Compaq lights out board connection question

pjk
      02-04-2004, 09:21 PM


I've got a Compaq server with two Ethernet connections. One is the
standard Ethernet connection attached to one of my DMZ networks. The
other is a Compaq Lights Out Board to my local network. I personally
don't like this setup because I've a box with an external connection
which also has a connection to my local network.

I've been assured by my Windows admin that if that machine gets
compromised, there is no way to make a connection onto my local
network.

I'm not sure exactly how the lights out board works, but to me I see a
box with two physical network connections. Therefore, I'd like to
verify this statement that there is no way to connect from that box to
my local network.
 
 
Ron Cook
      02-04-2004, 10:25 PM

pjk wrote:

> I've got a Compaq server with two Ethernet connections. One is the
> standard Ethernet connection attached to one of my DMZ networks. The
> other is a Compaq Lights Out Board to my local network. I personally
> don't like this setup because I've a box with an external connection
> which also has a connection to my local network.
>
> I've been assured by my Windows admin that if that machine gets
> compromised, there is no way to make a connection onto my local
> network.
>
> I'm not sure exactly how the lights out board works, but to me I see a
> box with two physical network connections. Therefore, I'd like to
> verify this statement that there is no way to connect from that box to
> my local network.


If you're running Windows on the Compaq machine, this is probably the
easiest method:

Open a command prompt window:
Start | Run
Type in 'cmd.exe' (no quotes)
press Enter.

In the command-line window (also known as a console window) type:

ipconfig

Press Enter.

You should see two entries with information similar to the listing below:

(This is taken from a Windows 2000 system. Your DNS entry may be empty.)

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address . . . . . . . . . . : 172.16.1.10
Subnet Mask . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . : 172.16.1.1

The Ethernet card attached to the DMZ should display a routable IP address
while the card that connects to your local, internal network should display
a private non-routable address.

My examples above of 172.16.1.10 and 172.16.1.1 are non-routable addresses;
if they get sent to the Internet they will be ignored or discarded by
properly-configured routers.

If your two cards are separated by non-routable addresses and (hopefully)
different subnets, and a good, up-to-date firewall, it will be extremely
difficult to connect to your internal network from the DMZ.

It probably is not "impossible", but it will be difficult and likely not
worth the effort involved.

If you're running UNIX or a variant such as a modern Linux distribution on
the Compaq, it will be even more difficult to move through that from the
DMZ to the internal network.

- --
Ron n1zhi

 
Reply With Quote
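Added example (not part of the thread and not either poster's code): the ipconfig check from the reply above, automated so it parses the listing, classifies each address against the RFC 1918 private ranges, and reports whether the host OS is attached to more than one network. It only shows what the operating system itself can see, so hardware the OS has no driver-level view of will not appear. Both listings are constructed samples: the first reuses the addresses from the reply, the second adds a hypothetical adapter using the documentation address 192.0.2.10 in place of a routable DMZ address.

```python
import ipaddress
import re

# RFC 1918 private ranges: the "non-routable" addresses the reply refers to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADAPTER_RE = re.compile(r"^\s*[\w ]*adapter (.+?):\s*$")
FIELD_RE = re.compile(r"^\s*(IP(?:v4)? Address|Subnet Mask)[ .]*:\s*([\d.]+)")

# Constructed sample: the listing quoted in the reply above.
SINGLE = """Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 172.16.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 172.16.1.1
"""
# Constructed sample: a second, hypothetical adapter; 192.0.2.10 is a
# documentation address standing in for a routable DMZ address.
DUAL = SINGLE + """
Ethernet adapter Local Area Connection 2:

        IP Address. . . . . . . . . . . . : 192.0.2.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

def parse_ipconfig(text):
    """Return {adapter name: IPv4Interface} for every adapter with an address."""
    adapters, name, addr = {}, None, None
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line):
            name, addr = m.group(1), None
        elif (m := FIELD_RE.match(line)) and name:
            if m.group(1) != "Subnet Mask":
                addr = m.group(2)
            elif addr:
                adapters[name] = ipaddress.ip_interface(f"{addr}/{m.group(2)}")
    return adapters

def audit(text):
    """List the networks the host OS is attached to and flag multi-homing."""
    rows = []
    for name, iface in parse_ipconfig(text).items():
        private = any(iface.ip in net for net in RFC1918)
        rows.append((name, str(iface.network),
                     "rfc1918" if private else "not-rfc1918"))
    return {"adapters": rows, "dual_homed": len({r[1] for r in rows}) > 1}
```

Calling audit(SINGLE) reports one RFC 1918 network and no multi-homing; audit(DUAL) reports two networks and sets dual_homed.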
 
pjk
      02-05-2004, 02:36 PM
Ron,

Thanks for the follow-up.

Let me explain my situation a bit further.

The Compaq lights-out board is a single board computer running an
embedded OS and sitting in one of the machine's PCI slots. You can
access the board in a number of ways but our folks here use it to remote
console into devices (via a Java-enabled browser).

Running ipconfig on the Windows box simply shows the single Ethernet
interface attached to my DMZ network. This is at the heart of my
question. Physically inspecting the box, you see two Ethernet
connections in. However, only one appears to be "accessible" from the
operating system. The other is connected to the LOB.

Therefore, if the box were compromised, would it be possible to
somehow route traffic through the LOB and onto my local network?
That's what I would like answered.

-Paul

Ron Cook <> wrote in message news:<4s78f1->...
>
> pjk wrote:
>
> > I've got a Compaq server with two Ethernet connections. One is the
> > standard Ethernet connection attached to one of my DMZ networks. The
> > other is a Compaq Lights Out Board to my local network. I personally
> > don't like this setup because I've a box with an external connection
> > which also has a connection to my local network.
> >
> > I've been assured by my Windows admin that if that machine gets
> > compromised, there is no way to make a connection onto my local
> > network.
> >
> > I'm not sure exactly how the lights out board works, but to me I see a
> > box with two physical network connections. Therefore, I'd like to
> > verify this statement that there is no way to connect from that box to
> > my local network.

>
> If you're running Windows on the Compaq machine, this is probably the
> easiest method:
>
> Open a command prompt window:
> Start | Run
> Type in 'cmd.exe' (no quotes)
> press Enter.
>
> In the command-line window (also known as a console window) type:
>
> ipconfig
>
> Press Enter.
>
> You should see two entries with information similar to the listing below:
>
> (This is taken from a Windows 2000 system. Your DNS entry may be empty.)
>
> Windows 2000 IP Configuration
>
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . :
> IP Address . . . . . . . . . . : 172.16.1.10
> Subnet Mask . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . : 172.16.1.1
>
> The Ethernet card attached to the DMZ should display a routable IP address
> while the card that connects to your local, internal network should display
> a private non-routable address.
>
> My examples above of 172.16.1.10 and 172.16.1.1 are non-routable addresses;
> if they get sent to the Internet they will be ignored or discarded by
> properly-configured routers.
>
> If your two cards are separated by non-routable addresses and (hopefully)
> different subnets, and a good, up-to-date firewall, it will be extremely
> difficult to connect to your internal network from the DMZ.
>
> It probably is not "impossible", but it will be difficult and likely not
> worth the effort involved.
>
> If you're running UNIX or a variant such as a modern Linux distribution on
> the Compaq, it will be even more difficult to move through that from the
> DMZ to the internal network.
>
> - --
> Ron n1zhi
>

 
 
Ron Cook
      02-05-2004, 09:52 PM

pjk wrote:

> Ron,
>
> Thanks for the follow-up.
>
> Let me explain my situation a bit further.
>
> The Compaq lights-out board is a single board computer running an
> embedded OS and sitting in one of the machine's PCI slots. You can
> access the board in a number of ways but our folks here use it to remote
> console into devices (via a Java-enabled browser).
>


And, I thank you for the opportunity to learn about the product.

Based on what I read at the HP website, I'd have to agree with your network
admin.

It appears that since the host machine effectively has no knowledge of the
LO card, it also has no way to offer or open a route between the DMZ
Ethernet and the LO card.

Were the box to be compromised in such a way that it could be bridged, it
appears that the compromise would have to come from the internal network,
not the DMZ side.

If the system were on my network(s) I'd feel safe using it in the manner you
suggest.


- --
Ron n1zhi

 