Out-of-Band Management


The secure administrative workstations (SAWs) used as management clients must be tightly locked down.

  • ideally installed with only the software required to access the administrative channel
    • a minimal web browser, remote desktop client, or SSH client, nothing more
  • should be denied Internet access, or restricted to a handful of approved vendor sites for patches, drivers, and support
  • must also be subject to stringent access control and auditing so any misuse is detected at the earliest opportunity

Management Methods

  • management methods can be:
    • in-band
      • the management link shares the "production" network with ordinary user and application traffic
      • security can be improved by placing management traffic in a dedicated VLAN
        • isolates management traffic from the rest of the network
        • makes it harder for an eavesdropper to view or modify that traffic
        • this "virtual OOB" still rides on the same switching infrastructure, so a network-wide failure takes management access down with it
    • out-of-band (OOB)
      • accessing the administrative interface of a network appliance over a network separate from the usual data network
        • could use a separate VLAN or a different kind of link entirely
      • a console port is a physically out-of-band management method
        • the link is limited to the single attached device
      • a browser-based management interface or virtual terminal link can be made out-of-band by:
        • connecting the port used for management access to physically separate network infrastructure
        • connecting it to a dedicated management VLAN
      • more costly to implement (separate switches, cabling, or links)
      • more secure, because the management interface is not reachable from hosts on the production network
      • access is not affected by problems on the production network
        • fully true only for physically separate OOB; a management VLAN still depends on the shared switches

Info

  • use a secure encrypted connection protocol for the management interface
    • e.g., HTTPS rather than HTTP, SSH rather than Telnet
    • ensures confidentiality and integrity of credentials and commands in transit
  • critical for in-band management, where management traffic shares links with other hosts
    • applies to OOB too: a separate network limits who can reach the interface but does not by itself protect the session
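An added example (not from the original notes) that turns the two points above, encrypted management protocols only and management reachable only from the dedicated VLAN, into a check that can run over a device's running configuration. It audits an IOS-style configuration for cleartext HTTP, SNMPv1/v2c community strings, Telnet on the vty lines, and vty lines that either have no access-class or whose ACL permits sources outside the management network. The two configurations and the management subnet are constructed for illustration; the parser handles only standard numbered ACLs.

```python
"""Management-plane audit for a network appliance configuration.

Added example, not from the original notes.  Checks an IOS-style running
configuration for the points the notes make: administrative access must use
an encrypted protocol (SSH/HTTPS, never Telnet or HTTP), and it must be
reachable only from the dedicated management VLAN / OOB network.  The two
configurations and the management subnet are constructed for illustration.
"""
import ipaddress
import re

# Constructed: the dedicated management VLAN from which admin sessions may originate.
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")

# Constructed "before" config: cleartext management, reachable from anywhere.
WEAK_CONFIG = """\
hostname core-sw1
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed "after" config: SSH/HTTPS only, vty lines gated by an ACL that
# permits only the management network.
HARDENED_CONFIG = """\
hostname core-sw1
no ip http server
ip http secure-server
access-list 10 permit 10.99.0.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""

# Standard numbered ACL permit entries: "permit any", "permit host A", "permit A W" or "permit A".
ACL_RE = re.compile(r"^access-list (\d+) permit (?:(host) )?(\S+)(?: (\S+))?(?: log)?$")


def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 -> /24."""
    inverted = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.ip_network((addr, netmask), strict=False)


def parse_acl_permits(lines):
    """Map standard ACL number -> list of permitted source networks."""
    acls = {}
    for ln in lines:
        m = ACL_RE.match(ln.strip())
        if not m:
            continue
        number, host_kw, addr, wildcard = m.groups()
        if addr == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif host_kw or wildcard is None:
            net = ipaddress.ip_network(addr + "/32")
        else:
            net = wildcard_to_network(addr, wildcard)
        acls.setdefault(number, []).append(net)
    return acls


def vty_block(lines):
    """Return the indented lines belonging to the first 'line vty' stanza."""
    block, inside = [], False
    for ln in lines:
        if ln.startswith("line vty"):
            inside = True
            continue
        if inside:
            if ln.startswith(" "):
                block.append(ln.strip())
            else:
                break
    return block


def audit_management_plane(config, mgmt_net=MGMT_NET):
    """Return a list of findings; an empty list means the config passes."""
    lines = config.splitlines()
    stripped = [ln.strip() for ln in lines]
    findings = []

    # Encrypted protocols only ("no ip http server" does not match the exact string).
    if "ip http server" in stripped:
        findings.append("cleartext HTTP management enabled (use 'ip http secure-server' only)")
    if any(s.startswith("snmp-server community") for s in stripped):
        findings.append("SNMPv1/v2c community string configured (cleartext credential)")
    vty = vty_block(lines)
    transport = next((s for s in vty if s.startswith("transport input")), None)
    if transport is None or set(transport.split()[2:]) != {"ssh"}:
        findings.append("vty transport not restricted to ssh")

    # Reachability only from the management network.
    access = next((s for s in vty if s.startswith("access-class")), None)
    if access is None:
        findings.append("vty lines have no access-class; management reachable from any network")
    else:
        acl_number = access.split()[1]
        for net in parse_acl_permits(lines).get(acl_number, []):
            if not net.subnet_of(mgmt_net):
                findings.append(f"access-class {acl_number} permits {net}, outside {mgmt_net}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_management_plane(cfg) or "OK")
```

The access-class check is the OOB point in code form: a device can be on a management VLAN and still accept SSH from every subnet it routes for unless the vty lines are bound to an ACL, and the ACL is only as good as the networks it permits, which is why the audit expands each permit entry and compares it against the management subnet rather than just checking that an access-class line exists.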