April 10, 2015
Best Practices for managing servers with IPMI features enabled in Datacenters
Baseboard Management controllers (BMC) with IPMI is commonly used to manage servers. Most Supermicro server models support IPMI either through a dedicated management interface or through a shared LAN. All X7 and later generation products have IPMI 2.0 enabled that provides security through encryption algorithms. BMC provides powerful remote debugging capabilities in the datacenters but at the same time if not configured properly, causes unwarranted access to BMCs from Internet or within the company and can compromise the security of your machines. Supermicro recommends the following steps that datacenters need to consider while using IPMI to manage your machines.
1. Network Configuration
a. Restrict inbound traffic over internet directly to BMCs. Logon to a secure management server in datacenter and manage all BMCs from the management server.
b. Reserve special IP address range (private subnets) to BMC management interfaces and management servers. Don’t use reserved IP subnets with LAN interfaces of the managed machines.
c. Configure the firewall to restrict outbound traffic from BMC including alerts within the reserved IP range.
d. Use dedicated management interfaces for managing BMCs. If dedicated management interfaces are absent and have to use shared LAN, then configure separate VLANs for BMC traffic.
2. BMC Configuration
a. Customize service ports information on the BMC to your datacenter specifications. For example; you can configure http port to 57880 instead of 80.
b. Change the default password during installation and use strong passwords
c. Create user policies and roles on BMC
d. Use the IP Access Policy to enable access rules to BMC from management servers
3. Additional measures
a. Monitor for unusual traffic between BMC and other machines in the network
b. Pay attention to firmware release notes (especially related to security fixes) and plan upgrades of the firmware during maintenance cycles
About ServerWare® Sdn Bhd
ServerWare® provides advanced hardware systems to cloud datacenters worldwide. Product lines include servers, storage, network switches, and integrated rack systems. ServerWare® customers want the same innovative cloud hardware technology in use by hyperscale cloud datacenter operators, but in off-the-shelf SKUs with global services. ServerWare® sells cloud hardware that delivers hyperscale performance, efficiency and advanced engineering, with flexible product configuration, rack integration, performance tuning and engineering consulting services to help customers deploy optimized cloud solutions for their unique cloud workloads.
ServerWare® is SuperMicro® Distributor in Malaysia