Preventing network attacks on baseboard management controllers
First Claim
1. A computer program product comprising a computer readable storage medium having program instructions embodied therewith, wherein the computer readable storage medium is not a transitory signal per se, the program instructions executable by a processor(s) set to cause the processor set to perform a method comprising:
- receiving, by a network controller, a packet from a computer networking device on a computer network, where the packet is destined for a baseboard management controller (BMC);
- determining, by the network controller, whether the packet contains a tag identifying that the packet has been determined to be free of suspicious or malicious traffic, wherein the tag is constructed using a secret key shared between the BMC and the computer networking device;
- on condition that the packet has been determined to not contain the tag, sending the packet to a network inspection module, by the network controller, to be inspected for malicious traffic, wherein sending the packet to the network inspection module comprises: determining whether a local host is available to inspect the packet for malicious traffic, upon determining that the local host is not available, instantiating a loadable kernel module (LKM) to modify the packet's destination MAC address to be the MAC address of a remote host, and transmitting the modified packet to the remote host; and
- on condition that the packet has been determined to contain the tag, sending the packet to the BMC by the network controller.
1 Assignment
0 Petitions
Abstract
A method for preventing network attacks on baseboard management controllers. The method includes receiving, by the network controller, a packet from a computer networking device on a computer network, where the packet is destined for a baseboard management controller (BMC); determining, by the network controller, whether the packet contains a tag identifying that the packet has been determined to be free of suspicious or malicious traffic; on condition that the packet has been determined to not contain the tag, sending the packet to a network inspection module, by the network controller, to be inspected for suspicious or malicious traffic; and on condition that the packet has been determined to contain the tag, sending the packet to the BMC by the network controller using a side band interface.
19 Citations
6 Claims
1. A computer program product comprising a computer readable storage medium having program instructions embodied therewith, wherein the computer readable storage medium is not a transitory signal per se, the program instructions executable by a processor(s) set to cause the processor set to perform a method comprising:
- receiving, by a network controller, a packet from a computer networking device on a computer network, where the packet is destined for a baseboard management controller (BMC);
- determining, by the network controller, whether the packet contains a tag identifying that the packet has been determined to be free of suspicious or malicious traffic, wherein the tag is constructed using a secret key shared between the BMC and the computer networking device;
- on condition that the packet has been determined to not contain the tag, sending the packet to a network inspection module, by the network controller, to be inspected for malicious traffic, wherein sending the packet to the network inspection module comprises: determining whether a local host is available to inspect the packet for malicious traffic, upon determining that the local host is not available, instantiating a loadable kernel module (LKM) to modify the packet's destination MAC address to be the MAC address of a remote host, and transmitting the modified packet to the remote host; and
- on condition that the packet has been determined to contain the tag, sending the packet to the BMC by the network controller.
Dependent claims: 2, 3.

4. A computer system comprising a processor(s) set and a computer readable storage medium having program instructions embodied therewith, wherein the computer readable storage medium is not a transitory signal per se, the program instructions executable by the processor set to cause the processor set to perform a method comprising:
- receiving, by a network controller, a packet from a computer networking device on a computer network, where the packet is destined for a baseboard management controller (BMC);
- determining, by the network controller, whether the packet contains a tag identifying that the packet has been determined to be free of malicious traffic, wherein the tag is constructed using a secret key shared between the BMC and the computer networking device;
- on condition that the packet has been determined to not contain the tag, sending the packet to a network inspection module, by the network controller, to be inspected for malicious traffic, wherein sending the packet to the network inspection module comprises: determining whether a local host is available to inspect the packet for malicious traffic, upon determining that the local host is not available, instantiating a loadable kernel module (LKM) to modify the packet's destination MAC address to be the MAC address of a remote host, and transmitting the modified packet to the remote host; and
- on condition that the packet has been determined to contain the tag, sending the packet to the BMC by the network controller using a side band interface.
Dependent claims: 5, 6.
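The tag check and routing decision the claims describe, as an added illustrative example in Python (not code from the patent or its assignee). It assumes HMAC-SHA256 as the keyed tag construction, which the claims leave unspecified, and the key, MAC addresses and payloads are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed sample values (not from the patent): the secret the BMC shares
# with the upstream networking device, and the MACs of the BMC and remote host.
SHARED_KEY = b"example-shared-secret-key"
BMC_MAC = "02:00:00:00:bb:01"
REMOTE_INSPECTOR_MAC = "02:00:00:00:ee:02"


@dataclass(frozen=True)
class Packet:
    dst_mac: str
    src_mac: str
    payload: bytes
    tag: Optional[bytes] = None  # set only by the networking device after inspection


def _tag_input(pkt: Packet) -> bytes:
    # Bind the tag to destination, source and payload so a tag captured from one
    # packet cannot be replayed on another. HMAC-SHA256 is an assumed construction.
    return pkt.dst_mac.encode() + pkt.src_mac.encode() + pkt.payload


def mark_clean(pkt: Packet, key: bytes) -> Packet:
    """Networking device: attach the tag once its own inspection found the packet clean."""
    return replace(pkt, tag=hmac.new(key, _tag_input(pkt), hashlib.sha256).digest())


def tag_is_valid(pkt: Packet, key: bytes) -> bool:
    """Network controller: recompute the tag and compare in constant time."""
    if pkt.tag is None:
        return False
    expected = hmac.new(key, _tag_input(pkt), hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt.tag)


def route(pkt: Packet, key: bytes, local_host_available: bool) -> Tuple[str, Packet]:
    """Return (path, packet as it leaves the controller) for a BMC-bound packet."""
    if tag_is_valid(pkt, key):
        return "bmc-sideband", pkt          # tagged: hand to the BMC over the side band
    if local_host_available:
        return "inspect-local", pkt         # untagged: the local host inspects it
    # No local inspector: rewrite the destination MAC (the LKM's role in the claim)
    # so the frame goes to the remote inspection host instead of the BMC.
    return "inspect-remote", replace(pkt, dst_mac=REMOTE_INSPECTOR_MAC)
```

A packet tagged under a different key, or modified after tagging, fails the check and takes the inspection path exactly like an untagged one.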
Specification