Out of band management summary

John Kristoff jtk at depaul.edu
Tue Apr 29 21:31:20 GMT 2003


A while back I asked for recommendations and information regarding
out-of-band (OOB) management.  I received about a half dozen replies,
with a fairly significant variation in gear people are using.

I was most interested in two things.  First, I was curious how people
build OOB management networks when there are distant sites involved.  As
might be expected, most respondents are relying on POTS to get access to
some modem(s) at far away places, which are in turn attached to some
terminal server(s).

Second, I was interested in how people manage authentication and
authorization onto the OOB management network and to the devices
themselves.  I received less information here, but generally most people
seem to shield these management networks using separate physical layer
connections, VLANs and/or IP networks.

Generally, respondents indicated setting up small, dedicated LAN
switches, where either the network device ethernet management ports can
plug into or a terminal server to plug into.  Some indicated separate
physical networks, which consisted of using spare fiber/copper to tie
switches and terminal servers together.  One person indicated that they
provide DHCP on the OOB management network so that an admin can easily
plug their workstation/laptop into it.  Most respondents indicated the
use of async dial access from non-PBX telco lines into terminal servers
as a way to get into remotely located sites.

Some indicated that they create separate, secured (e.g. via IP address
controls) VLAN configurations on the switches/routers that are used for
the rest of the infrastructure network.  Technically, depending on how this
is implemented it may not really be out-of-band.

One person indicated that they dual-connect their terminal servers to a
dedicated OOB management network and the production network.  Presumably
this was done for ease of access to manage devices without having to go
dial-up in the case of a functioning in-band management network, with
the in-band production side heavily protected via access controls.

One person indicated the use of a Linux box as the terminal server (as
opposed to something from the likes of Cisco, which was frequently
mentioned).  The idea here was the same, however: install a multiport
serial card in the Linux box and attach those to the various devices to
be managed.  This respondent indicated that they had used other terminal
servers in the past, but liked the flexibility a Linux box gives.
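The paragraph above describes a Linux box with a multiport serial card standing in for a commercial terminal server. The script below is an added illustration of that setup and is not code from the post or from any respondent. It assumes a Linux host with GNU `stty`, util-linux `script` and `screen` installed; the device names and `/dev/ttyS*` assignments are constructed for the example, as is the log directory. What it adds over typing `screen /dev/ttyS0` by hand is a fixed name-to-port table so an admin cannot attach to the wrong console, consistent line settings, and a per-user timestamped transcript of every console session, which is the audit trail you want on a box that has the console of every router behind it.

```shell
#!/bin/sh
# Added example (not from the original post): wrapper for a Linux box used as
# a terminal server. A multiport serial card presents its ports as /dev/ttyS*
# (or a vendor-specific /dev/tty name); each port is cabled to one device's
# console. The name->port table and the log directory below are constructed
# for illustration.

CONSOLE_LOG_DIR="${CONSOLE_LOG_DIR:-/var/log/console}"   # hypothetical path
CONSOLE_SPEED="${CONSOLE_SPEED:-9600}"

# Map a managed-device name to its serial port. Prints the device path and
# returns 0, or prints nothing and returns 1 for an unknown name.
console_device() {
    case "$1" in
        core-router)  echo /dev/ttyS0 ;;
        dist-switch)  echo /dev/ttyS1 ;;
        firewall)     echo /dev/ttyS2 ;;
        *)            return 1 ;;
    esac
}

# List the device names this terminal server knows about, one per line.
console_list() {
    printf '%s\n' core-router dist-switch firewall
}

# Attach the current terminal to a device console and record the session.
console_attach() {
    name=$1
    dev=$(console_device "$name") || { echo "unknown device: $name" >&2; return 1; }
    [ -c "$dev" ] || { echo "$dev is not a character device" >&2; return 1; }
    mkdir -p "$CONSOLE_LOG_DIR"
    log="$CONSOLE_LOG_DIR/$name.$(date +%Y%m%d-%H%M%S).$(id -un).log"
    # 9600 8N1, no hardware flow control, raw mode: the usual router console settings.
    stty -F "$dev" "$CONSOLE_SPEED" cs8 -cstopb -parenb -crtscts raw
    # `script` keeps a transcript of the whole session; screen does the attach.
    script -q -a "$log" -c "screen $dev $CONSOLE_SPEED"
}

# Usage: console.sh <device-name>
if [ -n "${1:-}" ]; then
    console_attach "$1"
else
    echo "usage: $0 <device-name>; known devices:" >&2
    console_list >&2
fi
```

Because the wrapper refuses names it does not know and checks that the target is really a character device, a typo cannot silently drop an admin onto a different console, and the transcript under the log directory gives a record of who was on which console and when.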

Some mentioned RADIUS or TACACS+ and an LDAP/directory back end for doing
authentication to the OOB management network.  At least one indicated
that they have local accounts on terminal servers as a fall back in case
the centralized AAA servers are unavailable.
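The "central AAA with local accounts as a fall back" pattern in the paragraph above hides one detail that matters on a terminal server: the fall back should happen only when the AAA servers do not answer, not when they reject a login, otherwise every password tried against RADIUS gets a second try against the local password file. The script below is an added example, not from the post or any respondent, showing how that rule is expressed in a Linux PAM stack for the terminal server described earlier. It assumes the `pam_radius_auth` module is installed and its server list is configured separately; the service name `console-access` and the module layout are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): PAM stack for console access on
# a Linux terminal server. Central RADIUS is consulted first; local accounts
# are used only when no RADIUS server answers. Assumes pam_radius_auth is
# installed and its servers are listed in its own config file (not shown).
# The service name "console-access" is hypothetical.

# Print the PAM service file. The bracketed control field is what gives the
# narrow fall-back semantics:
#   success          -> done   : accepted by RADIUS, skip the rest of the stack
#   authinfo_unavail -> ignore : no server answered, continue to local accounts
#   default          -> die    : RADIUS rejected the login, stop here
render_pam_console() {
    cat <<'EOF'
# /etc/pam.d/console-access -- central RADIUS first, local fall-back only when
# no RADIUS server answers. Do NOT replace the control field with "sufficient":
# that would also fall through to local accounts on a rejected password.
auth     [success=done authinfo_unavail=ignore default=die]  pam_radius_auth.so
auth     required   pam_unix.so
account  required   pam_unix.so
session  required   pam_unix.so
EOF
}

# Check a PAM stack read from stdin: returns 0 only if the first auth line is
# the RADIUS module, it ignores only the "server unavailable" result, it does
# not use the broader "sufficient" control, and a local-account line follows.
pam_stack_ok() {
    stack=$(grep '^auth')
    first=$(printf '%s\n' "$stack" | sed -n 1p)
    second=$(printf '%s\n' "$stack" | sed -n 2p)
    case "$first" in
        *pam_radius_auth.so*) ;;
        *) return 1 ;;
    esac
    case "$first" in
        *authinfo_unavail=ignore*) ;;
        *) return 1 ;;
    esac
    case "$first" in
        *sufficient*) return 1 ;;   # falls back on reject as well, too broad
    esac
    case "$second" in
        *pam_unix.so*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: render_pam_console | pam_stack_ok && render_pam_console > /etc/pam.d/console-access
```

Run `render_pam_console | pam_stack_ok` as a pre-deploy check; it rejects the common `auth sufficient pam_radius_auth.so` form because that control falls back to local accounts on a rejected password as well as on an unreachable server. Keep the local fall-back accounts few and give them their own passwords, since they are exactly what is exposed when the AAA servers are down.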

One respondent indicated the use of remote power bars and remote
KVM-style boxes for remote power and console control.  Battery backup
for power and DC supply were also mentioned in some configurations.

There was mention by one respondent that they may use IPSec to allow
remote console access from home.

As modems seem to be a popular way of gaining access to the OOB
management network by respondents, a few identified interesting products
that they are using or planning to use.  For example, the following
product may be used to help secure access to modems (through the use of
touch-tone access codes and dongles):

  <http://www.cpscom.com/gprod/challtt.htm>

Another respondent indicated the use of long-haul line drivers for
gaining remote access via dedicated copper over long distances (up to a
few miles):

  <http://www.rad.com/Article/0,6583,11205,00.html>

John
