Xceedium Xio Framework: Securing Remote Out-of-band Access

Common Scenario

A major corporation with many domestic and international offices has a massive network infrastructure spanning regions such as the Americas, Europe, and Asia/Pacific. For each of its numerous server rooms, redundant data centers, disaster recovery sites, and co-location facilities around the world, the company has, over time, deployed hundreds of terminal server devices (a conservative estimate) to enable out-of-band access for administration and maintenance. The terminal servers serve its network and telecommunications equipment as well as many UNIX servers. For its Intel-based server environment, numerous KVM switches have also been deployed so that multiple servers can be reached through one shared keyboard, video, and mouse (KVM).

Typically, a terminal server (sometimes also called a console server) has a network interface and several serial ports. Each serial port connects to the console port commonly found on network devices and UNIX systems. The console port is intended to give access to the device without relying on the device's own network interface. For Intel servers connected to a KVM switch, the system administrator works physically in front of the KVM. These are the two common methods of out-of-band console access.

Securing Terminal Server Access

Network engineers and UNIX administrators traditionally use the out-of-band path by establishing a Telnet session from a desktop to the particular terminal server that has a serial connection to the console port of the back-end device. Figure 1 illustrates a typical out-of-band configuration.

Figure 1: Standard Out-of-Band Implementation

Known Issues

As shown in Figure 1, this type of setup has several known security concerns and limitations:

1. The Telnet session over the network is a cleartext stream that anyone on the network path can snoop with minimal effort. Information such as the login account and password entered during the session can be read straight off the wire. This is particularly significant for the security infrastructure itself, where network and firewall devices have to be guarded against both external and internal users.

2. The terminal server devices are generally connected to the corporate backbone, which anyone on the network can reach. A major unauthorized-access concern is that most legacy terminal server devices do not support per-port authentication. This means that if the IP address of a terminal server is known, anyone on the network can attempt to reach the back-end devices connected to it by issuing the command telnet ip_of_terminalserver port, where port is the TCP port number the terminal server maps to a given serial port. In some cases, when the console of the back-end device has been left logged in, the unauthorized person gains access to the device at its highest privilege level.

3. Telnet is generally blocked by the corporate firewall, so off-site engineers cannot reach the terminal servers over the Internet. Remote access into the private network by off-site engineers must rely on either a VPN or a dial-in facility.

4. Auditing every out-of-band access session, from anywhere to anywhere by anyone, is practically impossible with this setup.

Solutions Proven Ineffective

To address these age-old issues, a new breed of terminal server device has emerged from various vendors. The new-generation terminal server is essentially a legacy terminal server with Telnet replaced by Secure Shell (SSH) or another form of built-in encrypted access. This new capability protects the transmission over the network by encrypting the session between the authorized user and the connected terminal server.

Figure 2: Replacing Legacy with New SSH-enabled Terminal Servers

Note:
1. The encrypted session prevents snooping.
2. SSH-enabled terminal server devices are still reachable by anyone on the network.
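To make issues 1 and 2 of the Known Issues list concrete, here is an added example that is not part of the original paper. It reconstructs what a sniffer on the network recovers from a captured Telnet console session, and classifies what a reverse-Telnet port on a legacy terminal server hands to a connection that has not authenticated. The capture bytes, hostnames and credentials are constructed for the example; the prompt conventions it assumes (a trailing '>' for an unprivileged prompt and '#' for privileged exec or a root shell, as on IOS-style devices and UNIX consoles) are an assumption, not something the paper states.

```python
"""Added example (not from the original paper): what a cleartext Telnet console
session leaks to a sniffer, and what a reverse-Telnet port on a legacy terminal
server reveals to an unauthenticated connection.

All byte strings, hostnames and credentials below are constructed for the example.
"""
import re

# Telnet command bytes from RFC 854.
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Return the payload of a Telnet stream with IAC option negotiation removed.

    Negotiation is the only framing Telnet has; once it is skipped, what is left
    is exactly the keystrokes (client side) or terminal output (server side).
    """
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= n:
            break                                   # capture truncated inside an IAC
        elif data[i + 1] == IAC:
            out.append(IAC)                         # IAC IAC is an escaped 0xFF data byte
            i += 2
        elif data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                                  # IAC <verb> <option>
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)  # subnegotiation runs to IAC SE
            i = n if end < 0 else end + 2
        else:
            i += 2                                  # other two-byte command (NOP, AYT, ...)
    return bytes(out)


def _typed_lines(payload: bytes) -> list:
    text = payload.decode("ascii", "replace").replace("\r\n", "\n").replace("\r", "\n")
    return [ln for ln in text.split("\n") if ln.strip()]


def recover_login(client_to_server: bytes, server_to_client: bytes) -> dict:
    """Pair each 'Something:' prompt the server displayed with the client's reply.

    The server never echoes the password, so it is only visible in the client
    direction; a sniffer therefore needs both halves of the TCP conversation.
    """
    shown = strip_telnet_negotiation(server_to_client).decode("ascii", "replace")
    prompts = re.findall(r"(\w+):", shown)
    answers = _typed_lines(strip_telnet_negotiation(client_to_server))
    return {prompt.lower(): answer for prompt, answer in zip(prompts, answers)}


def classify_console(banner: bytes) -> str:
    """Classify what a terminal server serial port hands out before any authentication.

    Assumed prompt conventions: a trailing 'login:'/'Username:'/'Password:' means
    the console is still locked; '#' is privileged exec or a root shell; '>' or
    '$' is an unprivileged prompt.
    """
    text = strip_telnet_negotiation(banner).decode("ascii", "replace").rstrip()
    last = text.splitlines()[-1].strip() if text else ""
    if re.search(r"(login|username|password)\s*:$", last, re.IGNORECASE):
        return "login-required"
    if last.endswith("#"):
        return "open-privileged"      # issue 2 of the paper: full access, no authentication
    if last.endswith(">") or last.endswith("$"):
        return "open-unprivileged"
    return "unknown"


# Constructed capture of one console session through a legacy terminal server.
CLIENT_TO_SERVER = (
    bytes([IAC, DO, 1, IAC, WILL, 24])                       # accept ECHO, offer TERMINAL-TYPE
    + bytes([IAC, SB, 24, 0]) + b"VT100" + bytes([IAC, SE])  # TERMINAL-TYPE IS "VT100"
    + b"admin\r\ns3cret-pw\r\nshow running-config\r\n"
)
SERVER_TO_CLIENT = (
    bytes([IAC, WILL, 1, IAC, DO, 24])
    + b"\r\nUser Access Verification\r\n\r\nUsername: admin\r\nPassword: \r\ncore-rtr-01#"
)
# Constructed banners from two reverse-Telnet ports: one still at the login prompt,
# one whose console was left in privileged mode by the last administrator.
LOCKED_BANNER = bytes([IAC, WILL, 1]) + b"\r\nUser Access Verification\r\n\r\nUsername: "
OPEN_BANNER = b"\r\nedge-fw-02# "

if __name__ == "__main__":
    print("recovered from the wire:", recover_login(CLIENT_TO_SERVER, SERVER_TO_CLIENT))
    for port, banner in ((2003, LOCKED_BANNER), (2004, OPEN_BANNER)):
        print(f"serial port via TCP {port}: {classify_console(banner)}")
```

Run as a script it prints the recovered username/password pair and the two port classifications. On a real capture the two byte strings would be the reassembled client-to-server and server-to-client TCP payloads of the session; the point of the second function is that a port sweep of a terminal server, with no credentials at all, tells an attacker which back-end consoles were left open.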

As illustrated in Figure 2, the encrypted connection between the authorized user and the new terminal server device is protected, so the vulnerability associated with network snooping is resolved. However, because the new terminal servers are still connected to the corporate network, unauthorized access attempts can still be made simply by using an SSH client installed on any workstation on that network. Encryption protects the session; it does nothing to restrict who may open one.

One major issue with this solution is cost. To adopt it, the company has to purchase hundreds of the new-generation terminal servers, which can cost as much as $3,000 per unit. Furthermore, the previous investment in the existing hundreds of legacy terminal servers is immediately lost. As a result, this solution is economically ineffective.

Another potential issue is the amount of manual labor required to perform the terminal server replacements. Because each terminal server generally connects to at least 8 back-end devices, rewiring and reconfiguring hundreds of new devices may require a dedicated effort as well as possible service outages due to hardware downtime.

Other issues exist with this solution, such as:

- No centralized access management for all out-of-band access.
- No easy way to establish policy-based access control that differentiates authorized users.
- Limited expandability to non-serial out-of-band access methods such as KVM-over-IP and remote power control.
- Lack of integrated access control incorporating other methods of access.

Due to the high cost and labor intensiveness of this solution, very few companies have adopted it today.

Xio UAG Enhances Legacy Terminal Servers

Xceedium's Xio UAG can be applied in this scenario to eliminate entirely the need to replace the existing terminal servers. Furthermore, the resulting benefit can be extended beyond securing console access for network devices and UNIX servers.
Figure 3 illustrates the simplicity of using the Xio UAG as a gateway for controlling access, and the flexibility it offers for future extension of that control.

Figure 3: Xio UAG secures and web-enables all existing terminal servers with centralized control

In Figure 3, the Xio UAG is set up to use its first network interface to connect to the corporate network, while its second network interface creates a dedicated out-of-band network segment to which all terminal servers are attached. This isolated network cannot be reached by anyone without going through the Xio UAG, and only authorized users can access the Xio UAG. The isolation holds only as long as the terminal servers have no other path to the corporate network (a second network interface, a default route through another router, or a dial-in modem), so the dedicated segment should be verified rather than assumed. This method of implementation offers a number of benefits:

1. No need to replace the hundreds of legacy terminal servers. This eliminates the high cost of purchasing new terminal servers with built-in encryption, and also eliminates the need to rewire cables between the terminal servers and the back-end devices.

2. Each user authorized for out-of-band access is registered with the Xio UAG. Xio UAG's user profiling enables the company to establish policy-based control for all serial out-of-band access.

3. All terminal servers, back-end devices, user profiles, and access policies are centrally managed.

4. Authorized sessions are protected by 128-bit encryption between the user and the Xio UAG. Snooping is effectively eliminated. The legacy Telnet leg between the Xio UAG and the terminal server remains cleartext; it is protected by the isolated segment, not by encryption.

5. Xio UAG supports RADIUS, so token-based security can be used to strengthen access control for mission-critical computing environments internally.

Xio UAG Enhances Legacy KVM Switches

Leveraging the Xio UAG, along with the dedicated out-of-band network created for complete control of remote out-of-band access to terminal servers, the company can now extend its access control to include remote KVM console access for all the Intel servers. Working in conjunction with one of Xceedium's add-on options, a KVM-over-IP module, the company's legacy KVM switches can be accessed over the network. Figure 4 illustrates how KVM out-of-band access is incorporated into the Xio framework.
Figure 4: Extending Xio UAG to centrally manage all remote out-of-band access

Each KVM-over-IP module supports one legacy KVM switch, which may be shared by 8, 16, 24, 32 or more Intel servers (depending on the capability of the existing legacy KVM switch). The module takes advantage of the central access management framework provided by the Xio UAG already deployed. The following benefits are immediately attainable with this simple extension of the Xio UAG's capability:

1. The KVM console can be accessed remotely using a browser. There is no longer a distance restriction.

2. The KVM console sessions are immediately protected by the Xio UAG's security framework: policy-based access, central management, user profiling, encrypted data transmission, and session auditing.

3. A local KVM port is available on the module for connecting a monitor, keyboard, and mouse.

4. KVM access becomes an integral part of the company's new secure out-of-band infrastructure.

Xio UAG Controlling Remote Power Access

Additional add-on power control options can further the company's centralized management of remote access security. Figure 5 illustrates the ease of incorporating remote power control into the existing Xio framework.

Figure 5: Extending Xio UAG to centrally manage all remote power control

A variety of add-on power modules are available to meet different setup requirements. The Xio UAG supports Xceedium-brand power modules as well as some third-party network-enabled power management products. Remote power control access is governed by the same security policy defined in the Xio UAG.

The Complete Xio Secure Out-of-Band Access Framework

With the Xio framework in place for LAN-based remote out-of-band access, centralized management can also accommodate all external use. By utilizing the third network interface on the Xio UAG, the company can safely extend its secure out-of-band access framework to many remote applications. Figure 6 illustrates the complete Xio framework for all remote out-of-band access and power management. Incoming sessions originating from either the Internet or an extranet, from authorized users such as vendor support engineers or mobile IT staff, are secured without requiring a VPN setup or a dedicated dial-in facility. The Xio UAG supports RADIUS for token-based security and provides multi-level authentication. Combining user profiling with policy-based access control, authenticated remote users can only reach the specific IT devices, via the specific access methods, defined in their profile. This type of remote access provisioning is more suitable for less-trusted users than a VPN solution, which places the remote host on the network rather than brokering access to named devices. WAN applications include remote IT administration and troubleshooting. The Xio UAG enables engineers to respond to remote IT issues in real time, eliminating travel time and associated expenses.
Co-located IT facilities can be fully administered remotely by the company's in-house engineers. This eliminates dependency on the provider's potentially limited technical capability.

Beyond Out-of-Band Access

While this document introduces the Xio framework specifically for taking full control of all remote out-of-band access, the Xio UAG also supports virtually all common in-band access methods, such as graphical sessions in X, Windows, and Mac, and text-based sessions over Telnet, SSH, and 3270. Informational documents are available for implementing the Xio framework for all in-band and out-of-band access management. Please check our website for additional detail: http://www.xceedium.com.

Figure 6: The Complete Xio Secure Out-of-Band Access Framework Implementation
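As an added example, not Xceedium's code, here is the shape of the deny-by-default policy decision that a choke-point gateway of the kind described above (the benefits list for the Xio UAG, and the remote users restricted to the devices and access methods in their profile) makes before it opens a session to a terminal server port, KVM module or power controller, together with the audit record each decision produces so that every attempt lands in one central log. The profile format, rule fields, device names, source networks and user names are all hypothetical; the paper does not describe the Xio UAG's real policy language.

```python
"""Added example (not Xceedium's code): deny-by-default, policy-based access
decisions for an out-of-band access gateway, with one audit record per decision.

The profile format, rule fields, device names, networks and users below are
hypothetical; the paper does not describe the Xio UAG's real policy language.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import fnmatch
import ipaddress

# The access methods the gateway brokers: serial console, KVM-over-IP, power control.
METHODS = frozenset({"serial", "kvm", "power"})


@dataclass(frozen=True)
class Rule:
    devices: str                 # glob over device names, e.g. "apac-*" or "san-switch-*"
    methods: frozenset           # subset of METHODS this rule permits
    from_nets: tuple = ()        # source networks allowed (CIDR strings); empty = any source
    mfa_required: bool = False   # e.g. a RADIUS token challenge must have succeeded


@dataclass
class Profile:
    user: str
    rules: list = field(default_factory=list)   # no rules at all means nothing is allowed


@dataclass(frozen=True)
class Request:
    user: str
    device: str
    method: str
    source_ip: str
    mfa_passed: bool = False


def decide(profile: Profile, req: Request) -> tuple:
    """Return (allowed, reason). Access is denied unless a rule explicitly grants it."""
    if profile.user != req.user:
        return False, "profile does not belong to the requesting user"
    if req.method not in METHODS:
        return False, f"unknown access method {req.method!r}"
    src = ipaddress.ip_address(req.source_ip)
    for rule in profile.rules:
        if not fnmatch.fnmatchcase(req.device, rule.devices):
            continue
        if req.method not in rule.methods:
            continue
        if rule.from_nets and not any(src in ipaddress.ip_network(n) for n in rule.from_nets):
            continue
        if rule.mfa_required and not req.mfa_passed:
            # A matching rule that is short a factor is a hard deny, not a fall-through.
            return False, f"rule {rule.devices!r} requires a second factor"
        return True, f"matched rule {rule.devices!r}"
    return False, "no matching rule (deny by default)"


def audit_record(req: Request, allowed: bool, reason: str, now: datetime = None) -> dict:
    """One structured event per decision, allowed or not, for the central log."""
    now = now or datetime.now(timezone.utc)
    return {
        "ts": now.isoformat(),
        "user": req.user,
        "device": req.device,
        "method": req.method,
        "src": req.source_ip,
        "result": "ALLOW" if allowed else "DENY",
        "reason": reason,
    }


# Constructed profiles: an in-house engineer reachable only from the corporate
# LAN, and a vendor support engineer limited to the SAN switches' serial consoles.
PROFILES = {
    "jdoe": Profile("jdoe", [Rule("*", METHODS, ("10.0.0.0/8",))]),
    "vendor-acme": Profile("vendor-acme", [Rule("san-switch-*", frozenset({"serial"}), mfa_required=True)]),
}


def handle(req: Request) -> dict:
    """What the gateway does per connection attempt: look up the profile, decide, log."""
    profile = PROFILES.get(req.user, Profile(req.user))   # unknown user -> empty profile
    allowed, reason = decide(profile, req)
    return audit_record(req, allowed, reason)


if __name__ == "__main__":
    for r in (
        Request("jdoe", "core-rtr-01", "serial", "10.1.2.3"),
        Request("jdoe", "core-rtr-01", "power", "203.0.113.5"),
        Request("vendor-acme", "san-switch-01", "serial", "198.51.100.7"),
        Request("vendor-acme", "san-switch-01", "serial", "198.51.100.7", mfa_passed=True),
        Request("vendor-acme", "san-switch-01", "power", "198.51.100.7", mfa_passed=True),
        Request("nobody", "core-rtr-01", "kvm", "10.1.2.3"),
    ):
        print(handle(r))
```

Two design points matter for a choke point like this: a request that matches a rule but lacks the required second factor is denied outright rather than falling through to a later, weaker rule, and denied attempts are logged with the same structure as allowed ones, because the denied attempts are the ones an incident responder will want.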

APPENDIX A: Practical Choke Point Application for a SAN Environment

A typical SAN infrastructure can be secured by creating an access choke point to enforce security and manage access control. The following simplified diagram illustrates the vulnerability within the SAN infrastructure and how it can be addressed using the Xio framework.

Figure 7: Securing administrative access to all SAN components

APPENDIX B: Practical Choke Point Application for Enterprise Access Control

An enterprise implementation of the Xio framework would require the Management Console (MC) unit to centrally manage users, devices, and access policies. Additionally, the MC provides a central repository for logs from all managed Xio UAG devices. The MC lets enterprises deploy n active Xio UAG devices without the limitation generally found in active-passive pair architectures.

Figure 8: Securing administrative access to all SAN components