Securing the BMC port on the NVIDIA DGX A100 when connected to a shared LAN involves several steps to ensure that the system remains protected from unauthorized access. Here's a detailed guide on how to achieve this:
**1. Use a Separate VLAN for BMC Traffic**

If you cannot use a dedicated management network, configure a separate VLAN for BMC traffic. This isolates BMC management from other network traffic and reduces the risk of unauthorized access. Do not use this VLAN for any other purpose, and in particular not for the LAN interfaces of the managed machines[2][5].

**2. Restrict IPMI Traffic**

Limit IPMI traffic to trusted internal networks by configuring firewall rules that restrict inbound and outbound traffic to and from the BMC. Ensure that only authorized management servers can reach the BMC[2][6].

**3. Enable Encryption**

If possible, enable encryption on the IPMI interface. Check the user manual for the specific steps, as they vary between BMC models[2].

**4. Secure Management Servers**

Manage all BMCs from secure management servers that require a login, and implement access rules so that only authorized personnel can reach the BMC. This adds a further layer of control over who can manage the BMC[2][6].

**5. Change Default Credentials**

Immediately change the default BMC username and password. Use strong, unique passwords, and consider user policies and roles to limit access further[6][9].

**6. Disable Unused Services**

If you are not using the IPMI services, disable them in the BMC web console so they are not needlessly exposed. Additionally, consider blocking TCP port 623 (the default IPMI port) if it is not needed[2].

**7. Regularly Update Firmware**

Keep the BMC firmware updated to address known security vulnerabilities. Check for updates regularly and apply them during maintenance cycles[6][11].

**8. Monitor Network Activity**

Regularly monitor network activity for unusual traffic patterns between the BMC and other machines; this helps detect a compromise early[6].

By following these steps, you can significantly improve the security of the BMC port on the DGX A100 even when it is connected to a shared LAN.
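As an added example (not from the page and not NVIDIA's code), the following Python script ties steps 2, 4 and 8 together: it encodes the BMC allowlist (which management subnet may reach which BMC service), classifies constructed flow records against it to surface the traffic step 8 asks you to watch for, and renders an nftables ruleset for the gateway that fronts the BMC VLAN. The BMC address, the management subnet, the flow-record format and the `bmc_guard` table name are assumptions, not values from the page. Two practitioner notes: IPMI over LAN (RMCP/RMCP+) runs over UDP port 623, so the ruleset drops UDP/623 alongside the TCP/623 mentioned above; and because BMC traffic never traverses the host operating system, a firewall on the DGX itself cannot protect the BMC port, so the rules belong on the switch or router between the shared LAN and the BMC.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# --- Assumed (placeholder) values: replace with the real BMC address and the
# subnet(s) of the secured management servers from steps 2 and 4. ------------
BMC_IP = ipaddress.ip_address("192.168.1.50")
MGMT_NETS = [ipaddress.ip_network("10.10.200.0/24")]

# Services the BMC is allowed to expose to management hosts. IPMI over LAN
# (RMCP/RMCP+) uses UDP/623; HTTPS is the BMC web console. Anything else the
# BMC answers on (telnet, HTTP, SSH) is reported as an unexpected service.
ALLOWED_SERVICES = {("udp", 623), ("tcp", 443)}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def from_management(addr) -> bool:
    """True when the address lies inside one of the management subnets."""
    return any(addr in net for net in MGMT_NETS)


def classify(flow: Flow) -> str:
    """Verdict for one flow relative to the BMC allowlist.

    'ignore'              - the BMC is not involved
    'allow'               - management host <-> BMC on an allowed service
    'unauthorized-source' - a non-management host reached the BMC (steps 2/4)
    'unexpected-service'  - a management host used a service outside the allowlist
    'unexpected-outbound' - the BMC itself talked to a non-management host (step 8)
    """
    if flow.src == BMC_IP:
        return "allow" if from_management(flow.dst) else "unexpected-outbound"
    if flow.dst != BMC_IP:
        return "ignore"
    if not from_management(flow.src):
        return "unauthorized-source"
    if (flow.proto, flow.dport) not in ALLOWED_SERVICES:
        return "unexpected-service"
    return "allow"


def audit(lines) -> list[tuple[str, str]]:
    """Return (record, verdict) for every flow that is neither allowed nor ignored."""
    findings = []
    for line in lines:
        verdict = classify(parse_flow(line))
        if verdict not in ("allow", "ignore"):
            findings.append((line, verdict))
    return findings


def nft_ruleset(bmc_ip=BMC_IP, mgmt_nets=MGMT_NETS) -> str:
    """Render an nftables ruleset for the router/firewall fronting the BMC VLAN.

    Management subnets get the allowed services; everyone else is dropped and
    logged, with both UDP/623 and TCP/623 called out explicitly.
    """
    rules = []
    for net in mgmt_nets:
        for proto, port in sorted(ALLOWED_SERVICES):
            rules.append(f"    ip daddr {bmc_ip} ip saddr {net} {proto} dport {port} accept")
    rules.append(f'    ip daddr {bmc_ip} udp dport 623 log prefix "bmc-ipmi-blocked: " drop')
    rules.append(f'    ip daddr {bmc_ip} tcp dport 623 log prefix "bmc-ipmi-blocked: " drop')
    rules.append(f'    ip daddr {bmc_ip} log prefix "bmc-blocked: " drop')
    body = "\n".join(rules)
    return ("table inet bmc_guard {\n  chain forward {\n"
            "    type filter hook forward priority 0; policy accept;\n"
            f"{body}\n  }}\n}}\n")


# Constructed flow records (not real logs): 'src dst proto dport'.
SAMPLE_FLOWS = [
    "10.10.200.5 192.168.1.50 udp 623",   # management host, IPMI        -> allow
    "10.10.200.5 192.168.1.50 tcp 443",   # management host, web console -> allow
    "192.168.1.77 192.168.1.50 udp 623",  # LAN peer probing IPMI        -> unauthorized-source
    "10.10.200.5 192.168.1.50 tcp 23",    # telnet to the BMC            -> unexpected-service
    "192.168.1.50 203.0.113.9 tcp 443",   # BMC calling out to the web   -> unexpected-outbound
    "192.168.1.20 192.168.1.30 tcp 22",   # unrelated LAN traffic        -> ignore
]

if __name__ == "__main__":
    for record, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:22s} {record}")
    print(nft_ruleset())
```

Run it as-is to see the three findings from the constructed records and the rendered ruleset; to use it against real data, replace `parse_flow` with a parser for whatever your flow exporter or firewall log emits and set `BMC_IP` and `MGMT_NETS` to your own values. The `unexpected-outbound` verdict is the one worth paging on: a BMC should never initiate connections to anything but its management hosts.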
Citations:
[1] https://docs.nvidia.com/dgx/dgxa100-user-guide/security.html
[2] https://www.unicomengineering.com/blog/ipmi-best-practices/
[3] https://docs.nvidia.com/dgx/dgxa100-user-guide/network-config.html
[4] https://www.intel.com/content/www/us/en/support/articles/000098962/server-products.html
[5] http://cdn.cnetcontent.com/2f/68/2f6888a0-063f-4d76-94e4-8666b7619dfd.pdf
[6] https://www.supermicro.com/products/nfo/files/IPMI/Best_Practices_BMC_Security.pdf
[7] https://www.skyblue.de/uploads/Datasheets/nvidia_twp_dgx_a100_system_architecture.pdf
[8] https://docs.nvidia.com/dgx/dgxa100-user-guide/using-the-bmc.html
[9] https://docs.nvidia.com/dgx/dgx-station-a100-user-guide/security.html
[10] https://www.reddit.com/r/servers/comments/sol1up/using_bmc_functionality_with_regular_ethernet/
[11] https://nvidia.custhelp.com/app/answers/detail/a_id/5510/~/security-bulletin:-nvidia-dgx-a100---january-2024
[12] https://www.intel.com/content/www/us/en/support/articles/000036861/server-products/server-boards.html
[13] https://www.robusthpc.com/wp-content/uploads/2021/11/nvidia-dgx-station-a100-system-architecture-white-paper_published.pdf