network card to reduce attack surface?

n2vi:
I have updated the BMC firmware in the past [see 2021-03-21 post], but as time passes I'm uncomfortable with the attack surface exposed by the BMC listening on the motherboard network ports. My current solution is to unplug from those and instead add a network card on the PCI bus. I still have serial connections for BMC and POWER for doing system administration.

Is there a simpler way to achieve this? Perhaps a BMC configuration trick that disables NC-SI?

Borley:
IIRC the BMC is only remote accessible through the third RJ45 port (adjoined to rear panel USB on Blackbird).
--- Quote ---The C1P9S01 BMC is attached to network port 3 via NCSI, and is configured to request an IP address via DHCP
--- End quote ---

It should be safe to just avoid using that port.

n2vi:
Thanks for the quick response!

I should have clarified in my question that I'm running Talos II and can definitely ssh to the BMC through the main ports. I don't have a Blackbird, so I can't say what is possible there, but if I'm looking at the correct schematic from Raptor's site it would seem to have the same issue.

It is the bmcweb process I see running on the BMC that particularly prompted me to be nervous, but I haven't investigated that in detail. A potential pre-auth ssh vulnerability is enough to make me want the air-gap anyway.

n2vi:
It might be enough (from the BMC serial port) to say "ifconfig eth0 down", which I've done.
I'm not enough of an expert in the firmware's network stack to feel confident that's all I need.

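As a follow-up check for the "ifconfig eth0 down" approach above (and the bmcweb worry two posts up), here is an added example from the editor, not code posted by n2vi or shipped with the BMC firmware. It lists which TCP listeners on the BMC are bound to non-loopback addresses, i.e. the services that become reachable the moment the NC-SI link comes back up, and reports the current link state of eth0. It assumes the BMC runs a Linux userland with iproute2 (`ip` and `ss`); the embedded `ss -ltn` output is a constructed sample (ports and addresses are illustrative, not taken from the thread) so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example (editor), not from the thread or from the BMC firmware.
# Audits TCP listeners that are reachable over a NIC (non-loopback binds)
# and shows the eth0 link state, so you can verify what "ifconfig eth0 down"
# actually removed from the network and what would return if the link came up.

# Constructed sample of `ss -ltn` output (assumed for illustration only).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       128     *:443                *:*
LISTEN  0       128     [::1]:5355           [::]:*
LISTEN  0       128     [::]:22              [::]:*'

# exposed_listeners: reads `ss -ltn` output on stdin and prints the
# "addr:port" of every LISTEN socket whose local address is not loopback.
# 127.0.0.0/8 and [::1] are skipped; 0.0.0.0, *, [::] and specific NIC
# addresses are reported because a remote host can reach them.
exposed_listeners() {
    awk '$1 == "LISTEN" {
        la = $4
        n = split(la, parts, ":")
        # everything before the final ":port" is the address
        addr = substr(la, 1, length(la) - length(parts[n]) - 1)
        if (addr == "[::1]" || addr ~ /^127\./) next
        print la
    }'
}

# count_exposed: number of non-loopback listeners in the constructed sample.
count_exposed() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners | wc -l | tr -d ' '
}

# eth0_state: "UP", "DOWN" or "" (if `ip` is unavailable or eth0 is absent).
# Parses the word after "state" in `ip -o link show eth0`.
eth0_state() {
    command -v ip >/dev/null 2>&1 || return 0
    ip -o link show eth0 2>/dev/null |
        awk '{ for (i = 1; i < NF; i++) if ($i == "state") print $(i + 1) }'
}

# audit_bmc: live check, only meaningful when run on the BMC itself.
audit_bmc() {
    echo "eth0 link state: $(eth0_state)"
    if command -v ss >/dev/null 2>&1; then
        echo "listeners reachable over a NIC:"
        ss -ltn | exposed_listeners
    else
        echo "ss not available; cannot enumerate listeners" >&2
    fi
}

# Offline demonstration on the constructed sample:
echo "exposed listeners in sample: $(count_exposed)"
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

Run `audit_bmc` from the BMC serial console before and after taking eth0 down. Note that a runtime `ifconfig eth0 down` (or `ip link set eth0 down`) is not persisted: it is lost when the BMC reboots or its network configuration is reapplied, so the listener list you see here is what will be reachable again unless the firmware's own network configuration is changed as well.
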
power9mm:
So to clarify, the BMC on the Blackbird is isolated and not accessible if one has network access on the other two Ethernet ports. Correct?
