Is iLO safe enough to be hung on the WAN

Question

I am wondering if iLO is safe enough to be hung on the WAN, I looked for some articles but could not find any ?

How do you guys secure iLO ? Do you put it behind a firewall ?

Would you use a firewall that can be accessed from the WAN using iLO ?

iLO is a little jargony. By 'iLO' are you referring to HP's Integrated Lights-Out product? — Stefan Lasiewski, Aug 26 '11 at 18:34
...which might be SUN/Oracle as well. On Dell it`s called RAC (remote access card) on HP Itanium it is MP (management processor) - there are many more titles for these backend-devices... — Nils, Aug 27 '11 at 21:08

score 15 · Accepted Answer · answered Aug 26 '11 at 16:29

15

If your WAN is an internal network then more than likely you'll want to be able to access it over the WAN.

If by WAN you mean public facing (ie- Internet) then that's a security risk you'll have to evaluate for yourself. I personally would do nothing of the sort since iLO exposes full control of your machine. VPN into your network if you want access.

answered Aug 26 '11 at 16:29

squillman

37,618
10
90
145

5

+1 You wouldn't leave the physical server console in a publicly-accessible area, would you? – EEAA Aug 26 '11 at 16:32
2

+1 We've got iLO behind a firewall, SSH into that and port forward from there. – Chris S Aug 26 '11 at 16:34
2

@Chris S That's exactly what we do, can't recommend the use of an SSH gateway enough. Much nicer/easier than needing to strap on a full-fledged VPN. – EEAA Aug 26 '11 at 16:37

score 12 · Answer 2 · answered Aug 26 '11 at 16:36

12

Although iLO (I'm a HP guy) is almost all over SSL/SSH session it really is access to the heart of your platform so I'm going to say that you really should VPN into that network tier to add that much additional protection.

answered Aug 26 '11 at 16:36

Chopper3

100,240
9
106
238

4

Part of it too is *discovery*. If a hacker finds a VPN server, they know they'll be able to get into *something* on your network through it. If they find an iLO login page they know exactly what they've found. – Chris S Aug 26 '11 at 16:40

J. M. Becker · Answer 3 · 2011-08-30T17:36:18.487

8

iLO, DRAC, IPMI, or any Out of Band type of control, should only ever be accessible internally. The correct way to access such services via the internet is through a secure VPN. And strait PPTP is *not a secure VPN (exception EAP-TLS), just in case someone considers it.

*sorry, typo. Did not review before posting! If any one cares, i always recommend L2TP/EAP-TLS

or the venerable L2PT/IPsec

and Chris S. is right, PPTP/EAP-TLS is better then IPsec alone. TLS is preferred over IPsec generally.

and truthfully, if the system already has SSH available over the net. I would just use SSH to forward the ports and not deal with the irritation of VPN.

edited Aug 30 '11 at 17:36

answered Aug 26 '11 at 16:34

J. M. Becker

2,431
1
16
21

1

PPTP is secure? More often than not, it's horribly insecure. Stick with either IPSec or OpenVPN. Like FTP, PPTP is an old piece of software that desperately needs to die, but refuses to do so. – EEAA Aug 26 '11 at 16:42
3

PPTP *can* be very secure; but like many technologies it can be setup insecurely too. – Chris S Aug 27 '11 at 00:24

score 3 · Answer 4 · answered Aug 27 '11 at 21:11

3

We put these devices into a separated network called admin-network. It is accessible only through admin-workstations connected to that network. So in your case - VPN is the thing to do.

answered Aug 27 '11 at 21:11

Nils

7,657
3
31
71

Is iLO safe enough to be hung on the WAN

4 Answers4

Linked

Related