1. 20
  2. 10

    It is interesting how many people don’t realize how many of these “management engine” platforms there are out there, or how poorly documented they are. While these are horribly egregious, I found the ones that give remote management even more terrifying, as most admins don’t even realize they exist. I’ve seen a stupid amount of:

    • iDRAC interfaces exposed to non-admin VLANs (and one exposed to the internet)
    • IPMI
    • iLO
    • An old Broadcom network card, when I was working at my university’s NOC, that always exposed a strange port my OS couldn’t detect; when I contacted support, it turned out to be for remote management.

    This needs to stop; it is absolutely insane to me that anyone thought these were a good idea. Yet again this is more evidence that the paradigm of equating more features with better systems is seriously flawed. I wonder if there is a single person in the entire world using these properly? Even if there are a couple, I have been on pentests where iDRAC and IPMI have been the direct cause of compromise of a network, and I’m sure there are much more intelligent and not-so-friendly people targeting these.

    1. 6

      Well, out-of-band management like iLO, iDRAC, IPMI, and friends is supremely useful to admins. The majority of the time these are set up on separate management-only networks/VLANs, and the physical separation makes it OK.

      The difference here is that as a hardware owner I can’t do anything with or about ME while I can choose to use (or not) IPMI.

      Also, to my knowledge, IPMI always needs a separate NIC while ME slyly uses the primary NIC.

      So I don’t think they’re quite comparable, and I like having things like IPMI available on devices. I think if Intel was more open about ME the conversation would be very different.

      1. 5

        > Also, to my knowledge, IPMI always needs a separate NIC while ME slyly uses the primary NIC.

        This is sadly not the case – there definitely exist machines whose BMCs use the host system’s primary NIC for IPMI. (The ones I’ve got do at least allow you to configure them to use a separate port, but from the factory they came configured on a single shared port – a nasty surprise when I realized they’d been sitting there exposed to the public internet with default usernames/passwords.)

        1. 1

          Supremely useful if they are used properly, if people even know they are available, or if they don’t have superior alternatives. I would say that from what I have seen in the wild, “majority” is far from the case; in fact, I’ve only seen these behind VLANs a single time. As for the types of networks where these are most useful, and where I see all of these: they are the ones where people with an insane budget tend to buy “drop-in” hardware that is filled with this stuff, and the vendors tend to either not document it or just assume that the people know how to manage them.

          From my surface-area-minimization standpoint, I still wouldn’t want ME even if it was completely open, same with the rest of these engines. IPMI does not always need a separate NIC (see the OpenIPMI and Cisco docs).

      2. 3

        I really wish I had the balls and/or know-how to do this to my own laptop. Or if it would even help.
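The thread's recurring complaint is BMCs (iDRAC, iLO, generic IPMI) that sit outside a management-only VLAN, ride the host's shared primary NIC from the factory, or still accept default credentials. The following audit script is an added example, not code from the thread or from any vendor tool: it checks a constructed inventory of BMC interfaces against an assumed management subnet (10.250.0.0/24) and reports exactly those three conditions, so an admin can see which boxes need the dedicated port, a VLAN move, or a credential change.

```python
"""Audit an out-of-band management inventory for the exposures discussed in
the thread. Example code added here; the inventory and the management subnet
are constructed assumptions, not real hosts."""
import ipaddress
from dataclasses import dataclass

# Assumed: the one VLAN on which BMC interfaces are allowed to live.
MANAGEMENT_NETS = [ipaddress.ip_network("10.250.0.0/24")]


@dataclass
class Bmc:
    host: str
    kind: str            # e.g. "iDRAC", "iLO", "IPMI"
    address: str         # address the BMC answers on
    nic_mode: str        # "dedicated" or "shared" (shared = host's primary NIC)
    default_creds: bool  # vendor default login still accepted


def audit(bmc: Bmc, mgmt_nets=MANAGEMENT_NETS) -> list[str]:
    """Return a list of findings for one BMC; empty list means no issue."""
    findings = []
    addr = ipaddress.ip_address(bmc.address)
    # A BMC reachable from anywhere but the management VLAN is reachable by
    # every workstation (or worse) on that network segment.
    if not any(addr in net for net in mgmt_nets):
        findings.append("outside management VLAN")
    # Shared-port mode means the BMC is exposed wherever the host itself is,
    # regardless of what the management VLAN looks like.
    if bmc.nic_mode == "shared":
        findings.append("shares host NIC")
    if bmc.default_creds:
        findings.append("default credentials")
    return findings


def report(inventory: list[Bmc]) -> dict[str, list[str]]:
    """Map each host with at least one finding to its findings."""
    result = {}
    for bmc in inventory:
        findings = audit(bmc)
        if findings:
            result[bmc.host] = findings
    return result


# Constructed sample inventory (hypothetical hosts).
SAMPLE_INVENTORY = [
    Bmc("db01", "iDRAC", "10.250.0.11", "dedicated", False),   # clean
    Bmc("web03", "iLO", "10.20.5.40", "shared", False),         # on a user VLAN
    Bmc("storage02", "IPMI", "10.250.0.30", "shared", True),    # factory settings
]

if __name__ == "__main__":
    for host, findings in report(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(findings)}")
```

Feeding this real data means exporting each BMC's address and NIC mode from the vendor's own tooling; the script deliberately does no network probing itself, so it can run against an inventory file without touching the BMCs.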