Securing the Management of Remotely Located Network Devices




By Jeff Carley

The vast majority of networks have remotely located equipment such as routers, switches and other network devices that are not in the same geographic location or easily accessible by skilled technicians. The network devices can be tens or hundreds of miles away from the network administrator. Network technicians and administrators require regular access to remotely located routers and switches, as well as more immediate access when problems arise in order to troubleshoot, resolve those problems and restore operations. The more quickly a network administrator can access and troubleshoot remotely located devices in the network, the quicker the mean-time-to-repair (MTTR) and the higher the availability of the network.

The secure management of remotely located routers, switches and other network devices is essential for reliable, dependable, and high availability networks. Networks need to be resilient under attack, responsive to customers' needs and affordable to operate. The methods to date for remote management have not had the appropriate level of security required of such a vital function. Engedi Technologies, Inc. provides a solution with the Secure Remote Management appliance (SRMa™). The Engedi SRMa™ delivers the cost saving advantages of remote management while eliminating potential security vulnerabilities.

Background

It is not cost effective or desirable to require physical visits to remotely located routers, switches or other network devices for troubleshooting or maintenance. Costs are prohibitive, both in time and personnel, for a skilled technician to be dispatched to the remote site for administration and maintenance of every remotely located router, switch or other network device. Time and cost constraints necessitate that network devices be managed remotely. A solution for remote management of devices will ideally support multiple communication paths such as an in-band and a back-up out-of-band path. During in-band access the remote administrator communicates with the router or switch over the same network path that carries the data the router or switch is transporting. When the back-up out-of-band path is used, the remote administrator communicates with the router or switch over a communication path separate from the one used to transport the network data.

Industry's efforts to achieve cost effective remote management have most often implemented an in-band data network solution for the management of the remotely located devices. Typically, and unfortunately, many of the methods employed do not protect the management data, or authenticate users effectively to ensure the administrator is who they say they are. The time when these and other insecure network structures and practices were acceptable is long past. Companies must take a hard look now at how best to provide secure, cost effective remote management of their networks. Compromising on security for the convenience of remote access to the network devices is not acceptable. Too many network administrators have compromised network security by employing remote management solutions that are not secure.

The industry has struggled to find a workable compromise between the operating requirement for remote management of routers, switches and other network devices and the need to maintain security during access. The National Security Agency (NSA) published guidelines for router security recommending restricting router and switch management access to technicians physically on site, even though that requires the technician to travel to that site. While that is the most secure, it is not necessarily practical in the commercial world. Realizing this, the NSA recommends an alternative level of security using a dedicated network for remote network device administration, limiting access to network administrators. Build-out costs for a dedicated network for management would be too expensive for most companies. Another solution is required. The Engedi Secure Remote Management appliance (SRMa™) is that solution. (http://engedi.net/focus.htm)

Security Issues

The security of remote management implementations must be carefully considered. The security of access to the routers and switches is a particular concern when enabling remote management.

In most networks, limiting device management to physical access alone is not practical due to the costs. Enabling a device for remote management to avoid the cost and delay of dispatching a person to the remote site could potentially allow a determined intruder to utilize that remote access means for an attack if the remote management solution is not highly secure. The Engedi Secure Remote Management appliance (SRMa™) is "purpose built" to provide the required security for remote management.

Physical Security Required

For network elements to be secure they must, first of all, be physically secure. Without physical security, it is almost certain an attacker can compromise a router or switch. The facilities that house remotely located network devices must be secure. That is a fundamental requirement for network security.

Enabling Out-of-Band Network Management

Out-of-band remote management typically has the administrator connecting to a console or management port on the router or switch over a public or shared network. While a dedicated out-of-band network would be the most preferable solution for out-of-band management from a security standpoint, the cost is generally prohibitive. Some form of public shared network such as the PSTN or an Integrated Services Digital Network (ISDN) can provide the more cost effective solution for an out-of-band connection. The security of such a remedy, however, is a major concern. The Engedi SRMa™ is purpose built to address the security concern and provide the cost effective solution.

The most straightforward means of providing out-of-band connectivity to a remote router or switch is to place a modem on the console port of the device, connecting it to the Public Switched Telephone Network (PSTN). Doing so, however, completely bypasses any perimeter security for the network, such as a firewall or access list, and provides a vulnerable pathway for intruders to attack the network. If an attacker knows or can determine the phone number of the modem then the only security is the logon protection on the router. War dialers can generally find the phone numbers of such modems. The modem is not a good solution, but it is one that many network administrators have actually implemented on their networks. Even with the security risks, some network administrators put modems on the console ports of routers and other devices in the network. For them, the operating advantages of having the modem on the network device outweighed the risks. They needed the ability to remotely access and manage the network devices and were willing to compromise on security because there was no better alternative. Other network administrators elected to use modems that require a user name and password, require that unique tokens be generated, or use smart cards for access. Usually only top-of-the-line modems provide this feature, and even those have a limited number of users that can be configured. The administration of the user names and passwords is often such a nightmare that only one user name and password gets configured and every user shares the same password. That creates a real security problem that is all too common in many networks today. That security compromise is no longer necessary when the Engedi SRMa™ is placed in the network.

Placing a modem on the console port of a networking device, such as a router, may not always indicate whether the modem and analog line are working correctly prior to a network outage. If the modem does not answer during problem determination, it is not as strong an indicator as one would like that the site has lost power. It could be that some portion of the "out-of-band" connection has malfunctioned or been disconnected without being detected. It is not unheard of for a telephone line attached to the modem on a router to be "borrowed" for some other purpose and never "returned". If there is a problem with the "out-of-band" path it needs to be discovered and corrected before there is an outage in the data network, not when there is an outage. Monitoring and testing of the out-of-band connection would solve this. The Engedi Secure Remote Management appliance (SRMa) does this.
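The ambiguity described above (an unanswered modem may mean a power loss or merely a broken out-of-band line) can be reduced by testing the out-of-band path on a schedule and comparing the result with in-band reachability. The following is an added example, not code from the article or from Engedi; the record fields, site names, finding labels and the weekly test policy are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample probe results (not from the article): one record per site,
# holding the latest in-band reachability check and the latest out-of-band test call.
PROBES = [
    {"site": "branch-01", "inband_up": True,  "oob_answered": True,  "oob_tested": "2024-05-01T02:00"},
    {"site": "branch-02", "inband_up": True,  "oob_answered": False, "oob_tested": "2024-05-01T02:05"},
    {"site": "branch-03", "inband_up": False, "oob_answered": True,  "oob_tested": "2024-05-01T02:10"},
    {"site": "branch-04", "inband_up": False, "oob_answered": False, "oob_tested": "2024-05-01T02:15"},
    {"site": "branch-05", "inband_up": True,  "oob_answered": True,  "oob_tested": "2024-03-02T02:00"},
]

MAX_TEST_AGE = timedelta(days=7)  # assumed policy: test every OOB line at least weekly


def classify(probe, now):
    """Return a finding for one site from its in-band and out-of-band probe results."""
    age = now - datetime.fromisoformat(probe["oob_tested"])
    if age > MAX_TEST_AGE:
        # A stale result says nothing about whether the line still works today.
        return "OOB_UNTESTED"
    if probe["inband_up"] and probe["oob_answered"]:
        return "OK"
    if probe["inband_up"]:
        # Site is alive but the backup path is dead: repair it before an outage.
        return "OOB_PATH_FAULT"
    if probe["oob_answered"]:
        return "INBAND_OUTAGE_USE_OOB"
    # Both paths silent: site power loss and OOB failure cannot be told apart.
    return "SITE_UNREACHABLE"


def audit(probes, now):
    """Map each site to its finding."""
    return {p["site"]: classify(p, now) for p in probes}


if __name__ == "__main__":
    for site, finding in audit(PROBES, datetime(2024, 5, 1, 6, 0)).items():
        print(f"{site}: {finding}")
```

The `OOB_PATH_FAULT` and `OOB_UNTESTED` findings are the ones to act on while the data network is still healthy, since they mark sites where the back-up path would not be there when needed.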

In large enterprise networks the decision might be that the risks are too great to permit installation of a modem, and they are not allowed. They have given up the ability to remotely access and manage network devices, requiring instead the slow and expensive site visit. No better or acceptable alternative has been available, until now: the Engedi Secure Remote Management appliance (SRMa).

Securing all Network Management Protocols

Network management protocols must be secure. Most protocols involved with the remote management of routers and switches do not provide for the confidentiality or integrity of the information transmitted between the remote administrator and the network device, or for confirmed authentication of the parties involved. This is especially critical if a public shared network, such as the PSTN, is utilized for the out-of-band connectivity.

RESOURCE GUIDE:
- Secure Remote Management appliance (SRMa™)
- Engedi Technologies, Inc. ( http://engedi.net )

The Solution

The Engedi Secure Remote Management appliance (SRMa™) is a "purpose built", embedded appliance providing highly secure, multi-pathed, cost-saving remote management for network devices. The Engedi SRMa™ protects the management interfaces of the network device.

In today's environment companies worldwide are reexamining and reevaluating all aspects of network security as the costs of security vulnerabilities escalate. High availability of the network is also desired and required. Engedi Technologies' Secure Remote Management appliance (SRMa™) enables fully capable remote network management delivering secure, high availability networks. The SRMa™ delivers the needed reliabl
 
 
About the Author
Mr. Jeff Carley has over 20 years of experience designing and developing communications protocols, establishing and validating architectural standards, and designing large enterprise networks. He is a technology patenting and development consultant to Engedi Technologies, Inc. ( http://engedi.net )

Article Source: http://www.simplysearch4it.com/article/23986.html
 