Managing HP servers through firewalls with Insight Management 7.2

White paper | HP Insight Management 7.2 | March 2013
Introduction
Managing systems in a secure environment is a challenge that most system administrators face. It
requires a careful balance between critical security requirements and the need to effectively
manage and maintain the systems.
Within an Internet-connected architecture there is typically a perimeter zone, commonly referred
to as the DMZ. This zone sits between the corporate servers and the Internet and is usually
separated from both by firewalls that restrict traffic flow. With this architecture, servers that
provide publicly available Internet services can be reached from the Internet through the outer
firewall, while the inner firewall prevents those servers from reaching hosts on the internal
network. The DMZ is therefore isolated from the internal network and hardened against external
attack (Figure 1). The security challenges in the DMZ are similar to those in other areas of a
network that require special security attention.
Figure 1: Block diagram of a generic corporate computing environment
Through three sample case studies, this paper discusses options for managing HP systems in the
DMZ. It explains the benefits and risks associated with each option. Information in this paper
should allow system administrators to tailor solutions for their own computing environments
based on the levels of management they need and the security risk level they are willing to take.
In Case 1, most management protocols are prohibited from entering the secure network, and the
management solution is not allowed to violate any of the security restrictions. HP does not
recommend this option, because the administrator cannot manage the hardware in the DMZ at all;
it rules out HP management tools such as HP Insight Control entirely.
In Case 2, a completely separate network is used for management. This option has the benefit of
segregating management traffic entirely from the production network while allowing the full
spectrum of management capabilities, because management protocols are no longer blocked at the
production firewall. It is the most expensive option in terms of hardware and infrastructure
costs, but it allows iLO 2 or iLO 3 to be used to manage the hardware in the DMZ securely. Of the
two options that provide management capabilities in the DMZ (Case 2 and Case 3), this one carries
the lowest risk of intrusion or security breach.
In Case 3, management protocols are allowed through the firewall, so management traffic travels
across it to HP Insight Control. This gives a fully featured management solution at a measured
risk. Because a single network carries both management and production traffic, this option
increases the exposure to intrusion or security breach.
The intended audience for this paper is engineers and system administrators familiar with existing
HP technology and servers. The paper does not attempt to define and explain all the security
concepts and topics mentioned. Instead, it refers readers to resources containing that information.