On Mon, Jun 2, 2014 at 7:42 PM, Jimmy Hess <mysidia@gmail.com> wrote:
> On Mon, Jun 2, 2014 at 8:21 AM, shawn wilson <ag4ve.us@gmail.com> wrote: [snip]
>> So, kinda the same idea - just put IPMI on another network and use ssh forwards to it. You can have multiple boxes connected in this fashion but the point is to keep it simple and as secure as possible (and IPMI security doesn't really count here :) ).
> About that "as secure as possible" bit. If just one server gets compromised that happens to have its IPMI port plugged into this private network, the attacker may be able to pivot into the IPMI network and start unloading IPMI exploits.
Generally, I worry about workstations with access being compromised more than I do about a server running sshd and routing traffic. But obviously, if someone gets access, they can play foosball with your stuff.
> So caution is definitely advised about security boundaries in case a shared IPMI network is used, and this is a case where a Private VLAN (PVLAN-Isolated) could be considered, to ensure devices on the IPMI LAN cannot communicate with one another, and only devices on a separate dedicated IPMI management station subnet can interact with the IPMI LAN.
I can't really argue against the proper use of vlans (and that surely wasn't my point). I was merely saying that you can use ssh as a simpler solution (and possibly a more secure one since there's not a conduit to broadcast to/from) than a vpn. That's it.
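The ssh-forward setup discussed in this thread, as an added example that is not code from either poster: a small POSIX sh helper that builds the client-side forward command for a BMC on the isolated IPMI LAN, plus the matching authorized_keys line for the jump host so the forwarding key can reach only that BMC's management ports (OpenSSH's `restrict`, `port-forwarding` and `permitopen` options). Host names, ports and the public key are constructed placeholders. One caveat the thread does not mention: ssh -L carries TCP only, so the BMC web UI (443) and SSH/SOL (22) can be forwarded, but RMCP+ IPMI on UDP 623 cannot, and ipmitool has to run on the jump host itself.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). All names below are
# constructed placeholders: jump.example, bmc-01.example, the public key.

# Client side: forward the BMC's TCP management ports through the jump host.
# $1 = jump host, $2 = BMC host, $3 = first local port to bind.
# Local port N  -> BMC HTTPS (443), local port N+1 -> BMC SSH/SOL (22).
# Note: ssh -L forwards TCP only; RMCP+ IPMI on UDP 623 is not covered.
bmc_forward_cmd() {
    jump="$1"; bmc="$2"; local_base="$3"
    printf 'ssh -N -L %s:%s:443 -L %s:%s:22 %s' \
        "$local_base" "$bmc" "$((local_base + 1))" "$bmc" "$jump"
}

# Jump-host side: authorized_keys entry for the forwarding key.
# `restrict` turns off pty, agent/X11 forwarding and port forwarding;
# `port-forwarding` re-enables only forwarding, and `permitopen` limits the
# destinations to the one BMC's 443 and 22. `command` blocks an interactive
# shell if someone connects without -N.
# $1 = BMC host, $2 = public key (type, base64 blob, comment).
bmc_authorized_key_line() {
    bmc="$1"; pubkey="$2"
    printf 'restrict,port-forwarding,permitopen="%s:443",permitopen="%s:22",command="/bin/false" %s' \
        "$bmc" "$bmc" "$pubkey"
}

# Usage (constructed values): print both artefacts for one BMC.
echo "client:   $(bmc_forward_cmd jump.example bmc-01.example 8443)"
echo "jumphost: $(bmc_authorized_key_line bmc-01.example 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER ops@workstation')"
```

With this in place the workstation reaches the BMC at https://localhost:8443 and ssh -p 8444 localhost, and a stolen forwarding key still cannot open a channel to any other host on the IPMI LAN. It complements, rather than replaces, the PVLAN isolation raised above: permitopen limits what the jump host will forward, while the PVLAN stops a compromised server's BMC port from talking to its neighbours directly.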