Managing HP Servers through Firewalls with Insight Management 7.0
(primary) network maintains security. Configuring a separate management network using HP Systems
Insight Manager allows secure access to the systems in the DMZ.
The secondary network can also be used for other operations that would be inappropriate for the
primary network, such as tape backups, deployments using Insight Control Server Deployment, or
application maintenance.
Note:
Do not connect the management network to the corporate (internal)
network. Compromising one of the systems in the DMZ could allow a
hacker to get onto the management network. However, it may be beneficial
to allow VPN access to the management network.
Figure 2 Parallel primary (production) and secondary (management) networks
Servers inside the DMZ and on the internal network can use iLO 2 processors. Because the network
connection to iLO 2 is completely isolated from the network ports on the server, there is no possibility
for data to flow from the DMZ network to the iLO management network, or vice versa. Therefore, if
anyone compromises the DMZ network, he or she cannot compromise the iLO network. This
architecture permits administrators to use iLO on servers located in the DMZ, or in the internal
network, without the risk of compromising sensitive data. This separation is accomplished through the
use of a dedicated NIC or the iLO 2 Shared Network Port with its Virtual Local Area Network (VLAN). For
more information, see the paper titled HP Integrated Lights-Out security technology available at
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00212796/c00212796.pdf.
For best protection of the servers operating inside the DMZ, administrators should set the SNMP trap
destinations to the loopback address and enable the SNMP pass-through in iLO 2 so that SNMP
traps are routed onto the iLO management network. While this SNMP pass-through option does not
enable all management functions, it allows for passing status, inventory, and fault information to HP
Systems Insight Manager or another SNMP-capable management application. This option has the
benefit of being very secure because the host operating system does not recognize the Lights-Out
product as a NIC.
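The loopback-only trap destination described above is easy to get wrong on a host with a hand-edited SNMP agent configuration, so a defender will want a quick audit of it. The following is an added example, not code from the HP paper or from the Insight Management product: it parses net-snmp style snmpd.conf trap directives (trapsink, trap2sink, informsink, trapsess) and reports every destination that is not a loopback IP literal. The sample configuration is constructed for the example; the assumption that the trapsess target is the final token on its line is also the example's own.

```python
"""Audit SNMP trap destinations in a net-snmp style snmpd.conf.

Added example (not from the HP paper): every trap destination should be a
loopback address so that the iLO 2 SNMP pass-through carries the traps onto
the management network. Destinations given as hostnames cannot be verified
offline and are reported as unverified rather than silently accepted.
"""
import ipaddress
import re

TRAP_DIRECTIVES = {"trapsink", "trap2sink", "informsink", "trapsess"}

# Constructed sample: one correct loopback sink, two sinks pointing at
# routable addresses, and one hostname that cannot be checked offline.
SAMPLE_SNMPD_CONF = """\
# snmpd.conf (constructed sample)
rocommunity public 127.0.0.1
trapsink 127.0.0.1 public
trap2sink 10.0.5.20:162 public
trapsess -v 2c -c public udp:192.0.2.10:162
informsink localhost public
"""


def _host_from_target(target: str) -> str:
    """Strip an optional transport prefix (udp:, tcp:, udp6:, tcp6:) and port."""
    target = re.sub(r"^(udp6?|tcp6?):", "", target)
    if target.startswith("["):                 # bracketed IPv6, e.g. [::1]:162
        return target[1:target.index("]")]
    if target.count(":") == 1:                 # IPv4 host:port
        return target.rsplit(":", 1)[0]
    return target                              # bare IPv4, bare IPv6 or hostname


def is_loopback_target(target: str) -> bool:
    """True only for an IP literal inside the loopback range (127.0.0.0/8 or ::1)."""
    host = _host_from_target(target)
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostname: cannot be verified offline, so not accepted


def find_non_loopback_sinks(conf_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, directive, target) for each trap destination not on loopback."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive not in TRAP_DIRECTIVES:
            continue
        if directive == "trapsess":
            # trapsess takes snmpcmd-style options first; assume HOST is the last token
            target = tokens[-1]
        else:
            target = tokens[1] if len(tokens) > 1 else ""
        if not is_loopback_target(target):
            findings.append((line_no, directive, target))
    return findings


if __name__ == "__main__":
    for line_no, directive, target in find_non_loopback_sinks(SAMPLE_SNMPD_CONF):
        print(f"line {line_no}: {directive} -> {target} is not a loopback destination")
```

Run it against the real snmpd.conf of a DMZ host and an empty result means every trap the agent emits stays on the host until iLO 2 picks it up; any finding is a trap that would leave the server over the production NIC instead of the management network.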