Security Techniques Used By Ilo; Authentication And Authorization Processes For Browser Access - HP AB500A - Integrated Lights-Out Advanced Technology Brief

Hp integrated lights-out security, 6th edition

A VLAN tag is a 32-bit number inserted into each 802.1Q Ethernet frame. The VLAN ID is a 12-bit
number within the VLAN tag that identifies the Ethernet frame as belonging to a particular VLAN.
Each port in an 802.1Q-compliant switch³ can be configured to belong to the same VLAN or to a
different VLAN. The switch examines the tag field in an incoming 802.1Q Ethernet frame and
forwards the Ethernet packet to the ports that have the same VLAN ID.
The SNP NIC checks the Ethernet frame for a VLAN ID and compares it against its configured value. If
they match, then the frame is stripped of the VLAN tag and forwarded to iLO. If they do not match,
the frame is forwarded to the host. For outgoing packets, the SNP NIC inserts a VLAN tag into the
Ethernet frame.
For customers who have been reluctant to use the iLO SNP feature because they wanted to separate
regular Ethernet network traffic from management Ethernet network traffic, VLAN capability can now
act as an Ethernet frame filter.
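
The SNP NIC tag handling described above, modelled as an added Python example (not HP firmware code and not part of the original brief). The function names and the sample frame are constructed for illustration, and sending untagged frames to the host is an assumption, since the brief only describes the match and no-match cases.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Constructed sample: broadcast dst MAC, locally administered src MAC, IPv4 EtherType.
SAMPLE_UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"

def parse_vlan_tag(frame: bytes):
    """Return (pcp, dei, vid) for an 802.1Q-tagged frame, or None if untagged."""
    if len(frame) < 18:  # dst(6) + src(6) + tag(4) + inner EtherType(2)
        return None
    # The 32-bit tag sits after the two MAC addresses: 16-bit TPID + 16-bit TCI.
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q:
        return None
    # TCI layout: 3-bit priority, 1-bit drop eligible, 12-bit VLAN ID.
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF

def snp_receive(frame: bytes, ilo_vid: int):
    """Receive-side decision: ("ilo", frame without tag) or ("host", frame as received)."""
    tag = parse_vlan_tag(frame)
    if tag is not None and tag[2] == ilo_vid:
        return "ilo", frame[:12] + frame[16:]  # strip the 4-byte tag
    # Mismatched VLAN ID goes to the host; untagged is treated the same (assumption).
    return "host", frame

def snp_transmit(frame: bytes, ilo_vid: int, pcp: int = 0) -> bytes:
    """Transmit side: insert an 802.1Q tag into an outgoing iLO frame."""
    if not 1 <= ilo_vid <= 4094:  # VLAN IDs 0 and 4095 are reserved by 802.1Q
        raise ValueError("VLAN ID must be in 1..4094")
    if not 0 <= pcp <= 7:
        raise ValueError("priority must fit in 3 bits")
    tci = (pcp << 13) | ilo_vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

if __name__ == "__main__":
    tagged = snp_transmit(SAMPLE_UNTAGGED, 100)
    print(parse_vlan_tag(tagged))
    print(snp_receive(tagged, 100)[0], snp_receive(tagged, 200)[0])
```

The filter separates traffic only by tag value, so the isolation it provides depends on the attached switch port being configured for the same VLAN ID.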

Security techniques used by iLO

The fundamental issue for enabling a secure system is whether a specific person, computer, or device
knows that another person, computer, or device can be trusted: Has the end user or client node been
authenticated against some indisputable standard to prove authenticity? If the end user is
authenticated, at what level is that user authorized to make changes or access a requested
environment? Finally, is it possible for data being sent through iLO to remain confidential?
The following sections identify the three essential techniques that iLO provides, or that an iLO
administrator can use, to verify trust:
• Authentication and authorization
• Encryption
• Disabling ports and changing port locations
Every function of iLO – such as the remote console, virtual serial port, virtual power capability, and
virtual media – builds on one or more of these techniques.

Authentication and authorization processes for browser access

System administrators can access the key functionality of iLO either through a web browser HTTP
interface or through the iLO command-line interface (CLI) or Command Line Protocol (CLP). When
users access iLO through the browser, the iLO management processor authenticates them differently,
depending on whether they log in through a local account or use directory services. In either case,
every time a user makes a request, iLO re-evaluates the user's privileges to ensure that the privileges
are still valid. Although these access methods use JavaScript or ActiveX controls, both are signed and
no additional login process is required.
Using iLO firmware 1.80 and iLO2 v1.10 or later, a system administrator can use two-factor
authentication to augment the security provided by iLO. This form of authentication is provided on top
of either local accounts or directory services. This section describes each of the progressively more
secure login models.
³ The network switch must also support VLAN


This manual is also suitable for: iLO 2 v1.60, iLO v1.91
