"For the gateway, whatever the system administrator is most comfortable with [is OK]," he said. "I would use a Linux machine stripped down only to the basic functionality that's needed. Other people might be more comfortable with Windows, so they probably should do a Windows server build with the same stripped down functionality."
Finally, companies should closely monitor network traffic to the IPMI port for anomalies, such as connections from an IP address that is not normally used to access the IPMI, Kandek said.
While segregation is a good solution, it isn't always possible, said HD Moore, chief research officer for Rapid7 and the creator of the open source Metasploit Framework, used to execute exploit code against a remote system for testing purposes.
Because low-end servers often have only one port for connecting to the Internet, physically segregating the IPMI traffic isn't possible. One option is to set up a virtual local area network (VLAN) that gives the IPMI traffic its own broadcast domain, carrying only packets headed to the IPMI. That also makes the traffic easier to monitor.
"Most people don't do this because it's a pain in the butt and you have to have a switch that supports it," Moore said.
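The monitoring that Kandek and Moore describe, as an added example that is not part of the original article: flow records for the IPMI management VLAN are checked against an allowlist of the hosts that are expected to reach the BMCs, and anything else talking to the IPMI port is flagged. The allowlist, the management subnet and the flow records are all constructed for the example.

```python
import ipaddress

# IPMI over LAN (RMCP/RMCP+) listens on UDP/623; this is the port to watch.
IPMI_PORT = 623

# Hypothetical admin jump hosts that are the only expected IPMI clients.
EXPECTED_CLIENTS = {"10.0.50.10", "10.0.50.11"}
# Hypothetical dedicated management VLAN that should carry only BMC traffic.
MGMT_NET = ipaddress.ip_network("10.0.50.0/24")

# Constructed flow records: (src_ip, dst_ip, dst_port, proto).
SAMPLE_FLOWS = [
    ("10.0.50.10", "10.0.50.201", 623, "udp"),  # normal admin host
    ("10.0.50.11", "10.0.50.202", 623, "udp"),  # normal admin host
    ("10.0.50.42", "10.0.50.201", 623, "udp"),  # in the VLAN, but not an admin host
    ("192.0.2.77", "10.0.50.201", 623, "udp"),  # outside the management network
    ("192.0.2.77", "10.0.50.201", 443, "tcp"),  # not IPMI traffic, ignored
]


def classify_flow(src_ip, dst_ip, dst_port, proto):
    """Return None for expected IPMI traffic, or a reason string for an anomaly."""
    if proto != "udp" or dst_port != IPMI_PORT:
        return None  # not IPMI traffic, out of scope for this check
    if src_ip in EXPECTED_CLIENTS:
        return None  # a host that normally accesses the BMCs
    if ipaddress.ip_address(src_ip) not in MGMT_NET:
        return "ipmi access from outside management network"
    return "ipmi access from unexpected host inside management network"


def find_ipmi_anomalies(flows):
    """Return (src_ip, dst_ip, reason) for every flow that is not expected IPMI use."""
    findings = []
    for src, dst, port, proto in flows:
        reason = classify_flow(src, dst, port, proto)
        if reason:
            findings.append((src, dst, reason))
    return findings


if __name__ == "__main__":
    for src, dst, reason in find_ipmi_anomalies(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {dst}:{IPMI_PORT}/udp: {reason}")
```

In practice the flow records would come from the switch or a collector on the management VLAN rather than a hard-coded list.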
In general, there is no single solution to the problem. Moore recommends that system administrators scan their servers with Metasploit, find the vulnerabilities that affect their systems and then decide what to do about them.
"There's definitely a number of mitigation strategies out there," Moore said.