Re: WaPo writes about vulnerabilities in Supermicro IPMIs

[Jay Ashworth <jra () baylink com>]

----- Original Message -----
> From: "Brandon Martin" <lists.nanog () monmotha net>

> As to why people wouldn't put them behind dedicated firewalls, imagine
> something like a single-server colo scenario. Most such providers don't
> offer any form of lights-out management aside from maybe remote reboot
> (power-cycle) nor do they offer any form of protected/secondary network
> to their customers. So, if you want to save yourself from a trip, you
> chuck the thing raw on a public IP and hope you configured it right.

Well, *I* would firewall eth1 from eth0 and cross-over eth1 to the ILO jack;
let the box be the firewall.  Sure, it's still as breakable as the box 
proper, but security-by-obscurity isn't *bad*, it's just *not good enough*.

It's another layer of tape.

Whether it's teflon or Gorilla is up to you.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274