Re: Proper authentication model
Think methodology: the least number of failure points, less capex, to protect the SLA, real or imagined. Bellcore/Telcordia guidelines for RBOC COs are very suitable for datacenters/colo. Hybrids.

---
Martin Hannigan
hannigan@verisign.com
Verisign, Inc.

-----Original Message-----
From: owner-nanog@merit.edu <owner-nanog@merit.edu>
To: erik@office.is.nl <erik@office.is.nl>
CC: NANOG list <nanog@merit.edu>
Sent: Wed Jan 12 14:35:21 2005
Subject: RE: Proper authentication model

On Wed, 12 Jan 2005, Hannigan, Martin wrote:
> Out-of-band management isn't telnetting from your desktop to the serial port.
>
> Mgmt and surveillance is the Bellcore standard for out of band. It means your M/S is not riding your customer or public networks, and it's physically separate. Yes, this is the Cadillac method, but the only way to support five nines IMHO.
>
> If you have 3 sites and they're interconnected via an OC3 and the internet, you would also have 2 frame or PPP circuits separately connecting the terminal server network. You'd do the different path, different provider, etc. on these circuits.
Recently I've been doing this by tunneling over ADSL circuits from the local telco. At around $60 per month per location with static IP addresses it's cheap. Since the tunnels go between two ADSL lines, they're limited to the circuits' 128 kb/s upload speeds, but that's generally OK for management traffic. I've also been connecting bastion hosts to the DSL lines. This way, all that's required to get into the OOB network is Internet connectivity through some other network, rather than having to hunt around for a POTS phone line to plug a modem into in an emergency. Obviously, if you are the local telco this isn't really out of band, but it works well for others who aren't sharing the local telco's infrastructure. Is it as secure as having your own diverse-path management network of private point-to-point circuits? Probably not, but with sufficient firewalling and encryption on the tunnels, it's good enough, and cheap enough that it's possible to talk ISP owners into paying for it.

-Steve
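To make the "sufficient firewalling and encryption on the tunnels" concrete, here is an added example (written for this page, not code from anyone in the thread) that generates the tunnel definition and firewall ruleset for a bastion host sitting on one site's DSL line and peering with the matching bastion at the other site. WireGuard and nftables stand in for whatever tunnel and filter technology was in use in 2005; every address (TEST-NET-3 and RFC 1918 ranges), interface name, port and key in it is a placeholder to be replaced before use.

```shell
#!/bin/sh
# Added example for this page (not from the thread): generate the tunnel and
# firewall configuration for a bastion host on site A's DSL line, peering with
# the equivalent bastion at site B. Every address, interface name and key below
# is a placeholder (TEST-NET / RFC 1918 ranges); replace them before use.

PEER_DSL_IP="203.0.113.20"       # site B's static DSL address
PEER_OOB_NET="192.168.201.0/24"  # site B's console/terminal-server LAN
LOCAL_OOB_NET="192.168.200.0/24" # this site's console/terminal-server LAN
DSL_IF="ppp0"                    # interface facing the DSL line (untrusted)
OOB_IF="eth1"                    # interface facing the local OOB LAN
TUN_IF="wg0"                     # WireGuard tunnel interface
TUN_ADDR="10.255.0.1/30"         # this end of the tunnel
WG_PORT="51820"

# WireGuard definition, to be saved as /etc/wireguard/wg0.conf.
# Only the peer's public key and endpoint are listed; WireGuard ignores any
# other source, and the firewall below drops it before WireGuard even sees it.
wg_conf() {
cat <<EOF
[Interface]
Address = $TUN_ADDR
ListenPort = $WG_PORT
PrivateKey = <site-A-private-key>

[Peer]
PublicKey = <site-B-public-key>
Endpoint = $PEER_DSL_IP:$WG_PORT
AllowedIPs = 10.255.0.2/32, $PEER_OOB_NET
PersistentKeepalive = 25
EOF
}

# nftables ruleset, to be loaded with `nft -f`. Default-deny on both chains:
# the DSL interface accepts nothing except the tunnel from the peer's static
# address, ssh to the bastion is reachable only through the tunnel or from the
# local OOB LAN, and the only forwarding allowed is OOB LAN <-> OOB LAN via the
# tunnel, so no console traffic ever crosses the DSL line in the clear.
nft_rules() {
cat <<EOF
flush ruleset
table inet oob {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    iifname "$DSL_IF" ip saddr $PEER_DSL_IP udp dport $WG_PORT accept
    iifname "$TUN_IF" ip saddr $PEER_OOB_NET tcp dport 22 accept
    iifname "$OOB_IF" ip saddr $LOCAL_OOB_NET tcp dport 22 accept
    iifname "$TUN_IF" ip saddr $PEER_OOB_NET icmp type echo-request accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$TUN_IF" oifname "$OOB_IF" ip saddr $PEER_OOB_NET ip daddr $LOCAL_OOB_NET accept
    iifname "$OOB_IF" oifname "$TUN_IF" ip saddr $LOCAL_OOB_NET ip daddr $PEER_OOB_NET accept
  }
}
EOF
}

# Pre-deployment sanity check: no rule may accept traffic arriving on the DSL
# interface other than the tunnel port from the peer's static address.
# Returns 0 if the generated ruleset passes, 1 otherwise.
check_dsl_exposure() {
  nft_rules | grep "iifname \"$DSL_IF\"" \
    | grep -v "ip saddr $PEER_DSL_IP udp dport $WG_PORT accept" \
    | grep -q . && return 1
  return 0
}

case "${1:-}" in
  wg)    wg_conf ;;
  nft)   nft_rules ;;
  check) check_dsl_exposure && echo "ok" ;;
esac
```

Run it as `sh oob-bastion.sh wg > /etc/wireguard/wg0.conf` and `sh oob-bastion.sh nft | nft -f -` on the bastion (assumed file name). The two things that make the DSL line tolerable as a management path are both in the ruleset: the public interface exposes a single UDP port to a single static peer address, and the forward chain only ever joins the two console LANs through the encrypted interface, so the bastion cannot be used as a hop from the Internet into the OOB network even if ssh on it were misconfigured.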