Hello,
It seems that the current practice is to use a DSL line, as opposed to a modem, for accessing an OOB console server at a remote colo. From a security standpoint, what do people generally do: trust the console server, repurpose an old Linksys box from my house, or put in a full firewall?
Eric :)
I have juniper SRX110s that use the magic new multi site IPSec thing.
-- Leigh Porter
On 23 Apr 2012, at 13:43, "Eric" <eric@roxanne.org> wrote:
On (2012-04-23 12:45 +0000), Leigh Porter wrote:
I have juniper SRX110s that use the magic new multi site IPSec thing.
+1. This is the way to roll OOB: CPE (Cisco ISR, Juniper SRX), RS232 console server (Opengear, Avocent) and a switch if you happen to have modern gear which supports proper OOB like Nexus7k, and not enough ports in the CPE. OOB CPE could be reused for other functions to justify cost, like DCN router; both SRX and ISR have models doing CLNS routing.
With the correct CPE, the same CPE can do 3G, ADSL and Ethernet, depending on what is available at a given site. Some RS232 console servers do deliver a subset of the needed features, like 3G, IPSEC and Ethernet might be there. But that does not mean that it'll be OPEX nor CAPEX cheaper to try to do it all in one box.
-- ++ytti
My preferred OOB solution is cellular where possible. (Many companies make such a dedicated product, or roll your own.) Most cellular providers can provide a private APN with private IP addresses delivered back to you via a VPN tunnel. In many cases, telemetry (i.e. 50Mb or less per month) data plans cost much less than DSL lines or analog lines. In some installations, it's also diverse to backhoe accidents due to it not riding the same copper bundle. Besides, it's easy to install and you don't have to deal with the copper analog handoff. Otherwise... DSL and IPSEC VPN also works. Analog is the last option for me.
On Mon, Apr 23, 2012 at 7:31 AM, Saku Ytti <saku@ytti.fi> wrote:
There are hardware solutions for this type of install. Often it is best to add/create networks for access from multiple points at once. My suggestion is http://www.lantronix.com/it-management/branch-office/securelinx-slb.html
-- ~ Andrew "lathama" Latham lathama@gmail.com http://lathama.net ~
Thanks for starting this discussion Eric. We're just starting to look at upgrading our OOB console network and wondering how to provide access from LAN-based application monitoring platforms. We're currently looking at installing a VPN appliance between our production network and the "oob network".
-Steve
-----Original Message-----
From: Eric [mailto:eric@roxanne.org]
Sent: Monday, April 23, 2012 8:40 AM
To: nanog@nanog.org
Subject: Securing OOB
participants (6): Andrew Latham, Eric, Leigh Porter, PC, Saku Ytti, Steven C. Blair