Ensuring Adequate Security for Console Terminal Server Applications

A console terminal server can provide network administrators with a convenient tool for out-of-band access to console port command functions on vital network elements located at remote network equipment sites. Although this capability can prove to be extremely helpful when dealing with network outages caused by malfunctioning network devices at remote sites, it can also sometimes create a bit of a worry, security-wise, due to the very nature of out-of-band management capabilities.

Security is obviously a major concern for all business network applications, so it’s important to make certain that in addition to providing out-of-band management capabilities, a good console terminal server should also provide adequate security and authentication measures in order to protect sensitive console port command functions from unauthorized access. Password protection is a good start on the road to providing secure out-of-band communication, but given the powerful command and device access capabilities provided by a console terminal server, it’s important to choose a console terminal server that also supports popular authentication protocols in order to ensure that each potential user is indeed who they claim to be.

Ideally, a secure console terminal server should support several different authentication protocols in order to provide compatibility with the needs of wide range of different users. When shopping for a console terminal server for a secure application, it’s important to look for a product that supports the LDAP, TACACS+, Kerberos and RADIUS authentication protocols, as well as other authentication options for dial-up, out-of-band communication.

Authentication for dial-up communication is often relatively difficult to find, when compared with network communication, but some console terminal server manufacturers have been able to create unique dial-up authentication protocols that are able to ensure the identity of dial-up users in a much simpler manner than is found in network communication. One good example of an effective dial-up authentication protocol is a “Callback Security” feature. When Callback Security solution is enabled, dial-up users are not granted immediate access to console port command functions after successfully entering a valid password. Instead, the console terminal server will first verify that a valid username and password have been entered, then disconnect and dial the user back at a phone number that has been predefined for the user account. In order to provide a secondary level of authentication, the user can then be prompted to re-enter their valid password upon receiving the callback from the console terminal server before being allowed to access command functions.

In most modern network applications that include off-site data centers or remote network equipment racks, console terminal servers have become so common that it’s sometimes difficult to find a remote network equipment rack that doesn’t include out-of-band management capabilities. This speaks volumes as to the power and convenience that a console terminal server can provide for out-of-band management applications, but it also underscores the importance of adequate security and authentication measures at remote network equipment installations, because hackers are well aware of the presence of console terminal servers too. With this in mind, when choosing a console terminal server solution it makes good sense to ensure that the console terminal server offers more robust security than can be provided by a username/password prompt, and goes the extra distance to provide adequate authentication support to make certain that users are actually who they claim to be.

Link to Original Content

Tags: , , , , , , , ,

Comments are closed.