Manualshelf

HP Adaptive Infrastructure Solution Security for BladeSystem Matrix

ManualsBrandsHP ManualsSoftwareHP Insight Server Migration X2X Unlimited Migration 1yr Supp/Updates SW License
11121314151617181920
To ensure a high degree of security, iLO re-evaluates a user’s access privileges on every request to
ensure validity. This means that the revocation or addition of access privileges is enforced on the next
user request. The user does not need to log out and log back in for the changes to take effect.
Virtual Connect defines the following administrative roles with which zero or more users can be
associated:
Domain administrator—Performs domain specific activities (create/delete a user, update FW).
Network administrator—Creates, edits, and deletes, network definitions.
Storage administrator—Creates, edits, and deletes Fibre Channel fabric definitions.
Server Admin—Creates, modifies, deletes and assigns server profiles.
The user will be granted the union of privileges for all of the roles that they have been allowed. Users
without any roles will only have the ability to view Virtual Connect configuration information.
When using Virtual Connect, a privileged administrator with access to the bays in an enclosure has
control over all the server blades within the enclosure. At this time, a fine-grained control mechanism
to limit control to certain bays or modules in the enclosure does not exist.
Server protection
Within a typical BladeSystem Matrix solution deployment several host operating systems are utilized
in physical or virtual machines. The operating systems on these logical servers might include HP-UX,
Linux, and Windows. These systems are general purpose in nature and therefore have numerous
software utilities that can be used to solve many different business problems. This also means that the
system might contain software that is not required for a particular solution. One of the first steps to
achieve better security is to reduce the attack surface. Lock down the systems and configure them so
that unneeded programs and services are removed or disabled. You must also check the configuration
parameters to ensure that they are in a secure state. Examine not only the settings for services that are
being used, but also to ensure that settings for services that are not being used (open ports) are
configured securely. When you are verifying the configuration, be sure to check the devices
associated with the servers to ensure a secure configuration. For instance, iLO provides the ability to
change port numbers for services and selectively disable non-essential services.
Initial configuration is very important, however maintaining the security of the computing environment,
especially the servers, requires ongoing effort. One of the most important aspects is keeping machines
up to date with vendor supplied patches; of particular importance are patches to mitigate security
vulnerabilities.
The IT community has expressed concern about security bugs in a hypervisor that might open them up
to attacks. Although theoretically possible, to this point few successful attacks have been documented.
The security of the hypervisor is very much analogous to the security of a traditional operating system
such as UNIX or Windows. The hypervisors might even have a slight advantage since they tend to be
smaller than a general purpose operating system. However, the issues described for securing host
systems are also applicable to hypervisors. Proper configuration and timely patch maintenance is key
to maintaining the security of the various hypervisor solutions. Introducing hypervisors into the
environment, as with the addition of any code, does increase the attack surface and modifications or
additions to existing security policies might be required to provide a comparable level of risk
reduction.
HP SIM includes a version control mechanism to identify and if desired update systems whose BIOS,
drivers, and agent versions deviate from established company baselines. In addition Insight Control
provides a solution to detect potential vulnerabilities and manage patches on servers. The
Vulnerability and Patch Manager software component detects potential vulnerabilities and manages
patches on supported servers. VPM automates the detection of security vulnerabilities and provides
actionable advice for problem resolution. VPM also facilitates automated patch deployment, selecting
17