Securing the Baseboard Management Controller (BMC) on the NVIDIA DGX Station A100 is crucial to protect against unauthorized access and potential security breaches. Here are some best practices to enhance BMC security:

**1. Change Default Credentials**
The DGX Station A100 ships with default BMC credentials (`admin` / `admin`). It is essential to change these credentials immediately after the initial boot. The system prompts you to set a new username and password during the first boot, which also disables the default user account[4].

**2. Network Configuration**
- Dedicated Management Network: Connect the BMC to a dedicated management network with firewall protection to isolate it from the internet and other networks[1][7].
- Private Subnets: Use private IP subnets for BMC management interfaces and management servers to prevent unauthorized access[7].
- Firewall Configuration: Restrict inbound and outbound traffic to and from the BMC using firewalls[7].

**3. Secure Remote Access**
If remote access to the BMC is necessary, ensure it is accessed through a secure method, such as a VPN server, to prevent unauthorized access from the internet[1].

**4. BMC Configuration**
- Customize Service Ports: Change default service ports (e.g., HTTP port) to non-standard ports to reduce the risk of automated attacks[7].
- User Policies and Roles: Implement user policies and roles to limit access and actions within the BMC[7].
- IP Access Policy: Configure IP access rules to restrict BMC access to authorized management servers only[7].
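
The network and BMC configuration items above (private subnet, dedicated management network, IP access policy, non-default service port) can be checked mechanically. The following Python check is an added example, not code from NVIDIA or any cited source; the record format, subnet, server addresses and port values are constructed assumptions.

```python
import ipaddress

# Constructed site policy: subnet, server addresses and ports are illustrative only.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT_SUBNET = ipaddress.ip_network("10.20.30.0/24")
MGMT_SERVERS = {ipaddress.ip_address("10.20.30.5"), ipaddress.ip_address("10.20.30.6")}
DEFAULT_WEB_PORTS = {80, 443}

def audit_bmc(record):
    """Return findings for one exported BMC settings record (hypothetical dict format)."""
    findings = []
    addr = ipaddress.ip_address(record["bmc_ip"])
    if not any(addr in net for net in RFC1918):
        findings.append("BMC address is not in a private (RFC 1918) range")
    if addr not in MGMT_SUBNET:
        findings.append("BMC address is outside the dedicated management subnet")
    rules = [ipaddress.ip_network(r, strict=False) for r in record["allowed_sources"]]
    if not rules:
        findings.append("no IP access policy configured")
    for net in rules:
        # Accept only single-host rules that name a known management server.
        if net.num_addresses != 1 or net.network_address not in MGMT_SERVERS:
            findings.append(f"access rule {net} admits hosts other than management servers")
    if record["web_port"] in DEFAULT_WEB_PORTS:
        findings.append(f"web service still listens on default port {record['web_port']}")
    return findings

# Constructed sample records.
GOOD = {"bmc_ip": "10.20.30.40", "allowed_sources": ["10.20.30.5/32", "10.20.30.6"], "web_port": 8443}
BAD = {"bmc_ip": "203.0.113.10", "allowed_sources": ["0.0.0.0/0"], "web_port": 443}
NO_POLICY = {"bmc_ip": "192.168.1.20", "allowed_sources": [], "web_port": 80}

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("BAD", BAD), ("NO_POLICY", NO_POLICY)):
        print(name, audit_bmc(rec) or "no findings")
```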

**5. Firmware Updates**
Regularly check for and apply firmware updates to address security vulnerabilities and ensure the BMC has the latest security patches[6][10].

**6. Monitoring and Alerts**
Monitor BMC traffic for unusual patterns and configure alerts for high-severity system events to quickly respond to potential security incidents[7].

**7. SSL Certificates**
Use secure SSL certificates for BMC communication. Generate or upload custom SSL certificates to ensure encrypted communication between the BMC and management tools[11].

**8. System Lockdown**
Enable system lockdown features to prevent unintentional configuration changes and ensure that only authorized personnel can modify BMC settings[7].

By implementing these practices, you can significantly enhance the security of the BMC on the DGX Station A100, protecting your system from unauthorized access and potential cyber threats.

Citations:
[1] https://docs.nvidia.com/dgx/dgxa100-user-guide/security.html
[2] https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3426648/nsa-and-cisa-release-guide-to-protect-baseboard-management-controllers/
[3] https://www.redbooks.ibm.com/redbooks/pdfs/sg248538.pdf
[4] https://docs.nvidia.com/dgx/dgx-station-a100-user-guide/security.html
[5] https://docs.nvidia.com/dgx/dgxh100-user-guide/bmc.html
[6] https://cve.mitre.org/cgi-bin/cvekey.cgi
[7] https://www.supermicro.com/products/nfo/files/IPMI/Best_Practices_BMC_Security.pdf
[8] https://www.youtube.com/watch?v=XuahCY_MJGc
[9] https://www.robusthpc.com/wp-content/uploads/2021/11/nvidia-dgx-station-a100-system-architecture-white-paper_published.pdf
[10] https://nvidia.custhelp.com/app/answers/detail/a_id/5513/~/security-bulletin:-nvidia-dgx-station-a100-and-dgx-station-a800---february-2024
[11] https://www.manualslib.com/manual/2197924/Nvidia-Dgx-Station-A100.html
[12] http://cdn.cnetcontent.com/2f/68/2f6888a0-063f-4d76-94e4-8666b7619dfd.pdf