docs/security/network-security-considerations.md

1 # Network Security Considerations
7 This is only intended to be a guide; security is ultimately the responsibility
9 a security vulnerability, please consider [how to report a security
12 [how to report a security vulnerability]:
13   https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md
32 - The BMC is presumed to have a network adapter. The security considerations of
33   the NIC are important to the BMC security, but are outside the scope of this
48 driver have security considerations which are important to BMC security, but are
83 Transport layer security (TLS) protocols are configured for each service at
125 Laws may require products built on OpenBMC to have reasonable security built
145 - Transport layer security (TLS) protocols offered.
165 General security considerations for HTTP servers apply such as given by [OWASP
166 Application Security][].
168 BMCWeb controls which HTTPS transport layer security (TLS) ciphers it offers via
178 [owasp application security]:
201 General security considerations for REST APIs apply:
204 Redfish provides security considerations in the "Security Detail" section of the
211 Application Security Guidance][] apply to OpenBMC. The webui-vue uses username
214 [owasp web application security guidance]:
235 General security considerations for service discovery apply. For example,
240 General security considerations for service discovery apply.
250 General security considerations for IPMI apply. For example, described here: