Xceedium Xio Framework: Securing Remote Out-of-band Access

Transcription

1 Xceedium Xio Framework: Securing Remote Out-of-band Access 1 Common Scenario A major corporation, with many domestic and international offices, has a massive network infrastructure that spans across many regions, such as America, Europe, and Asia/Pacific. For each of its numerous server rooms, redundant data centers, disaster recovery sites, and some co-location facilities found throughout the world, the company has, over time, deployed 100s of terminal server devices (a conservative estimate) to enable out-of-band access for administration and maintenance purpose. The terminal servers are for their network and telecommunication equipments, as well as many UNIX servers. For their Intel-based server environment, numerous KVM switches have also been deployed to allow access to multiple servers by the sharing of keyboard, video, and mouse (KVM). Typically, a terminal server (sometime also known as a console device) has a network interface and several serial ports. Each serial port is for connecting to the console port commonly found on network and UNIX-based devices. The console port on each device is intended for allowing access to the device without relying on the network interface on the device. For Intel servers connected to a KVM switch, the system administrator is physically working in front of the KVM. These are two common methods of outof-band console access. Securing Terminal Server Access Network engineers and UNIX administrators traditionally access via the out-of-band method by establishing a Telnet session from a desktop to the particular terminal server that has a serial connection to the console port on the backend device. Figure 1 illustrates a typical out-of-band configuration. Figure 1: Standard Out-of-Band Implementation

2 Known Issues 2 As showed in Figure 1, this type of setup has several known security concerns and limitations: 1. The Telnet session over the network, which is a clear text stream, can be easily snooped by anyone on the network with minimal effort. Information such as login account and password entered during the session can be discovered over the wire. This issue is particularly significant to the security infrastructure, where network and firewall devices have to be guarded against both external and internal users. 2. The terminal server devices are generally connected to the corporate backbone, which can be accessed by anyone on the network. One major issue concerning unauthorized access is that most legacy terminal server devices do not support per-port authentication. This means that if the IP address of a terminal server is known, then someone on the network can attempt to access the back-end devices connected to the terminal server by issue the following command: telnet ip_of_terminalserver port, where port is a number associated to the serial port number on the terminal server. In some cases, when the console of the back-end device is open, the unauthorized person can gain access to the device with the highest level of access right. 3. Telnet is generally blocked by the corporate firewall so off-site engineers are not allowed to gain access to the terminal servers over the Internet. Remote access into the private network by offsite engineers must rely on either a VPN or a dial-in facility. 4. Auditing of all out-of-band access sessions from anywhere to anywhere by anyone is an impossible task. Solutions Proven Ineffective To address these age-old issues, a new breed of terminal server device has emerged from various vendors. The new generation terminal server is basically a legacy terminal server with Telnet being replaced by the Secure Shell (SSH) or another form of built-in encrypted access. This new capability protects the transmission over the network by encrypting the session between the authorized user and the connected terminal server. Figure 2: Replacing Legacy with New SSH-enabled Terminal Servers Note: 1. Encrypted session prevents snooping. 2. SSH-enabled terminal server devices can still be reachable by anyone on the network.

3 As illustrated in Figure 2, the encrypted connection between the authorized user and the new terminal server device is protected. Therefore, security vulnerability associated with network snooping is resolved. However, because the new terminal servers are still connected to the corporate network, unauthorized access attempts can still occur simply by using a SSH client installed on a workstation residing somewhere on the network. One major issue pertaining to this solution is costs. In order to adopt this type of solution, the company has to purchase 100s of the new generation terminal servers, which can be as much as $3000 for each unit. Furthermore, previous investment on the existing 100s of legacy terminal servers is immediately lost. As such, this solution becomes economically ineffectively. Another potential issue is the amount of manual labor required to perform the terminal server replacements. As each terminal server generally connects to at least 8 backend devices, rewriting and reconfiguring 100s of new devices may necessitate a dedicated effort as well as possible service outage due to hardware downtime. Other issues exist with this solution. Such as: No Centralized Access Management for all out-of-band access. Can not easily establishing a Policy-based Access Control to differentiate authorized users. Limited expandability to include non-serial out-of-band access methods, such as kvm-over-ip and remote power control. Lack of integrated access control to incorporate other methods of access. Due to the high costs and labor intensiveness of this solution, very few companies have adopted it today. 3 Xio UAG Enhances Legacy Terminal Servers Xceedium s Xio UAG can be easily applied in this scenario to completely eliminate the need to replace the existing terminal servers. Furthermore, the resulting benefit can be extended beyond securing console access for network devices and various UNIX servers. Figure 3 illustrates the simplicity of utilizing the Xio UAG as a gateway for controlling access, and the flexibility it offers for future extension of control. Figure 3: Xio UAG secures and web-enables all existing terminal servers with centralized control

4 In Figure 3, the Xio UAG can be setup to use its 1 st network interface to connect to the corporate network; and the 2 nd network interface is used to create a dedicated out-of-band network segment where all terminal servers are attached. This isolated network can not be accessed by anyone without going through the Xio UAG, and only authorized users can access the Xio UAG. This method of implementation offers a number of benefits: 1. No need to replace the 100s of legacy terminal servers. This eliminates the high cost of purchasing new terminal servers with built-in encryption. This also eliminates the need to rewire cables between the terminal servers and the backend devices. 2. Each authorized user for out-of-band access is registered with the Xio UAG. Xio UAG s user profiling enables the company to establish a policy-based control for all serial out-of-band access. 3. All terminal servers, backend devices, user profiles, and access policy are centrally managed. 4. Authorized sessions are protected by a 128bit encryption between the user and the Xio UAG. Snooping is effectively eliminated. 5. Xio UAG supports Radius so token security can be used to enhance access control for mission critical computing environments, internally. 4 Xio UAG Enhances Legacy KVM Switches Leveraging the Xio UAG, along with the dedicated out-of-band network created for complete control of remote out-of-band access for terminal servers, the company can now effortlessly extend its access control to include remote KVM console access for all the Intel servers. Working in conjunction with one of Xceedium s add-on options, a KVM-over-IP module, the company s legacy KVM switches can be accessed over the network. Figure 4 illustrated how KVM out-of-band can be incorporated into the Xio framework. Figure 4: Extending Xio UAG to centrally manage all remote out-of-band access Each KVM-over-IP module supports one legacy KVM switch, which may be shared by 8,16,24,32 or more Intel servers (depending on the capability of the existing legacy KVM switch). This module takes advantage of the central access management framework provided by the Xio UAG already deployed. The follow benefits are immediate attainable with such a simple extension of the Xio UAG s capability: 1. KVM console can be access remotely using a browser. There is no more distance restriction. 2. The KVM console sessions are immediately protected by the Xio UAG s security framework: policy-based access, central management, user profiling, encrypted data transmission, and session auditing. 3. A local KVM port is available on the module for connecting a monitor, keyboard, and mouse. 4. KVM access becomes an integral part of the company s new secure out-of-band infrastructure.

5 Xio UAG Controlling Remote Power Access 5 Additional add-on power control options can further the company s centralized management of remote access security. Figure 5 illustrates the ease of incorporating remote power control into the existing Xio framework. Figure 5: Extending Xio UAG to centrally manage all remote power control There are a variety of add-on power modules available to meet different setup requirements. The Xio UAG supports Xceedium-brand power modules as well as some 3 rd -party network-enabled power management products. Remote power control access is managed by the same security policy defined in the Xio UAG. The Complete Xio Secure Out-of-Band Access Framework With the Xio framework in place for LAN-based remote out-of-band access, centralized management can accommodate for all external use. By utilizing the 3 rd network interface on the Xio UAG, the company can safely extend its secure out-of-band access framework to facilitate many remote applications. Figure 6 illustrates the complete Xio framework for all remote out-of-band access and power management. Incoming sessions, originated from either the Internet or Extranet, from authorized users (such as vendor support engineers or mobile IT resources) are secured without requiring a VPN setup or a dedicated dialin facility. The Xio UAG supports Radius for token security as well as provides for multi-level authentications. Combining the user profiling and policy-based access control, authenticated remote users can only access specific IT devices via the specific allowed access methods defined in the profile. This type of remote access provisioning is more suitable for non-trusted user than a VPN solution. WAN applications include remote IT administration and troubleshooting. Xio UAG enables engineers to respond to remote IT issues in real time, thereby eliminating travel time and associated expenses. Colocated IT facilities can be fully accessed for remote IT administration by the company s in-house engineers. This eliminates the dependency on the providers potentially limited technical capability. Beyond the Out-of-Band Access While this documentation introduces the Xio framework specific to seizing full control of all remote out-ofband access, the Xio UAG can fully support virtually all known in-band access methods such as graphical sessions in X, Windows, and Mac; and text-based sessions by Telnet, SSH, and Informational

6 documents are available for implementing the Xio framework solution for all in-band and out-of-band access management. Please check our website for additional detail: 6 Figure 6: The Complete Xio Secure Out-of-Band Access Framework Implementation

7 APPENDIX A: Practical choke point Application for SAN environment 7 A typical SAN infrastructure can be secured by creating an access choke point to enforce security and manage access control. The follow simplified diagram illustrates the vulnerability within the SAN infrastructure and how it can be addressed using the Xio framework. Figure 7: Securing administrative access to all SAN components

8 APPENDIX B: Practical choke point Application for Enterprise Access Control 8 An enterprise implementation of the Xio framework would require the Management Console (MC) unit to centrally manage users, devices, and access policies. Additionally, the MC provides a central repository for logs from all managed Xio UAG devices. The MC offers enterprises the ability to deploy n-active Xio UAG devices without the limitation generally found in active-passive pair configuration architecture. Figure 8: Securing administrative access to all SAN components