HP AB500A - Integrated Lights-Out Advanced Technology Brief

HP Integrated Lights-Out security, 6th edition
Table of Contents


HP Integrated Lights-Out security technology brief, 6th edition

Abstract ... 3
Introduction ... 3
Security assumptions about iLO and its environment ... 4
Comparing the iLO processor to other service processors ... 4
Phlashing ... 4
iLO strengths against common attacks ... 4
Security of the hardware design ... 5
Management ROM ... 6
Firewall logic ... 7
Memory ... 7
NVRAM-non-volatile data storage ... 7
Network and management ports ... 7
    SNP for select ProLiant servers ... 8
    Shared network port with Virtual LAN ... 8
Security techniques used by iLO ... 9
Authentication and authorization processes for browser access ... 9
    Login process using a local account ... 10
    Login process using directory services with HP schema extensions ... 13
    Login process using directory services with HP default schema ... 14
    Calculating current privileges ... 15
    Login process using two-factor authentication ... 16
    Login process for remote console and virtual serial port ... 18
    Single Sign-On (SSO) ... 20
Authentication and authorization processes for CLI access ... 23
Encryption ... 23
    Secure Sockets Layer (SSL) ... 24
    AES encryption ... 24
    Remote console and virtual serial port data encryption ... 24
    Secure Shell encryption ... 25
Disabling and changing ports ... 25
Connectivity among iLO, the host server, and the network ... 27
Access to iLO by means of the network ... 27
    Web browser ... 27
    Telnet, remote console, and virtual serial port ... 28
    Multi-user Integrated Remote Console (IRC) ... 28
    SSH for the command-line interface ... 28
    CPQLOCFG utility ... 28
    Directory services ... 29

Summary of Contents for HP AB500A - Integrated Lights-Out Advanced

  • Page 1: Table Of Contents

    HP Integrated Lights-Out security technology brief, 6th edition. Abstract 3; Introduction 3; Security assumptions about iLO and its environment 4; Comparing the iLO processor to other service processors 4; Phlashing 4; iLO strengths against common attacks 4; Security of the hardware design ...
  • Page 2 SNMP 29; Systems Insight Manager 29; Access to iLO by means of a physical connection 29; Host server serial port 29; iLO Security Override jumper switch 30; Access to the server from iLO 30; iLO software on host using the PCI bus 30; RBSU ...
  • Page 3: Abstract

    Abstract HP Integrated Lights-Out (iLO) is the autonomous management processor that resides on the system board of ProLiant and Integrity host servers. HP built security features into iLO using multiple layers that encompass the hardware, firmware, communication interfaces, and deployment capabilities. The intent of this technology brief is to inform readers about the design of iLO itself and how it ensures security.
  • Page 4: Security Assumptions About iLO And Its Environment

    Security assumptions about iLO and its environment Persons with physical access to a server can alter the host server and the iLO setup. Therefore, it is assumed that any individual with unrestricted access to the inside of a server enclosure is a super-user or administrator.
  • Page 5: Security Of The Hardware Design

    awareness of attacks in progress, and unregulated virtual media access. While service processors produced by other vendors may be at risk from the issues described here, that is not the case with iLO. iLO has been hardened against all of these risks: Flash protection –...
  • Page 6: Management ROM

    [Figure 1. Schematic diagram of the iLO processor] Management ROM The Management ROM (flashROM) includes the iLO boot block and the iLO main firmware image. The iLO boot block is responsible for the initial hardware and software setup, location and validation of an executable image, and transfer of control to the executable image.
  • Page 7: Firewall Logic

    The boot block is flashed only if the firmware flash is performed while the iLO Security Override jumper is set (disabled). For maximum security, the flash should not be performed while the iLO security jumper is set unless the specific intent is to update the boot block. It is not anticipated that the boot block will require updating;...
  • Page 8: SNP For Select ProLiant Servers

    will not be able to route packets between its 10/100 Ethernet port and an Ethernet port (possibly embedded) on the host server. Therefore, if the host is compromised, iLO cannot be exploited as a means to compromise the management network. Conversely, in the unlikely event that the management port is compromised, there is no chance that the server network will be compromised as a result.
  • Page 9: Security Techniques Used By iLO

    VLAN tag is a 32-bit number inserted into each 802.1Q Ethernet frame. The VLAN ID is a 12-bit number within the VLAN tag that identifies the Ethernet frame as belonging to a particular VLAN. Each port in an 802.1Q-compliant switch can be configured to belong to the same VLAN or to a different VLAN.
  • Page 10: Login Process Using A Local Account

    Login process using a local account Figure 3 shows the iLO login process using a local account. [Figure 3. User login process when using a local account. Figure label: 5. iLO performs login with cookie credentials. Privileges are verified.] The first step in the login/authentication process is for the web browser on the management console to connect with the web server in the iLO device.
  • Page 11 Once an SSL connection is established, login authentication commences. The iLO device returns a login page to the user that includes a unique session ID and a random session key. The unique session ID points to a session control block, an area of memory where all the session information is stored for that user and that session.
  • Page 12 session that generated the cookie can access it. When the user closes the browser or logs out of iLO, the browser destroys the cookie. Therefore, users should close all browser instances to guarantee the cookie is destroyed. After the browser creates the cookie, it returns it to iLO with a request for a status page. The iLO device then begins the process of looking up the assigned user privileges.
  • Page 13: Login Process Using Directory Services With HP Schema Extensions

    (Figure 6). The iLO Status Summary screen provides general information about iLO, such as all logged in users, server name and status, iLO IP address and name, and latest log entry data. At that point, the login process is complete. The iLO processor has fully authenticated the user who can then perform authorized functions.
  • Page 14: Login Process Using Directory Services With HP Default Schema

    [Figure 7. Login process when using directory services] Login process using directory services with HP default schema Using the HP Default Schema method (sometimes referred to as Schema-free method), access to iLO can be controlled using directories without requiring schema extensions. iLO acquires the user’s name to determine group membership from the directory.
  • Page 15: Calculating Current Privileges

    Calculating current privileges A user’s privileges can change at any time, even while the user is logged in. For example: • An administrator could change a user’s rights while that user is logged into the iLO device and the browser session is open. •...
  • Page 16: Login Process Using Two-Factor Authentication

    [Figure 8. Flowchart for calculating current privileges] NOTE: This section describing user privileges applies to local accounts as well as directory accounts. Login process using two-factor authentication With the version 1.80 firmware release, iLO provides a more robust authentication scheme supporting Microsoft Internet Explorer only.
  • Page 17 When two-factor authentication is required, access to the OS on a remote server will use smart card device support within Windows Remote Desktop Connection (RDP). iLO provides access to RDP with the Terminal Services pass-thru function. NOTE: Support for smart cards in RDP requires that the remote server be running Microsoft Windows Server 2003 or later.
  • Page 18: Login Process For Remote Console And Virtual Serial Port

    [Figure 9. Two-Factor authentication dialogue between the client and iLO, and between iLO and the directory server] Login process for remote console and virtual serial port The iLO remote console server monitors the remote console port for connections from the remote console and virtual serial port applets and possibly Telnet.
  • Page 19 The iLO device securely sends a one-time login token to the second browser window. The token contains base-64 encoded hash values of a random secret key and a random session key. This token is sent securely over SSL so a LAN sniffer cannot capture it. The Java applet in the second browser window decodes (using base-64) the information within the token.
  • Page 20: Single Sign-On (SSO)

    The result is base-64 encoded and sent to the applet. [Figure 11. Process iLO uses to create the one-time login token for Java applet login] The result is that the applet passes the web server session ID as username and the ASCII hash as password to iLO.
  • Page 21 user’s HP SIM role. iLO 2 will trust SIM and, implicitly, users authenticated by SIM. The SIM SSO implementation uses a trusted certificate model for iLO to allow authentication to users from within the SIM framework. Use of this feature was introduced with the release of iLO v1.91 or iLO 2 v1.30, and HP SIM 5.1 with SIM 5.1 Hotfix to add SIM SSO support.
  • Page 22 [Figure 12. HP SIM Single Sign-On to iLO process] The numbered steps shown in Figure 12 describe the authentication process: 1. The user logs in to HP Systems Insight Manager Central Management Server. 2. The user follows a link in HP SIM. This link initiates the SSO connection. 3.
  • Page 23: Authentication And Authorization Processes For CLI Access

    iLO, but there is limited space to store certificates. When full, no additional records may be added unless other records are first removed. Record removal occurs when the buffer rolls over and any earlier certificate information is lost. Authentication and authorization processes for CLI access The iLO command-line interface gives customers another way (in addition to the web browser) to access critical iLO functions such as the virtual power capability, text-based remote console, and virtual serial port.
  • Page 24: Secure Sockets Layer (SSL)

    The purpose of a cipher is to make data private, so that only parties to the cipher and keys can read the data. The frameworks enable cipher negotiation as well as the secure exchange of keys used to initiate encrypted communication within the cipher algorithm. iLO supports RC4, 3DES and AES ciphers.
  • Page 25: Secure Shell Encryption

    This random stream of bytes is combined in a Boolean XOR operation with the data being sent to create the encrypted data. The client then sends a “connect” message to the server. Part of the “connect” message is a “start encryption now”...
  • Page 26 Administrators can manually configure the port numbers of the HTTP port for the Web and XML server, the Telnet port, remote console port, Terminal Services Pass-Through port, virtual media port, and the SSH port. The only port numbers that cannot be reconfigured are the SNMP ports. For example, when given an IP address, a web browser normally attempts to connect with port 80.
  • Page 27: Connectivity Among iLO, The Host Server, And The Network

    Connectivity among iLO, the host server, and the network Thus far, this paper has explained the techniques that iLO uses to ensure secure communications. To better understand potential security risks in their environments, administrators may also want to be aware of the points of access to and from iLO, the host server, and the client. The following sections briefly describe how the iLO design or its configuration mitigates those risks.
  • Page 28: Telnet, Remote Console, And Virtual Serial Port

    Telnet, remote console, and virtual serial port Because Telnet is not an inherently secure protocol, administrators may be reluctant to use its functionality. The following section describes how iLO facilitates secure Telnet access. The remote console and virtual serial port functions use the standard Telnet port to connect to the iLO device. Although Telnet itself is not encrypted, invoking the remote console applet enables its encryption feature.
  • Page 29: Directory Services

    Directory services The iLO processor uses SSL-protected LDAP (LDAPS) to communicate with the directory server. For a more detailed discussion of LDAPS, refer to “Appendix C: LDAP/LDAPS definitions” in this document. Using directory services is generally considered to be more secure than using local iLO user accounts for the following reasons: •...
  • Page 30: iLO Security Override Jumper Switch

    functionality or restrict user access by requiring authentication to the CLI. In addition, administrators can change the host server OS to disable any support for the host server serial port. iLO Security Override jumper switch As stated in the section titled “Security assumptions about iLO and its environment,” people with physical access to a server can alter the host server and the iLO setup.
  • Page 31: CPQLODOS

    CPQLODOS Administrators can use the CPQLODOS utility for initial deployment of the iLO processor. It is used only in a DOS environment, such as during SmartStart scripted deployment, and not over the network. Therefore, it requires a reboot to DOS. The administrator must have a DOS image loaded on a host or a floppy, which means that the user either has physical access or a virtual media privilege, with all the accompanying user rights and authentications.
  • Page 32 [Figure 15. Example configuration of a DMZ] iLO provides the capability to create a separate, secondary network (iLO Net in Figure 14) that is parallel to the primary or production network. This dual network architecture has the benefit of completely segregating management traffic from production network traffic.
  • Page 33: Lights-Out Management Integration With Rapid Deployment Pack

    Servers inside the DMZ and on the internal network can use iLO processors. Because the network connection to iLO is completely isolated from the network ports on the server, there is no possibility for data to flow from the DMZ network to the iLO network, or vice-versa. Therefore, even if the DMZ network is compromised, the iLO network will remain secure.
  • Page 34: Security Audits

    Security Audits Recent legislation may mandate periodic security audits. iLO maintains an event log containing date- and time-stamped information pertaining to events that occurred in the iLO configuration and operation. This log can be accessed manually through the System Status tab of the iLO browser interface.
  • Page 35 of data, keystrokes, and security keys. The hardware design protects keys and sensitive password information. The hardware design also facilitates a separation of the iLO management traffic from all host server traffic. A networked environment has inherent security risks. The iLO processor mitigates many of these risks through authorization, authentication, and encryption.
  • Page 36: Appendix A: Digital Certificates

    Appendix A: Digital certificates A digital certificate is an integral component of the SSL encryption technology. The digital certificate provides data integrity by ensuring that a third party cannot insert false data into the encrypted data stream. A digital certificate includes a public key based on RSA encryption and an accompanying digital signature (see Table A-1).
  • Page 37 Figure A-1. Example of how a digital signature works...
  • Page 38: Appendix B: SSH-2 Support

    Appendix B: SSH-2 support The following table lists the SSH features supported by iLO. Table B-1. Relationship between iLO SSH and the SSH-2 standard
    Algorithm | SSH-2 Standard | iLO SSH
    Server Host Key Algorithms
    ssh-dsa | Required | Supported
    ssh-rsa | Recommended | Supported
    X509v3-sign-rsa | Optional | Not supported
    Encryption (same set supported both ways)
  • Page 39
    Algorithm | SSH-2 Standard | iLO SSH
    None | Required | Supported
    Language | English (same as current Telnet) | Supported
    Key exchange
    Diffie-hellman-group1-sha1 | Required | Supported
    Public Key algorithms
    ssh-dss | Required | Supported
    ssh-rsa | Recommended | Supported
    X509v3-sign-rsa (certificates) | Optional | Not supported
    X509v3-sign-dss (certificates) | Optional | Not supported
    Spki-sign-rsa (certificates) | Optional | Not supported
    Spki-sign-dss (certificates)
  • Page 40: Appendix C: LDAP/LDAPS Definitions

    Appendix C: LDAP/LDAPS definitions The LDAP/LDAPS protocol provides access to directories supporting the X.500 models but does not incur the resource requirements of the X.500 Directory Access Protocol (DAP). The LDAP/LDAPS protocol is specifically targeted at management applications and browser applications that provide read/write interactive access to directories.
  • Page 41: Appendix D: Glossary

    Appendix D: Glossary Table D-1. Common acronyms used in this document (columns: Term, Definition). ASCII: Acronym for the American Standard Code for Information Interchange. ASCII is a code for representing English characters as numbers, with each letter assigned a number from 0 to 127.
  • Page 42 Term Definition Virtual private network, or a network that is constructed using public wires (the Internet) to connect nodes. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted. (Source: www.webopedia.com).
  • Page 43: For More Information

    Send comments about this paper to: [email protected] © 2004, 2006, 2007, 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services.

This manual is also suitable for:

iLO 2 v1.60, iLO v1.91
