zlacker

>>zdw+(OP)
If you've never used the BMC on a server... it is all 100% garbage. Software mostly written by embedded folks who haven't got a clue. It is absolutely garbage software on the whole (and no matter what vendor you get the board from). Go ahead and hit up the web interface then do a bit of "View Source". If you are imagining the rest of that stack is any better than my friend have I got a Beautiful Bridge in Brooklyn to sell you!

If it were me I'd assume the majority of BMC firmware out there from all vendors: 1. Is full of many many exploitable vulnerabilities 2. To the extent they patch holes it will be whack-a-mole because the economics do not permit large investments in software quality. 3. Many server owners will never install a patch anyway.

>>xenadu+d3c
BMC software quality is low but what's the alternative? Without BMC it is more expensive to manage a fleet of servers. In a better word hardware vendors will publish specs to allow open-source BMC firmware but for some reason they resist this idea. Having only insecure BMC available a semi-separate management network (connected via a bastion host or a VPN) provides balance between cost and security.

>>citrin+nyc
> BMC software quality is low but what's the alternative?

Dedicated KVM devices?

>>einste+hWc
This won't scale. Dedicated KVM needs you as an admin walking to the server, reswitching cables, walking back to the KVM console. Instead, with Out of band managament hw/sw, you spawn a dedicated ethernet and can access it from anywhere. It is a flexibility advantage on the costs of security.

>>ktpsns+I4d
I was thinking more like just having one IP KVM per server always hooked up to a dedicated management network, basically used exactly like a BMC just with better software.