Hi,

> On 23 Dec 2025, at 22:11, heasley <[email protected]> wrote:
>
> Tue, Dec 23, 2025 at 08:51:54PM +0100, Lukasz Bromirski via NANOG:
>> I'm pretty sure you're half-joking and half-not, but that's the reality.
>> I lead platform (hardware) development for Cisco Firewalls. I can tell you,
>> that during my discussions with all of our Customers, from biggest to
>> smallest ones, security folks don't appreciate fully dedicated, separate
>> out-of-band management ports, with their own OS that's available no-matter-what.
>
> I'd expect that, from a security perspective, one problem is that
> BMCs are often neglected by both the customer and the mfg. eg, they
> often never receive a s/w update for the life of the product or the
> update procedure is arcane and unautomatable; both like smc and
> unacceptable.

Yes, and that's actually one of my talking points (to not use something off the shelf and instead deploy hardened Linux on some ARM/SoC). We never get to that point of discussion though. Currently our way of doing that was to dedicate cores from the main CPU to run its own VM as FXOS, or in some cases run these ports indeed as a dedicated FXOS instance, physically distinct from the "main" CPU and OS. All we've heard was "oh, it adds complexity, we don't like it".

>> - you vote with your wallets
>
> how much is really saved? is it actually a noticeable cost? make it a
> daughter card?

What I meant is by buying equipment that doesn't have it, or not driving this as a requirement in RFPs. The actual cost of the SoC, flash and circuitry is going to be like $5. Let's be generous and assume I'm going to add $100 to the price of the box to adjust for margins. There will be some cost of added development and testing. You think you're going to notice this in a $300k box? Or a $1M box? Nah. But we need this clearly articulated by you - the people, otherwise it's "these PMs are making things up".

--
./

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/VVEZ7YEZGQLFUP5K7RNVSB4A7NK6AHQG/
