I'd qualify it as ugly, but sometimes necessary. You should mitigate the risks by having some seriously restrictive ACLs on the ingress routers or L3 switches, if any. I wouldn't trust the DRAC IPMI "firewall" by itself, nor would I expect the IP stack/firmware to resist a random DDoS/brute-force hacking attempt for long. The intertube has sadly been a dangerous neighborhood for quite some time. It would be better to have a firewall on-site to secure a management network dedicated to the DRACs and have a VPN tunnel to a central management location, but sometimes this is just not in the budget. I shamefully admit that I have several boxes deployed in remote locations in just this kind of scenario with very restrictive ACLs on the routers, because we did not get a budget to acquire several firewalls to do just that. One firewall to secure two servers was deemed too expensive.
Cheers,
Robert

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Ed Brown
> Sent: Friday, 20 November 2009 01:13
> To: [email protected]
> Subject: drac open to internet?
>
> What would YOU say to an admin who wants to make his DRAC open to the internet? Does Dell address this scenario in documentation anywhere?
> Is it as bad an idea as it immediately and intuitively seems to be?
>
> thanks,
> Ed
>
> _______________________________________________
> Linux-PowerEdge mailing list
> [email protected]
> https://lists.us.dell.com/mailman/listinfo/linux-poweredge
> Please read the FAQ at http://lists.us.dell.com/faq
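An added example, not from the list or from Dell, of the kind of restrictive ingress ACL Robert describes, written in Cisco IOS syntax: only the central management host may reach the DRAC, and only on the services it actually uses. The addresses, interface name and port list are assumptions; check the port list against the services your DRAC firmware exposes.

```cisco
! Assumed addresses (documentation ranges used as placeholders):
!   203.0.113.10 = central management host
!   192.0.2.20   = the DRAC's Internet-facing address
! Assumed DRAC services: HTTPS (443/tcp), SSH (22/tcp), IPMI-over-LAN (623/udp).
! Virtual console / virtual media ports are left out unless that feature is needed.
ip access-list extended DRAC-INGRESS
 remark Management host only, with an explicit service list
 permit tcp host 203.0.113.10 host 192.0.2.20 eq 443
 permit tcp host 203.0.113.10 host 192.0.2.20 eq 22
 permit udp host 203.0.113.10 host 192.0.2.20 eq 623
 remark Anything else aimed at the DRAC is dropped and logged
 deny   ip any host 192.0.2.20 log
 remark Traffic to the production servers is governed by their own entries
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet uplink (assumed interface)
 ip access-group DRAC-INGRESS in
```

The `log` keyword on the deny entry is what turns the router into a sensor: the resulting syslog entries record exactly the scanning and brute-force attempts that the DRAC's own stack was not to be trusted to withstand, so ship them somewhere they get reviewed.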
