demands it.


Bill Hassell, sysadmin
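
The recommendations in this thread (private addressing, a dedicated console LAN, very restrictive routes and no route to the Internet) can be checked mechanically against an inventory. The following is an added example, not code from any poster or from HP; the `audit` function is hypothetical and every host name, address, subnet and route in it is constructed sample data.

```python
import ipaddress

# RFC 1918 ranges, listed explicitly because ipaddress.is_private also
# counts documentation ranges such as 192.0.2.0/24 as "private".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (assumptions, not values from the thread).
CONSOLE_NET = ipaddress.ip_network("10.50.0.0/24")   # dedicated GSP LAN
ADMIN_NETS = [ipaddress.ip_network("10.9.8.0/28")]   # VPN / admin jump subnet
CONSOLES = {
    "rp7400-01-gsp": "10.50.0.11",
    "rp7400-02-gsp": "10.50.0.12",
    "rp7400-03-gsp": "192.0.2.40",   # stands in for a publicly addressed card
    "rp7400-04-gsp": "10.20.3.7",    # private, but on a production subnet
}
# Destinations the console LAN's router will forward to.
ROUTES = ["10.9.8.0/28", "0.0.0.0/0", "10.20.0.0/16"]


def audit(consoles, console_net, routes, admin_nets):
    """Return (item, problem) pairs for anything that breaks the isolation rules."""
    findings = []
    for name, addr in sorted(consoles.items()):
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in RFC1918):
            findings.append((name, "not on private addressing"))
        elif ip not in console_net:
            findings.append((name, "outside the dedicated console LAN"))
    for route in routes:
        dest = ipaddress.ip_network(route)
        if dest.prefixlen == 0:
            findings.append((route, "default route gives the console LAN a path out"))
        elif not any(dest.subnet_of(net) for net in admin_nets):
            findings.append((route, "route to a non-admin network"))
    return findings


if __name__ == "__main__":
    for item, problem in audit(CONSOLES, CONSOLE_NET, ROUTES, ADMIN_NETS):
        print(f"{item}: {problem}")
```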