Effective Security for Dial-Up Out of Band Management Applications

Security and authentication are two vital elements for any out of band management strategy. The reason for this is simple: given the powerful remote access capabilities provided by an out of band management solution, it’s extremely important that access to console port command functions on remote network elements is adequately protected from unauthorized users. While it’s relatively easy to implement effective security and authentication measures when out of band management is accessed via a secondary maintenance network connection, the task of authenticating each user can prove to be much more of a challenge when the out of band management solution is accessed via dial-up connection.

When communicating via network, there are many popular authentication protocols (such as LDAP, TACACS+, RADIUS and Kerberos) that can be employed to verify the identity of each potential user, but authentication protocols for dial-up communication are either very difficult to find or non-existent. While a secondary maintenance network might provide the ideal solution for out of band access to remote network equipment sites, dial-up communication is far more common, because a dial-up out of band management solution is generally more economical: it doesn’t require the same investment in infrastructure as out of band access via a secondary network.

Obviously, most out of band management units will at least provide username/password security for dial-up communication, but in many applications, this extremely basic security is simply not adequate to protect console port command functions from unauthorized access. This often leaves the network engineer with a difficult choice between an expensive-yet-secure secondary network based out of band management solution, or an inexpensive, yet less secure dial-up out of band management solution.

Fortunately, there are other security measures for dial-up out of band management that might not be quite as elegant as a network based authentication protocol such as Kerberos or TACACS, but still provide adequate authentication to validate the identity of each potential user.

Callback security (or dial-back security) provides just such a solution for dial-up out of band management applications. Typically, an out of band management unit that is equipped with callback security will also include a user directory, which enables administrators to define user names and passwords for each user account, and also allows the definition of a “callback number” for out of band access via dial-up. When callback security is properly configured and enabled, users who attempt to access the out of band management unit via dial-up will not be granted immediate access to console port command functions. Instead, the callback security feature will first prompt the user to enter a username and password. If a valid username and password are entered, the out of band management unit will then hang up, and call the user back at the callback number that has been previously defined for their user account. If desired, the callback security feature can also be configured to prompt the user to re-enter their username and password upon receipt of the callback, prior to allowing access to command functions.
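The sequence just described (prompt for credentials, verify them against the user directory, hang up, dial the stored callback number, and optionally re-prompt on the returned call) is easiest to see as code. The following is an added example, not code from the original article or from any vendor's out of band management product. The modem is a stand-in class that only records what the unit does with the phone line, and every account, password and callback number is constructed for the demonstration. The user directory stores salted PBKDF2 hashes rather than plaintext passwords, which the article does not require but a practitioner would expect.

```python
"""Callback (dial-back) security flow for a dial-up out of band management unit.

Added example: simulates the unit's side of the exchange. Console access is
never granted on the inbound call; it is granted only on the call the unit
itself places to the administrator-defined callback number.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; the directory never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserRecord:
    username: str
    salt: bytes
    password_hash: bytes
    callback_number: str  # set by the administrator, never by the caller


class UserDirectory:
    """The user directory an out of band unit keeps for callback security."""

    def __init__(self) -> None:
        self._users = {}

    def add_user(self, username: str, password: str, callback_number: str) -> None:
        salt = os.urandom(16)
        self._users[username] = UserRecord(
            username, salt, _hash_password(password, salt), callback_number)

    def verify(self, username: str, password: str) -> Optional[UserRecord]:
        rec = self._users.get(username)
        if rec is None:
            # Hash anyway so an unknown username does not answer faster.
            _hash_password(password, b"\x00" * 16)
            return None
        if hmac.compare_digest(rec.password_hash, _hash_password(password, rec.salt)):
            return rec
        return None


@dataclass
class SimulatedModem:
    """Stand-in for the modem: records line actions instead of dialling."""
    log: list = field(default_factory=list)

    def hang_up(self) -> None:
        self.log.append("hangup")

    def dial(self, number: str) -> bool:
        self.log.append(f"dial:{number}")
        return True  # assume the callback is answered (constructed behaviour)


class CallbackSecurity:
    def __init__(self, directory: UserDirectory, modem: SimulatedModem,
                 reauth_on_callback: bool = True) -> None:
        self.directory = directory
        self.modem = modem
        self.reauth_on_callback = reauth_on_callback

    def handle_incoming_call(self, username: str, password: str,
                             callback_credentials: Optional[Tuple[str, str]] = None) -> bool:
        """Return True only if console port command access is granted.

        callback_credentials is what the user types on the returned call when
        re-authentication on callback is enabled.
        """
        rec = self.directory.verify(username, password)
        if rec is None:
            self.modem.hang_up()
            self.modem.log.append("denied:bad-credentials")
            return False
        # Valid credentials: still no access on the inbound call.
        self.modem.hang_up()
        if not self.modem.dial(rec.callback_number):
            return False
        if self.reauth_on_callback:
            if callback_credentials is None:
                self.modem.hang_up()
                return False
            user2, pass2 = callback_credentials
            if user2 != username or self.directory.verify(user2, pass2) is None:
                self.modem.hang_up()
                self.modem.log.append("denied:callback-reauth")
                return False
        self.modem.log.append("access-granted")
        return True


def demo() -> dict:
    """Run the three interesting cases and return each modem log (constructed data)."""
    directory = UserDirectory()
    directory.add_user("netadmin", "correct horse battery", "555-0100")
    results = {}
    for name, reauth, creds, cb in (
        ("valid-with-reauth", True, ("netadmin", "correct horse battery"),
         ("netadmin", "correct horse battery")),
        ("valid-no-reauth", False, ("netadmin", "correct horse battery"), None),
        ("bad-password", True, ("netadmin", "wrong"), None),
    ):
        modem = SimulatedModem()
        granted = CallbackSecurity(directory, modem, reauth).handle_incoming_call(*creds, cb)
        results[name] = (granted, modem.log)
    return results


if __name__ == "__main__":
    for case, (granted, log) in demo().items():
        print(f"{case}: granted={granted} line={log}")
```

The property worth checking is in the modem log: a valid password alone produces `hangup` followed by `dial:555-0100`, never `access-granted` on the inbound leg, and a bad password never causes a dial at all. Whether the user is prompted again on the callback is the `reauth_on_callback` option the article mentions.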

An out of band management solution that supports callback security often provides the best solution for network administrators who need secure out of band access to console port command functions on remote network elements, yet don’t have the budget to support running a network cable all the way out to each remote network equipment site. An out of band management unit that supports callback security provides administrators with the assurance that the identity of each potential user is reasonably verified, without the expense, hassles and configuration challenges of a network based authentication solution.
