A Multi-Layered Approach to Console Terminal Server Security

When deploying a console terminal server (http://www.wti.com/c-50-console-terminal-servers.aspx) in an out-of-band management application, one of the most important considerations is adequate security. Ideally, console terminal servers should be protected by multiple layers of security and authentication features; generally speaking, the more layers the better. In addition to common security features such as password protection and authentication protocols such as LDAP or RADIUS, some console terminal servers include an IP address filter, which lets the console terminal server accept or reject potential users based on their IP address.

Configuration of an IP address filter is usually fairly simple. Most console terminal server products that support IP address filtering offer the option to accept or deny individual IP addresses, groups of IP addresses or an entire range of IP addresses. Console terminal server products differ in how the IP address filter is configured, but the best solution involves creating two separate lists, an “allow” list and a “deny” list, that the IP address filter uses to determine whether each potential user will be allowed to access command functions or rejected.

After the IP address filter has been configured and enabled, the console terminal server will check the IP address for each connection request. If the IP address is found in the “allow” list, the user will be immediately granted access to the console terminal server command mode. If the IP address is not found in the “allow” list, the console terminal server will then check the “deny” list and reject any address or range of addresses that appears in that list. This arrangement enables network administrators to define ranges of IP addresses that will all be allowed or denied access, or to define specific, individual IP addresses that will be allowed or denied.
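
The evaluation order described above, as an added example in Python (not code from any console terminal server product). The function names, the sample addresses, and the default applied to an address found in neither list are assumptions; the article does not say how such an address is handled.

```python
import ipaddress

def parse_entries(entries):
    """Accept single addresses ('192.0.2.10') and ranges in CIDR form."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def filter_decision(source_ip, allow, deny, default_allow=False):
    """Return (verdict, matching entry) for one connection request.

    Order follows the article: allow list first, then deny list.
    default_allow is an assumption for addresses in neither list.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return ("deny", "invalid")      # unparsable source: fail closed
    for net in allow:                   # 1. a match here grants access at once
        if addr in net:
            return ("allow", str(net))
    for net in deny:                    # 2. only reached when not allowed
        if addr in net:
            return ("deny", str(net))
    return ("allow" if default_allow else "deny", "default")

# Constructed sample lists (RFC 5737 documentation addresses).
ALLOW = parse_entries(["192.0.2.10", "198.51.100.0/28"])
DENY = parse_entries(["192.0.2.0/24", "0.0.0.0/0"])  # 0.0.0.0/0: deny all others

if __name__ == "__main__":
    for ip in ["192.0.2.10", "192.0.2.11", "198.51.100.14",
               "198.51.100.16", "203.0.113.7", "not-an-ip"]:
        print(f"{ip:15} -> {filter_decision(ip, ALLOW, DENY)}")
```

Because the allow list is consulted first, 192.0.2.10 is admitted even though 192.0.2.0/24 is denied; the trailing 0.0.0.0/0 deny entry makes the outcome for unlisted addresses explicit instead of leaving it to the default.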

A console terminal server with an IP address filter can be particularly helpful in direct connect applications that require automated contact with the console terminal server. In many direct connect applications where the console terminal server is automatically contacted by another network device, the calling device often has no means to respond to the username/password prompt. In cases like this, password protection can be disabled and the IP address filter then basically uses the calling device’s IP address as a password, providing restricted access to console terminal server command functions without the need to manually respond to the password prompt.

Most network security professionals agree that a multi-layered approach to security and authentication provides the best means of ensuring that console terminal server command functions are protected from unauthorized access. A security strategy that relies only on password protection can often be easily bypassed by an experienced hacker, but combining password protection with remote authentication protocols makes unauthorized access much more difficult. Adding an IP address filter on top of password protection and remote authentication provides another layer of security and even more assurance that access to console terminal server command functions is adequately protected from hackers and other unauthorized users.
