InformationWeek Financial Services Special Reports

Perimeter Security


Robert Graham, CEO of Errata, which has been conducting Internet scan research of its own, says Moore's IPMI research is the most critical to enterprises because it shows how corporate servers and datacenters are exposed. Even though many of the flaws that are found in Moore's, Errata Security's, and others' scans go ignored by many users and vendors, such scanning is still necessary because the bad guys are doing the very same scans, Graham contends.

"IPMI is dangerous, and that has been known for a long time [by hackers]," he says. Exposing the vulnerable devices ultimately pressures vendors to do something to improve security, he says.

Graham says "making a stink" about these problems prevents vendors from holding their users hostage. "When they say [to researchers], 'Please don't disclose this vulnerability because it affects my users' ... it means, 'I'm holding my users hostage,'" Graham says.

So what can enterprises do to protect their servers from getting hacked via IPMI or BMC bugs? Johannes Ullrich, head of SANS Storm Center, says protecting IPMI is a tricky balance.

"There is little one can do to protect an IPMI interface if the interface is needed to remotely administer the system, in particular, given the back door fixed passwords. The best you can do is limit access to the IPMI interface via a firewall, and maybe by changing default ports if this is an option," Ullrich said in a SANS ISC diary post. "Once exposed, an attacker will have the same access to the system as a user with physical system access. Remember that turning off a system may leave IPMI enabled unless you disconnect power or network connectivity."

Running the IPMI traffic over a separate management network or virtual LAN is also an option, Graham says. "No matter how many updates you get, assume you've still got a problem. [IPMI] should always be managed [as if in a] hostile [environment]," he says.
Beardsley says security pros should talk with their IT and network staff who run their datacenters. "Ask them nicely to make sure this stuff is not exposed on the WAN," he says.
