An Invalid Access Attempt Alarm Improves Console Terminal Server Security

Maintaining security in an out-of-band management application can be a challenge. As anyone in the network security business can tell you, hackers love to wage war against random network elements, and it doesn’t take them long to find an inadequately protected network device. That’s why it’s important to choose a console terminal server unit that includes adequate security to protect sensitive console port command functions from unauthorized access.

The most common approach to security is to make certain that important network devices such as console terminal servers are protected by multiple layers of security. At a minimum, a console terminal server should support basic security features such as password protection, authentication protocols such as TACACS+, RADIUS, Kerberos and LDAP, plus additional security measures such as IP address filtering and an Invalid Access Attempt Alarm.

An invalid access alarm counts unsuccessful password attempts at network ports on the console terminal server unit, and then automatically notifies network administrators when the number of unsuccessful attempts exceeds user-defined threshold levels. In some cases, an invalid access alarm can also lock network ports when excessive failed password attempts are detected, and then unlock those ports again after a user-defined time-out period has elapsed. This type of security proves especially effective against attacks by random password generators, essentially stopping the attack in its tracks before the hacker has a chance to stumble across a valid password and gain entry.

When excessive failed password attempts are detected, the console terminal server should also be able to notify network administrators that an attack might be in progress, so that they can implement additional security precautions before the hacking attempt succeeds. The invalid access attempt alarm should also support multiple communication formats in order to fit the needs of a variety of administrators and IT support personnel. At a minimum, the invalid access attempt alarm should support notification via email, but ideally, the alarm should also support notification via other methods such as text message, SNMP trap and SYSLOG message.
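The counting, lockout and notification behaviour described above can be sketched as follows. This is an added example, not code from any console terminal server product; the class and function names, the per-port counters, the reset on a valid login and the `alarms` list (standing in for email, SNMP trap or SYSLOG delivery) are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class InvalidAccessAlarm:  # hypothetical model, not a vendor API
    threshold: int = 3          # failures tolerated before the alarm fires
    lockout_seconds: int = 300  # user-defined time-out before a port unlocks
    failures: dict = field(default_factory=dict)      # port -> failed-attempt count
    locked_until: dict = field(default_factory=dict)  # port -> unlock time
    alarms: list = field(default_factory=list)        # notifications to send

    def attempt(self, port, password_ok, now):
        """Process one login attempt at time `now` (seconds); return the outcome."""
        if port in self.locked_until:
            if now < self.locked_until[port]:
                return "locked"            # rejected even if the password is right
            del self.locked_until[port]    # time-out elapsed: unlock the port
            self.failures[port] = 0
        if password_ok:
            self.failures[port] = 0        # assumption: a valid login clears the counter
            return "accepted"
        self.failures[port] = self.failures.get(port, 0) + 1
        if self.failures[port] > self.threshold:
            self.locked_until[port] = now + self.lockout_seconds
            self.alarms.append((now, port, self.failures[port]))
            return "alarm"
        return "rejected"


def replay(events, alarm):
    """Feed (time, port, password_ok) events through the alarm; return outcomes."""
    return [alarm.attempt(port, ok, t) for t, port, ok in events]


# Constructed sample: rapid guessing on the telnet port, then a valid login
# attempted during the lockout and again after it has expired.
SAMPLE_EVENTS = [
    (0, "telnet", False), (1, "telnet", False), (2, "telnet", False),
    (3, "telnet", False),   # fourth failure exceeds the threshold of 3
    (4, "telnet", True),    # correct password, but the port is locked
    (5, "ssh", False),      # other ports keep their own counters
    (304, "telnet", True),  # lock set at t=3 expires at t=303
]

if __name__ == "__main__":
    alarm = InvalidAccessAlarm(threshold=3, lockout_seconds=300)
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, alarm)):
        print(event, "->", outcome)
    print("alarms:", alarm.alarms)
```

Note that during the lockout even the correct password is refused, which is what stops a guessing tool from benefiting from a lucky hit, and also means the lockout period should be chosen with legitimate administrators in mind.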

Given the powerful remote access to console port command functions provided by a console terminal server, it quickly becomes obvious that effective security is a vital element in any out-of-band management application. That’s why it’s critical to choose a console terminal server that not only provides basic password security and support for popular authentication protocols, but also provides an additional level of security by including features such as an invalid access attempt alarm with invalid access lockout capabilities.
