Resend : Enable/disable access to BMC through interfaces for security

Jandra A jandraara at gmail.com
Tue Nov 5 09:57:59 AEDT 2019


Thank you Joseph and Justin. I am keeping track of all of these to
discuss in the Security Workgroup.

Another thing to think about is where we and customers would want this
type of functionality to live within the GUI. As of now, the proposal
is to create a new panel dedicated to Security within the Access
Control category of the navigation.

Regards,
Jandra

On Fri, Nov 1, 2019 at 12:46 PM Justin Thaler
<thalerj at linux.vnet.ibm.com> wrote:
>
> Hi Jandra, I'm interested in the subject below. Joseph, I've added a few
> more options to your list as well.
>
> On 11/1/19 11:55 AM, Joseph Reynolds wrote:
> > On 11/1/19 9:40 AM, Jandra A wrote:
> >> I am resending this message to whoever has thoughts on which BMC
> >> interfaces need to be disabled for security purposes and what the best
> >> way to do that would be. I would love to collaborate with all parties
> >> interested.
> >
> > Thanks Jandra.  I've added this to the OpenBMC Security Working Group
> > agenda.
> > https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI
> >
> >
> >> ------- begin message:
> >>
> >> Hello all,
> >>
> >> As part of the GUI design team, I am starting to look at requirements
> >> for enabling and disabling network interfaces for which the BMC can be
> >> accessed. For example, IPMI, SSH, Redfish, HTTP, and USB, to name a
> >> few.
> >>
> >> I know there has been some conversation on the topic before (see email
> >> linked below) and want to reach out to see who is interested in this
> >> topic. And I would love to get your thoughts on the following topics.
> >>
> >> Some questions we want to tackle are:
> >> 1. Which interfaces need to be enabled/disabled and what is their
> >> priority? (See full list in the redfish documentation)
> >> 2. What should be the default for the selected above (enabled/disabled)?
> >> 3. Do we need a staged plan for it?
> >> 4. When can we expect backend availability?
> >
> > I am interested in the list of the BMC's external interfaces from a
> > security perspective.  The [network security considerations][] talks
> > about many of the network interfaces.  We should encourage users to
> > disable interfaces they don't need and are not using.  Having such
> > interfaces active opens up the BMC's attack surface and represents
> > security risks.  For example, newly discovered security vulnerabilities
> > might place BMCs at risk, and shutting off the interface will likely
> > make the BMC safe.
> >
> > The BMC also has physical interfaces which users may wish to disable
> > (for the same reasons as above).  The BMC's network interface and
> > USB ports are examples.  Some users may wish to disable the BMC's access
> > to the network and control it solely via its host. However, I am not an
> > expert in this area, so I need help here.  TODO: Get one of the kernel
> > hackers to go over this list.  I understand because OpenBMC is used on
> > different hardware models (such as AST2500's hosted in the AC922
> > "Witherspoon"), it will have different interfaces present.  I think the
> > folks who work with the machines, and who bind device drivers can help
> > us if we know what questions to ask them (better questions than: what
> > interfaces does the BMC have)?  <-- Once again, I am no expert here, so
> > we need to work together to understand this.
> >
> > Here's my starter kit of BMC's external interfaces:
> > network:
> >   - SSH to the BMC shell (port 22)
> >   - HTTP (for either [BMCWEB_INSECURE_DISABLE_SSL][] users or the
> > nascent [HTTP redirect design][])
> >   - HTTPS
>      - Secure Websockets
> >   - (network, aka out of band) IPMI
>      - Extend REST APIs
>      - Redfish
> >   - KVMIP
> >   - Virtual media
> >   - SoL (SSH via port 2200) to the host console
> >   - mDNS discovery
> >   - Avahi discovery service
> >   - virtual USB (USB-over-IP)
> > physical:
> >   - network
>      - USB External
>      - USB to Host
> >   - more? Help needed: would anyone want to give the BMC admin control
> > to shut down pathways between the BMC and host?
> >
> > There will be more interfaces as the project goes forward.  For example,
> > the OpenPOWER work is proposing a communication channel between a
> > Hardware Management Console (HMC) and the host's hypervisor (PHYP) which
> > would use the BMC to set up the channel. Users who don't need this
> > capability might want to have a way to disable it (I don't know) so they
> > can avoid giving unnecessary network access to their hypervisor.  The
> > point is, I think tending this list will be ongoing work.
> >
> > The short list of interfaces I personally care about includes:
> >    SSH, IPMI, Avahi, and USB (physical and USB-over-IP)
> >
> > I hope this partially addresses item 1 above.  :)
> >
> > - Joseph
> >
> > References:
> > [network security considerations]:
> > https://github.com/openbmc/docs/blob/master/security/network-security-considerations.md
> >
> > [BMCWEB_INSECURE_DISABLE_SSL]:
> > https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt
> > [HTTP redirect design]:
> > https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/24173
> >
> >>
> >> Redfish documentation:
> >> https://redfish.dmtf.org/schemas/ManagerNetworkProtocol.v1_4_0.json
> >>
> >> Related email discussion (on staged plans to address IPMI access):
> >> https://lists.ozlabs.org/pipermail/openbmc/2019-September/018373.html
> >>
> >>
> >>
> >> Regards,
> >> Jandra Aranguren
> >
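
Added example (not part of the original thread and not OpenBMC code): a small audit of a Redfish ManagerNetworkProtocol resource, the schema cited above, that lists protocols enabled outside a site policy, builds the PATCH body that would disable them, and reports which interfaces from the thread's short list have no property in that resource. The sample resource, the `KEEP_ENABLED` policy and the function names are assumptions made for illustration.

```python
# Constructed sample of a Redfish ManagerNetworkProtocol resource
# (property names follow the DMTF schema; values are made up, not from a real BMC).
SAMPLE_RESOURCE = {
    "@odata.type": "#ManagerNetworkProtocol.v1_4_0.ManagerNetworkProtocol",
    "Id": "NetworkProtocol",
    "HTTP": {"ProtocolEnabled": False, "Port": 80},
    "HTTPS": {"ProtocolEnabled": True, "Port": 443},
    "SSH": {"ProtocolEnabled": True, "Port": 22},
    "IPMI": {"ProtocolEnabled": True, "Port": 623},
    "KVMIP": {"ProtocolEnabled": True, "Port": 5900},
    "VirtualMedia": {"ProtocolEnabled": False, "Port": 17988},
}

KEEP_ENABLED = {"HTTPS"}                      # hypothetical site policy
WATCHLIST = ["SSH", "IPMI", "Avahi", "USB"]   # the short list from the thread


def enabled_protocols(resource):
    """Map each protocol object with ProtocolEnabled == true to its port."""
    return {
        name: value.get("Port")
        for name, value in resource.items()
        if isinstance(value, dict) and value.get("ProtocolEnabled") is True
    }


def audit(resource, keep, watchlist):
    """Return (to_disable, patch_body, not_reported) for one resource."""
    enabled = enabled_protocols(resource)
    to_disable = sorted(name for name in enabled if name not in keep)
    # Body for a PATCH to the manager's NetworkProtocol resource; whether a
    # given firmware accepts each property is an assumption to verify.
    patch_body = {name: {"ProtocolEnabled": False} for name in to_disable}
    # Watchlist entries the resource has no property for cannot be audited
    # or switched off through this resource at all.
    not_reported = sorted(n for n in watchlist if not isinstance(resource.get(n), dict))
    return to_disable, patch_body, not_reported


if __name__ == "__main__":
    to_disable, patch_body, not_reported = audit(SAMPLE_RESOURCE, KEEP_ENABLED, WATCHLIST)
    for name in to_disable:
        print(f"enabled but not in policy: {name} (port {enabled_protocols(SAMPLE_RESOURCE)[name]})")
    print("PATCH body:", patch_body)
    print("no ManagerNetworkProtocol property for:", not_reported)
```

Interfaces that land in the last list (Avahi and USB in this sample) need a control outside this Redfish resource, which is the gap the thread's interface inventory is trying to map.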

