HMC

  • 1.  Security concern over Redundant HMC's setup

    User Group Leader
    Posted Mon August 26, 2024 03:47 AM

    Hello,

    In a dual-site setup I know that redundant HMCs have many advantages, including that both can control the power systems at a time if one fails. But I was thinking more about the security side here. For example, we have 2 sites, a production and a DR site. We have configured redundant HMCs which can manage either of the systems across the two sites. But let's say the HMC at the DR site is compromised; then the chances of manipulating the production systems with this HMC are really high? Is my assumption correct, or am I missing something here?



    ------------------------------
    Rohit Chauhan
    Senior Technical Specialist
    Norway
    ------------------------------


  • 2.  RE: Security concern over Redundant HMC's setup

    IBM Champion
    Posted Tue August 27, 2024 07:43 AM

    While it is possible that if someone gets into one HMC then they can access both systems, isn't it also true that if they can access one HMC it's likely they can access both?

    Picture this: One of our data centers is a few hours north of me. The other is a few hours south of me. If I can access one HMC from the office and attack both Power systems then isn't it likely that I can access the other HMC also? If so, then what does limiting one HMC to one Power system buy me? Inconvenience and lack of redundancy with no additional security?

    Sure, I could limit the HMCs to only being accessible while physically on site, but is that really practical in our situation? If I'm at the one data center and something happens at the other then what do I do? If I made 3 trips to a single data center in a single year then, based on past history, that would be a very busy year.

    We do not have a physical HMC with its own attached monitor standing there waving its arm saying "attack me". We use vHMC. Therefore it's unlikely that one of the DC employees will access our cage, pull out a KVM tray, open up the HMC and attack Power Systems at both locations.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 3.  RE: Security concern over Redundant HMC's setup

    User Group Leader
    Posted Wed August 28, 2024 02:41 AM

    Thanks for the feedback, Robert. I understand your point about having redundant HMCs, which makes life easier, but if I think from a security perspective and about the ongoing cyberattacks across organisations, the redundant HMC setup still concerns me.

    In this scenario, the HMC will have access to only one server in one location. Similarly, the DR site will have one HMC with access to its local server only. Hence, if the HMC at site 1 is compromised there is no way to connect to the HMC at site 2. Does this make sense?

    Regards,

    Rohit



    ------------------------------
    Rohit Chauhan
    Senior Technical Specialist
    Norway
    ------------------------------



  • 4.  RE: Security concern over Redundant HMC's setup

    Posted Wed August 28, 2024 03:23 AM

    Thanks for bringing this to our attention. As you have also stated, a dual HMC setup has many advantages. But this comes with extra security requirements due to the scope of multiple data center connectivity. Hence it is recommended, and hopefully every data center has, EDR security solutions to record the activities and events taking place on endpoints, providing security teams with the visibility they need to uncover incidents/unusual activities that would otherwise remain unattended. This will help in providing continuous and comprehensive visibility into what is happening on endpoints in real time. As an additional solution, PowerSC now supports HMC as an endpoint, and if there are enhancements needed in the profile which can help to detect such malicious activities, they can be shared as enhancements with us.

    Regards,

    Samvedna



    ------------------------------
    SAMVEDNA JHA
    ------------------------------



  • 5.  RE: Security concern over Redundant HMC's setup

    IBM Champion
    Posted Wed August 28, 2024 08:24 AM

    But I keep saying, that if a person has access to one HMC then he probably has access to the other HMC.  Everyone at my company who has access to one, has access to the other.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 6.  RE: Security concern over Redundant HMC's setup

    Posted Wed August 28, 2024 09:12 AM
    On Mon, Aug 26, 2024 at 07:46:53AM +0000, Rohit Chauhan via IBM TechXchange Community wrote:
    > In a dual-site setup I know that redundant HMCs have many advantages,
    > including that both can control the power systems at a time if one
    > fails. But I was thinking more about the security side here. For
    > example, we have 2 sites, a production and a DR site. We have
    > configured redundant HMCs which can manage either of the systems
    > across the two sites. But let's say the HMC at the DR site is
    > compromised; then the chances of manipulating the production systems
    > with this HMC are really high? Is my assumption correct, or am I
    > missing something here?

    This can be summarized as redundant HMCs mean redundant management
    domains. If one management domain is compromised, both sites are
    compromised.

    If you make the HMCs non-redundant so they don't share a management
    domain, then a compromise at one site is isolated. Also ensure you use
    unique passwords at each site for your hscroot account.

    You need to choose a balance between redundancy and isolation for
    security. Many times I have dual HMCs at each site. It's cheaper to
    implement now with the vHMC.

    Just a reminder if you are doing cross site HMCs, you likely have your
    FSPs on a public VLAN and should ensure you have strong passwords on
    the FSP accounts. Also consider using the firewall on the FSP to lock
    it to only allow the HMC IPs to login. Otherwise a network scan may
    allow attackers to go directly to the FSP, bypassing the HMCs
    completely. There is a horrible history of bad default passwords being
    placed on FSP accounts.

    I recommend using an isolated VLAN for the FSPs for that reason.

    ------------------------------------------------------------------
    Russell Adams Russell.Adams@AdamsSystems.nl
    Principal Consultant Adams Systems Consultancy
    https://adamssystems.nl/




  • 7.  RE: Security concern over Redundant HMC's setup

    IBM Champion
    Posted Thu August 29, 2024 03:30 PM

    Another way to look at this is the following:

    If I have a share, mapped drive, etc, on my laptop to one power system and a share on that same laptop to another power system, then if they infect my laptop they can attack both power systems?  Shouldn't I then use separate laptops for each share?  To me, this is MUCH more likely than someone NOT having access to both HMCs having access to one and attacking both Power Systems.



    ------------------------------
    Robert Berendt IBMChampion
    Business Systems Analyst, Lead
    Dekko
    Fort Wayne
    260-599-3160
    ------------------------------



  • 8.  RE: Security concern over Redundant HMC's setup

    IBM Champion
    Posted Tue September 03, 2024 07:41 AM

    These are two separate issues:  one is redundancy, the other is segmentation.

    From a redundancy perspective, you should have two HMCs controlling each frame.  By itself this doesn't increase your attack surface.

    From a segmentation perspective, you may want independent sites to have independent HMCs.  Limiting the HMC/BMC/FSP VLAN to a site protects them from things that happen on the other site.



    ------------------------------
    José Pina Coelho
    IT Specialist at Kyndryl
    ------------------------------
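
Added example, not part of any post in this thread: a small Python audit that makes the points in posts 6 and 8 concrete by comparing a cross-site redundant layout with dual HMCs per site. For each layout it reports which sites a single compromised HMC could control, which frames have fewer than two HMCs, and which FSP firewall entries admit more than a managing HMC's IP. All HMC names, frame names and addresses are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

def review(hmcs, frames):
    """Return (blast_radius, under_redundant_frames, fsp_findings) for a layout."""
    # Sites whose frames are controllable once a given HMC is compromised.
    blast = {name: sorted({frames[f]["site"] for f in h["manages"]})
             for name, h in hmcs.items()}
    # Redundancy: every frame should be managed by at least two HMCs.
    managers = {f: [n for n, h in hmcs.items() if f in h["manages"]] for f in frames}
    under_redundant = sorted(f for f, m in managers.items() if len(m) < 2)
    # FSP allowlist entries that admit anything other than a managing HMC's IP.
    findings = []
    for f, meta in frames.items():
        hmc_ips = {ip_address(hmcs[n]["ip"]) for n in managers[f]}
        for entry in meta["fsp_allow"]:
            net = ip_network(entry)
            if net.num_addresses > 1 or net.network_address not in hmc_ips:
                findings.append((f, entry))
    return blast, under_redundant, findings

# Constructed inventories (hypothetical names and addresses, not from the thread).
# Layout A: one HMC per site, each managing the frames at both sites.
CROSS_SITE_HMCS = {
    "hmc-prod": {"ip": "10.10.0.11", "manages": ["prod-frame", "dr-frame"]},
    "hmc-dr":   {"ip": "10.20.0.11", "manages": ["prod-frame", "dr-frame"]},
}
CROSS_SITE_FRAMES = {
    "prod-frame": {"site": "PROD", "fsp_allow": ["10.10.0.11/32", "10.20.0.11/32"]},
    "dr-frame":   {"site": "DR",   "fsp_allow": ["10.20.0.0/24"]},  # whole subnet
}
# Layout B: dual HMCs at each site, each pair managing only its local frame.
PER_SITE_HMCS = {
    "hmc-prod-a": {"ip": "10.10.0.11", "manages": ["prod-frame"]},
    "hmc-prod-b": {"ip": "10.10.0.12", "manages": ["prod-frame"]},
    "hmc-dr-a":   {"ip": "10.20.0.11", "manages": ["dr-frame"]},
    "hmc-dr-b":   {"ip": "10.20.0.12", "manages": ["dr-frame"]},
}
PER_SITE_FRAMES = {
    "prod-frame": {"site": "PROD", "fsp_allow": ["10.10.0.11/32", "10.10.0.12/32"]},
    "dr-frame":   {"site": "DR",   "fsp_allow": ["10.20.0.11/32", "10.20.0.12/32"]},
}

if __name__ == "__main__":
    for label, hmcs, frames in (("cross-site", CROSS_SITE_HMCS, CROSS_SITE_FRAMES),
                                ("per-site", PER_SITE_HMCS, PER_SITE_FRAMES)):
        blast, under, findings = review(hmcs, frames)
        print(label, "blast radius:", blast)
        print(label, "frames with <2 HMCs:", under, "| wide FSP rules:", findings)
```

Both layouts keep two HMCs on every frame; only the per-site layout confines a compromised HMC to its own site.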