Is iLO safe enough to be hung on the WAN

I am wondering if iLO is safe enough to be hung on the WAN, I looked for some articles but could not find any ?

How do you guys secure iLO ? Do you put it behind a firewall ?

Would you use a firewall that can be accessed from the WAN using iLO ?

Solution 1:

If your WAN is an internal network then more than likely you'll want to be able to access it over the WAN.

If by WAN you mean public facing (ie- Internet) then that's a security risk you'll have to evaluate for yourself. I personally would do nothing of the sort since iLO exposes full control of your machine. VPN into your network if you want access.

Solution 2:

Although iLO (I'm a HP guy) is almost all over SSL/SSH session it really is access to the heart of your platform so I'm going to say that you really should VPN into that network tier to add that much additional protection.

Solution 3:

iLO, DRAC, IPMI, or any Out of Band type of control, should only ever be accessible internally. The correct way to access such services via the internet is through a secure VPN. And strait PPTP is *not a secure VPN (exception EAP-TLS), just in case someone considers it.

*sorry, typo. Did not review before posting! If any one cares, i always recommend L2TP/EAP-TLS

or the venerable L2PT/IPsec

and Chris S. is right, PPTP/EAP-TLS is better then IPsec alone. TLS is preferred over IPsec generally.

and truthfully, if the system already has SSH available over the net. I would just use SSH to forward the ports and not deal with the irritation of VPN.

Solution 4:

We put these devices into a separated network called admin-network. It is accessible only through admin-workstations connected to that network. So in your case - VPN is the thing to do.