Manualshelf

Managing your HP servers through firewalls with HP SIM (481364-002, February 2008)

ManualsBrandsHP ManualsSoftwareHP Systems Insight Manager 5.x Windows Software
12345678910
5
Introduction
Managing systems in a secure environment is a challenge that most system administrators face. It
requires a careful balance between critical security requirements and the need to effectively manage
and maintain the systems.
Within an Internet connected architecture, there is typically a more secure zone, commonly referred to
as the de-militarized zone (DMZ). This zone is positioned between the corporate servers and the
Internet, usually separated from both by firewalls that restrict traffic flow. With this architecture,
servers that provide publicly available Internet services can be accessed through a firewall, but these
services are inaccessible on the internal network. This more secure zone provides an area that is
isolated from the internal network and is hardened against external attack (Figure 1). The security
challenges in the DMZ are similar to those in other areas of a network that require special security
attention.
Figure 1 Block diagram of a generic corporate computing environment
IntranetDMZ
Internet
Through three sample case studies, this paper explores options for managing HP systems in the DMZ.
It explains the benefits and risks associated with each option. Information in this paper should allow
system administrators to tailor solutions for their own computing environments, based on the levels of
management they need and the security risk level they are willing to take.
In Case 1, the majority of management protocols are prohibited from the secure network, and the
management solution will not be allowed to violate any security restrictions. This solution is not
recommended, as the administrator is incapable of managing the hardware in the DMZ. It completely
eliminates the use of HP management tools such as HP Systems Insight Manager.
In Case 2, a completely separate network is used for management. This solution has the benefit of
completely segregating management traffic from the primary network and allowing a full spectrum of
management capabilities (because management protocols can enter through the firewall). However, it
is the most expensive option in terms of hardware and infrastructure costs. While it does increase cost
due to additional hardware and infrastructure, this option allows the use of iLO 2 to securely manage
hardware in the DMZ. Of the two options providing management capabilities in the DMZ (case 2
and 3), this one has the least risk of hackers or security breaches.
In Case 3, management protocols are allowed and management traffic is permitted to travel through
the firewall to HP Systems Insight Manager. This results in a fully featured management solution at a
measured risk. Because the infrastructure uses a single network for both management and production
traffic, this option does increase the risk from hackers or security breaches.
The intended audience for this paper is engineers and system administrators familiar with existing HP
technology and servers. The paper does not attempt to define and explain all the security concepts
and topics mentioned. Instead, it refers readers to resources containing that information.