The Case for Secure Out of Band Management
Secure Out of Band Management:
Using a secondary network, independent of the primary network, to manage remote devices: in particular, reaching those devices when the primary network is down, or when a device has lost its network configuration and can no longer be reached in band. Examples of a secondary network include analog telco (dial-up) circuits or a cellular GPRS network.
Out of band management needs to be addressed by any network architect designing a geographically distributed network that has any level of importance to its owner. It also needs to be addressed by the group that will operate that network, together with the Service Level Agreement they are expected to meet. Secure out of band management must be designed into the network from the beginning, not bolted on later as an afterthought. Too often it is only addressed after a remote outage has already cost more than the initial investment would have.
Small problems become very large when they occur at network edge points far from NOC-based engineers. An example is the U.S. FAA pilot flight plan submission system. This nationwide system was knocked out because a router in Colorado lost its IP address. The router was at a site with no out of band mechanism and no engineers on hand, and its failure shut the system down. An engineer had to be dispatched to correct the problem. That took over four hours and grounded thousands of flights and far more passengers. A simple out of band management device at that location would have allowed the fix in minutes rather than hours.
Denial of service attacks render sites useless, and stopping one often means taking the site down. The site cannot be reached over the network because its links are flooded with traffic. A dial-up or cellular GPRS out of band connection to the console still works, so a NOC engineer can reach the equipment, shut down the affected interface or bring the site down gracefully, rather than having someone on site pull the plug.
Consider the rollout of a complex network. Do you want to dispatch a highly paid engineer to each site to install, configure, and stand up the equipment? It is more cost effective to ship a dial-up out of band device with the rollout so that a NOC-based engineer can dial into the site once the equipment is cabled up and configure it over the telco circuit. The WAN circuit can then be brought up while the NOC engineer is still connected, and the engineer can confirm that everything is configured and tested as the site comes on line. The NOC engineer moves on to the next turn-up, and the out of band equipment stays in place, ready for the issues that usually appear in the first weeks after a network is turned up.
NOC engineers can connect over the dial circuit, the cellular GPRS network, or the WAN if it is available. This gets the highest level of expertise to the site immediately at turn-up, at far lower cost than putting an expert at each site. It also ensures the site has been turned up according to the NOC team's configuration, since the NOC team performed the work, and the result can be signed off by a team leader as the site comes on line.
Third party vendor access is another area where out of band management is useful. Some network owners let their vendors VPN straight into the production network to manage or service their equipment. That is a serious security exposure: the vendor now has routable reach into your network, not just to the equipment they support. With out of band management devices you can restrict vendors to the serial console port of their own equipment and nothing else. The vendor can reach the console server over the network, over a dial-up circuit, or over a cellular GPRS network, but in every case the path should run through the network NOC and then out through the out of band management system, so that vendor sessions are authenticated and logged centrally and never touch the production LAN directly.
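One way to implement that "serial console only" restriction on the jump host that fronts the console ports, as an added example that is not CDI's product and is not part of the original article: an OpenSSH authorized_keys entry pins each vendor's key to a forced command, and the forced command maps the vendor to exactly one console port. The vendor ids (acme, globex), the device names and speeds, the wrapper path /usr/local/sbin/vendor-console, the source address range and the use of picocom as the terminal program are all assumptions made for illustration.

```shell
#!/bin/sh
# vendor-console: hypothetical forced-command wrapper for a console/jump host.
# Added example, not CDI's code. Each third-party vendor key is pinned to one
# serial console port; the vendor never gets a shell or an IP path onto the LAN.
#
# Pair it with an authorized_keys line like the one below (OpenSSH 7.2+ for
# "restrict", which disables port forwarding, agent forwarding and X11; "pty"
# re-enables the terminal the serial session needs). Key and source range are
# placeholders:
#
#   restrict,pty,from="203.0.113.0/24",command="/usr/local/sbin/vendor-console acme" ssh-ed25519 AAAA... acme-support

# Allowlist of vendor id -> "device speed". Constructed sample data; in a real
# deployment this maps each vendor to the port its own equipment is cabled to.
console_port_for() {
    case "$1" in
        acme)   echo "/dev/ttyS1 9600" ;;
        globex) echo "/dev/ttyS2 115200" ;;
        *)      return 1 ;;
    esac
}

# Build the exact command the session will run. Whatever the vendor typed in
# $SSH_ORIGINAL_COMMAND is ignored: the key grants a console, not a shell.
build_session_cmd() {
    spec=$(console_port_for "$1") || return 1
    set -- $spec            # $1=device $2=speed (function-local positionals)
    echo "picocom -b $2 $1"
}

# Entry point: only acts when sshd invokes this as a forced command for a vendor.
if [ -n "$SSH_CONNECTION" ] && [ $# -eq 1 ]; then
    client=${SSH_CONNECTION%% *}    # first field of SSH_CONNECTION is the client IP
    cmd=$(build_session_cmd "$1") || {
        logger -t vendor-console "denied: unknown vendor '$1' from $client"
        exit 1
    }
    logger -t vendor-console "vendor '$1' from $client -> $cmd (requested: '${SSH_ORIGINAL_COMMAND:-none}')"
    exec $cmd
fi
```

With this in place a stolen or misused vendor credential yields at most a serial session on one device, which is still a privileged position on that device, so the console server itself belongs behind the NOC path the article describes, and the logger lines should feed the same central log as the rest of the out of band system.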
CDI has designed a system to meet the challenges of today's network operations engineer: 24×7 access to remote sites regardless of the status of the network or the equipment. CDI's system uses government certified security to protect vital assets from compromise by outsiders, whether foreign, domestic, government, or corporate. Your network is safe and ready to operate for your users.