xref: /openbmc/docs/security/network-security-considerations.md (revision 67032dffe31f98a8638927f74a7a35990d6a1fbc)
# Network Security Considerations

This describes network services provided by OpenBMC-based systems, some threats
the BMC faces from its network interfaces, and steps OpenBMC takes to address
these threats.

This is only intended to be a guide; security is ultimately the responsibility
of projects which choose to incorporate OpenBMC into their products. If you find
a security vulnerability, please consider [how to report a security
vulnerability][].

[how to report a security vulnerability]:
  https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md

Threats to the BMC are classified using the [CIA triad][]. All threat types are
significant; here is an example of each:

- Confidentiality: If an attacker can get data from the BMC, they may be able to
  chain other vulnerabilities to establish a covert information channel to get
  sensitive information from the host.
- Integrity: If an attacker can modify BMC settings or data, they may be able to
  gain additional access, and launch more attacks.
- Availability: If an agent can overwhelm the BMC's resources, either by
  accident or on purpose, the BMC will not be available to service its host
  (denial of service).

[cia triad]: https://en.wikipedia.org/wiki/Information_security#Key_concepts

This document is organized by how OpenBMC services connect to the network. The
general flow is:

- The BMC is presumed to have a network adapter. The security considerations of
  the NIC are important to BMC security, but are outside the scope of this
  document.
- Network traffic then flows through the kernel, detailed below.
- Finally, connections flow to various OpenBMC services.

OpenBMC provides services on TCP and UDP ports. For example, the HTTPS protocol
on port 443 is used to provide REST APIs and serve Web applications. These
services are detailed below. All other ports are implicitly inactive.

OpenBMC also initiates network communications, for example, to NTP and LDAP
servers. These are covered with their associated functions.

## Kernel and ICMP messages

Network traffic is handled by the Linux kernel. The exact kernel and device
driver have security considerations which are important to BMC security, but are
better addressed by the Linux kernel community. You can learn which kernel and
patches are used from the kernel recipes typically found in the board support
packages for the BMC referenced by your machine's configuration. For example, in
the `https://github.com/openbmc/meta-aspeed` repository under
`recipes-kernel/linux/linux-aspeed_git.bb`.

Per [CVE 1999-0524][], responding to certain ICMP packets can give an attacker
more information about the BMC's clock or subnet, which can help with subsequent
attacks. OpenBMC responds to all ICMP requests.

[cve 1999-0524]: https://nvd.nist.gov/vuln/detail/CVE-1999-0524

General considerations for ICMP messages apply, for example, packet
fragmentation and packet flooding vulnerabilities.

It is sometimes useful to filter and log network messages for debug and other
diagnostic purposes. OpenBMC provides no support for this.

## General considerations for services

Several services perform user identification and authentication:

- Phosphor REST APIs
- Redfish REST API SessionService
- Network IPMI
- SSH secure shell

OpenBMC's [phosphor-user-manager][] provides the underlying authentication and
authorization functions and ties into IPMI, Linux PAM, LDAP, and logging. Some
OpenBMC services use phosphor-user-manager.

[phosphor-user-manager]:
  https://github.com/openbmc/docs/blob/master/architecture/user-management.md

Transport layer security (TLS) protocols are configured for each service at
compile time, become part of the image, and cannot be changed dynamically. The
protocols which use TLS include:

- RAKP for IPMI.
- SSH for ssh and scp.
- HTTPS for Web and REST APIs.

Automated network agents (such as hardware management consoles) may malfunction
in a way that the BMC continuously gets authentication failures, which may lead
to denial of service. A brief delay before reporting the failure, for example,
one second, may help prevent this problem or lessen its severity. See [OWASP
Blocking Brute Force Attacks][].

[owasp blocking brute force attacks]:
  https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks

Network agents may fail to end a session properly, which causes the service to
use resources to keep track of orphaned sessions. To help prevent this, services
may limit the maximum number of concurrent sessions, or have a session
inactivity timeout.
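The two mitigations just described, a delay before a failed login is reported
and a session table with a concurrent-session cap and an inactivity timeout,
are shown together in the following added Python example. It is not OpenBMC
code: the `AuthGate` class, the policy values, and the `verify` callback that
stands in for the PAM or phosphor-user-manager check are all constructed for
this illustration, and the clock is injected so the behaviour can be checked
without sleeping.

```python
"""Added example (not OpenBMC code): a failed-login delay that grows per source
and a session table with a concurrent-session cap and an inactivity timeout.
Policy values and the clock are constructed so the behaviour is checkable."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

BASE_DELAY_S = 1.0        # delay after the first failure (the "one second" above)
MAX_DELAY_S = 8.0         # cap, so a stuck agent cannot grow the delay without bound
MAX_SESSIONS = 4          # concurrent-session limit (constructed value)
IDLE_TIMEOUT_S = 30 * 60  # inactivity timeout in seconds (constructed value)


@dataclass
class Session:
    user: str
    last_seen: float


class AuthGate:
    """Front door for a service: verifies credentials, throttles failures, tracks sessions."""

    def __init__(self, verify: Callable[[str, str], bool], clock: Callable[[], float]):
        self._verify = verify                    # stand-in for the PAM/phosphor-user-manager check
        self._clock = clock                      # injected so tests need not sleep
        self._failures: Dict[str, int] = {}      # consecutive failures per source address
        self._sessions: Dict[str, Session] = {}  # token -> session

    def delay_for(self, source: str) -> float:
        """Seconds to hold the reply to this source after its latest failure."""
        n = self._failures.get(source, 0)
        return 0.0 if n == 0 else min(BASE_DELAY_S * 2 ** (n - 1), MAX_DELAY_S)

    def login(self, source: str, user: str, password: str) -> Optional[str]:
        """Return a session token, or None if the credentials fail or the cap is reached."""
        self.expire_idle()
        if not self._verify(user, password):
            self._failures[source] = self._failures.get(source, 0) + 1
            # A real service would time.sleep(self.delay_for(source)) before replying.
            return None
        self._failures.pop(source, None)          # success resets the penalty
        if len(self._sessions) >= MAX_SESSIONS:
            return None                           # refuse rather than grow without bound
        token = secrets.token_urlsafe(24)
        self._sessions[token] = Session(user, self._clock())
        return token

    def touch(self, token: str) -> bool:
        """Validate a token on each request and refresh its idle timer."""
        self.expire_idle()
        session = self._sessions.get(token)
        if session is None:
            return False
        session.last_seen = self._clock()
        return True

    def logout(self, token: str) -> None:
        """Explicit session end; well-behaved agents call this."""
        self._sessions.pop(token, None)

    def expire_idle(self) -> int:
        """Drop sessions idle longer than IDLE_TIMEOUT_S; return how many were dropped."""
        now = self._clock()
        stale = [t for t, s in self._sessions.items() if now - s.last_seen > IDLE_TIMEOUT_S]
        for t in stale:
            del self._sessions[t]
        return len(stale)

    def active_sessions(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    import time
    gate = AuthGate(lambda u, p: (u, p) == ("admin", "correct"), time.monotonic)
    for _ in range(3):
        gate.login("10.0.0.5", "admin", "wrong")
        print("delay now", gate.delay_for("10.0.0.5"), "s")
    print("token issued:", gate.login("10.0.0.5", "admin", "correct") is not None)
```

The delay doubles per consecutive failure from the same source and is capped,
so a looping management console slows itself down without being able to push
the delay to a value that would itself deny service; a successful login resets
it. Idle sessions are reaped on every call, so an agent that never logs out
cannot keep a slot indefinitely.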

Services which are not required should be disabled to limit the BMC's attack
surface. For example, a large scale data center may not need a Web interface.
Services can be disabled in several ways:

1.  Configure OpenBMC recipes to build the unwanted feature out of the BMC's
    firmware image. This gives the BMC the advantage of a smaller attack
    surface.
2.  Implement something like the [Redfish ManagerNetworkProtocol][] properties
    for IPMI, SSH, and other BMC services, possibly by using shell commands like
    `systemctl disable ipmid` and `systemctl stop ipmid`.

[redfish managernetworkprotocol]:
  https://redfish.dmtf.org/schemas/ManagerNetworkProtocol.v1_4_0.json

Network services should log all authentication attempts with their outcomes to
satisfy basic monitoring and forensic analysis requirements, for example, as
part of a real-time monitoring service, or to answer who accessed which services
at what times.
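What such logging buys you is easiest to see by processing it. The following
added Python example is not OpenBMC code: the one-line-per-attempt log format,
the process names and the sample lines are constructed for the illustration
(OpenBMC's services write their own messages to the journal). It answers the
two questions above, who used which service when, and which source is
producing a burst of failures, over the constructed lines.

```python
"""Added example (not OpenBMC code): parse constructed authentication log lines,
build a who/what/when access record, and flag sources with a burst of failures."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, Iterable, List, NamedTuple, Optional

# Constructed line format for this example; real OpenBMC journal messages differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>[\w-]+)\[\d+\]: auth service=(?P<service>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample: two successful logins, a burst of IPMI failures from one
# source, an unrelated journal line, and a lone failure much later.
SAMPLE_LOG = """\
2024-03-04T10:15:02Z bmcweb[412]: auth service=redfish user=admin src=10.0.0.5 result=success
2024-03-04T10:15:30Z dropbear[880]: auth service=ssh user=admin src=10.0.0.5 result=success
2024-03-04T10:16:00Z netipmid[501]: auth service=ipmi user=root src=10.0.0.9 result=failure
2024-03-04T10:16:05Z netipmid[501]: auth service=ipmi user=root src=10.0.0.9 result=failure
2024-03-04T10:16:10Z netipmid[501]: auth service=ipmi user=root src=10.0.0.9 result=failure
2024-03-04T10:16:15Z netipmid[501]: auth service=ipmi user=root src=10.0.0.9 result=failure
2024-03-04T10:16:20Z netipmid[501]: auth service=ipmi user=root src=10.0.0.9 result=failure
2024-03-04T10:17:00Z bmcweb[412]: kernel: something unrelated
2024-03-04T10:45:00Z bmcweb[412]: auth service=redfish user=operator src=10.0.0.7 result=failure
""".splitlines()


class AuthEvent(NamedTuple):
    ts: datetime
    service: str
    user: str
    src: str
    ok: bool


def parse_line(line: str) -> Optional[AuthEvent]:
    """One log line -> AuthEvent, or None for lines that are not auth records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unrelated line: skip it rather than abort the whole scan
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuthEvent(ts, m["service"], m["user"], m["src"], m["result"] == "success")


def parse_log(lines: Iterable[str]) -> List[AuthEvent]:
    return [e for e in (parse_line(ln) for ln in lines) if e is not None]


def access_record(events: Iterable[AuthEvent]) -> Dict[str, List[str]]:
    """Forensic view: user -> ['service@HH:MM:SS', ...] for successful logins."""
    out: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if e.ok:
            out[e.user].append(f"{e.service}@{e.ts.strftime('%H:%M:%S')}")
    return dict(out)


def failure_bursts(events: Iterable[AuthEvent], threshold: int = 5,
                   window_s: int = 60) -> Dict[str, int]:
    """Monitoring view: sources with >= threshold failures inside any window_s window,
    mapped to the largest count seen. Uses a sliding window per source."""
    recent: Dict[str, deque] = defaultdict(deque)
    peak: Dict[str, int] = {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.ok:
            continue
        q = recent[e.src]
        q.append(e.ts)
        while (e.ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            peak[e.src] = max(peak.get(e.src, 0), len(q))
    return peak


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("access record:", access_record(evs))
    print("failure bursts:", failure_bursts(evs))
```

The sliding window is what makes the second function a monitoring check rather
than a count: a source that fails once an hour never trips it, while the
five-in-twenty-seconds burst in the sample does, and the lone `operator`
failure is reported in the access record's failure count only if you lower the
threshold.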

OpenBMC does not have a firewall.

Laws may require products built on OpenBMC to have reasonable security built
into them, for example, by not having a default password. See, for example, [CA
Law SB-327][].

[ca law sb-327]:
  https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327

## Services provided on TCP and UDP ports

### TCP port 22 - Secure Shell (SSH) access to the BMC

The Secure Shell (SSH) protocol is provided, including secure shell (ssh
command) access to the BMC's shell, and secure copy (scp command) to the BMC's
file system.

The default SSH server implementation is provided by Dropbear. All configuration
is at compile-time with defaults for:

- Authentication provided by Linux PAM, where methods include username and
  password, and SSH certificates (the `ssh-keygen` command).
- Transport layer security (TLS) protocols offered.

SSH access to the BMC's shell is not the intended way to operate the BMC, gives
the operator more privilege than is needed, and may not be allowed on BMCs which
service hosts that process sensitive data. However, BMC shell access may be
needed to provision the BMC or to help diagnose problems during its operation.

### TCP port 443 - HTTPS REST APIs and Web application

BMCWeb is the Web server for:

- The Redfish REST APIs.
- The webui-vue Web interface.
- The Phosphor D-Bus REST interface.

BMCWeb also initiates WebSockets for:

- Host KVM.
- Virtual media.
- Host serial console.

The [BMCWeb configuration][] controls which services are provided.

General security considerations for HTTP servers apply, such as those given by
[OWASP Application Security][].

BMCWeb controls which HTTPS transport layer security (TLS) ciphers it offers via
the compile-time header file `include/ssl_key_handler.hpp` in the
https://github.com/openbmc/bmcweb repository. The implementation is provided by
OpenSSL.

BMCWeb provides appropriate HTTP response headers, for example, in the header
files `include/security_headers_middleware.hpp` and
`crow/include/crow/websocket.h` in the https://github.com/openbmc/bmcweb
repository.

[bmcweb configuration]: https://github.com/openbmc/bmcweb#configuration
[owasp application security]:
  https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

#### REST APIs

BMCWeb offers three authentication methods:

1.  The Redfish SessionService, which takes a username and password and provides
    an X-Auth token.
2.  The Phosphor D-Bus REST interface `/login` URI, which takes a username and
    password and provides a session cookie. This method is deprecated in
    OpenBMC.
3.  Basic Access Authentication, which takes a username and password (often URL
    encoded like https://user:pass@host/...) in an "Authorization" request
    header, and returns no credentials. This method is deprecated by RFC 3986.

The username and password are presented to phosphor-user-manager for
authentication.

The first two methods create the same kind of session but return different
credentials. For example, you can create a Redfish session, and use your
credentials to invoke Phosphor D-Bus REST APIs. Note, however, that the X-Auth
tokens are required to use POST, PUT, PATCH, or DELETE methods.
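The following added Python example models these rules in memory so they can be
exercised without a BMC; it is not bmcweb code. It implements SessionService
login (the standard Redfish `/redfish/v1/SessionService/Sessions` collection)
returning an `X-Auth-Token`, Basic authentication checked on every request, and
the rule that only a token authorizes POST, PUT, PATCH or DELETE; the deprecated
`/login` cookie method is left out. The `MiniBmcWeb` class, its user store,
the sample URIs and the response shapes are all constructed for the example,
and `url_embeds_credentials` is a small client-side check for the
`user:pass@host` URL form that RFC 3986 deprecates.

```python
"""Added example (not bmcweb code): an in-memory model of the authentication
rules described above. SessionService login returns an X-Auth-Token, Basic
authentication carries credentials on every request, and only a token may
authorize POST, PUT, PATCH or DELETE. The deprecated /login cookie path is
omitted; user store, sample URIs and responses are constructed."""
import base64
import hmac
import secrets
from typing import Dict, NamedTuple, Optional
from urllib.parse import urlsplit


class Response(NamedTuple):
    status: int
    headers: Dict[str, str]
    body: str


class MiniBmcWeb:
    SESSIONS_URI = "/redfish/v1/SessionService/Sessions"  # standard Redfish collection
    MUTATING = frozenset({"POST", "PUT", "PATCH", "DELETE"})

    def __init__(self, users: Dict[str, str]):
        self._users = users                  # username -> password; stands in for phosphor-user-manager
        self._tokens: Dict[str, str] = {}    # X-Auth-Token -> username

    def _password_ok(self, user: Optional[str], password: Optional[str]) -> bool:
        stored = self._users.get(user or "")
        if stored is None or password is None:
            return False
        return hmac.compare_digest(stored.encode(), password.encode())  # constant-time compare

    def _basic_user(self, header: Optional[str]) -> Optional[str]:
        """Decode 'Authorization: Basic <base64(user:pass)>'; None if absent or wrong."""
        if not header or not header.startswith("Basic "):
            return None
        try:
            user, _, password = base64.b64decode(header[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        return user if self._password_ok(user, password) else None

    def handle(self, method: str, uri: str, headers: Dict[str, str],
               body: Optional[dict] = None) -> Response:
        # Session creation is the one POST that needs no token: it is how a client gets one.
        if method == "POST" and uri == self.SESSIONS_URI:
            body = body or {}
            if not self._password_ok(body.get("UserName"), body.get("Password")):
                return Response(401, {}, "invalid credentials")
            token = secrets.token_urlsafe(24)
            self._tokens[token] = body["UserName"]
            return Response(201, {"X-Auth-Token": token}, "session created")

        user = self._tokens.get(headers.get("X-Auth-Token", ""))
        if user is None:
            # No valid token: Basic credentials still authenticate, but only read-only methods.
            user = self._basic_user(headers.get("Authorization"))
            if user is None:
                return Response(401, {}, "authentication required")
            if method in self.MUTATING:
                return Response(401, {}, "X-Auth-Token required for " + method)
        return Response(200, {}, f"{method} {uri} as {user}")


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a Basic-auth client sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def url_embeds_credentials(url: str) -> bool:
    """True when a URL carries user:pass@ userinfo, the form RFC 3986 deprecates."""
    return urlsplit(url).username is not None


if __name__ == "__main__":
    srv = MiniBmcWeb({"admin": "example-password"})   # constructed credentials
    created = srv.handle("POST", MiniBmcWeb.SESSIONS_URI, {},
                         {"UserName": "admin", "Password": "example-password"})
    token = created.headers["X-Auth-Token"]
    print(srv.handle("PATCH", "/redfish/v1/Managers/bmc", {"X-Auth-Token": token}))
    print(srv.handle("PATCH", "/redfish/v1/Managers/bmc",
                     {"Authorization": basic_header("admin", "example-password")}))
```

The second `PATCH` in the usage block is refused even though the Basic
credentials are correct, which is the behaviour the preceding paragraph
describes; a client that wants to change state has to create a session first
and send the token. Keeping the password out of the URL also keeps it out of
proxy and access logs, which is the practical reason behind the RFC 3986
deprecation.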

General security considerations for REST APIs apply:
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/REST_Security_Cheat_Sheet.md

Redfish provides security considerations in the "Security Detail" section of the
"Redfish Specification" (document ID DSP0266) available from
https://www.dmtf.org/standards/redfish.

#### The webui-vue Web application

General considerations for Web applications, such as those given by [OWASP Web
Application Security Guidance][], apply to OpenBMC. The webui-vue application
uses username and password-based authentication, and REST APIs for subsequent
access.

[owasp web application security guidance]:
  https://www.owasp.org/index.php/Web_Application_Security_Guidance

The web app also provides interfaces to use the host serial console, virtual
media, and host KVM.

### TCP port 2200

Access to the BMC's [host serial console][] is provided via the SSH protocol on
port 2200.

[host serial console]: https://github.com/openbmc/docs/blob/master/console.md

This uses the same server implementation as port 22, including the same TLS
mechanisms.

How the host secures its console (for example, username and password prompts) is
outside the scope of this document.

### TCP and UDP ports 5355 - mDNS service discovery

General security considerations for service discovery apply; see, for example,
https://attack.mitre.org/techniques/T1046/

### UDP port 427 - SLP, Avahi

General security considerations for service discovery apply.

### UDP port 623 - IPMI RMCP

The IPMI network-facing design is described here:
https://github.com/openbmc/docs/blob/master/architecture/ipmi-architecture.md
and the implementation is described here:
https://github.com/openbmc/phosphor-net-ipmid. Note that host IPMI is outside
the scope of this document.

General security considerations for IPMI apply; see, for example,
https://www.us-cert.gov/ncas/alerts/TA13-207A

OpenBMC implements RMCP+ and IPMI 2.0. The phosphor-user-manager provides the
underlying authentication mechanism.

Supported IPMI ciphers can be found in the code, for example, by searching for
the function `isAlgorithmSupported`, or from the `ipmitool` command, such as
`ipmitool channel getciphers ipmi`.

OpenBMC supports IPMI "serial over LAN" (SOL) connections (via
`ipmitool sol activate`) which share the host serial console socket.
264