10-22-2018 10:06 PM
Hi board,
I'm wondering how others handle the CIMC in the Cisco ISE.
In the ISE downloads, there is one BIOS and CIMC software (3.0.3a). However, there are lot's of CIMC vulnerabilities, which needs to be closed. The hardware installation guide does not state that the 3.0.3a is the only supported BIOS.
In fact the guide states:
The following procedure is for upgrading the BIOS and Cisco IMC to version 3.0(3a). However, this procedure is generic and is applicable for newer firmware releases that are posted on Cisco.com.
Does this statement apply to the firmware posted in the "Identity Services Engine" download section or is it also supported to use a newer firmware in the downloads section of the corresponding UCS server model?
I know that other firmwares also work - the question is whether this is supported as well.
How you do handle the software of the CIMC?
My question also applies to other UCS based appliances like the WLC5520 etc. :)
Solved! Go to Solution.
10-24-2018 10:05 PM
If your SNS appliances are of 3515 or 3595, they need signed binaries for secure boot. CSCvj90778 or CSCvm14331 are addressed recently with a secure signed CIMC 3.0(4j) and I believe it soon available at Cisco software download.
10-30-2018 12:28 AM
01-07-2019 11:01 AM
Hi,
The Cisco SNS 3500 Series Appliance Hardware Installation Guide has been updated. It now says why you should only use the CIMC software that is listed with the ISE downloads. It also mentions to check the download directory for other readme and upgrade files.
Currently, on the downloads page, under All Releases > Firmware > SNS35X5, there are downloads for the ISE-compliant CIMC and upgrade instructions.
10-22-2018 10:21 PM
10-22-2018 10:24 PM
Hey Mohammed,
yeah - I see it exactely the same way (except the fact that there is no CIMC in VM deployments because it is purely Cisco UCS related :) ).
However I don't get the point why there is exactely one offered version in the ISE download section. This implies that this is the only version to use in combination with ISE. Why isn't there just a download hint to the corresponding UCS model and the statement "use the software you want" ? :)
10-22-2018 10:49 PM
I think @Johannes Luther is referring to the software lifecycle management of the entire system (UCS server + ISE application) because when you purchase the SNS-3595 you should consider the life cycle management of CIMC as well. Yes of course an attacker on the ISE gig0 will never reach the CIMC (if the CIMC is running on dedicated Management Eth port) but the hacker may already be on the management network - and if they get to your CIMC then they can hose the entire server. Therefore it's probably sensible to keep patching the CIMC whenever possible. If you run CIMC and ISE application on the same GigE port, then who know what might happen (from a security risk point of view).
Server appliances are a pain in that respect because of this additional compute layer. Nevertheless, I think Johannes has an excellent question and when I recently commissioned 6 SNS-3595 servers I also looked at the CIMC version and didn't dare touch it. Not much guidance around this topic. It would be nice to know from Cisco how to maintain the SNS server CIMC software if a CVE is announced.
10-22-2018 11:46 PM
Hi Arne,
thanks for the feedback! At least someone understands me ;)
So what I do with the CIMC boards at the moment is to keep the recommended (downloadable) software, but I do a full blown configuration of the CIMC (SNMP, Syslog, LDAPs for admin auth, SSL certificates, SoL etc.).
I think this is really important in the ISE, because the ISE application and ADE-OS doesn't monitor all hardware related issues. I guess simple things like a power supply failure is recognized by ADE-OS (operating system).
But more complex situations like an HDD failure of the RAID-10 cluster are only recognized by the CIMC. Even if hardware failures of HDDs are recognized by ADE-OS, there are much more complex failure situations regarding storage, memory and CPU.....
So bottom line is, that the CIMC is a very very crucial part to fully monitor the SLA of the ISE service.
...
...
And no ... Configuring the CIMC is not fun :) It took me some time to build a good CLI template for my use case....
However, I'm still not sure about the SW version ...
10-24-2018 10:05 PM
If your SNS appliances are of 3515 or 3595, they need signed binaries for secure boot. CSCvj90778 or CSCvm14331 are addressed recently with a secure signed CIMC 3.0(4j) and I believe it soon available at Cisco software download.
10-25-2018 05:30 AM - edited 10-25-2018 05:42 AM
Good point - however the last SNS-35XX appliances I got have "secure boot" disabled by default.
Furthermore, does the "secure boot" setting actually restrict CIMC/BIOS updates?
"The SNS 3515 and SNS 3595 appliances support the Unified Extensible Firmware Interface (UEFI) secure boot feature. This feature ensures that only a Cisco-signed ISE image can be installed on the SNS 3515 and SNS 3595 appliances, and prevents installation of any unsigned operating system even with physical access to the device. For example, generic operating systems, such as Red Hat Enterprise Linux or Microsoft Windows cannot boot on this appliance. "
Edit after I read some other topics:
>> Furthermore, does the "secure boot" setting actually restrict CIMC/BIOS updates?
==> Yes it does :)
10-25-2018 12:25 AM - edited 10-25-2018 12:26 AM
Don't try corresponding UCS CIMC, I ruined 2 SNS3495 appliances this way. One time with host upgrade utility and one time with manual upgrade, it doesn't work. Probably there are some differences between CIMC on SNS Appliance and UCS
10-25-2018 01:22 AM
Hi Everyone
Just to add to this thread, I have recently deployed SNS-3515 with Cisco ISE 2.4 which comes with default CIMC firmware version 3.0 and when I'm tried to update the SNS-3515-K9 C220M4 Appliance Firmware from 3.0 to 4.0.1a (Cisco Recommended) using the HUU ISO, it won't allow me to boot with an error "Invalid signature detected. Check Secure Boot Policy in Setup".
So when I tried to disable the Secure boot option under the CIMC Utility, it shows another error "In ISE mode BIOS secure boot can not be disabled."