HP OneView User Manual
Page 46
•
Operating-system-level users are not allowed to access the appliance, with the following
exceptions:
◦
A special pwreset command used only if the Infrastructure administrator password is
lost or forgotten. This command requires that you contact your authorized support
representative to obtain a one-time password. For more information, see the online help.
◦
A setting that enables an authorized support representative to obtain a one-time password
so that they can log in to the appliance console (and only the console) to perform advanced
diagnostics.
You can either enable or disable access with this setting.
•
HP closely monitors security bulletins for threats to appliance software components and, if
necessary, issues software updates.
3.2 Best practices for maintaining a secure appliance
The following is a partial list of security best practices that HP recommends in both physical and
virtual environments. Differing security policies and implementation practices make it difficult to
provide a complete and definitive list.
•
HP recommends a strict separation of the management LAN and production LAN, using VLAN
or firewall technology (or both) to maintain the separation:
◦
Management LAN
All management processor devices (including Onboard Administrators and virtual
connections through an Onboard Administrator, iLOs, and iPDUs) are connected to the
management LAN.
Grant management LAN access to authorized personnel only: Infrastructure administrators,
Network administrators, and Server administrators.
◦
Production LAN
All NICs for managed devices are on the production LAN.
•
The appliance is preconfigured so that nonessential services are removed or disabled in its
management environment. Ensure that you continue to minimize services when you configure
host systems, management systems, network devices (including network ports not in use) to
significantly reduce the number of ways your environment could be attacked.
•
Ensure that a process is in place to determine if software and firmware updates are available,
and to install updates for all components in your environment on a regular basis.
•
Ensure that the security policies and processes address the virtual environment:
Educate administrators about changes to their roles and responsibilities in a virtual
environment.
◦
◦
Restrict access to the appliance console to authorized users. For more information, see
“Restricting console access” (page 54)
.
◦
If you use an Intrusion Detection System (IDS) solution in your environment, ensure that
the solution has visibility into network traffic in the virtual switch.
◦
Turn off promiscuous mode in the hypervisor and encrypt traffic flowing over the VLAN
to lessen the effect on any VLAN traffic sniffing.
NOTE:
In most cases, if promiscuous mode is disabled in the hypervisor, it cannot be
used on a VM (Virtual Machine) guest. The VM guest can enable promiscuous mode, but
it will not be functional.
46
Understanding the security features of the appliance