{ "authors": [ { "email": "rules@neuralwall.io", "name": "NeuralWall Rules Team", "org": "NeuralWall" } ], "description": { "en": "This scenario covers the network flows of an integration appliance that administers\nservers through their out-of-band management plane (BMC controllers, independent of the\noperating system). The appliance exposes a web UI and an API to administrators and to a\nvirtualization manager; it drives the managed servers' BMCs (discovery, inventory,\nconfiguration, firmware updates); and it reaches a vendor service on the Internet to\ndownload firmware packages. The out-of-band management plane grants full hardware control\n(below the operating system): it is treated as a high-privilege zone, segmented and\ninspected. Legacy clear-text management protocols (CIM-HTTP, unencrypted file transfer) are\nblocked in favor of their encrypted equivalents. The provenance (original vendor product) is\ndocumented in the Sources section.\n", "fr": "Ce scénario couvre les flux réseau d'un appliance d'intégration qui administre des\nserveurs via leur plan de gestion out-of-band (contrôleurs BMC, indépendants du système\nd'exploitation). L'appliance expose une interface web et une API à des administrateurs et\nà un gestionnaire de virtualisation ; il pilote les BMC des serveurs gérés (découverte,\ninventaire, configuration, mise à jour de firmware) ; et il joint un service éditeur sur\nInternet pour télécharger les paquets de firmware. Le plan de gestion out-of-band donne un\ncontrôle matériel total (sous le système d'exploitation) : il est traité comme une zone à\nprivilège élevé, segmentée et inspectée. Les protocoles de gestion en clair hérités\n(CIM-HTTP, transfert de fichiers non chiffré) sont bloqués au profit de leurs équivalents\nchiffrés. La provenance (produit éditeur d'origine) est documentée dans la section Sources.\n" }, "id": "out_of_band_server_management", "mitre_attack": [ { "name": "Exploit Public-Facing Application", "tactic": "initial-access", "technique_id": "T1190" }, { "name": "Exploitation of Remote Services", "tactic": "lateral-movement", "technique_id": "T1210" }, { "name": "Pre-OS Boot: System Firmware", "tactic": "persistence", "technique_id": "T1542.001" }, { "name": "Adversary-in-the-Middle", "tactic": "credential-access", "technique_id": "T1557" } ], "references": [ { "endpoints": [ "datacentersupport.lenovo.com", "download.lenovo.com", "filedownload.lenovo.com", "support.lenovo.com", "supportapi.lenovo.com" ], "product": "XClarity Integrator for VMware vCenter", "retrieved": "2026-06-04", "title": "Network requirements", "url": "https://pubs.lenovo.com/lxci-vcenter/network_requirements", "vendor": "Lenovo" } ], "rules": [ { "action": "allow", "application": { "app_id": "infra_mgmt_web", "category": "infrastructure", "default_ports": [ "tcp/443" ], "depends_on": [ "dns" ], "risk": 4 }, "decryption": { "exclusions": [], "mode": "ssl_inbound_inspection" }, "direction": "inbound", "identity": { "device_posture": "compliant", "user_group": [ "infrastructure_admins", "virtualization_admins" ] }, "logging": { "log_end": true, "log_forwarding": true, "log_start": false, "profile": "siem_high_priority" }, "rationale": { "en": "This rule allows administrators (compliant devices) and the virtualization manager to\nreach the appliance interface over HTTPS. Since the appliance is a controlled internal\nserver, ssl_inbound_inspection decrypts inbound traffic to detect exploits targeting the\ninterface (T1190) and malicious uploaded files. Access is restricted by directory group\n(least privilege) and the appliance stays in the management zone. Application risk is\nhigh (risk 4) because compromising the appliance opens a pivot into the hardware\nmanagement plane.\n", "fr": "Cette règle autorise les administrateurs (postes conformes) et le gestionnaire de\nvirtualisation à atteindre l'interface de l'appliance en HTTPS. L'appliance étant un\nserveur interne contrôlé, ssl_inbound_inspection déchiffre le trafic entrant pour\ndétecter les exploits visant l'interface (T1190) et les fichiers malveillants déposés.\nL'accès est restreint par groupe annuaire (moindre privilège) et l'appliance reste dans\nla zone management. Le risque applicatif est élevé (risk 4) car compromettre l'appliance\nouvre un pivot vers le plan de gestion matériel.\n" }, "security_profiles": { "antivirus": { "action": "block" }, "ips": { "action": "block", "min_severity": "medium" }, "url_filtering": { "credential_phishing": "block" } }, "service": { "app_default": true, "ports": [ "443" ], "protocol": "tcp" }, "zones": { "destination": [ "management" ], "source": [ "trust", "internal", "management" ] } }, { "action": "allow", "application": { "app_id": "bmc_management", "category": "infrastructure", "default_ports": [ "tcp/443", "tcp/5989", "tcp/6990" ], "depends_on": [ "dns" ], "risk": 4 }, "decryption": { "exclusions": [ "cert_pinned_app" ], "mode": "none" }, "direction": "internal", "logging": { "log_end": true, "log_forwarding": true, "log_start": false, "profile": "siem_high_priority" }, "rationale": { "en": "The appliance drives the BMCs through an encrypted management API (Redfish/CIM-HTTPS)\nand transfers firmware images. Decryption is disabled and documented via the\ncert_pinned_app exclusion: embedded controllers validate device certificates, and a MITM\nproxy would break BMC authentication. The flow is confined to the segmented management\nzone, which bounds the blind spot. Antivirus and sandboxing inspect firmware images\nbefore they are applied (mitigating T1542.001), and IPS covers management-service\nexploits (T1210). Operational note: an ICMP liveness probe accompanies these transfers\n(rule 3).\n", "fr": "L'appliance pilote les BMC via une API de gestion chiffrée (Redfish/CIM-HTTPS) et\ntransfère les images de firmware. Le déchiffrement est désactivé et documenté par\nl'exclusion cert_pinned_app : les contrôleurs embarqués valident des certificats\nd'équipement, et un proxy MITM romprait l'authentification du BMC. Le flux est confiné\nà la zone management segmentée, ce qui borne l'angle mort. L'antivirus et le sandboxing\ninspectent les images de firmware avant application (atténuation de T1542.001), et l'IPS\ncouvre les exploits des services de gestion (T1210). Note opérationnelle : une sonde de\nliveness ICMP accompagne ces transferts (règle 3).\n" }, "security_profiles": { "antivirus": { "action": "block" }, "ips": { "action": "block", "min_severity": "low" }, "sandboxing": { "enabled": true, "file_types": [ "firmware_image", "pe" ] } }, "service": { "app_default": true, "ports": [ "443", "5989", "6990" ], "protocol": "tcp" }, "zones": { "destination": [ "management" ], "source": [ "management" ] } }, { "action": "allow", "application": { "app_id": "icmp_probe", "category": "networking", "risk": 1 }, "decryption": { "mode": "none" }, "direction": "internal", "logging": { "log_end": true, "log_forwarding": true, "profile": "siem_default" }, "rationale": { "en": "The appliance checks a BMC's availability via ICMP before and during a firmware update.\nThe flow is internal to the management plane. The IPS profile in default mode detects\nprotocol anomalies (e.g. ICMP tunneling) without blocking the legitimate probe.\nDecryption is not applicable: ICMP is not an encrypted flow.\n", "fr": "L'appliance vérifie la disponibilité d'un BMC par ICMP avant et pendant une mise à jour\nde firmware. Le flux est interne au plan de gestion. Le profil IPS en mode default\ndétecte les anomalies de protocole (ex. tunneling ICMP) sans bloquer la sonde légitime.\nLe déchiffrement est non applicable : ICMP n'est pas un flux chiffré.\n" }, "security_profiles": { "ips": { "action": "default" } }, "service": { "protocol": "icmp" }, "zones": { "destination": [ "management" ], "source": [ "management" ] } }, { "action": "allow", "application": { "app_id": "slp", "category": "networking", "default_ports": [ "udp/427" ], "risk": 2 }, "decryption": { "mode": "none" }, "direction": "internal", "logging": { "log_end": true, "log_forwarding": true, "profile": "siem_default" }, "rationale": { "en": "Service discovery (SLP) lets the appliance locate BMCs on the management network. The\nflow is confined to the management zone. As SLP is an amplifiable protocol, IPS watches\nfor anomalies and reflection-abuse attempts. Decryption is not applicable: SLP over UDP\nis not encrypted.\n", "fr": "La découverte de service (SLP) permet à l'appliance de localiser les BMC sur le réseau\nde gestion. Le flux est confiné à la zone management. SLP étant un protocole amplifiable,\nl'IPS surveille les anomalies et les tentatives d'abus en réflexion. Le déchiffrement\nest non applicable : SLP sur UDP n'est pas chiffré.\n" }, "security_profiles": { "ips": { "action": "default" } }, "service": { "app_default": true, "ports": [ "427" ], "protocol": "udp" }, "zones": { "destination": [ "management" ], "source": [ "management" ] } }, { "action": "allow", "application": { "app_id": "dns", "category": "networking", "default_ports": [ "udp/53" ], "risk": 2 }, "decryption": { "mode": "none" }, "direction": "internal", "logging": { "log_end": true, "log_forwarding": true, "profile": "siem_default" }, "rationale": { "en": "DNS resolution is required to reach the BMCs, the virtualization manager and the vendor\nfirmware service. The flow is restricted to a controlled internal resolver (no direct\nInternet resolution). The dns_security profile with sinkhole mitigates DNS tunneling from\na compromised management host. Decryption is not applicable: DNS over UDP is not\nencrypted.\n", "fr": "La résolution DNS est requise pour joindre les BMC, le gestionnaire de virtualisation et\nle service éditeur de firmware. Le flux est restreint vers un résolveur interne contrôlé\n(pas de résolution directe vers Internet). Le profil dns_security avec sinkhole atténue\nle tunneling DNS depuis un hôte de gestion compromis. Le déchiffrement est non\napplicable : DNS sur UDP n'est pas chiffré.\n" }, "security_profiles": { "dns_security": { "action": "block", "sinkhole": true } }, "service": { "app_default": true, "ports": [ "53" ], "protocol": "udp" }, "zones": { "destination": [ "internal" ], "source": [ "management" ] } }, { "action": "allow", "application": { "app_id": "firmware_update", "category": "infrastructure", "default_ports": [ "tcp/443" ], "depends_on": [ "dns", "ssl" ], "risk": 3 }, "decryption": { "exclusions": [], "mode": "ssl_forward_proxy" }, "direction": "outbound", "logging": { "log_end": true, "log_forwarding": true, "log_start": false, "profile": "siem_high_priority" }, "rationale": { "en": "The appliance downloads firmware packages from a vendor service on the Internet. This is\nthe only outbound Internet flow and a supply-chain vector: ssl_forward_proxy is mandatory\nso antivirus and sandboxing can inspect the content (mitigating T1542.001 — malicious\nfirmware). url_filtering blocks risky categories and uncategorized sites (hardening). The\nvendor's domain allow-list remains deployment-specific: the domains documented by the\nsource are recorded as provenance (references[].endpoints / Sources section), to be set in\nurl_filtering.allow_list at deployment — without hardcoding a brand into the rule.\nApplication risk is medium (risk 3): a legitimate but sensitive outbound flow.\n", "fr": "L'appliance télécharge des paquets de firmware depuis un service éditeur sur Internet.\nC'est l'unique flux sortant vers Internet et un vecteur de chaîne d'approvisionnement :\nssl_forward_proxy est obligatoire pour que l'antivirus et le sandboxing inspectent le\ncontenu (atténuation de T1542.001 — firmware malveillant). url_filtering bloque les\ncatégories à risque et les sites non catégorisés (durcissement). La liste blanche des\ndomaines de l'éditeur reste spécifique au déploiement : les domaines documentés par la\nsource figurent en provenance (references[].endpoints / section Sources), à reporter en\nurl_filtering.allow_list au déploiement — sans coder de marque dans la règle. Le risque\napplicatif est moyen (risk 3) : flux sortant légitime mais sensible.\n" }, "security_profiles": { "antivirus": { "action": "block" }, "dns_security": { "action": "block", "sinkhole": true }, "ips": { "action": "block", "min_severity": "low" }, "sandboxing": { "enabled": true, "file_types": [ "firmware_image", "pe", "archive" ] }, "url_filtering": { "block_categories": [ "malware", "phishing", "c2", "newly_registered_domain", "compromised" ], "credential_phishing": "block", "uncategorized_action": "block" } }, "service": { "app_default": true, "ports": [ "443" ], "protocol": "tcp" }, "zones": { "destination": [ "internet" ], "source": [ "management" ] } }, { "action": "drop", "application": { "app_id": "clear_text_mgmt", "category": "infrastructure", "default_ports": [ "tcp/5988", "tcp/115" ], "risk": 4 }, "direction": "internal", "logging": { "log_end": true, "log_forwarding": true, "log_start": true, "profile": "siem_high_priority" }, "rationale": { "en": "Hardening: legacy clear-text management protocols (CIM-HTTP on 5988, unencrypted file\ntransfer on 115) are silently dropped. They can be intercepted on a poorly segmented\nmanagement network (T1557 — credential theft and in-flight tampering) and must be\nreplaced by their encrypted equivalents (CIM-HTTPS 5989, management on 443 — rule 2).\nHigh-priority logging flags any usage attempt, a sign of misconfigured legacy hardware or\na bypass attempt. Legacy clear-text out-of-band management (legacy IPMI on udp/623) falls\nunder the same posture and must be confined then eliminated.\n", "fr": "Durcissement : les protocoles de gestion en clair hérités (CIM-HTTP sur 5988, transfert\nde fichiers non chiffré sur 115) sont bloqués silencieusement. Ils sont interceptables\nsur un réseau de gestion mal segmenté (T1557 — vol d'identifiants et altération en vol)\net doivent être remplacés par leurs équivalents chiffrés (CIM-HTTPS 5989, gestion sur\n443 — règle 2). Le log en haute priorité signale toute tentative d'usage, indice de\nmatériel hérité mal configuré ou de tentative de contournement. La protection par\ngestion out-of-band en clair (IPMI hérité sur udp/623) relève de la même posture et doit\nêtre confinée puis éliminée.\n" }, "service": { "ports": [ "5988", "115" ], "protocol": "tcp" }, "zones": { "destination": [ "management" ], "source": [ "management" ] } } ], "schema_version": "1.0.0", "threat_model": { "attacker_goal": { "en": "Gain persistent below-OS control by writing malicious firmware through the BMC, or pivot\nfrom the integration appliance into the out-of-band management plane to take over the\nentire server fleet.\n", "fr": "Obtenir un contrôle persistant sous le système d'exploitation en écrivant un firmware\nmalveillant via le BMC, ou pivoter depuis l'appliance d'intégration vers le plan de\ngestion out-of-band pour prendre la main sur l'ensemble du parc de serveurs.\n" }, "key_controls": [ "management_zone_segmentation", "ssl_inbound_inspection", "block_cleartext_management", "ssl_forward_proxy", "firmware_sandboxing", "identity_user_group" ], "summary": { "en": "The out-of-band management plane (BMC) grants full hardware control, independent of and\nbelow the operating system: virtual media mounting, reconfiguration, and above all\nfirmware writes. It is a very high-value target. The integration appliance is a key choke\npoint because it bridges the IT plane (virtualization manager, administrators) and the\nhardware management plane. Three risks dominate. (1) Compromise of the appliance through\nits exposed interface, then pivot to the BMCs. (2) Interception of legacy clear-text\nmanagement protocols (CIM-HTTP, unencrypted file transfer) on a poorly segmented\nmanagement network. (3) The Internet firmware-update path hijacked into a supply-chain\nvector (malicious firmware package).\n", "fr": "Le plan de gestion out-of-band (BMC) confère un contrôle matériel total, indépendant et\nsous le système d'exploitation : montage de média virtuel, reconfiguration, et surtout\nécriture de firmware. C'est une cible de très haute valeur. L'appliance d'intégration est\nun point de passage privilégié car il relie le plan IT (gestionnaire de virtualisation,\nadministrateurs) au plan de gestion matériel. Trois risques dominent. (1) Compromission de\nl'appliance via son interface exposée, puis pivot vers les BMC. (2) Interception des\nprotocoles de gestion en clair hérités (CIM-HTTP, transfert de fichiers non chiffré) sur\nun réseau de gestion mal segmenté. (3) Chemin de mise à jour de firmware sur Internet\ndétourné en vecteur de chaîne d'approvisionnement (paquet de firmware malveillant).\n" } }, "title": { "en": "Out-of-band hardware management integration appliance (BMC)", "fr": "Appliance d'intégration de gestion matérielle out-of-band (BMC)" }, "trust_tier": "community", "version": "1.0.0" }