Managing HP servers through firewalls with Insight Management 7.2

White paper | HP Insight Management 7.2
11 | March 2013
Case 2: Separate management network
In some computing environments, system administrators create a separate, secondary network parallel to the primary or production network (Figure 2). The chief benefit of this approach is that management traffic flows through the secondary network, while the limited access from the production (primary) network maintains security. Configuring a separate management network in this way allows HP SIM secure access to the systems in the DMZ.

The secondary network can also be used for other operations that would be inappropriate for the primary network, such as tape backups, deployments using Insight Control Server Deployment, or application maintenance.
Note: Do not connect the management network to the corporate (internal) network. Compromising one of the systems in the DMZ could allow a hacker to get onto the management network. However, it may be beneficial to allow VPN access to the management network.
Figure 2: Parallel primary (production) and secondary (management) networks
Servers inside the DMZ and on the internal network can use iLO 2 or iLO 3 processors. Because the network connection to iLO 2 or iLO 3 is completely isolated from the network ports on the server, there is no possibility for data to flow from the DMZ network to the iLO management network, or vice versa. Therefore, if anyone compromises the DMZ network, he or she cannot compromise the iLO network. This architecture permits administrators to use iLO on servers located in the DMZ, or in the internal network, without the risk of compromising sensitive data. This separation is accomplished through the use of a dedicated NIC, or through the iLO 2 or iLO 3 Shared Network Port with its Virtual Local Area Network (VLAN). For more information, see the paper HP Integrated Lights-Out security technology, available at:
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00212796/c00212796.pdf
For best protection of the servers operating inside the DMZ, you should set the SNMP trap destinations to the loopback address and enable the SNMP pass-through in iLO 2, so that SNMP traps are routed onto the iLO management network. While this SNMP pass-through option does not enable all management functions, it allows status, inventory, and fault information to be passed to HP SIM or another SNMP-capable management application. This option has the benefit of being secure because the host operating system does not recognize the Lights-Out product as a NIC.
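The two configuration rules this section relies on (the management network stays disjoint from the production and corporate networks, and DMZ hosts send SNMP traps only to loopback so that iLO pass-through carries them) can be audited automatically. The following Python script is an added example, not code from the white paper or from HP; the network ranges, host names, and snmpd.conf excerpts are constructed, hypothetical values.

```python
import ipaddress
import re

# Constructed sample inventory (hypothetical addresses, not from the paper).
NETWORKS = {
    "production_dmz": "203.0.113.0/24",
    "corporate_internal": "10.10.0.0/16",
    "management": "192.168.200.0/24",
}
# Constructed snmpd.conf excerpts (net-snmp directives) for two DMZ hosts: "web1"
# traps to loopback so iLO pass-through carries them; "web2" traps to a
# management address, which needs a host NIC there and breaks the isolation.
SNMPD_CONFIGS = {
    "web1": "rocommunity public\ntrapsink 127.0.0.1\ntrap2sink 127.0.0.1 public\n",
    "web2": "rocommunity public\ntrap2sink 192.168.200.10 public\n",
}
TRAP_DIRECTIVE = re.compile(r"^\s*(trapsink|trap2sink|informsink)\s+(\S+)", re.M)

def overlapping_networks(networks):
    """Return (name, name) pairs whose ranges overlap (management must be disjoint)."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def non_loopback_trap_sinks(config_text):
    """Return trap destinations that are not loopback addresses."""
    bad = []
    for _, dest in TRAP_DIRECTIVE.findall(config_text):
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:                      # "host:port" form or a hostname
            host = dest.rsplit(":", 1)[0]
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:                  # hostname: only "localhost" passes
                if host != "localhost":
                    bad.append(host)
                continue
        if not addr.is_loopback:
            bad.append(str(addr))
    return bad

def audit(networks, configs):
    findings = [f"networks overlap: {a} / {b}" for a, b in overlapping_networks(networks)]
    for host, text in configs.items():
        findings += [f"{host}: SNMP trap sink {d} is not loopback"
                     for d in non_loopback_trap_sinks(text)]
    return findings
```

Running `audit(NETWORKS, SNMPD_CONFIGS)` on the constructed data reports only web2, whose trap sink on the management subnet is exactly the cross-network path the design is meant to exclude.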
Asset management