14

I am wondering if iLO is safe enough to be hung on the WAN. I looked for some articles but could not find any.

How do you guys secure iLO? Do you put it behind a firewall?

Would you use a firewall that can be accessed from the WAN using iLO?

Lucas Kauffman

4 Answers

15

If your WAN is an internal network then more than likely you'll want to be able to access it over the WAN.

If by WAN you mean public facing (i.e. Internet) then that's a security risk you'll have to evaluate for yourself. I personally would do nothing of the sort since iLO exposes full control of your machine. VPN into your network if you want access.

squillman
  • 5
    +1 You wouldn't leave the physical server console in a publicly-accessible area, would you? – EEAA Aug 26 '11 at 16:32
  • 2
    +1 We've got iLO behind a firewall, SSH into that and port forward from there. – Chris S Aug 26 '11 at 16:34
  • 2
    @Chris S That's exactly what we do, can't recommend the use of an SSH gateway enough. Much nicer/easier than needing to strap on a full-fledged VPN. – EEAA Aug 26 '11 at 16:37
12

Although iLO (I'm an HP guy) is almost all over an SSL/SSH session, it really is access to the heart of your platform, so I'm going to say that you really should VPN into that network tier to add that much additional protection.

Chopper3
  • 4
    Part of it too is *discovery*. If a hacker finds a VPN server, they know they'll be able to get into *something* on your network through it. If they find an iLO login page they know exactly what they've found. – Chris S Aug 26 '11 at 16:40
8

iLO, DRAC, IPMI, or any Out of Band type of control, should only ever be accessible internally. The correct way to access such services via the internet is through a secure VPN. And straight PPTP is *not a secure VPN (exception: EAP-TLS), just in case someone considers it.

*Sorry, typo. Did not review before posting! If anyone cares, I always recommend L2TP/EAP-TLS

or the venerable L2TP/IPsec

And Chris S. is right, PPTP/EAP-TLS is better than IPsec alone. TLS is preferred over IPsec generally.

And truthfully, if the system already has SSH available over the net, I would just use SSH to forward the ports and not deal with the irritation of VPN.

J. M. Becker
  • 1
    PPTP is secure? More often than not, it's horribly insecure. Stick with either IPSec or OpenVPN. Like FTP, PPTP is an old piece of software that desperately needs to die, but refuses to do so. – EEAA Aug 26 '11 at 16:42
  • 3
    PPTP *can* be very secure; but like many technologies it can be set up insecurely too. – Chris S Aug 27 '11 at 00:24
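
One way to verify the advice above that out-of-band controllers are only reachable internally is to run a TCP reachability check against your own iLO addresses from a host outside the management network. This is an added example, not code from the thread; the port list is an assumption based on common iLO defaults and should be adjusted to your configuration.

```python
import socket

# Assumed iLO default TCP ports (not stated in the thread); edit to match your setup.
# IPMI over LAN uses UDP 623 and is not covered by this TCP check.
ILO_TCP_PORTS = {
    22: "SSH CLI",
    80: "HTTP",
    443: "HTTPS web UI",
    17988: "virtual media",
    17990: "remote console",
}

def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts and unreachable networks
        return "filtered"

def exposed_services(host, ports=ILO_TCP_PORTS, timeout=2.0):
    """List (port, label) pairs that accept a TCP connection from this vantage point."""
    return [(p, label) for p, label in sorted(ports.items())
            if probe(host, p, timeout) == "open"]

def audit(hosts, ports=ILO_TCP_PORTS, timeout=2.0):
    """Map each management address to its reachable services; an empty list is a pass."""
    return {h: exposed_services(h, ports, timeout) for h in hosts}

if __name__ == "__main__":
    import sys
    # Usage: python ilo_exposure_check.py <your iLO address> [...]
    failed = False
    for host, found in audit(sys.argv[1:]).items():
        if found:
            failed = True
            for port, label in found:
                print(f"FAIL {host}:{port} reachable ({label})")
        else:
            print(f"ok   {host}: no management port reachable")
    sys.exit(1 if failed else 0)
```

Run from the untrusted side, a non-zero exit means a management port answers where the firewall, VPN or SSH gateway should have been the only way in.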
3

We put these devices into a separated network called admin-network. It is accessible only through admin-workstations connected to that network. So in your case - VPN is the thing to do.

Nils