Xceedium Xio Framework: Securing Remote Out-of-band Access


Common Scenario

A major corporation, with many domestic and international offices, has a massive network infrastructure that spans many regions, such as America, Europe, and Asia/Pacific. For each of its numerous server rooms, redundant data centers, disaster recovery sites, and some co-location facilities found throughout the world, the company has, over time, deployed 100s of terminal server devices (a conservative estimate) to enable out-of-band access for administration and maintenance purposes. The terminal servers are for their network and telecommunication equipment, as well as many UNIX servers. For their Intel-based server environment, numerous KVM switches have also been deployed to allow access to multiple servers by the sharing of keyboard, video, and mouse (KVM).

Typically, a terminal server (sometimes also known as a console device) has a network interface and several serial ports. Each serial port is for connecting to the console port commonly found on network and UNIX-based devices. The console port on each device is intended to allow access to the device without relying on the network interface on the device. For Intel servers connected to a KVM switch, the system administrator is physically working in front of the KVM. These are two common methods of out-of-band console access.

Securing Terminal Server Access

Network engineers and UNIX administrators traditionally access via the out-of-band method by establishing a Telnet session from a desktop to the particular terminal server that has a serial connection to the console port on the backend device. Figure 1 illustrates a typical out-of-band configuration.

Figure 1: Standard Out-of-Band Implementation

Xceedium Xio Framework: Securing Remote Out-of-band Access
Copyright 2002, Xceedium Inc. All Rights Reserved

Known Issues

As shown in Figure 1, this type of setup has several known security concerns and limitations:

1. The Telnet session over the network, which is a clear text stream, can be easily snooped by anyone on the network with minimal effort. Information such as the login account and password entered during the session can be discovered over the wire. This issue is particularly significant to the security infrastructure, where network and firewall devices have to be guarded against both external and internal users.
2. The terminal server devices are generally connected to the corporate backbone, which can be accessed by anyone on the network. One major issue concerning unauthorized access is that most legacy terminal server devices do not support per-port authentication. This means that if the IP address of a terminal server is known, then someone on the network can attempt to access the back-end devices connected to the terminal server by issuing the following command: “telnet ip-of-terminal-server port”, where port is a number associated with the serial port number on the terminal server. In some cases, when the console of the back-end device is open, the unauthorized person can gain access to the device with the highest level of access rights.
3. Telnet is generally blocked by the corporate firewall, so off-site engineers are not allowed to gain access to the terminal servers over the Internet. Remote access into the private network by off-site engineers must rely on either a VPN or a dial-in facility.
4. Auditing of all out-of-band access sessions from anywhere to anywhere by anyone is an impossible task.

Solutions Proven Ineffective

To address these age-old issues, a new breed of terminal server device has emerged from various vendors. The new “generation” terminal server is basically a legacy terminal server with Telnet being replaced by the Secure Shell (SSH) or another form of built-in encrypted access. This new capability protects the transmission over the network by encrypting the session between the authorized user and the connected terminal server.

Figure 2: Replacing Legacy with New SSH-enabled Terminal Servers

Note:
1. Encrypted session prevents snooping.
2. SSH-enabled terminal server devices can still be reachable by anyone on the network.
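The per-port exposure in issue 2 under Known Issues (a Telnet to the terminal server's port number reaches a backend console directly, with no authentication) is also something a defender can watch for in flow or firewall logs. The following is an added example, not part of the original paper or any Xceedium product: it parses constructed flow records and flags connections to terminal-server serial or management ports that did not originate from the designated gateway address. The terminal-server inventory, the TCP 2001-2032 serial-port mapping, the gateway address and the log format are all assumptions.

```python
# Added example (not Xceedium code): flag direct Telnet/SSH connections to
# legacy terminal-server ports that bypass the out-of-band gateway.
# Assumptions (constructed): log lines "<ts> <src> -> <dst>:<port> <proto>",
# terminal servers at the listed addresses, serial ports exposed as TCP
# 2001-2032 (a common legacy convention, assumed here), one gateway address.
import re

TERMINAL_SERVERS = {"10.20.0.11", "10.20.0.12"}  # assumed inventory
SERIAL_PORT_RANGE = range(2001, 2033)           # assumed per-port TCP mapping
ALLOWED_SOURCES = {"10.20.0.1"}                 # assumed gateway (choke point)
CONSOLE_SERVICES = {23, 22}                     # Telnet / SSH management ports
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")

def parse_flow(line):
    """Return (ts, src, dst, dport) for a well-formed TCP line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group(5).upper() != "TCP":
        return None
    ts, src, dst, dport, _ = m.groups()
    return ts, src, dst, int(dport)

def classify(flow):
    """Label a flow to a terminal server; None if not security relevant."""
    ts, src, dst, dport = flow
    if dst not in TERMINAL_SERVERS:
        return None
    if dport in SERIAL_PORT_RANGE:
        kind = "direct-serial-port"    # per-port access with no authentication
    elif dport in CONSOLE_SERVICES:
        kind = "management-login"
    else:
        return None
    verdict = "allowed" if src in ALLOWED_SOURCES else "BYPASS"
    return {"ts": ts, "src": src, "dst": dst, "port": dport,
            "kind": kind, "verdict": verdict}

def find_bypasses(lines):
    """Flows reaching terminal servers from anywhere but the gateway."""
    records = (classify(f) for f in map(parse_flow, lines) if f)
    return [r for r in records if r and r["verdict"] == "BYPASS"]

# Constructed sample log: one gateway-brokered session, two direct attempts,
# one unrelated web flow, one malformed line.
SAMPLE_LOG = """\
2002-05-01T09:00:01 10.20.0.1 -> 10.20.0.11:2003 TCP
2002-05-01T09:00:07 10.50.3.77 -> 10.20.0.11:2003 TCP
2002-05-01T09:01:15 10.50.3.77 -> 10.20.0.12:23 TCP
2002-05-01T09:02:00 10.50.3.78 -> 10.99.9.9:80 TCP
bad line""".splitlines()
```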

As illustrated in Figure 2, the encrypted connection between the authorized user and the new terminal server device is protected. Therefore, the security vulnerability associated with network snooping is resolved. However, because the new terminal servers are still connected to the corporate network, unauthorized access attempts can still occur simply by using an SSH client installed on a workstation residing somewhere on the network.

One major issue pertaining to this solution is cost. In order to adopt this type of solution, the company has to purchase 100s of the new generation terminal servers, which can cost as much as 3000 for each unit. Furthermore, the previous investment in the existing 100s of legacy terminal servers is immediately lost. As such, this solution becomes economically ineffective.

Another potential issue is the amount of manual labor required to perform the terminal server replacements. As each terminal server generally connects to at least 8 backend devices, rewiring and reconfiguring 100s of new devices may necessitate a dedicated effort as well as possible service outages due to hardware downtime.

Other issues exist with this solution, such as:
- No centralized access management for all out-of-band access.
- Cannot easily establish policy-based access control to differentiate authorized users.
- Limited expandability to include non-serial out-of-band access methods, such as KVM-over-IP and remote power control.
- Lack of integrated access control to incorporate other methods of access.

Due to the high costs and labor intensiveness of this solution, very few companies have adopted it today.

Xio UAG Enhances Legacy Terminal Servers

Xceedium’s Xio UAG can be easily applied in this scenario to completely eliminate the need to replace the existing terminal servers. Furthermore, the resulting benefit can be extended beyond securing console access for network devices and various UNIX servers. Figure 3 illustrates the simplicity of utilizing the Xio UAG as a gateway for controlling access, and the flexibility it offers for future extension of control.

Figure 3: Xio UAG secures and web-enables all existing terminal servers with centralized control

In Figure 3, the Xio UAG can be set up to use its 1st network interface to connect to the corporate network, and the 2nd network interface is used to create a dedicated out-of-band network segment where all terminal servers are attached. This isolated network cannot be accessed by anyone without going through the Xio UAG, and only authorized users can access the Xio UAG.

This method of implementation offers a number of benefits:

1. No need to replace the 100s of legacy terminal servers. This eliminates the high cost of purchasing new terminal servers with built-in encryption. This also eliminates the need to rewire cables between the terminal servers and the backend devices.
2. Each authorized user for out-of-band access is registered with the Xio UAG. Xio UAG’s user profiling enables the company to establish policy-based control for all serial out-of-band access.
3. All terminal servers, backend devices, user profiles, and access policies are centrally managed.
4. Authorized sessions are protected by 128-bit encryption between the user and the Xio UAG. Snooping is effectively eliminated.
5. Xio UAG supports RADIUS, so token security can be used to enhance access control for mission-critical computing environments, internally.

Xio UAG Enhances Legacy KVM Switches

Leveraging the Xio UAG, along with the dedicated out-of-band network created for complete control of remote out-of-band access for terminal servers, the company can now effortlessly extend its access control to include remote KVM console access for all the Intel servers. Working in conjunction with one of Xceedium’s add-on options, a KVM-over-IP module, the company’s legacy KVM switches can be accessed over the network. Figure 4 illustrates how KVM out-of-band access can be incorporated into the Xio framework.

Figure 4: Extending Xio UAG to centrally manage all remote out-of-band access

Each KVM-over-IP module supports one legacy KVM switch, which may be shared by 8, 16, 24, 32 or more Intel servers (depending on the capability of the existing legacy KVM switch). This module takes advantage of the central access management framework provided by the Xio UAG already deployed. The following benefits are immediately attainable with such a simple extension of the Xio UAG’s capability:

1. The KVM console can be accessed remotely using a browser. There is no more distance restriction.
2. The KVM console sessions are immediately protected by the Xio UAG’s security framework: policy-based access, central management, user profiling, encrypted data transmission, and session auditing.
3. A local KVM port is available on the module for connecting a monitor, keyboard, and mouse.
4. KVM access becomes an integral part of the company’s new secure out-of-band infrastructure.

Xio UAG Controlling Remote Power Access

Additional add-on power control options can further the company’s centralized management of remote access security. Figure 5 illustrates the ease of incorporating remote power control into the existing Xio framework.

Figure 5: Extending Xio UAG to centrally manage all remote power control

There are a variety of add-on power modules available to meet different setup requirements. The Xio UAG supports Xceedium-brand power modules as well as some 3rd-party network-enabled power management products. Remote power control access is managed by the same security policy defined in the Xio UAG.

The Complete Xio Secure Out-of-Band Access Framework

With the Xio framework in place for LAN-based remote out-of-band access, centralized management can accommodate all external use. By utilizing the 3rd network interface on the Xio UAG, the company can safely extend its secure out-of-band access framework to facilitate many remote applications. Figure 6 illustrates the complete Xio framework for all remote out-of-band access and power management.

Incoming sessions, originating from either the Internet or an Extranet, from authorized users (such as vendor support engineers or mobile IT resources) are secured without requiring a VPN setup or a dedicated dial-in facility. The Xio UAG supports RADIUS for token security and also provides for multi-level authentication. Combining user profiling and policy-based access control, authenticated remote users can only access specific IT devices via the specific allowed access methods defined in the profile. This type of remote access provisioning is more suitable for non-trusted users than a VPN solution.

WAN applications include remote IT administration and troubleshooting. Xio UAG enables engineers to respond to remote IT issues in real time, thereby eliminating travel time and associated expenses. Co-located IT facilities can be fully accessed for remote IT administration by the company’s in-house engineers. This eliminates the dependency on the providers’ potentially limited technical capability.

Beyond the Out-of-Band Access

While this documentation introduces the Xio framework specific to seizing full control of all remote out-of-band access, the Xio UAG can fully support virtually all known in-band access methods such as graphical sessions in X, Windows, and Mac; and text-based sessions by Telnet, SSH, and 3270. Informational documents are available for implementing the Xio framework solution for all in-band and out-of-band access management. Please check our website for additional detail: http://www.xceedium.com.

Figure 6: The Complete Xio Secure Out-of-Band Access Framework Implementation
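The profile-based, deny-by-default decision described under The Complete Xio Secure Out-of-Band Access Framework (a user may reach only specific devices via specific allowed methods, with token security on sessions arriving from outside) is sketched below as an added example. It is not Xceedium code and does not represent the Xio UAG's actual policy engine; the method names "serial", "kvm" and "power", the profiles, device names and the in-memory audit list are all constructed for the example.

```python
# Added example (not Xceedium code): a minimal model of the deny-by-default,
# profile-based decision a choke-point gateway makes before brokering a session.
# Assumptions: "serial", "kvm" and "power" name the three out-of-band methods
# the paper covers; token_verified stands in for RADIUS token security, which
# this model requires for sessions arriving on the external (3rd) interface.
from dataclasses import dataclass, field

@dataclass
class Profile:
    user: str
    grants: dict = field(default_factory=dict)  # device -> set of methods
    token_verified: bool = False

@dataclass
class Request:
    user: str
    device: str
    method: str
    origin: str  # "lan" or "external"

AUDIT = []  # constructed in-memory stand-in for the central session log

def decide(profile, req):
    """Return (allowed, reason); deny unless the profile explicitly grants."""
    if profile.user != req.user:
        allowed, reason = False, "profile/user mismatch"
    elif req.origin == "external" and not profile.token_verified:
        allowed, reason = False, "external session requires token"
    elif req.method not in profile.grants.get(req.device, set()):
        allowed, reason = False, "no grant for method on device"
    else:
        allowed, reason = True, "granted by profile"
    AUDIT.append({"user": req.user, "device": req.device, "method": req.method,
                  "origin": req.origin, "allowed": allowed, "reason": reason})
    return allowed, reason

def denied_by_user():
    """Audit roll-up: denied attempts per user across all brokered requests."""
    counts = {}
    for rec in AUDIT:
        if not rec["allowed"]:
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts

# Constructed profiles: a vendor engineer limited to one router console, and
# an in-house admin with KVM and power on a server but no token enrolled.
VENDOR = Profile("vendor-eng", {"core-rtr-1": {"serial"}}, token_verified=True)
ADMIN = Profile("unix-admin", {"db-srv-7": {"kvm", "power"}, "core-rtr-1": {"serial"}})

def demo():
    return [decide(VENDOR, Request("vendor-eng", "core-rtr-1", "serial", "external")),
            decide(VENDOR, Request("vendor-eng", "core-rtr-1", "power", "external")),
            decide(ADMIN, Request("unix-admin", "db-srv-7", "power", "lan")),
            decide(ADMIN, Request("unix-admin", "db-srv-7", "power", "external"))]
```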

APPENDIX A: Practical “choke point” Application for SAN environment

A typical SAN infrastructure can be secured by creating an access choke point to enforce security and manage access control. The following simplified diagram illustrates the vulnerability within the SAN infrastructure and how it can be addressed using the Xio framework.

Figure 7: Securing administrative access to all SAN components

APPENDIX B: Practical “choke point” Application for Enterprise Access Control

An enterprise implementation of the Xio framework would require the Management Console (MC) unit to centrally manage users, devices, and access policies. Additionally, the MC provides a central repository for logs from all managed Xio UAG devices. The MC offers enterprises the ability to deploy n-active Xio UAG devices without the limitation generally found in active-passive pair configuration architectures.

Figure 8: Securing administrative access to all SAN components
