On Mon, Jun 2, 2014 at 7:42 PM, Jimmy Hess <mysi...@gmail.com> wrote:
> On Mon, Jun 2, 2014 at 8:21 AM, shawn wilson <ag4ve...@gmail.com> wrote:
> [snip]
>> So, kinda the same idea - just put IPMI on another network and use ssh
>> forwards to it. You can have multiple boxes connected in this fashion
>> but the point is to keep it simple and as secure as possible (and IPMI
>> security doesn't really count here :) ).
>
> About that "as secure as possible" bit. If just one server gets
> compromised that happens to have its IPMI port plugged into this
> private network; the attacker may be able to pivot into the IPMI
> network and start unloading IPMI exploits.
>

Generally, I worry about workstations with access being compromised more than I do about a server running sshd and routing traffic. But obviously, if someone gets access, they can play foosball with your stuff.

> So caution is definitely advised, about security boundaries: in case
> a shared IPMI network is used, and this is a case where a Private
> VLAN (PVLAN-Isolated) could be considered, to ensure devices on
> the IPMI LAN cannot communicate with one another --- and only
> devices on a separate dedicated IPMI Management station subnet can
> interact with the IPMI LAN.
>

I can't really argue against the proper use of vlans (and that surely wasn't my point). I was merely saying that you can use ssh as a simpler solution (and possibly a more secure one since there's not a conduit to broadcast to/from) than a vpn. That's it.
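The ssh-forward arrangement discussed in this thread, as an added configuration example that is not from either poster: a jump-host account that can do nothing except open forwards to listed BMC addresses, plus the matching client entry on the admin workstation. The host names, addresses, account name and key path are assumptions.

```text
# --- /etc/ssh/sshd_config on the jump host (assumed name: ipmi-jump) ---
# Dedicated forwarding-only account: no shell, no PTY, no agent or X11
# forwarding, no remote (-R) forwards, and only the listed BMC endpoints.
Match User ipmi-fwd
    AuthenticationMethods publickey
    AllowTcpForwarding local
    PermitOpen 10.20.0.11:443 10.20.0.12:443   # assumed BMC addresses (web UI)
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false    # any session request ends immediately

# --- ~/.ssh/config on the admin workstation ---
# -N / SessionType none requests no session, so ForceCommand never runs and
# only the forward is established. ssh -L carries TCP only: RMCP+ (UDP 623,
# used for IPMI-over-LAN and SOL) is not reachable this way, which is both
# the isolation benefit mentioned above and the limit of this approach.
Host bmc-node1
    HostName ipmi-jump.example.internal
    User ipmi-fwd
    IdentityFile ~/.ssh/ipmi_fwd_ed25519
    SessionType none           # OpenSSH 8.7+; on older clients use: ssh -N
    ExitOnForwardFailure yes
    LocalForward 127.0.0.1:8443 10.20.0.11:443
```

With this in place, `ssh bmc-node1` in one terminal and https://127.0.0.1:8443/ in a browser reach the first BMC's web UI; a compromised server on the IPMI segment still cannot use the jump host as a route back out, since the account accepts no remote forwards and no commands.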