9 Replies Latest reply on Aug 19, 2009 1:09 PM by S Crawford

    PXE Security Considerations

      For those of you in high-security environments: what are some of the concerns around allowing PXE and DHCP within a production network?

        • 1. Re: PXE Security Considerations
          Bill Robinson

          most places don't want to run dhcp on their production wire, which is why we'd recommend doing provisioning on a separate vlan. you don't want to build systems on a prod network because they would be the most vulnerable there, before they are patched/secured/configured.

          • 2. Re: PXE Security Considerations

            That makes a lot of sense. Thanks.

            • 3. Re: PXE Security Considerations
              Bill Robinson

              i was thinking also, dhcp usually doesn't fly on a production network because they don't want you to be able to plug in and get an ip. though i think that's kind of moot - if you can plug into the network, you can probably figure out the traffic (depends on the device you're plugged into). but if they're smart then they should turn off all ports not in use, and also limit the ports to 1 mac, or a list of known macs... so then it wouldn't matter if dhcp was on or not, you shouldn't get an ip unless you spoof a mac.

              • 4. Re: PXE Security Considerations

                Would provisioning on a separate VLAN require physically disconnecting and re-connecting to the production network? Is there perhaps a way to remotely/programmatically "move" a provisioned server into the production network?

                • 5. Re: PXE Security Considerations

                  You can do it all remotely from the switch, if you wanted to move it in and out of a vlan. The other method would be to trunk down to the port. Just put the appserver's switch port in both vlans and do it that way.

                  • 6. Re: PXE Security Considerations
                    Bill Robinson

                    you don't even need to have the appserver on both vlans. w/ the right firewall rules you'd only need to change the vlan for the switchport of the target system.

                    • 7. Re: PXE Security Considerations

                      Would you be able to describe at a high level what those firewall rules would be? We're also considering alternatives like creating a boot CD, but would love to avoid this if we can have a good answer for security. Would there happen to be a best practices document that would talk about this setup in more detail?

                      • 8. Re: PXE Security Considerations
                        Bill Robinson

                        VLAN1 = production network

                        VLAN2 = provisioning network


                        put the PXE/TFTP/DHCP server on VLAN2

                        open a hole for the db from the pxe/tftp server (VLAN2) to VLAN1 (db server), port 1521 or 1433


                        open a hole for any system on VLAN2 to VLAN1 (appserver) for port 9831/tcp


                        open a hole for VLAN1 (appserver) to any server in VLAN2 on port 4750.


                        appserver needs to be able to resolve the names/ips of the targets in the prov vlan


                        that should do it.
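
The openings listed in reply 8, written as a default-deny allowlist and used to audit flow records. This is an added example, not part of any poster's reply. The subnets, host addresses, the use of TCP for ports 1521, 1433 and 4750, and the stateful handling of return traffic are all assumptions.

```python
"""Audit inter-VLAN flows against the openings listed in reply 8 (added example).
Every address below is a constructed placeholder."""
from ipaddress import ip_address, ip_network

VLAN1 = ip_network("10.10.1.0/24")        # production (assumed subnet)
VLAN2 = ip_network("10.10.2.0/24")        # provisioning (assumed subnet)
APPSERVER = ip_network("10.10.1.10/32")   # assumed host in VLAN1
DB_SERVER = ip_network("10.10.1.20/32")   # assumed host in VLAN1
PXE_SERVER = ip_network("10.10.2.5/32")   # assumed PXE/TFTP/DHCP host in VLAN2

# (rule name, source, destination, protocol, destination ports)
# TCP for 1521, 1433 and 4750 is an assumption; the thread only says /tcp for 9831.
ALLOW = [
    ("pxe-to-db", PXE_SERVER, DB_SERVER, "tcp", {1521, 1433}),
    ("targets-to-appserver", VLAN2, APPSERVER, "tcp", {9831}),
    ("appserver-to-targets", APPSERVER, VLAN2, "tcp", {4750}),
]

def vlan_of(addr):
    """Name the VLAN an address belongs to, or None if it is in neither."""
    return "VLAN1" if addr in VLAN1 else "VLAN2" if addr in VLAN2 else None

def evaluate(src, dst, proto, dport):
    """Return (verdict, rule) for a connection-initiating flow.
    Replies are assumed to be handled by a stateful firewall."""
    s, d = ip_address(src), ip_address(dst)
    if vlan_of(s) is not None and vlan_of(s) == vlan_of(d):
        return ("local", None)            # never crosses the inter-VLAN firewall
    for name, src_net, dst_net, rule_proto, ports in ALLOW:
        if s in src_net and d in dst_net and proto == rule_proto and dport in ports:
            return ("allow", name)
    return ("deny", None)                 # default deny for everything else

def audit(flows):
    """Return the flows that the allowlist would not permit."""
    return [f for f in flows if evaluate(*f)[0] == "deny"]

# Constructed flow records: (src, dst, proto, dport)
SAMPLE_FLOWS = [
    ("10.10.2.5", "10.10.1.20", "tcp", 1521),   # PXE server -> db
    ("10.10.2.77", "10.10.1.10", "tcp", 9831),  # target -> appserver
    ("10.10.1.10", "10.10.2.77", "tcp", 4750),  # appserver -> target
    ("10.10.2.77", "10.10.2.5", "udp", 69),     # TFTP inside VLAN2
    ("10.10.2.77", "10.10.1.20", "tcp", 1521),  # unbuilt target -> db
    ("10.10.1.30", "10.10.2.77", "tcp", 4750),  # other prod host -> target
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("not covered by the allowlist:", flow)
```

Feeding it flow records exported from the firewall or switch shows whether anything other than the three listed openings is crossing between the two VLANs.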

                        • 9. Re: PXE Security Considerations
                          S Crawford

                          FYI we are in the process of building our provisioning network and will have the same scenario as the one you described here (where we can't have DHCP in the production network). We will also be setting up bootable CD and iLO images for cases where servers cannot be entered into the provisioning network and static IPs are assigned. If there are any updates or findings that anyone has encountered since the last posting here, please share. I will update and post anything that we find as we go through this process.