Additional Security for Dial-Up, Out-of-Band Access to Console Servers

Although there are plenty of different security and authentication options available for IP communication with a console server, security and authentication options are much more limited for those who need to establish a dial-up out-of-band connection with a console server. Popular authentication protocols such as LDAP, Kerberos and TACACS+ work fine when communicating via IP, but at present, there are few alternatives for authenticating dial-up out-of-band communication.

In most cases, the only protection available for dial-up communication with a console server is a basic username/password prompt. A password will deter casual attempts, but it is a single factor that a determined attacker has many ways around: a modem line is reachable by anyone who discovers the number (war dialing), so weak, default or reused passwords can be guessed or brute-forced at leisure, and credentials captured elsewhere can simply be replayed. Given how important dial-up, out-of-band console server access is when dealing with network problems at remote equipment sites, it is essential that dial-up access to console server command functions is properly protected from unauthorized use.

In mission critical applications, where simple password security is not adequate to protect dial-up access to console server command functions, a callback security feature (also called dial-back security) adds a second check: the caller must not only know the account's password, but must also be reachable at a phone number the administrator chose in advance. This helps ensure that each potential user is both authorized and genuine.

In most cases, the callback security function is tied to a multilevel subscriber directory, in which network administrators define an account name, password, access privileges and other information for each potential console server user. The directory also holds a callback phone number for each registered user. That number is set by the administrator, not supplied by the caller, and it is what validates the user's identity: the user gains access to console server command functions only after entering a valid username and password and then waiting for the console server to call back at the number predefined for that account.

Although this may sound somewhat complicated, operation of the callback security feature is actually very simple. When a user dials in to the console server modem, the callback security feature first prompts the user for a username and password. If a valid username and password is entered, the console server still does not grant access to command functions. Instead, it disconnects the initial phone call and then calls the user back at the callback number predetermined for the user's account; an invalid login is simply disconnected and no callback is placed. If additional verification is desired, the callback security feature can often be configured to re-prompt the user for the username and password once the callback is answered. Keep in mind what this check actually proves: that whoever answers at the administrator-chosen number has the password. It is therefore only as strong as control over that phone line, and it does not help if the callback number itself can be changed by the caller or if the line can be redirected (for example by call forwarding) to a location the attacker controls.
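The flow described in the previous two paragraphs, worked through as an added example; this is not code from the original article or from any vendor's console server firmware. The subscriber directory layout, the `FakeModem` stand-in (which records the modem actions so they can be checked), the account names, passwords and phone numbers are all constructed for illustration. The security-relevant points it makes concrete are that the callback number comes only from the directory, that a bad login hangs up without ever dialing out, and that the optional second prompt after callback must also pass before access is granted.

```python
"""Simulated dial-up callback authentication for a console server.

Added example, not code from the original article or any real product.
The subscriber directory, FakeModem and sample accounts are assumptions
constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000


@dataclass
class Subscriber:
    """One entry of the multilevel subscriber directory."""
    password_hash: bytes
    salt: bytes
    callback_number: str          # fixed by the administrator, never by the caller
    privilege: str                # e.g. "user" or "admin"
    reprompt_on_callback: bool = True


def make_subscriber(password, callback_number, privilege, reprompt=True):
    """Create a directory entry with a salted, stretched password hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return Subscriber(digest, salt, callback_number, privilege, reprompt)


def check_password(sub, password):
    """Constant-time comparison against the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), sub.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, sub.password_hash)


class FakeModem:
    """Stand-in for the console server's modem (constructed for the example).

    Records every action so the order can be verified: prompt, hang up,
    dial the directory number, optional second prompt, then grant access.
    """
    def __init__(self, answers_at):
        self.answers_at = set(answers_at)   # numbers that will pick up when dialed
        self.log = []

    def hangup(self):
        self.log.append("hangup")

    def dial(self, number):
        self.log.append(f"dial:{number}")
        return number in self.answers_at


def callback_login(directory, modem, inbound_creds, outbound_creds=None):
    """Run the callback flow: authenticate, hang up, dial back, re-check.

    inbound_creds:  (username, password) typed during the initial call.
    outbound_creds: (username, password) typed after the callback; only
                    consulted when the account requires re-prompting.
    Note that the caller never gets to supply a phone number.
    Returns the account's privilege level on success, or None on denial.
    """
    username, password = inbound_creds
    modem.log.append("prompt")
    sub = directory.get(username)
    # Unknown user or bad password: hang up and never dial anything.
    if sub is None or not check_password(sub, password):
        modem.hangup()
        return None
    # Valid credentials do NOT grant access yet: drop the inbound call and
    # call back the number stored in the directory for this account.
    modem.hangup()
    if not modem.dial(sub.callback_number):
        return None                          # nobody answered at the trusted number
    if sub.reprompt_on_callback:
        modem.log.append("prompt")
        if outbound_creds is None:
            modem.hangup()
            return None
        user2, pass2 = outbound_creds
        if user2 != username or not check_password(sub, pass2):
            modem.hangup()
            return None
    modem.log.append("access-granted")
    return sub.privilege


# Constructed sample directory: two accounts with administrator-set numbers.
DIRECTORY = {
    "netops": make_subscriber("c0rrect-horse", "+15555550101", "admin"),
    "vendor": make_subscriber("field-svc", "+15555550199", "user", reprompt=False),
}


if __name__ == "__main__":
    modem = FakeModem(answers_at=["+15555550101"])
    print(callback_login(DIRECTORY, modem, ("netops", "c0rrect-horse"),
                         ("netops", "c0rrect-horse")))
    print(modem.log)
```

The `answers_at` set on `FakeModem` models who actually picks up when the console server dials out. An attacker who knows the `netops` password but is not sitting at +1 555 555 0101 gets the first hang-up and then nothing: the modem dials the directory number, the attacker's line is never called, and access is denied.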

When network communication with a remote equipment site is unavailable, a dial-up out-of-band connection is often the only way to reach console server command functions at that site and restore network communication without a costly, time-consuming service call. Out-of-band management can therefore cut the expense of service calls and minimize network downtime, but a console server that offers modem access presents a different set of security and authentication challenges than IP access does, because the protocols normally relied on for IP authentication are not available on the modem line. When setting up a console server application that supports dial-up out-of-band access, remember that a simple password prompt is often not adequate security for an important network application, and that an alternative such as a callback security feature is usually needed to make certain that access to console server command functions is adequately protected from unauthorized use.
