is IPMI on an old server safe to use?

[Ashleyyyy]

I've got an old HP ProLiant ML350 G6 and It has a port for IPMI. I disabled it since I didn't need it, but it would be fun to try. 

but is it safe? 

[Sir Asvald]

Why won't it be safe? Unless you're going to access it from the internet. I'd put the IPMI on a different subnet. Get it a different IP to what you usually use.

[Ashleyyyy]

5 minutes ago, Abdul201588 said:

Why won't it be safe? Unless you're going to access it from the internet. I'd put the IPMI on a different subnet. Get it a different IP to what you usually use.

I guessed so because it's old software.. isn't it venerable?

[Electronics Wizardy]

1 hour ago, firelighter487 said:

I guessed so because it's old software.. isn't it venerable?

yea it normally is, but thats why you don't connect it to the full internet, just use your local network.

[brwainer]

1 hour ago, firelighter487 said:

I guessed so because it's old software.. isn't it venerable?

Some older IPMI setups didn’t really have security in mind, such as HTTP only, easy to snoop on iKVM, and no security audits. Others are known to have significant vulnerabilities. Here are the known vulnerabilities for iLO2: https://www.cvedetails.com/vulnerability-list/vendor_id-10/product_id-27525/HP-Integrated-Lights-out-2-Firmware.html

 

The best practice is to seperate all your management interfaces (IPMI, switch IPs, etc) into a separate VLAN and subnet that is only accessible via a router or firewall that limits traffic to appropriate sources. This may be overkill but I suggest doing it if your router and switch(es) can do VLANs. Otherwise for a home lab, just don’t port forward to it from your WAN and it’ll probably be fine - you are relying on the security of the rest of the devices in the network.

[Ashleyyyy]

1 hour ago, brwainer said:

Some older IPMI setups didn’t really have security in mind, such as HTTP only, easy to snoop on iKVM, and no security audits. Others are known to have significant vulnerabilities. Here are the known vulnerabilities for iLO2: https://www.cvedetails.com/vulnerability-list/vendor_id-10/product_id-27525/HP-Integrated-Lights-out-2-Firmware.html

 

The best practice is to seperate all your management interfaces (IPMI, switch IPs, etc) into a separate VLAN and subnet that is only accessible via a router or firewall that limits traffic to appropriate sources. This may be overkill but I suggest doing it if your router and switch(es) can do VLANs. Otherwise for a home lab, just don’t port forward to it from your WAN and it’ll probably be fine - you are relying on the security of the rest of the devices in the network.

i'm going to be replacing all of the cheap switches etc we use now with (old) decent switches. can you recommend me some good one's that are safe to use and that I can get for cheap second hand?

[brwainer]

2 hours ago, firelighter487 said:

i'm going to be replacing all of the cheap switches etc we use now with (old) decent switches. can you recommend me some good one's that are safe to use and that I can get for cheap second hand?

Sorry, I haven’t been watching the second hand network equipment lately.