A BMC (Baseboard Management Controller) is an embedded computer that can access and control all of a server's resources. Its remote management capabilities increase efficiency, but it can also be compromised, posing security risks.
In this blog, you'll learn what IPMI (Intelligent Platform Management Interface) is and why its security is important to safely monitor server health and control data irrespective of the operating system or location.
IPMI (Intelligent Platform Management Interface) is a set of standardized specifications for hardware-based platform management systems that makes it possible to control and monitor servers centrally.
IPMI is a form of out-of-band (OOB) management, meaning it can perform management tasks regardless of the server's location or installed operating system.
IPMI is used by the server's BMC (Baseboard Management Controller), an embedded computer used to provide OOB management. The BMC has access to and control of the server's resources, including memory, power, and storage. Additionally, it supports remote boot and server environment monitoring.
IPMI is usually implemented as a network service that runs on a dedicated Ethernet port on the server, sometimes labeled the "management port."
IPMI is a software-neutral approach that functions independently from a server's BIOS, CPU, and operating system (OS).
The main reason why IPMI is critical is its ability to effectively execute the following four features:
There are six main benefits to IPMI:
In addition to the BMC, there are four other key components that support IPMI:
Once you connect to the IPMI manager via the LAN or the internet, the manager utilizes IPMI over IP (Internet Protocol) to connect with the BMC on the server motherboard.
The BMC then uses the system bus to connect with the BIOS, CPU, OS, power supply, and sensors, allowing it to manage CPU speeds, fan speeds, voltages, temperatures and the event log, and to reboot the server.
Devices with IPMI exposed have the potential to be completely compromised at the BMC level.
If attackers gain access to IPMI, they can reboot the system, install a new OS, and access data, bypassing any operating system control. Since IPMI can also allow remote console access, attackers may also be able to modify the BIOS.
IPMI interfaces typically ship with default passwords, and credentials can also be obtained from a server whose root account has been compromised. Anyone who gets hold of these passwords can access other hosts in the same IPMI-managed group.
To prevent unauthorized access and protect critical data, IPMI should be restricted to private management networks only.
If IPMI is not in use and cannot be disabled on your device, or if there is no choice but to run IPMI on a public network, then block its MAC address to limit access to your virtual local area network (VLAN) only. (A VLAN is a subnetwork that groups devices that may sit on separate physical local area networks, or LANs.)
If you do not intend to use IPMI, assign it a non-routable IP address in an address range that is not used for anything else.
If you do intend to use it and need to do so on your campus network, get a static IP address for it.
IPMI should never use a public address. Ethernet ports can also come equipped with IPMI.
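The guidance above (private management network, static address, VLAN isolation) can be turned into a quick audit of a BMC's LAN settings. This is an added example, not code from the original post or from Trenton Systems; the sample text is constructed in the layout of `ipmitool lan print` output, and the key names `IP Address`, `IP Address Source` and `802.1q VLAN ID` are assumed to match that tool's output.

```python
import ipaddress

# Constructed sample laid out like `ipmitool lan print` output (not captured from a real BMC).
SAMPLE_LAN_PRINT = """\
IP Address Source       : DHCP Address
IP Address              : 203.0.113.42
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
Default Gateway IP      : 203.0.113.1
802.1q VLAN ID          : Disabled
"""

# Private ranges (RFC 1918) that a management network is expected to use.
PRIVATE_MGMT_NETS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_lan_print(text):
    """Map 'Key : Value' lines to a dict; the MAC value contains ':' so split on ' : ' once."""
    settings = {}
    for line in text.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            settings[key.strip()] = value.strip()
    return settings


def is_private_mgmt_address(addr_text):
    """True only for a syntactically valid address inside one of the RFC 1918 ranges."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_MGMT_NETS)


def audit_bmc_lan(settings):
    """Return findings where the BMC LAN settings depart from the guidance in the post."""
    findings = []
    if not is_private_mgmt_address(settings.get("IP Address", "")):
        findings.append("BMC address is not in a private (RFC 1918) range; keep IPMI off public networks")
    if not settings.get("IP Address Source", "").startswith("Static"):
        findings.append("BMC address is not static; reserve a fixed management address")
    if settings.get("802.1q VLAN ID", "Disabled") == "Disabled":
        findings.append("BMC port is not tagged to a management VLAN")
    return findings


if __name__ == "__main__":
    for finding in audit_bmc_lan(parse_lan_print(SAMPLE_LAN_PRINT)):
        print("FINDING:", finding)
```

Running the sample reports all three findings; a BMC on a static RFC 1918 address with a VLAN tag produces none.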
Trenton Systems uses the latest IPMI utilities and has software engineers on staff to bolster our systems' security features to protect critical data at the highest level.
Through a shared effort with partners like Insyde, who develop the source code, we are able to make quick changes in the BIOS around IPMI and other features per customer requirements.
Want to learn more? Get in touch with our team of experts to craft a customized, USA-made, cybersecure, high-performance compute solution that enables you to ensure optimal performance across all domains of the modern battlespace, no matter where the mission leads.