
Most places I know of isolate their OOB management network, requiring a VPN or jumpbox to access it. However, if someone did give their OOB network full outbound access, I could see this slipping through. I could imagine that simply going to a CDN or cloud provider like AWS/CloudFront/Cloudflare/Akamai with a DNS lookup along the lines of updates.supermicro.cdn-front.com wouldn't be too suspicious. At that point, you'd be looking for DNS lookups and not firewall hits.

If you are blocking outbound, I could still see this going unnoticed if you're not actively reviewing denials.

But, if you are properly watching DNS lookups from OOB and it's anything other than necessary services (NTP, LDAP, syslog), then this would get picked up pretty quickly.




> However, if someone did give their OOB network full outbound access, I could see this slipping through.

Quite, especially in small networks with inline iLOs; it's entirely possible that people plug the iLO (IPMI etc.) into a more open network. Sure, nothing in, but no block on stuff going out.


Sounds like many things would have to go right in the defender's court. Optimism is not a good defense strategy :)


Heh. One colleague has "Hope is not a valid deployment strategy" as a signature.

Most places might be blocking this type of activity by default. For most of our security audits, it's just assumed that the SM IPMI or Dell iDRAC is vulnerable to one exploit or another. We mitigate that by controlling the traffic. I feel this is common practice in most places that understand VLANs and firewalls.

However, while blocking is easy, being aware of something like this is on another level altogether. Unicorn-jumping-over-a-rainbow level rare. You really have to be logging outbound attempts and DNS lookups. Where I work, there is a full security team and they are at an insane level where they log the allowed traffic. One told me that the allowed traffic is more interesting than the denied traffic. Denied just tells them what we anticipated, while allowed helps them establish a pattern and look for deviations.
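The two checks described in this thread (the earlier comment's "watch DNS lookups from OOB for anything other than NTP, LDAP, syslog", and this comment's "log the allowed traffic and look for deviations from the pattern") as one added example. This is not code from any commenter or vendor; the subnet, hostnames and log lines are constructed for the example, the DNS lines approximate BIND's query-log format, and the firewall lines use a simplified iptables-style ACCEPT record.

```python
import ipaddress
import re

# Added example (not from the thread). Assumed OOB/IPMI management subnet (hypothetical).
OOB_NET = ipaddress.ip_network("10.250.0.0/24")
# Hostnames an OOB VLAN legitimately needs to resolve (constructed names).
ALLOWED_SUFFIXES = ("ntp.corp.example", "ldap.corp.example", "syslog.corp.example")

# Approximation of a BIND query-log line; only the client IP and query name are used.
DNS_RE = re.compile(
    r"client (?:@\S+ )?(?P<client>\d+\.\d+\.\d+\.\d+)#\d+.*?query: (?P<qname>\S+) IN \w+"
)
# Simplified iptables/nftables-style accept log (constructed format).
FLOW_RE = re.compile(
    r"ACCEPT SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)"
)

# Constructed sample logs. 10.10.4.9 is a normal host, not on the OOB VLAN.
SAMPLE_DNS_LOG = """\
client 10.250.0.17#51234: query: ntp.corp.example IN A + (10.0.0.53)
client 10.250.0.17#51240: query: ldap.corp.example IN A + (10.0.0.53)
client 10.10.4.9#40001: query: updates.supermicro.cdn-front.com IN A + (10.0.0.53)
client 10.250.0.23#51301: query: updates.supermicro.cdn-front.com IN A + (10.0.0.53)
client 10.250.0.23#51302: query: syslog.corp.example IN A + (10.0.0.53)
"""

BASELINE_FLOWS = """\
ACCEPT SRC=10.250.0.17 DST=10.0.0.123 PROTO=UDP DPT=123
ACCEPT SRC=10.250.0.17 DST=10.0.0.389 PROTO=TCP DPT=636
ACCEPT SRC=10.250.0.23 DST=10.0.0.514 PROTO=UDP DPT=514
"""

TODAY_FLOWS = """\
ACCEPT SRC=10.250.0.17 DST=10.0.0.123 PROTO=UDP DPT=123
ACCEPT SRC=10.250.0.23 DST=203.0.113.45 PROTO=TCP DPT=443
ACCEPT SRC=10.10.4.9 DST=203.0.113.45 PROTO=TCP DPT=443
"""


def is_oob(ip: str) -> bool:
    """True if the address belongs to the OOB management subnet."""
    return ipaddress.ip_address(ip) in OOB_NET


def is_expected_name(qname: str) -> bool:
    """Exact or child-label match against the allowlist; 'evil-ntp.corp.example'
    and 'ntp.corp.example.attacker.test' both fail on purpose."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in ALLOWED_SUFFIXES)


def dns_alerts(log_text: str):
    """(client, qname) for every OOB host resolving something outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if m and is_oob(m["client"]) and not is_expected_name(m["qname"]):
            alerts.append((m["client"], m["qname"].rstrip(".").lower()))
    return alerts


def oob_flows(log_text: str):
    """Set of (src, dst, proto, dport) ACCEPTED flows that originate on the OOB subnet."""
    flows = set()
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if m and is_oob(m["src"]):
            flows.add((m["src"], m["dst"], m["proto"], int(m["dport"])))
    return flows


def flow_deviations(baseline_text: str, current_text: str):
    """Allowed OOB flows seen now that the baseline window never contained.
    Denied traffic is what the policy anticipated; this is the part that was not."""
    return sorted(oob_flows(current_text) - oob_flows(baseline_text))


if __name__ == "__main__":
    for client, qname in dns_alerts(SAMPLE_DNS_LOG):
        print(f"OOB host {client} resolved unexpected name {qname}")
    for src, dst, proto, dport in flow_deviations(BASELINE_FLOWS, TODAY_FLOWS):
        print(f"new allowed OOB flow: {src} -> {dst} {proto}/{dport}")
```

Both checks deliberately ignore the non-OOB host that resolves the same CDN-looking name: a BMC talking to a CDN is the anomaly, a workstation doing so is not. The baseline here is a single log window; in practice it would be built over days and keyed per source host, since the deviation that matters is "this iDRAC never talked to that destination before", not "nobody ever did".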


That's my point. Security people have been analyzing network traffic for decades trying to spot something that doesn't fit, host-wise, pattern-wise or even packet-wise (see The Museum of Broken Packets[0], for example). And someone managed to somehow hide all this traffic from security experts working for Amazon and Apple, for months or years? I'm very curious to see how.

[0] http://lcamtuf.coredump.cx/mobp/


I think you misread - "Unicorn jumping over a rainbow level rare" was about catching it, not missing it.



