

Number of slides: 36

Secure Remote Access to your Serial Console Ports

"You progress not through improving what has been done, but reaching toward what has yet to be done." -- Kahlil Gibran (1883-1931)

BigBand Networks Overview
- Based in Tel Aviv, Israel
  - US main office is in Redwood City
- Manufactures Digital Video Processing Hardware, primarily used by the Cable TV industry
  - Chassis are SNMP managed, but can also be controlled using a Command Line Interface (CLI)
  - We’re installing remote access for ‘local’ use, but Tel Aviv engineers will benefit as well.
BigBand Networks Confidential

Who’s on first (call) tonight?
- How many of you could be paged tonight, to go back to work to help restore an ailing machine to service?
- How many could check the status of that ailing machine from the podium, now?
- How many wouldn’t worry about exposing your root passwords while doing it?
- How many folks would like to be able to do it, without worry?

Don’t Worry, it’s easy!

Why consoles are important
- Local consoles (serial port, or keyboard and screen) are needed when network access and remote control applications have failed.
- When in-the-middle network gear has failed
- Secure devices want to be configured using a ‘local’ connection.
- Some devices don’t have network stacks

Remote Access to Serial Consoles
- Most Unix machines support a serial console during operation.
- Most non-Intel platforms support boot-up control using the serial console.
- Many Intel platform BIOS makers are offering an option for serial console redirection of Power-On Self-Test (POST) messages, but there are limitations, and they are not consistent.
- Add-in cards for PCs can provide access!

Virtual Presence
- If you can remotely access serial consoles
  - No need to run to the server rooms
  - Your response to outages/problems is faster
  - You can easily check machines in other buildings, even in other cities
  - Reduced downtime saves the company money!
- Time = Money
- Downtime = Anti-money
  - Believe me, it gets measured, somehow

Terminal Server Review
- How terminal servers provide remote access to consoles
  - Reverse Telnet
    - Workstation telnets to Terminal Server address:port
    - 7-bit session? 8-bit clean?
    - Can you escape from the session?
  - Vendor-specific port formulae
    - Different ranges for 7-bit, 8-bit...
  - Vendor-specific features

Terminal & Console Servers
- Terminal Servers were designed to allow ‘dumb terminals’ to access hosts on IP networks.
- Reverse Telnet allowed users on the network to connect to serial ports on terminal servers
- Console Servers are a newer, enhanced Terminal Server, meant for supporting console access.

Basic Serial Hookups
- Console Server connected to the same LAN with the hosts
- Serial connections from the consoles of each host to the Console Server

Security is already available
- Most Console Servers have SSL and/or SSH implementations for access
- Many have IP access control, so you can allow connections only from ‘trusted hosts’ to the high TCP ports
- You can also set up your access so users need to use SSH, or other secure methods to authenticate on the trusted host before they can connect to the Console Server
- Physical access should be part of your plan
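The two preceding slides describe reverse telnet port formulae and IP access control on the high TCP ports. The following Python is an added example (not from the presentation or any vendor) that models both: a constructed "cisco-style" port formula (base port per session mode plus async line number; the real numbers are vendor specific and must be taken from the vendor manual), the trusted-host rule a console server would apply, and an audit of a constructed connection log to find attempts that the rule should have refused.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed reverse-telnet port formulae (constructed for this example; check the
# vendor manual for real values).  TCP port = base for the session mode + line number.
PORT_FORMULAE: Dict[str, Dict[str, int]] = {
    "cisco-style": {"telnet": 2000, "raw": 4000, "telnet-binary": 6000},
}
LINES_PER_FORMULA = 1000  # each base reserves a block of 1000 ports


def reverse_port(vendor: str, line: int, mode: str) -> int:
    """TCP port a workstation telnets to in order to reach async line `line`."""
    try:
        base = PORT_FORMULAE[vendor][mode]
    except KeyError as exc:
        raise ValueError(f"no port formula for {vendor!r} mode {mode!r}") from exc
    if not 1 <= line < LINES_PER_FORMULA:
        raise ValueError(f"line {line} is outside the range this formula covers")
    return base + line


def port_mode(vendor: str, dst_port: int) -> Optional[str]:
    """Session mode a destination port maps to, or None if it is not a console port."""
    for mode, base in PORT_FORMULAE[vendor].items():
        if base < dst_port < base + LINES_PER_FORMULA:
            return mode
    return None


def connection_allowed(src_ip: str, dst_port: int, trusted_nets: Iterable[str], vendor: str) -> bool:
    """Model the console server's IP access control: only trusted hosts may reach the
    high TCP ports that map to console lines; anything else is not granted by this rule."""
    if port_mode(vendor, dst_port) is None:
        return False
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(net, strict=False) for net in trusted_nets)


def audit_connection_log(log_lines: Iterable[str], trusted_nets: Iterable[str], vendor: str) -> List[Tuple[str, int]]:
    """Return (src, port) pairs the access rule should have refused.
    Log format is constructed: '<ISO time> connect src=<ip> dst_port=<port>'."""
    refused = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        src, port = fields["src"], int(fields["dst_port"])
        if not connection_allowed(src, port, trusted_nets, vendor):
            refused.append((src, port))
    return refused


# Constructed sample: a management subnet of trusted hosts and three connection attempts.
TRUSTED_NETS = ["10.0.5.0/24"]
SAMPLE_LOG = [
    "2004-03-02T10:15:03Z connect src=10.0.5.7 dst_port=2003",    # trusted host, telnet mode
    "2004-03-02T10:15:09Z connect src=192.0.2.44 dst_port=2003",  # untrusted source
    "2004-03-02T10:16:30Z connect src=10.0.5.9 dst_port=4012",    # trusted host, raw mode
]

if __name__ == "__main__":
    print("line 3, telnet ->", reverse_port("cisco-style", 3, "telnet"))
    print("should have been refused:", audit_connection_log(SAMPLE_LOG, TRUSTED_NETS, "cisco-style"))
```

Keeping the port formula in one table makes the audit reusable across terminal servers: add a vendor entry, and the same trusted-host rule applies to its port block.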

Advanced (Security) Architecture
- Addressing Security Concerns
  - Add a management Network
  - Put console server and clients there
  - Added security costs money…

Logging Adds Value to your Access
- With the Terminal/Console Server, only one person can be connected to a single port at any given time.
- Using an intermediary server allows for logging, and multi-user access, and easier access/restriction authorization.
- Logging mechanisms make it easier to automate monitoring and reporting, and provide forensic details for post-event analysis of events.

Advanced Architecture, Part Two
- Adding a Conserver host
  - Conserver host makes all Reverse TCP calls
  - CC is now a Conserver client
  - Client connects to Conserver host
  - Clients are connected to logging streams
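The last two slides explain what the intermediary host adds over a bare terminal server: the intermediary owns the single reverse-TCP connection, so several users can be attached to one port, with one of them holding write access, and everything that crosses the port goes to a log stream. The Python below is an added example of that session model (it is not Conserver's code and uses none of its API; the class and method names are constructed). Keystrokes are logged only as an event, not by content, so a password typed at a login prompt never lands in the log; what the console echoes back is what gets recorded.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List, Optional


@dataclass
class Client:
    user: str
    read_write: bool
    received: List[str] = field(default_factory=list)  # console output delivered to this client


def fixed_clock(iso: str) -> Callable[[], datetime]:
    """Deterministic clock for demos and tests (constructed helper)."""
    stamp = datetime.fromisoformat(iso)
    return lambda: stamp


class ConsoleSession:
    """One console port behind an intermediary host: exactly one read-write client,
    any number of read-only watchers, and a timestamped log of the port's traffic."""

    def __init__(self, name: str, clock: Optional[Callable[[], datetime]] = None):
        self.name = name
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.clients: List[Client] = []
        self.log: List[str] = []
        self.to_console: List[str] = []  # what would be written to the reverse-TCP socket

    def writer(self) -> Optional[Client]:
        return next((c for c in self.clients if c.read_write), None)

    def attach(self, user: str, read_write: bool = False) -> Client:
        """Attach a user; the port can have only one read-write client at a time."""
        holder = self.writer()
        if read_write and holder is not None:
            raise PermissionError(f"{self.name}: read-write already held by {holder.user}")
        client = Client(user, read_write)
        self.clients.append(client)
        self._record(f"[{user} attached {'rw' if read_write else 'ro'}]")
        return client

    def detach(self, client: Client) -> None:
        self.clients.remove(client)
        self._record(f"[{client.user} detached]")

    def send(self, client: Client, text: str) -> None:
        """Keystrokes from a client toward the console; read-only watchers are refused."""
        if client not in self.clients or not client.read_write:
            raise PermissionError(f"{self.name}: {client.user} is not the read-write client")
        self._record(f"[{client.user} sent {len(text)} bytes]")  # event only, never the content
        self.to_console.append(text)

    def receive(self, text: str) -> None:
        """Output arriving from the console: log it, then fan it out to every attached client."""
        self._record(text.rstrip())
        for c in self.clients:
            c.received.append(text)

    def _record(self, text: str) -> None:
        self.log.append(f"{self.clock().isoformat()} {self.name}: {text}")


if __name__ == "__main__":
    session = ConsoleSession("host1")
    ops = session.attach("alice", read_write=True)
    watcher = session.attach("bob")
    session.send(ops, "show version\r")
    session.receive("host1# show version\r\n")
    try:
        session.send(watcher, "reload\r")
    except PermissionError as err:
        print("refused:", err)
    print("\n".join(session.log))
```

Every attach and detach lands in the same stream as the console output, which is what makes the log usable for post-event analysis: it records who was on the port when a given line scrolled by.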

Connecting Serial Devices
- Most Console Server hardware vendors don’t have a wide variety of cables and adapters
- Usually left as an exercise for the hardware buyer
- Pre-wired adapters will make your life easier!
- Check the host-to-adapter web pages for more clues.

Connecting Consoles/Devices
- Establish the Physical Link First.
- Use Pre-wired Adapters.
- Use Passive Signal Tracers.
- Use 8-wire cable, CAT-5 preferred

Establish a Physical Link First
- It’s easy to debug software settings when you know the physical link is in place.
- It’s easy to establish the physical link with pre-wired adapters.
- Testing the physical link is easier with an RS-232 Signal Tracer.

So Many Possibilities
- Not only are the choices finite, but the number of choices is rather small.
- Four choices for each connector type.

Whittling down the list
- When connecting devices, you know the connector type, and the gender(s)…
- Pick one connector for one end, and take one of each for the other end!

Use Pre-Wired Adapters
- Saves time (no assembly)
- Consistent wiring (no mistakes)
- Consistent colors and labels.
- Assortments make it easy.
- Console guides available
  - http://www.conserver.com/consoles/
  - http://www.stokely.com/

Time Synchronization
- Important for logging
  - backup and file sharing too
- Comparing logs from many devices after an ‘event’?
  - Security devices
  - Hosts, servers
  - Network (routers, switches, load balancers)
  - Check non-network devices often

Real World Examples
- There are many sites around the world using Conserver today, to control enterprise installations, as well as running small-but-vital server cores.
- Conserver.com has a searchable email digest, if you want to go digging…

Synopsys
- Multiple distributed data centers
- 35+ field offices
- Field sites host a Conserver
- Router supports
  - Dial-in/out ISDN access
  - Local authentication
  - Console ports

Synopsys Basic Field Office
- WAN for main traffic
- PSTN (ISDN) for field dialup
  - (Public Switched Telephone Network)
- Local Conserver Host

Tellme
- Two main data centers
- 1700+ consoles
- Secure access to each center
- Not distributed mode
- PIC Dog!
  - LCD display
  - Temperature
  - Soft power control
  - Messaging and more

WebTV/MSNTV
- Three data centers (distributed)
  - Dedicated management network
- 2000+ console ports
- 25+ terminal servers
- Centralized change control
- Backup hosts at each data center
  - Backup host can also manage the console of the primary host!

Wrap-up
- Suggested Reading and Vendor Info pages are at the rear of the presentation.
- Q&A?
- Thanks for your interest!

Suggested Reading
- Aurora Technologies
  - http://www.auroratech.com/
  - A good primer for console services, and an even-handed discussion of the “Distributed Servers” versus “Console Servers plus Terminal Servers” topic
- Cyclades
  - http://www.cyclades.com/
  - A different view, discussing remote management in terms of consoles, remote power, and remote control applications.

Web Links
- Stokely Consulting
  - http://www.stokely.com
- Conserver.Com
  - http://www.conserver.com/consoles/

Vendor Links
- Cisco Systems
  - The 2600 and 3600 series.
  - Use the NM-32A 32-port modules.
  - Americable sells patch panels.
- Xyplex, iTouch Communications
  - The InReach line is now “Sun-safe”
  - The older Xyplex line is NOT!

Vendor Links, cont’d.
- Cyclades
  - Built-in Linux core
  - TS2000 is a great device!
  - PC multi-port cards available
  - Most products are Sun-safe
- Digi Communications
  - Many devices available
  - PortServer CM is a good tool
  - Many products are now Sun-safe

Vendor Links, cont’d.
- Perle (Perle Systems Ltd.)
  - CS9000 is Sun-safe
  - Cables, status LEDs on same side
    - Good or bad? You decide…
  - Good integration with MS Windows
    - May be useful in a mixed environment
- Lantronix
  - Still a workhorse in the industry

Accessory Vendor Info
- Nu-Data non-BREAK adapters
- PC Weasel in-server cards
- ASP Technology
  - CatWalk interface
  - Power interface for Xyplex, Digi
- DataTran passive signal tracers

Accessory Vendor Info
- Weeder Technologies
  - Serial interfaces for process control
  - Counters, timers, motor control
  - Analog and digital I/O
- Black Box Corporation
- Patton Electronics

Remote Power Control
- American Power Conversion
  - MasterSwitch line
- BayTech
  - RPC product line
- Server Technologies
  - Sentry product line

Americable
- Custom cables and adapters
  - Serial adapter kits for consoles
    - Annex/Bay/Nortel
    - Cisco/Lantronix IOLAN
    - iTouch/Xyplex
- Short power cords
- Fiber and Ethernet gear/cables
- Fast turnaround