Looking for Feedback for Hardware Server Security
It's 2025, and I'm wondering if people have a different impression from some vendors. I used to love Supermicro, but:
* I cannot even get a response via email or calls re: sales
* Their website tells you to never upload the bios or bmc unless you "have a problem", and tries to claim no liability. Hello?! I need microcode updates, and other bios updates (yes I know about OS microcode updates, not my point), as well as IPMI updates
* They have no list of EOL support timeranges for any of their products. I need to know how long IPMI and other products are supported for security issues.
* They still seem to have ridiculous LAN sharing of IPMI, which means that even if you set their IPMI to use the dedicated NIC, and set up an isolated network, a loss of defaults means your IPMI is now no longer on that network but sharing the NIC on your main network. And in the past, I've seen this happen regardless of settings (buggy).
Dumbest setup ever, exceptionally insecure, and they're still doing it?!
* If their sales channel doesn't respond, then their support channel will be 10x more lagged. Every sane company ensures you have enough resources to sell new product.
Are other vendors this bad too?
Has anyone noticed regular security updates for Dell or HP or other competitors?
Thanks
EDIT:
For clarity, I'm looking for hardware servers, 1Us. Not interested in cloud solutions for this usage case.
> They still seem to have ridiculous LAN sharing of IPMI, which means that even if you set their IPMI to use the dedicated NIC, and setup an isolated network, a loss of defaults means your IPMI is now no longer on that network but sharing the NIC on your main network.
This sounds particularly weird though, if I am reading it right. Are you saying the BMC will bridge IPMI over multiple NICs in default configuration? And that there is no setup that safely and consistently binds the IPMI to a single NIC?
Isolating management to a dedicated network continues to be part of basic security and it's very surprising to hear that this would not be a supported use case by SuperMicro...
By default, their servers have a 'failover' mode for the main NIC. This means that when the server gets power, and IPMI boots, if the IPMI NIC doesn't have a link it will then share connectivity with the main NIC.
# To get LAN mode:
ipmitool raw 0x30 0x70 0x0c 0
# 00 = dedicated, 01 = share, 02 = failover
# To set, use 0|1|2:
ipmitool raw 0x30 0x70 0x0c 1 <value>
You can set it to 'dedicated', but sometimes that's buggy and the setting can get lost. I've had it happen. And it defaults to failover on most servers I've bought, so a dead bios battery means the same outcome.
And if you're not aware, leave it at failover, and your dedicated IPMI LAN switch dies, then on the next boot all your stuff is exposed.
From what I've read, this is still the same in 2025.
I'd really have preferred a jumper for something this insanely insecure.
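An added example (not from any commenter in this thread) that turns the raw commands above into a repeatable check, since the setting can silently revert: it decodes the reply byte from the "get LAN mode" command, flags anything other than dedicated, and can re-apply dedicated mode with the "set" command. It assumes ipmitool is installed with in-band IPMI access; the mode codes are the ones quoted above, and the function names are mine.

```shell
#!/bin/sh
# Audit the Supermicro BMC LAN interface mode via the OEM raw command
# quoted in the thread (0x30 0x70 0x0c 0). Mode codes from the thread:
# 00 = dedicated, 01 = share, 02 = failover.

# Map a raw reply (ipmitool prints it as " 00", " 01", ...) to a name.
lan_mode_name() {
    case "$(printf '%s' "$1" | tr -d ' \n')" in
        00) echo dedicated ;;
        01) echo share ;;
        02) echo failover ;;
        *)  echo unknown ;;
    esac
}

# Returns 0 when the BMC is pinned to the dedicated NIC, 1 otherwise.
# Takes the raw reply string so it can be exercised without a live BMC.
check_lan_mode() {
    mode=$(lan_mode_name "$1")
    if [ "$mode" = dedicated ]; then
        echo "OK: BMC LAN mode is dedicated"
        return 0
    fi
    echo "WARNING: BMC LAN mode is '$mode', expected dedicated;" \
         "a link loss on the IPMI NIC could expose the BMC on the host network"
    return 1
}

# Query the live BMC in-band and evaluate the result.
audit_bmc() {
    reply=$(ipmitool raw 0x30 0x70 0x0c 0) \
        || { echo "ipmitool query failed" >&2; return 2; }
    check_lan_mode "$reply"
}

# Force dedicated mode (value 0) using the "set" form from the thread,
# then re-audit so the change is confirmed rather than assumed.
fix_bmc() {
    ipmitool raw 0x30 0x70 0x0c 1 0 >/dev/null \
        || { echo "ipmitool set failed" >&2; return 2; }
    audit_bmc
}

# Usage: run with "audit" from cron/config management, or "fix" to remediate.
case "${1:-}" in
    audit) audit_bmc ;;
    fix)   fix_bmc ;;
esac
```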
Thanks for the FYI on AsRockRACK.
Have you had any firmware updates for IPMI with them, however?
> Thanks for the FYI on AsRockRACK.
NP. FWIW at least I think the BMC networking doesn't have the kind of failure mode you're describing.
> Have you had any firmware updates for IPMI with them, however?
Yeah, they have unofficial newer "beta" versions that you will get a private download link for over email if you contact support and ask for it. Same if you want fixes for UEFI or AMD firmware vulnerabilities more than a year or so after board release.
Thinking about supply-chain security when flashing those makes me a bit nauseous... The industry seems to be stuck with a 90s mindset and processes.
(no affiliation, I just like the solution)
Thanks though.
Can I just install Linux directly on bare metal here?