Robust security is imperative for network-based systems, particularly for applications that deal with sensitive information, to prevent unauthorized agents from intercepting, corrupting or publishing sensitive data. A suitable information security system must perform with minimum disruption to users to ensure that authorized users are neither erroneously denied access nor unduly restricted in their duties.
Efforts exist in the server industry to develop a standard to create manageable hardware building blocks that share management information through a standard interface, known as the Intelligent Platform Management Interface (IPMI). This standard is designed to allow plug-and-play architecture for hardware management, thereby making possible scalable systems utilizing hardware from multiple vendors, while resulting in a completely manageable system.
Remote management of the IPMI occurs through host instrumentation client applications executing on the operating system. Several existing standards, such as the Desktop Management Interface (DMI), Common Information Model (CIM) and Simple Network Management Protocol (SNMP), define frameworks to access the management data through operating system-based services. In some systems, management data can also be accessed directly without passing through the operating system or the main system processors. This is called “out-of-band” access, and it can occur via modem, serial and local area network connections.
The remote access mechanisms used today provide limited security, such as a clear-text password, for direct access to the hardware components. Using this access, critical operations may be executed (e.g., shutting down or resetting the system). Therefore, it is imperative to include adequate security mechanisms for this access. Unfortunately, the platform management components (i.e., the micro-controllers that act as service processors) are usually low-cost hardware, and typically have very low processing power and memory. The security infrastructure therefore must provide adequate protection without requiring significant processing capacity or memory resources from these devices.
Examples of client applications that enable remote management of hardware components include the Intel Server Control (ISC) product and the Appliance Server Management (ASM) product. The ISC product allows in-band and out-of-band access to the server. The various connection points between the console and the server are depicted in FIG. 2. ASM provides similar functionality, the connections of which are depicted in FIG. 3.
Modest security mechanisms are provided for the ISC and ASM connections. In ISC, for example, a password routine protects access from the Direct Platform Control (DPC) console 24 to: (1) the Server Management Controllers (SMCs) 28; (2) the BIOS 25 (and the BIOS mode is accessible only if access to the SMC is authorized, as a command to remotely reboot the system can only be issued in this mode); (3) the Service Partition (and the service partition mode is only accessible if the access to the SMC is authorized, as a command to remotely reboot to the service partition can only be executed in this mode). In addition, in ISC the SMC can be configured to operate in a “Restricted Access Mode” preventing the DPC console from executing any Reset/PowerOff commands. In ISC, direct access to the firmware can also be completely disabled. In ASM, access from the ASM Emergency console 32 to BIOS 33 is protected by a password routine. In the ISC product, however, access from the Platform Instrumentation Control (PIC) 21 to the DMI instrumentation 27 on the operating system does not occur through any authorization process. This limitation originates with the DMI, which allows free access to the instrumentation. In contrast to the ISC, access from the ASM console 31 to the CIM instrumentation 35 is protected by a username/password validated by the web server (IIS) on the managed Windows Appliance.
An example of a service processor for interacting with client applications for managing hardware components is the Baseboard Management Controller (BMC), which provides a level of systems management via an external modem or a network adapter during all system states. This includes the powered-down, pre-boot, OS-down or OS-up situations. The DPC graphical user interface (GUI) communicates directly with the BMC. Even if the OS on the target server is operating, communications between the DPC and BMC do not pass through it.
The functionality that can be achieved through this connection is the monitoring of hardware sensors, access to sensor configuration, access to the Platform Event log, and the capability to reboot, power cycle or shut down the system. Consequently, this connection requires that a DPC user be properly authenticated, ensuring the user is authorized to perform the operations. The communication over the wire must be protected against spoofing, session hijacking and replay attacks. The privacy of the data is not critical, as security is not compromised if an unauthorized person reads a command to “reboot the system.” The security of the system is protected as long as the integrity of the data is preserved.
To complicate matters, certain restrictions in this environment limit the ability to integrate security measures into the interface. The management controller employed in this environment may have a low processing capability as well as limited resources, both in terms of code size and the memory available to execute the code. Moreover, due to the aforementioned processing limitation, the extensive computations that are typical of many security schemes are not possible.
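The requirements stated above (authenticated commands, integrity without confidentiality, resistance to spoofing, session hijacking and replay, and only inexpensive computation on the controller) can be illustrated with a keyed hash over a cleartext command. This is an added example, not the mechanism of the invention or of any product named here; the packet layout, command strings, shared key and class names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

HDR = ">16sI"   # assumed layout: 16-byte session id, 32-bit sequence number
HDR_LEN, TAG_LEN = 20, 32

def seal(key, session_id, seq, command):
    """Console side: cleartext header and command, followed by a MAC over both."""
    body = struct.pack(HDR, session_id, seq) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Controller:
    """Controller side: shared key plus per-session replay state."""
    def __init__(self, key):
        self.key = key
        self.session_id = os.urandom(16)  # fresh value for each session
        self.last_seq = 0

    def accept(self, packet):
        """Return the command if the packet is authentic and fresh, else None."""
        if len(packet) < HDR_LEN + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                   # spoofed or modified in transit
        sid, seq = struct.unpack(HDR, body[:HDR_LEN])
        if sid != self.session_id:
            return None                   # belongs to a different session
        if seq <= self.last_seq:
            return None                   # replayed or reordered packet
        self.last_seq = seq
        return body[HDR_LEN:]

def demo():
    key = b"constructed-shared-secret"    # constructed sample key
    bmc = Controller(key)
    good = seal(key, bmc.session_id, 1, b"POWER_CYCLE")
    tampered = bytearray(seal(key, bmc.session_id, 2, b"GET_SENSOR"))
    tampered[HDR_LEN] ^= 0x01             # flip one bit of the command
    return {
        "first": bmc.accept(good),
        "replay": bmc.accept(good),
        "tampered": bmc.accept(bytes(tampered)),
        "forged": bmc.accept(seal(b"wrong-key", bmc.session_id, 3, b"RESET")),
        "other_session": bmc.accept(seal(key, os.urandom(16), 4, b"RESET")),
        "next": bmc.accept(seal(key, bmc.session_id, 2, b"GET_SENSOR")),
    }
```

The command travels in the clear, so an observer can read it, but any packet that is altered, forged without the key, taken from another session or sent twice is rejected.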
The present invention is therefore directed to the problem of developing a method and apparatus that execute independently of the operating system for interfacing with hardware components via direct access from a remote device in a secure manner, without overly taxing the processing and memory resources of the hardware components.