* Collaborators? :: Enable/disable access to BMC through interfaces for security
From: Jandra A @ 2019-10-28 18:48 UTC
  To: OpenBMC Maillist, jrey, vernon.mauery

Hello all,

As part of the GUI design team, I am starting to look at requirements
for enabling and disabling network interfaces for which the BMC can be
accessed. For example, IPMI, SSH, Redfish, HTTP, and USB, to name a
few.

I know there has been some conversation on the topic before (see email
linked below) and want to reach out to see who is interested in this
topic. And I would love to get your thoughts on the following topics.

Some questions we want to tackle are:
1. Which interfaces need to be enabled/disabled and what is their
priority? (See full list in the redfish documentation)
2. What should be the default for the selected above (enabled/disabled)?
3. Do we need a staged plan for it?
4. When can we expect backend availability?


Redfish documentation:
https://redfish.dmtf.org/schemas/ManagerNetworkProtocol.v1_4_0.json

Related email discussion (on staged plans to address IPMI access):
https://lists.ozlabs.org/pipermail/openbmc/2019-September/018373.html



Regards,
Jandra Aranguren

* Resend : Enable/disable access to BMC through interfaces for security
From: Jandra A @ 2019-11-01 14:40 UTC
  To: OpenBMC Maillist

I am resending this message to see who has thoughts on which BMC
interfaces need to be disabled for security purposes and what the best
way to do that would be. I would love to collaborate with all parties
interested.


* Re: Resend : Enable/disable access to BMC through interfaces for security
From: Joseph Reynolds @ 2019-11-01 16:55 UTC
  To: Jandra A, OpenBMC Maillist

On 11/1/19 9:40 AM, Jandra A wrote:
> I am resending this message to see who has thoughts on which BMC
> interfaces need to be disabled for security purposes and what the best
> way to do that would be. I would love to collaborate with all parties
> interested.

Thanks Jandra.  I've added this to the OpenBMC Security Working Group 
agenda.
https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI

> ------- begin message:
>
> Hello all,
>
> As part of the GUI design team, I am starting to look at requirements
> for enabling and disabling network interfaces for which the BMC can be
> accessed. For example, IPMI, SSH, Redfish, HTTP, and USB, to name a
> few.
>
> I know there has been some conversation on the topic before (see email
> linked below) and want to reach out to see who is interested in this
> topic. And I would love to get your thoughts on the following topics.
>
> Some questions we want to tackle are:
> 1. Which interfaces need to be enabled/disabled and what is their
> priority? (See full list in the redfish documentation)
> 2. What should be the default for the selected above (enabled/disabled)?
> 3. Do we need a staged plan for it?
> 4. When can we expect backend availability?

I am interested in the list of the BMC's external interfaces from a 
security perspective.  The [network security considerations][] talks 
about many of the network interfaces.  We should encourage users to 
disable interfaces they don't need and are not using.  Having such 
interfaces active opens up the BMC's attack surface and represents 
security risks.  For example, newly discovered security vulnerabilities 
might place BMCs at risk, and shutting off the interface will likely 
make the BMC safe.

The BMC also has physical interfaces which users may wish to disable 
(for the same reasons as above).  The BMC's network interface and 
USB ports are examples.  Some users may wish to disable the BMC's access 
to the network and control it solely via its host. However, I am not an 
expert in this area, so I need help here.  TODO: Get one of the kernel 
hackers to go over this list.  I understand because OpenBMC is used on 
different hardware models (such as AST2500's hosted in the AC922 
"Witherspoon"), it will have different interfaces present.  I think the 
folks who work with the machines, and who bind device drivers can help 
us if we know what questions to ask them (better questions than: what 
interfaces does the BMC have)?  <-- Once again, I am no expert here, so 
we need to work together to understand this.

Here's my starter kit of BMC's external interfaces:
network:
  - SSH to the BMC shell (port 22)
  - HTTP (for either [BMCWEB_INSECURE_DISABLE_SSL][] users or the 
nascent [HTTP redirect design][])
  - HTTPS
  - (network, aka out of band) IPMI
  - KVMIP
  - Virtual media
  - SoL (SSH via port 2200) to the host console
  - mDNS discovery
  - Avahi discovery service
  - virtual USB (USB-over-IP)
physical:
  - network
  - USB
  - more? Help needed: would anyone want to give the BMC admin control 
to shut down pathways between the BMC and host?

There will be more interfaces as the project goes forward.  For example, 
the OpenPOWER work is proposing a communication channel between a 
Hardware Management Console (HMC) and the host's hypervisor (PHYP) which 
would use the BMC to set up the channel. Users who don't need this 
capability might want to have a way to disable it (I don't know) so they 
can avoid giving unnecessary network access to their hypervisor.  The 
point is, I think tending this list will be ongoing work.

The short list of interfaces I personally care about includes:
   SSH, IPMI, Avahi, and USB (physical and USB-over-IP)

I hope this partially addresses item 1 above.  :)

- Joseph

References:
[network security considerations]: 
https://github.com/openbmc/docs/blob/master/security/network-security-considerations.md
[BMCWEB_INSECURE_DISABLE_SSL]: 
https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt
[HTTP redirect design]: 
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/24173

>
> Redfish documentation:
> https://redfish.dmtf.org/schemas/ManagerNetworkProtocol.v1_4_0.json
>
> Related email discussion (on staged plans to address IPMI access):
> https://lists.ozlabs.org/pipermail/openbmc/2019-September/018373.html
>
>
>
> Regards,
> Jandra Aranguren
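
An added example, not part of the thread or of OpenBMC's code: one way to audit a Redfish ManagerNetworkProtocol resource (the schema linked in the thread) against a site's list of required interfaces and build the PATCH body that disables the rest. The sample resource and the required set are constructed for illustration; whether a given BMC accepts the PATCH depends on its backend.

```python
import json

# Constructed sample of a ManagerNetworkProtocol resource (not captured from a
# real BMC). Member names follow the DMTF schema; values are made up.
SAMPLE_RESOURCE = json.loads("""
{
  "@odata.type": "#ManagerNetworkProtocol.v1_4_0.ManagerNetworkProtocol",
  "Id": "NetworkProtocol",
  "HTTP":  {"ProtocolEnabled": false, "Port": 80},
  "HTTPS": {"ProtocolEnabled": true,  "Port": 443},
  "SSH":   {"ProtocolEnabled": true,  "Port": 22},
  "IPMI":  {"ProtocolEnabled": true,  "Port": 623},
  "KVMIP": {"ProtocolEnabled": true},
  "VirtualMedia": {"ProtocolEnabled": false},
  "SSDP":  {"ProtocolEnabled": true,  "Port": 1900},
  "Oem": {}
}
""")


def protocol_states(resource):
    """Return {name: (enabled, port)} for each member that is a protocol object."""
    states = {}
    for name, value in resource.items():
        # Protocol members are objects with a boolean ProtocolEnabled; this
        # skips Id, @odata.* annotations, Oem and anything else.
        if isinstance(value, dict) and isinstance(value.get("ProtocolEnabled"), bool):
            states[name] = (value["ProtocolEnabled"], value.get("Port"))
    return states


def audit(resource, required):
    """Compare what is enabled with the required set (a hypothetical site policy)."""
    states = protocol_states(resource)
    required = set(required)
    enabled = {name for name, (on, _port) in states.items() if on}
    return {
        # Enabled but not needed: extra attack surface.
        "to_disable": sorted(enabled - required),
        # Needed but currently off: disabling more would not be the problem here.
        "disabled_required": sorted(n for n in required if n in states and n not in enabled),
        # Named in the policy but not reported by this BMC at all.
        "unknown": sorted(required - set(states)),
    }


def disable_patch(resource, required):
    """Build the PATCH body that turns off every enabled protocol not required."""
    return {name: {"ProtocolEnabled": False}
            for name in audit(resource, required)["to_disable"]}


if __name__ == "__main__":
    policy = {"HTTPS"}  # assumed policy: TLS-protected web/Redfish access only
    print(json.dumps(audit(SAMPLE_RESOURCE, policy), indent=2))
    print(json.dumps(disable_patch(SAMPLE_RESOURCE, policy)))
```

Interfaces from the list above that the resource does not report (USB ports, for example) never show up in `to_disable`, so they need a separate check.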

* Re: Resend : Enable/disable access to BMC through interfaces for security
From: Justin Thaler @ 2019-11-01 17:45 UTC
  To: openbmc

Hi Jandra, I'm interested in the subject below. Joseph, I've added a few 
more options to your list as well.

On 11/1/19 11:55 AM, Joseph Reynolds wrote:
> On 11/1/19 9:40 AM, Jandra A wrote:
>> I am resending this message to see who has thoughts on which BMC
>> interfaces need to be disabled for security purposes and what the best
>> way to do that would be. I would love to collaborate with all parties
>> interested.
> 
> Thanks Jandra.  I've added this to the OpenBMC Security Working Group 
> agenda.
> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI 
> 
> 
>> ------- begin message:
>>
>> Hello all,
>>
>> As part of the GUI design team, I am starting to look at requirements
>> for enabling and disabling network interfaces for which the BMC can be
>> accessed. For example, IPMI, SSH, Redfish, HTTP, and USB, to name a
>> few.
>>
>> I know there has been some conversation on the topic before (see email
>> linked below) and want to reach out to see who is interested in this
>> topic. And I would love to get your thoughts on the following topics.
>>
>> Some questions we want to tackle are:
>> 1. Which interfaces need to be enabled/disabled and what is their
>> priority? (See full list in the redfish documentation)
>> 2. What should be the default for the selected above (enabled/disabled)?
>> 3. Do we need a staged plan for it?
>> 4. When can we expect backend availability?
> 
> I am interested in the list of the BMC's external interfaces from a 
> security perspective.  The [network security considerations][] talks 
> about many of the network interfaces.  We should encourage users to 
> disable interfaces they don't need and are not using.  Having such 
> interfaces active opens up the BMC's attack surface and represents 
> security risks.  For example, newly discovered security vulnerabilities 
> might place BMCs at risk, and shutting off the interface will likely 
> make the BMC safe.
> 
> The BMC also has physical interfaces which users may wish to disable 
> (for the same reasons as above).  The BMC's network interface and 
> USB ports are examples.  Some users may wish to disable the BMC's access 
> to the network and control it solely via its host. However, I am not an 
> expert in this area, so I need help here.  TODO: Get one of the kernel 
> hackers to go over this list.  I understand because OpenBMC is used on 
> different hardware models (such as AST2500's hosted in the AC922 
> "Witherspoon"), it will have different interfaces present.  I think the 
> folks who work with the machines, and who bind device drivers can help 
> us if we know what questions to ask them (better questions than: what 
> interfaces does the BMC have)?  <-- Once again, I am no expert here, so 
> we need to work together to understand this.
> 
> Here's my starter kit of BMC's external interfaces:
> network:
>   - SSH to the BMC shell (port 22)
>   - HTTP (for either [BMCWEB_INSECURE_DISABLE_SSL][] users or the 
> nascent [HTTP redirect design][])
>   - HTTPS
     - Secure Websockets
>   - (network, aka out of band) IPMI
     - Extend REST APIs
     - Redfish
>   - KVMIP
>   - Virtual media
>   - SoL (SSH via port 2200) to the host console
>   - mDNS discovery
>   - Avahi discovery service
>   - virtual USB (USB-over-IP)
> physical:
>   - network
     - USB External
     - USB to Host
>   - more? Help needed: would anyone want to give the BMC admin control 
> to shut down pathways between the BMC and host?
> 
> There will be more interfaces as the project goes forward.  For example, 
> the OpenPOWER work is proposing a communication channel between a 
> Hardware Management Console (HMC) and the host's hypervisor (PHYP) which 
> would use the BMC to set up the channel. Users who don't need this 
> capability might want to have a way to disable it (I don't know) so they 
> can avoid giving unnecessary network access to their hypervisor.  The 
> point is, I think tending this list will be ongoing work.
> 
> The short list of interfaces I personally care about includes:
>    SSH, IPMI, Avahi, and USB (physical and USB-over-IP)
> 
> I hope this partially addresses item 1 above.  :)
> 
> - Joseph
> 
> References:
> [network security considerations]: 
> https://github.com/openbmc/docs/blob/master/security/network-security-considerations.md 
> 
> [BMCWEB_INSECURE_DISABLE_SSL]: 
> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt
> [HTTP redirect design]: 
> https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/24173
> 
>>
>> Redfish documentation:
>> https://redfish.dmtf.org/schemas/ManagerNetworkProtocol.v1_4_0.json
>>
>> Related email discussion (on staged plans to address IPMI access):
>> https://lists.ozlabs.org/pipermail/openbmc/2019-September/018373.html
>>
>>
>>
>> Regards,
>> Jandra Aranguren
> 

* Re: Resend : Enable/disable access to BMC through interfaces for security
From: Jandra A @ 2019-11-04 22:57 UTC
  To: Justin Thaler; +Cc: OpenBMC Maillist

Thank you Joseph and Justin. I am keeping track of all of these to
discuss in the Security Workgroup.

Another thing to think about is where we and customers would want this
type of functionality to live within the GUI. As of now, the proposal
is to create a new panel dedicated to Security within the Access
Control category of the navigation.

Regards,
Jandra
