iLOs and iDRACs should be on a management VLAN, vulnerable or not.
Security holes in server management technology create hacking opportunities almost on par with direct physical access, claims Metasploit creator HD Moore. The issue arises from security shortcomings involving baseboard management controllers (a type of embedded computer used to provide out-of-band monitoring for desktops and …
"iLOs and iDRACs should be on a management VLAN, vulnerable or not."
Yes but the snag is all the other things that get connected to management VLANs by people who should know better and who have been repeatedly warned of the risks.
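The two points in the posts above (management interfaces belong on a dedicated VLAN, and the real problem is everything else that ends up on that VLAN) can be checked mechanically against an inventory. The following is an added example, not code from this thread or from any BMC vendor; the VLAN id, the management subnet and the inventory records are all constructed for illustration, and a real deployment would feed it from its CMDB or switch configuration instead.

```python
"""Audit an interface inventory for two management-network mistakes:
 1. a BMC (iLO/iDRAC/IPMI) or switch management port that is NOT on the
    management VLAN / subnet;
 2. a non-management device (workstation, ordinary server NIC) that IS on it.
"""
import ipaddress
from dataclasses import dataclass

# Assumed values for this example; replace with your own site's numbering.
MGMT_VLAN = 100
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")

# Roles whose interfaces are expected to live on the management VLAN.
MGMT_ROLES = {"bmc", "switch-mgmt"}


@dataclass(frozen=True)
class Interface:
    host: str
    role: str   # "bmc", "switch-mgmt", "server", "workstation", ...
    vlan: int   # access VLAN the port is configured for
    ip: str


# Constructed sample inventory (not real hosts).
INVENTORY = [
    Interface("db01-ilo", "bmc", 100, "10.99.0.11"),        # correct
    Interface("core-sw1", "switch-mgmt", 100, "10.99.0.2"),  # correct
    Interface("web02", "server", 10, "10.10.0.12"),          # correct: prod NIC
    Interface("web02-idrac", "bmc", 10, "10.10.0.22"),       # BMC on the prod VLAN
    Interface("nas01-ipmi", "bmc", 100, "10.10.0.40"),       # right VLAN, wrong subnet
    Interface("reception-pc", "workstation", 100, "10.99.0.50"),  # PC on mgmt VLAN
]


def audit(interfaces):
    """Return a list of (host, problem) tuples; an empty list means clean."""
    findings = []
    for iface in interfaces:
        on_mgmt_vlan = iface.vlan == MGMT_VLAN
        in_mgmt_net = ipaddress.ip_address(iface.ip) in MGMT_NET
        if iface.role in MGMT_ROLES:
            # Management interface: must be on both the VLAN and the subnet.
            if not on_mgmt_vlan:
                findings.append((iface.host, "management interface outside management VLAN"))
            elif not in_mgmt_net:
                findings.append((iface.host, "management interface addressed outside management subnet"))
        else:
            # Anything else on the management VLAN or subnet is an exposure:
            # it can reach every BMC directly, patched or not.
            if on_mgmt_vlan or in_mgmt_net:
                findings.append((iface.host, f"{iface.role} present on management VLAN/subnet"))
    return findings


if __name__ == "__main__":
    for host, problem in audit(INVENTORY):
        print(f"{host}: {problem}")
```

Running it on the sample inventory reports the iDRAC left on the production VLAN, the IPMI port with a mis-numbered address, and the workstation that has been patched into the management VLAN; the two correctly placed management interfaces and the ordinary server NIC produce nothing.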
VLANs, change the default passwords, and the same goes for all your managed networking kit even if you only use it as a dumb switch.
Until you discover years later that there is also a fixed admin account and the password, which you can't change, is "cisco".
"Yes but the snag is all the other things that get connected to management VLANs by people who should know better and who have been repeatedly warned of the risks."
You mean IT Managers right?
Most people don't understand network security. They use one VLAN for everything, probably use a /24 subnet and just plug and play. It works, but is ripe for abuse.
Devs need to start thinking remote management -> data link -> encryption
Not as an afterthought.
Re: Devs need to start thinking remote management -> data link -> encryption
I'd seriously point that finger elsewhere. If it's an afterthought, then it was never a baseline requirement as it was in all the projects where I was lead, manager, then CIO. And then there's the disquieting little problem of the lack of security training, no funds for security training, and no experience in applying the training. Having someone come in after the fact, say the CSO/CISO (if they even exist) yelling at the devs for not requiring secure programming technologies is far too late and accomplishes nothing but some security theatre.
Up until some of the suits get hauled off to prison for shoddy products that kill people as a result of poor security, nothing will change. "The prospect of being hanged in a fortnight concentrates the mind wonderfully," to probably mangle a quote, is the sad and sorry truth. In IT, out of IT, in military, government, and business, if I screwed up, well the results would not have been at all fun. How about some personal accountability? We do it with almost any other product?