HP Adaptive Infrastructure Solution Security for BladeSystem Matrix
Enclosure communication
This section describes the security mechanisms in place to protect communications between key
management components within the BladeSystem enclosure. These components include the OA, iLO,
Virtual Connect module, and blade servers.
Both iLO and Virtual Connect provide the capability to create a separate secondary management
network in parallel to the primary production network handling user data traffic. This dual network
architecture has the benefit of completely segregating management traffic from production network
traffic.
Virtual Connect also provides an access control mechanism to restrict the flow of packets between
specified networks at the physical network layer. This mechanism segregates the data of one user
from that of other users.
The separation of management traffic enables iLO to facilitate system-wide server management
activities, including servers in the DMZ, while maintaining maximum security by limiting access to the
production network. Because the network connection to each iLO can be completely isolated from the
network ports on the server, data cannot flow between a DMZ network and a production network.
Likewise, compromise of the DMZ network does not lead to compromise of the iLO management
network. This separation is accomplished through the use of a dedicated NIC and/or use of VLAN
technology.
The iLO management processor has communication channels with the managed host (through the PCI
bus) and the management console (for example, a web browser or command line connection) that
must be protected. The flow of information between the host server and the management console is
controlled by a host firewall incorporated into the iLO management processor. This access control
protects against unauthorized access through the PCI bus and protects access to sensitive keys and
data stored in memory and firmware. Also, there is no connection between the iLO management port
and the host server Ethernet port. This ensures that a compromised host does not allow iLO to be used
as a conduit to compromise the management network.
The iLO management processor can send server alerts and management information to OA and
HP SIM. Initially the OA module provides independent IP addresses for each blade and each iLO.
This facilitates communications between the OA management module and the iLO processor on each
server blade. The iLO firmware exclusively controls any communication from the iLO to the OA
module. Each iLO processor has information about the presence of other blades in the enclosure;
however, there is no communication path from an iLO processor on one server blade to the iLO
processor on another blade.
Virtualization technology introduces a change that, if ignored, can create a security gap in some
environments; once understood, it is easily addressed. Some hypervisors utilize virtual switch
technology. This means that communications between two guests on the same hypervisor might not
be sent onto the network, but might instead be routed directly through a virtual switch in the
hypervisor. In general this is not a security issue. However, if a program is analyzing network traffic
through a switch mirroring port, as is done for an antivirus program or, commonly, an Intrusion
Detection System (IDS), the data going through the virtual switch is not seen. If an attack is launched
in this data stream, it is not detected. You can utilize several products available on the market to
address this issue. For instance, you can deploy an IDS probe in the hypervisor to monitor the virtual
switch. Virtual Connect, which also uses virtual switch technology, has a feature to support port
monitoring, where traffic to and from specified ports is copied to a defined faceplate port. With this
functionality a privileged administrator can configure a device such as an IDS or other malware
scanning tool to tap in and monitor the virtual switch traffic.
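As an added illustration (not from the HP paper), the following Python model classifies guest-to-guest flows by where they are first switched (hypervisor virtual switch, Virtual Connect, or the external switch) and reports which flows a given set of monitoring points cannot observe. The guest inventory, the `Monitor` and `Guest` names, and the simplification that a deployed monitor kind covers every point of that kind are constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import combinations

class Monitor(Enum):
    HYPERVISOR_PROBE = "IDS probe attached to the hypervisor's virtual switch"
    VC_PORT_MONITOR = "Virtual Connect port monitoring to a faceplate port"
    EXTERNAL_MIRROR = "mirror port on the external switch"

@dataclass(frozen=True)
class Guest:
    name: str
    blade: str       # server blade whose hypervisor hosts the guest
    enclosure: str   # BladeSystem enclosure containing that blade

# Constructed inventory (assumption, not real hosts): two enclosures, three blades.
GUESTS = [
    Guest("web1", "blade1", "enc1"),
    Guest("web2", "blade1", "enc1"),   # same hypervisor as web1
    Guest("db1", "blade2", "enc1"),    # same enclosure, different blade
    Guest("app1", "blade7", "enc2"),   # different enclosure
]

def switching_point(a: Guest, b: Guest) -> str:
    """Name the first switch that forwards a packet from guest a to guest b."""
    if a.blade == b.blade:
        return "hypervisor vswitch"
    if a.enclosure == b.enclosure:
        return "virtual connect"
    return "external switch"

# Monitors able to see a flow switched at each point (assumption: a deployed monitor
# kind exists at every point of that kind). Traffic leaving the enclosure passes every tier.
COVERAGE = {
    "hypervisor vswitch": {Monitor.HYPERVISOR_PROBE},
    "virtual connect": {Monitor.HYPERVISOR_PROBE, Monitor.VC_PORT_MONITOR},
    "external switch": set(Monitor),
}

def blind_flows(guests, deployed: set[Monitor]) -> list[tuple[str, str, str]]:
    """Guest pairs whose traffic no deployed monitor observes, with the switching point."""
    blind = []
    for a, b in combinations(guests, 2):
        point = switching_point(a, b)
        if not (COVERAGE[point] & deployed):
            blind.append((a.name, b.name, point))
    return blind
```

With only an external mirror port deployed, the same-blade and same-enclosure pairs are reported as blind; adding Virtual Connect port monitoring leaves only the same-hypervisor pair, which needs a probe in the hypervisor.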
An often overlooked aspect of security is availability. The BladeSystem Matrix solution offers the
newly introduced HP Virtual Connect Flex 10 functionality, which enables an administrator to manage
and partition bandwidth associated with a server enclosure. This functionality can provide more
flexibility in network bandwidth utilization and help to avoid some denial of service aspects resulting