On Mon, Jun 2, 2014 at 8:21 AM, shawn wilson <ag4ve...@gmail.com> wrote:
[snip]
> So, kinda the same idea - just put IPMI on another network and use ssh
> forwards to it. You can have multiple boxes connected in this fashion
> but the point is to keep it simple and as secure as possible (and IPMI
> security doesn't really count here :) ).

About that "as secure as possible" bit. If just one server gets compromised that happens to have its IPMI port plugged into this private network, the attacker may be able to pivot into the IPMI network and start unloading IPMI exploits.

So caution is definitely advised about security boundaries in case a shared IPMI network is used, and this is a case where a Private VLAN (PVLAN-Isolated) could be considered, to ensure devices on the IPMI LAN cannot communicate with one another --- and only devices on a separate dedicated IPMI Management station subnet can interact with the IPMI LAN.

--
-JH
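
The isolation property described in the message above can be checked against a port inventory. This is an added example, not part of the original post: it models standard private-VLAN forwarding rules and audits constructed inventories. The port names, the `kind` labels and the choice to model an ordinary shared VLAN as all-promiscuous ports are assumptions made for illustration.

```python
from itertools import combinations

def can_forward(a, b):
    """True if two ports in the same primary VLAN may exchange frames.

    Private-VLAN rules: a promiscuous port talks to every port, community
    ports talk within their own community, isolated ports talk only to
    promiscuous ports.
    """
    roles = {a["role"], b["role"]}
    if "promiscuous" in roles:
        return True
    if roles == {"community"}:
        return a.get("community") == b.get("community")
    return False  # isolated<->isolated, isolated<->community, cross-community

def audit(ports):
    """List BMC pairs with a layer-2 path to each other and BMC ports
    left promiscuous (which every other port can reach)."""
    findings = []
    bmcs = [p for p in ports if p["kind"] == "bmc"]
    for a, b in combinations(bmcs, 2):
        if can_forward(a, b):
            findings.append(f"lateral {a['name']}<->{b['name']}")
    for p in bmcs:
        if p["role"] == "promiscuous":
            findings.append(f"promiscuous-bmc {p['name']}")
    return findings

def inventory(bmc_roles):
    """Constructed sample: one gateway toward the management subnet plus BMCs."""
    ports = [{"name": "mgmt-gw", "kind": "gateway", "role": "promiscuous"}]
    for name, role, community in bmc_roles:
        ports.append({"name": name, "kind": "bmc", "role": role,
                      "community": community})
    return ports

# Shared flat IPMI VLAN, modelled as every port being promiscuous.
FLAT = inventory([("bmc-a", "promiscuous", None), ("bmc-b", "promiscuous", None),
                  ("bmc-c", "promiscuous", None)])
# PVLAN-Isolated: BMCs reach only the gateway port.
PVLAN = inventory([("bmc-a", "isolated", None), ("bmc-b", "isolated", None),
                   ("bmc-c", "isolated", None)])
# Partial rollout: two BMCs share a community and can still reach each other.
MIXED = inventory([("bmc-a", "isolated", None), ("bmc-b", "community", 1),
                   ("bmc-c", "community", 1)])

if __name__ == "__main__":
    for label, ports in (("flat", FLAT), ("pvlan", PVLAN), ("mixed", MIXED)):
        print(label, audit(ports))
```
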