Can You Trust Public Internet For OOB?
Today’s private MPLS networks are widely used for corporate connectivity throughout the world. The private MPLS network provides a reliable and secure option for corporations to move data as well as access the public internet.
Managing the global MPLS network can be challenging when things go awry. If your remote MPLS router loses its configuration or becomes inaccessible over the MPLS, how do you fix it?
This is typically done with an out-of-band (OOB) device such as a dial modem. Sourcing, maintaining, and paying for a local analog dial circuit can be challenging in itself. Another option is a cellular data connection, which can be extremely cost effective as long as you have signal. Where there is little or no cellular signal, a good alternative is a public static IP address used to reach an OOB appliance. The OOB appliance then connects to the console port on the MPLS appliance(s).
The challenge with this approach is obvious: you cannot trust the internet unless you are using CDI products with two-factor authentication and encryption “baked in”. No third-party services are needed; the built-in two-factor authentication and encryption stop outside access dead.
You spent the time and treasure to implement a private MPLS network, and now you are connecting an OOB appliance to the public internet? Are you crazy? Any security you implement on the OOB appliance would have to trust the internet, which is an untrusted network, and that is a security policy violation. Unless, that is, the OOB appliance has its own high-level encrypted security “baked in”.
CDI implements a two-factor cryptographic authentication approach which guarantees you are in control of access to your OOB devices over the internet and that no one else can compromise your network. The devices do not rely on any network for security; it is “baked in”, and access requires a “head end” device.
The CDI remote OOB appliance requires a properly keyed CDI device at the “head end” to gain access. IP filtering can also be implemented to further narrow the access source. The remote device will only open a connection from a properly identified and keyed CDI device at the head end. This stops bad actors from attempting direct access to your OOB appliance from anywhere in the world: without coming through the protected “head end”, they are dead in their tracks. It also satisfies the requirement for a second OOB access method, which here is the public internet rather than the MPLS network. This implementation is inexpensive and readily available, and it can be easily deployed on customer networks, as spare public IP addresses are typically available for use.
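The access policy described above, as an added illustration rather than CDI's own code: the OOB appliance only opens a console session when the source address is on the head-end allowlist and the peer proves possession of the shared key. CDI's actual keying and encryption scheme is not described on this page, so the HMAC-SHA256 challenge/response below is an assumption standing in for it; the head-end IP and the key are constructed sample values.

```python
# Added illustration, not CDI's code: an OOB appliance gate that opens a
# console session only if (1) the source IP is on the head-end allowlist
# and (2) the peer answers a fresh challenge with the correct HMAC under
# a pre-shared key. The HMAC scheme is an assumption; CDI's real
# proprietary keying is not described on the page.
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample values: the head end's public IP and a placeholder key.
HEAD_END_ALLOWLIST = [ipaddress.ip_network("203.0.113.10/32")]
PRESHARED_KEY = bytes.fromhex("00" * 32)  # placeholder, constructed


def source_permitted(src_ip: str, allowlist=HEAD_END_ALLOWLIST) -> bool:
    """IP filtering step: anything not coming from the head end is dropped."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowlist)


def make_challenge() -> bytes:
    """Fresh random nonce per attempt so a captured response cannot be replayed."""
    return secrets.token_bytes(32)


def head_end_response(key: bytes, challenge: bytes) -> bytes:
    """What a properly keyed head end returns: HMAC-SHA256 over the nonce."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def response_valid(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Constant-time comparison so timing does not leak key material."""
    expected = head_end_response(key, challenge)
    return hmac.compare_digest(expected, response)


def admit(src_ip: str, challenge: bytes, response: bytes,
          key: bytes = PRESHARED_KEY, allowlist=HEAD_END_ALLOWLIST):
    """Return (open_console, reason). Both factors must pass, IP filter first."""
    if not source_permitted(src_ip, allowlist):
        return False, "source IP not on head-end allowlist"
    if not response_valid(key, challenge, response):
        return False, "head-end key verification failed"
    return True, "console session opened"


if __name__ == "__main__":
    # Legitimate head end: correct source IP and correct key.
    nonce = make_challenge()
    print(admit("203.0.113.10", nonce, head_end_response(PRESHARED_KEY, nonce)))
    # Arbitrary internet host: rejected by the IP filter before any crypto runs.
    print(admit("198.51.100.7", nonce, head_end_response(PRESHARED_KEY, nonce)))
    # Correct IP but wrong key: rejected by the second factor.
    print(admit("203.0.113.10", nonce, head_end_response(b"wrong-key", nonce)))
```

The order matters in practice: the IP filter is cheap and runs first, so unsolicited traffic from the rest of the internet never reaches the key check, and a fresh nonce per attempt means a recorded exchange is useless for a replay.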
If there is a good cell signal present, the cellular network can be a cost-effective and reliable solution as well. The cell network acts as a separate IP network with an “always on” connection. The circuit is only billed when data is moving, so costs are kept low (about $10-$15 per month depending on the country).
Either way, CDI has you in control of the security, not the untrusted network.