August 9, 2018

The Forgotten Management Interfaces – WST

Out-of-band (OOB) management used to be a more common term. It refers to any way you can manage or log into a device outside of its normal admin interface. It can be a dial-in modem attached to a router, a console cable in a switch, or a management controller on a server. Whatever the method, they can all fall prey to a common problem: because they are only used in emergencies, they are commonly forgotten. This means a critical management interface can become a security risk.

Our recommendations for securing OOB management channels:

  1. Inventory all management interfaces, including backup or OOB interfaces. You cannot secure what you don’t know about.
  2. When not needed on a regular basis, disable OOB management. ISP routers and some vendor equipment will sometimes have old-fashioned dial-in modems. These should be disconnected or powered off until needed.
  3. Make sure any connected OOB interfaces are properly secured. Change default passwords. It is very common for us to find server management controllers such as Dell iDRAC or HP iLO devices configured with default credentials. Often, this will give us the same access as if we were physically interacting at the keyboard. Also, just because you changed the “admin” password, that doesn’t always mean the interface is secured. Some interfaces will have other admin accounts, such as “root” or “operator”, that need passwords changed as well. Review documentation to ensure you have changed all default passwords.
  4. Keep firmware up to date. Unfortunately, management cards such as the ones above have been susceptible to serious security flaws in the past several years.  Make sure you include firmware or software updates for these components in your patching process.
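
One way to check an inventory against the four recommendations above, as an added example that is not part of the original post. The CSV column names, the device names and the asset list are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample data, not real devices. Column names are assumptions.
# One row per account on each management interface.
INVENTORY_CSV = """\
device,interface,needed_regularly,connected,account,password_changed,firmware,latest_firmware
srv-db01,bmc,yes,yes,admin,yes,2.10,2.10
srv-db01,bmc,yes,yes,root,no,2.10,2.10
rtr-edge1,dial-in modem,no,yes,admin,yes,1.4,1.4
sw-core1,console,yes,yes,admin,yes,3.2,3.5
sw-core1,console,yes,yes,operator,yes,3.2,3.5
"""
# Constructed asset list used to spot devices missing from the inventory.
ASSETS = ["srv-db01", "rtr-edge1", "sw-core1", "srv-app02"]


def version_tuple(text):
    """Turn '2.10' into (2, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit(csv_text, assets):
    """Return sorted (location, finding) pairs for the four recommendations."""
    findings = set()
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        seen.add(row["device"])
        where = f"{row['device']}/{row['interface']}"
        # 2. OOB channels not needed regularly should be disconnected.
        if row["needed_regularly"] == "no" and row["connected"] == "yes":
            findings.add((where, "connected but not needed regularly"))
        # 3. Every account, not only 'admin', needs its default changed.
        if row["password_changed"] != "yes":
            findings.add((where, f"default password on account '{row['account']}'"))
        # 4. Firmware must be part of the patching process.
        if version_tuple(row["firmware"]) < version_tuple(row["latest_firmware"]):
            findings.add((where, "firmware behind latest known release"))
    # 1. A device with no recorded interface means the inventory is incomplete.
    for device in assets:
        if device not in seen:
            findings.add((device, "no management interface recorded"))
    return sorted(findings)


if __name__ == "__main__":
    for where, finding in audit(INVENTORY_CSV, ASSETS):
        print(f"{where}: {finding}")
```
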

