A BMC (Baseboard Management Controller) is an embedded computer on the server board that can access and control all of the server’s resources. Its remote management capabilities make operations more efficient, but the BMC is also an always-on, highly privileged target: anyone who compromises it controls the whole machine from below the operating system.
In this blog, you’ll learn what IPMI (Intelligent Platform Management Interface) is, how it lets you monitor server health and control the machine irrespective of the operating system or the server’s location, and why securing it matters.
What is IPMI?
IPMI (Intelligent Platform Management Interface) is a set of standardized specifications for hardware-based platform management systems that makes it possible to control and monitor servers centrally.
IPMI is a form of out-of-band (OOB) management: it works through the BMC rather than through the host, so management tasks remain possible regardless of the server’s location, even when the installed operating system is unresponsive or the server is powered off (as long as standby power is present).
IPMI is used by the server’s BMC (Baseboard Management Controller), an embedded computer used to provide OOB management. The BMC has access to and control of the server’s resources, including memory, power, and storage. Additionally, it supports remote boot and server environment monitoring.
IPMI is usually implemented as a network service that runs on a dedicated Ethernet port on the server, sometimes labeled the “management port.”
What are the main features of IPMI?
IPMI is a software-neutral approach that functions independently from a server’s BIOS, CPU, and operating system (OS).
IPMI is critical because it provides the following four functions:
- Monitoring and supervising servers
- Recovering and restarting servers
- Logging server states
- Listing all server inventory
What are the benefits of IPMI?
There are six main benefits to IPMI:
- It constantly monitors server health and gives advance warning of possible system failures.
- IPMI runs independently of the host and remains accessible as long as the BMC has standby power and a network path.
- Configuration changes are easy to make.
- It enables the user(s) to access and make BIOS changes without operating system access.
- Server recovery is possible even if it is switched off.
- It is a universal standard that is supported by the vast majority of hardware vendors.
Figure (image not reproduced here): our BAM8270 board with its AST2500 BMC, showing how the BMC communicates with the rest of the system.
What supports IPMI?
In addition to the BMC, there are four other key components that support IPMI:
- Intelligent Chassis Management Bus (ICMB): This is an interface that allows communication from one chassis to another.
- Intelligent Platform Management Bus (IPMB): An I2C-based bus inside the chassis over which the BMC talks to additional (satellite) management controllers using a defined message protocol.
- IPMI Memory: The BMC’s non-volatile stores: the Sensor Data Record (SDR) Repository, the System Event Log (SEL), and Field Replaceable Unit (FRU) inventory information.
- Communication Interfaces: These consist of local system interfaces, a serial interface, a LAN (local area network) interface, ICMB, and the PCI Management Bus.
How to access IPMI
Once your management station is connected to the BMC’s network, it speaks IPMI over IP (RMCP/RMCP+ on UDP port 623) to the BMC on the server motherboard. That network should be a private management LAN, not the internet.
The BMC then uses the system’s management buses to reach the BIOS, CPU, OS, power supply, and sensors, allowing you to read CPU and fan speeds, voltages, temperatures, and the event log, and to power-cycle or reboot the server.
Why IPMI must be secured
A server whose IPMI interface is reachable by an attacker can be completely compromised at the BMC level, below the operating system.
With IPMI access, an attacker can reboot the system, boot and install a new OS, and read the data on disk, bypassing every operating-system control. Because IPMI also provides a remote console (serial-over-LAN, and KVM on most BMCs), an attacker may also modify BIOS settings.
BMCs commonly ship with default passwords, and IPMI credentials can also be read or reset from a root-compromised server through the in-band interface (for example, with ipmitool over /dev/ipmi0). Since the same credentials are often shared across a fleet, one stolen set can open every host in the IPMI-managed group. The protocol itself adds weaknesses: the IPMI 2.0 RAKP handshake returns a salted HMAC of the requested user’s password before authentication completes, so password hashes can be collected and cracked offline, and a BMC that leaves cipher suite 0 enabled accepts sessions with no authentication at all.
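The first thing to establish is whether a BMC is answering on the management port at all. The following is an added example, not code from the original post or a Trenton Systems tool: it builds the RMCP/ASF Presence Ping that utilities such as ipmiping send to UDP port 623 and decodes the Presence Pong a BMC replies with. The SAMPLE_PONG bytes are constructed for the example; the probe() function is what you would point at a real host from outside the management network, where a reply means the BMC is exposed.

```python
"""Added example (not from the original post): RMCP/ASF Presence Ping to a BMC
on UDP port 623 and decoding of the Presence Pong it returns. A BMC that
answers this probe is reachable out-of-band from wherever the probe was sent.
SAMPLE_PONG is a constructed reply from a hypothetical BMC."""
import socket
import struct
from typing import Optional

IPMI_PORT = 623                 # IPMI over LAN (RMCP / RMCP+)
ASF_IANA = 0x000011BE           # IANA enterprise number 4542: ASF
ASF_PRESENCE_PING = 0x80
ASF_PRESENCE_PONG = 0x40
# RMCP header: version 6, reserved, sequence 0xFF (no ack wanted), class 6 (ASF)
RMCP_HEADER = bytes([0x06, 0x00, 0xFF, 0x06])


def build_presence_ping(tag: int = 0x01) -> bytes:
    """RMCP header followed by an ASF Presence Ping with no payload: 12 bytes."""
    asf = struct.pack(">IBBBB", ASF_IANA, ASF_PRESENCE_PING, tag & 0xFF, 0x00, 0x00)
    return RMCP_HEADER + asf


def parse_presence_pong(data: bytes) -> dict:
    """Decode an ASF Presence Pong; raise ValueError for anything else."""
    if len(data) < 28:
        raise ValueError("datagram too short for a Presence Pong")
    version, _reserved, _seq, msg_class = data[0:4]
    if version != 0x06 or (msg_class & 0x1F) != 0x06:   # bits 4:0 = message class
        raise ValueError("not an RMCP ASF message")
    iana, msg_type, tag, _reserved2, data_len = struct.unpack(">IBBBB", data[4:12])
    if iana != ASF_IANA or msg_type != ASF_PRESENCE_PONG or data_len != 16:
        raise ValueError("not an ASF Presence Pong")
    oem_iana, oem_defined, entities, interactions = struct.unpack(">IIBB", data[12:22])
    return {
        "tag": tag,
        "ipmi_supported": bool(entities & 0x80),   # bit 7: IPMI supported
        "asf_version": entities & 0x0F,            # bits 3:0: ASF version
        "oem_iana": oem_iana,
        "oem_defined": oem_defined,
        "interactions": interactions,
    }


def is_presence_pong(data: bytes) -> bool:
    """Convenience predicate for scanners: True only for a well-formed Pong."""
    try:
        parse_presence_pong(data)
        return True
    except ValueError:
        return False


# Constructed Presence Pong from a hypothetical BMC: IPMI supported, ASF 1.0.
SAMPLE_PONG = bytes.fromhex(
    "0600ff06"            # RMCP header
    "000011be40010010"    # ASF: IANA 4542, Presence Pong, tag 1, reserved, 16 data bytes
    "000011be00000000"    # OEM IANA (ASF), OEM-defined field
    "8100"                # entities: IPMI supported | ASF v1; interactions: none
    "000000000000"        # reserved
)


def probe(host: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one Presence Ping to host:623 and return the decoded Pong, or None
    if nothing valid comes back. Run it from outside the management network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_presence_ping(), (host, IPMI_PORT))
        try:
            data, _addr = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_presence_pong(data) if is_presence_pong(data) else None


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]) or f"{sys.argv[1]}: no RMCP answer on UDP {IPMI_PORT}")
    else:
        print(parse_presence_pong(SAMPLE_PONG))
```

The ping needs no credentials, which is the point: it tells you the BMC is listening, not whether its passwords are strong. Sweep your public address space with it from the outside, and anything that answers belongs on the private management network described in the next section.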
How to secure IPMI
To prevent unauthorized access and protect critical data, IPMI should be restricted to private management networks only.
If IPMI is not in use and cannot be disabled on your device, or if there is no choice but to run it on a shared network, put the management port on its own VLAN (a virtual local area network: a subnetwork that groups devices logically regardless of the physical LAN they sit on) and filter traffic at the switch or firewall so that only your management stations can reach that VLAN.
If you do not intend to use IPMI, assign it a non-routable IP address in an address range that is not used for anything else.
If you do intend to use it on your campus network, get a static IP address for it so that it can be inventoried and firewalled.
IPMI should never use a public address.
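Putting the list above into practice on a Linux host, as an added example that is not code from the original post or from Trenton Systems: the script below turns the static-address and never-public rules into ipmitool commands run in-band on the server, and refuses to continue if the address it is handed is publicly routable. It assumes LAN channel 1 and administrator user ID 2 (both vendor-specific; confirm with `ipmitool lan print` and `ipmitool user list 1`), and it adds one step the page’s list does not mention, restricting RMCP+ to authenticated, encrypted cipher suites so that cipher suite 0 is off.

```python
"""Added example (not from the original post): generate and optionally run the
ipmitool commands that pin a BMC to a static, non-routable address and disable
unauthenticated cipher suites. Assumptions: LAN channel 1, admin user ID 2,
ipmitool available in-band (run as root on the server)."""
import ipaddress
import subprocess
from typing import List

LAN_CHANNEL = 1   # assumption: the BMC's LAN channel
ADMIN_UID = 2     # assumption: the administrator account

# One character per RMCP+ cipher suite ID 0..14: 'X' disables the suite,
# 'a' allows it up to administrator privilege. Suite 0 performs no
# authentication and no integrity checking; 3, 8 and 12 are the suites that
# combine AES-CBC-128 confidentiality with an integrity algorithm.
CIPHER_PRIVS = "XXXaXXXXaXXXaXX"


def is_private_management_address(addr: str) -> bool:
    """True when addr is not publicly routable (RFC 1918, link-local, etc.)."""
    return not ipaddress.ip_address(addr).is_global


def plan_hardening(addr: str, netmask: str, gateway: str) -> List[List[str]]:
    """Return the ipmitool argv lists for a static private address and a
    restricted cipher-suite policy; refuse a publicly routable address."""
    if not is_private_management_address(addr):
        raise ValueError(f"{addr} is publicly routable; IPMI must never use a public address")
    lan = ["ipmitool", "lan", "set", str(LAN_CHANNEL)]
    return [
        lan + ["ipsrc", "static"],
        lan + ["ipaddr", addr],
        lan + ["netmask", netmask],
        lan + ["defgw", "ipaddr", gateway],
        lan + ["cipher_privs", CIPHER_PRIVS],
        # The new password is deliberately not placed on the command line,
        # where it would be visible in `ps`; ipmitool prompts for it when
        # the password argument is omitted.
        ["ipmitool", "user", "set", "password", str(ADMIN_UID)],
    ]


def apply_plan(plan: List[List[str]], dry_run: bool = True) -> int:
    """Print each command; execute it unless dry_run. Returns the count run."""
    ran = 0
    for argv in plan:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)
        ran += 1
    return ran


if __name__ == "__main__":
    # Constructed sample addresses on an RFC 1918 management VLAN.
    apply_plan(plan_hardening("10.0.0.5", "255.255.255.0", "10.0.0.1"), dry_run=True)
```

After running it for real, confirm the result with `ipmitool lan print 1` (address source should read Static, and the cipher suite privilege line should show suite 0 as X) and re-run the presence probe from outside the management network to make sure the BMC no longer answers there.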
IPMI and Trenton Systems
Trenton Systems uses the latest IPMI utilities and has software engineers on staff who bolster its security features to protect critical data at the highest level.
Working with partners like Insyde, who develop the firmware source code, we are able to make quick changes in the BIOS around IPMI and other features per customer requirements.
Want to learn more? Get in touch with our team of experts to craft a customized, USA-made, cybersecure, high-performance compute solution that enables you to ensure optimal performance across all domains of the modern battlespace, no matter where the mission leads.