Baseboard Management Controller (BMC) Best Practices (Hardware Only)
- Last Updated: April 8, 2025
All higher-end LoadMasters are equipped with a Baseboard Management Controller (BMC) that provides remote system configuration and monitoring of critical hardware resources. In some environments, the BMC is also used to provide automatic and unattended installation of the Operating System (OS) software.
The BMC is industry-standard technology, commonly delivered on data center hardware by many vendors.
On LoadMaster, the BMC should only be used for remote monitoring. It is not recommended to change any values in the BMC other than login information. Doing so may invalidate the system warranty.
If BMC access is not required in your deployment, best practice is to disable access to the BMC.
If BMC access is desired, best practice is to modify the password of the default BMC user login to use a strong password, and assign strong passwords to any new users created.
The remainder of this chapter provides the information you need to accomplish the above tasks.
BMC / IPMI Security Concerns
One of the interfaces described below for accessing the BMC is the Intelligent Platform Management Interface (IPMI). This is an Application Programming Interface (API) that is implemented by Linux and Windows tools to provide an easy-to-use command-line interface to the BMC that can be run from a remote server or laptop.
Security issues with accessing the BMC through IPMI have existed since the IPMI 2.0 specification was developed in 2013. There is no update to this specification planned. For a review of the issues inherent in BMC and IPMI, refer to the Risks of Using the Intelligent Platform Management Interface on the Cybersecurity & Infrastructure Security Agency’s website.
The basic best practice guidance is as follows:
- Restrict IPMI to trusted internal networks.
  Restrict IPMI traffic so that only authorized personnel on trusted internal networks have access. You should restrict IPMI traffic (usually UDP port 623) to a management VLAN segment with strong network controls.
- Use strong passwords.
  You must set strong, unique passwords for all BMC logins. Passwords can be up to 20 characters long. For advice on setting strong passwords, refer to the NIST Password Guidelines and Best Practices webpage.
Default BMC Configuration
All LoadMasters equipped with a BMC have the BMC enabled by default:
- LoadMaster “NG” hardware appliances (for example, LM-X25-NG) are configured with a username of “admin” and the password set to the system serial number (which is unique to the device).
- Legacy LoadMaster hardware appliances (for example, LM-X25) are configured with a username of “admin” with the password “admin”, in addition to an anonymous user.
By default (on all models) the BMC attempts to obtain an IP address through DHCP, and may become available on the network as soon as the system is provisioned.
BMC Administration Interfaces
You can configure and access the BMC using the interfaces discussed in the following sections.
Using the HTTPS browser interface
You can configure the BMC, view hardware sensor values, and use other features with this user-friendly interface. The BMC provides the IP address automatically configured at startup.
Upon first access to the BMC using the HTTPS interface, log in as ‘admin’ and provide the default password appropriate for your model as described in the previous section (‘admin’ or the system serial number). You will be prompted to reset the ‘admin’ login password to a strong password.
Using the IPMI interface
The ipmitool utility provides a command line interface to BMC capabilities. IPMI commands are sent to the same BMC IP address at which the HTTPS interface is available, using the IPMI port (623). You can download installable packages for Linux or Windows at https://ipmiutil.sourceforge.net/.
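As an added example (not part of the original documentation or the vendor's tooling), the following shell script audits saved `ipmitool lan print 1` and `ipmitool user list 1` output against the defaults described above: DHCP addressing, an anonymous user, and the default `admin` login. The fixed-width column layout assumed for the user list and all sample data are constructed for illustration; adjust the column offsets if your ipmitool version prints differently.

```shell
#!/bin/sh
# Added example: audit saved ipmitool output against the defaults this page describes.
# Capture on an authorized management host:
#   ipmitool lan print 1 > lan.txt; ipmitool user list 1 > users.txt
# Assumption: "user list" prints fixed-width columns (ID 1-4, Name 5-20, flags from 22).

audit_lan() {    # stdin: output of "ipmitool lan print 1"
  awk -F' *: *' '$1 == "IP Address Source" && $2 ~ /DHCP/ {
    print "FINDING dhcp: BMC obtains its address through DHCP" }'
}

audit_users() {  # stdin: output of "ipmitool user list 1"
  awk '
    NR == 1 || NF == 0 { next }                      # skip header and blank lines
    {
      id = substr($0, 1, 4) + 0
      name = substr($0, 5, 16); gsub(/^ +| +$/, "", name)
      if (substr($0, 22) ~ /NO ACCESS/) next         # no privilege on this channel
      logins++
      if (name == "")
        print "FINDING anonymous: user ID " id " has no name but has channel access"
      if (name == "admin")
        print "CHECK admin: ID " id " is the default login; confirm its password is not the default"
    }
    END { if (!logins) print "INFO no-login: no user has channel access" }'
}

# Constructed sample data (not captured from a real appliance).
row() { printf '%-4s%-17s%-8s%-11s%-11s%s\n' "$@"; }
sample_lan() {
  printf '%-24s: %s\n' 'IP Address Source' 'DHCP Address' 'IP Address' '192.0.2.10'
}
sample_users() {
  row ID Name Callin 'Link Auth' 'IPMI Msg' 'Channel Priv Limit'
  row 1 '' true false true USER
  row 2 admin true false true ADMINISTRATOR
  row 3 '' true false false 'NO ACCESS'
}

# Demo run on the constructed samples; replace with "audit_lan < lan.txt" etc.
sample_lan | audit_lan
sample_users | audit_users
```

The script only reads saved output and changes nothing on the BMC. It cannot tell whether a password is still the default, so the `CHECK admin` line is a prompt to verify that manually.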
Using the system BIOS
This is the lowest level interface provided and it gives you limited ability to configure BMC network access and logins. It is generally not recommended to use the BIOS controls for these purposes, because the HTTPS and IPMI interfaces provide complete configurability and a superior user experience.
Disabling Access to the BMC
To disable access to the BMC on LoadMaster, do the following:
- At the upstream firewall, block the IPMI port (port 623). This will block remote traffic should BMC access be restored, confining use to the local network. See your firewall documentation for instructions.
- Using the HTTPS interface described above:
  - Configure the BMC so that it does not obtain an address automatically through DHCP.
  - Disable login to the BMC.
  - Set the BMC IP address to a non-routable address.
- Reboot the system.
Restoring Access to the LoadMaster BMC
- Configure the IP address for the BMC network interface.
- Enable at least one login.
- Ensure that all logins are assigned a strong password.