Eh?
Management stuff on the same switch/LAN as normal traffic? And exposed to the internet?
That sounds more like 32,000 sackings to me!
Thousands of Supermicro baseboard management controllers (BMCs) continue to spit administrator passwords in cleartext after a patch described as unsuitable was not applied by admins. Accessing the machines could be dead simple for the tech savvy; vulnerable boxes would pop during a net or Shodan scan for port 49152. Any of the …
I do agree with you but it's not always that simple. There are a lot of boards out there which pipe their IPMI and normal network traffic out over the same network port. If that's the case, you don't have much choice but to run the management and data on the same LAN.
Unless you stick another NIC in the machine anyway.
Aside from that, many hosting providers charge per port so having lights out on a separate nic would increase hosting costs.
Most IPMI controllers let you tag the traffic to put it on another VLAN, but again that depends on the hosting provider to configure their switches accordingly, and in that case the host itself can still access the VLAN in question, so if you compromise one box you can start attacking all the other IPMI devices (which are likely to be even more badly configured on the assumption they can't be directly reached from the internet).
Also if you have a box hosted far away from your physical location, having lights out is absolutely essential in case anything goes wrong... Most hosting providers offer a remote hands service but they are expensive and often not very capable.
"There are a lot of boards out there which pipe their IPMI and normal network traffic out over the same network port. "
Yes, generally Intel vPro systems or servers.
Supermicro systems normally use a separate IPMI device and physical port.
In the very few cases where a completely separate IPMI connector isn't provided (some older systems using a specific IPMI plugin card which was last sold 8 years ago) then the IPMI ends on the motherboard's second ethernet port and prevents it being used by the OS.
Maybe, but in many other instances it will sound much more like an IT tech trying to explain why THIS kind of thing is exactly the reason why he/she requested that $500 switch instead of the $200 one that the boss eventually bought from the local store.
Also consider that SuperMicro purchases may be skewed towards those trying to 'do more with less'. They have a large spread of options but they are a cheaper non-tier1 option.
it will sound much more like an IT tech trying to explain why THIS kind of thing is exactly the reason why he/she requested that $500 switch instead of the $200 one that the boss eventually bought from the local store.
What do you think happens in that scenario, PHB goes seppuku-o-clock, or shifts the blame to the vendors/beancounters?
What do you think happens in that scenario, PHB goes seppuku-o-clock, or shifts the blame to the vendors/beancounters?
No, the PHB shifts blame to poor IT sod, who has no say in the matter just to save his ass!!!!
"Wot?????!! That slacker didn't tell me what could go wrong!! How was I supposed to know that?" or some shit like that!
If you ask the official El Reg Supermicro champion (Trevor Pott), you'll find out that Supermicro HAD in the past an unstable IPMI implementation but it is now rock solid.
I have a 1U server at a colo for my own personal stuff, and I could not tell if it was impacted or not; the docs were not clear. So I decided to upgrade anyway just in case, since it hadn't seen an IPMI update in about 3 years now.
This server is directly on the internet because well it's the only system there, I have contemplated putting a Soekris in front of it though my IP space is limited.
Supermicro sucks for not having changelogs on pretty much anything to start with.
Next off in their instructions they say in big red letters
"NOTE !!! Uncheck preserve configuration box during flashing (very important step for FW to work properly). All settings will be reset to default."
I was going from version 2.x to version 3.x if I recall right.
later on in the documentation it says
"1.8 Click < OK > System will reboot after upgrade complete. The web page will redirect to the login page automatically."
So that implies the web page will still work after the upgrade.
So I thought - this is Supermicro, so I'm thinking when they say "reset to default" that means what they say. Which means once this thing reboots there is no more connectivity to IPMI and I have to go on site to fix it.
But I thought, maybe... just maybe... they preserve the IP address info and perhaps authentication info.
NOPE!
I clicked upgrade, it upgraded, and rebooted, and well that was about 3 hours ago and the ipmi is not responding to pings even.
Fortunately the data center is only about a 45 minute drive away w/o traffic, and I am not in any urgent rush to get it fixed; I can fix it on the weekend.
But just goes to show, you get what you don't pay for..
I can live with it for my own personal stuff but wouldn't use this in a business of course (I have used supermicro off and on for the past 11 years, so this experience is par for the course for me).