OBM (Out of Band Management) Overview



Similar documents
Remote Administration

ADM:49 DPS POLICY MANUAL Page 1 of 5

VPN Lesson 2: VPN Implementation. Summary

VPN Overview. The path for wireless VPN users

Netop Remote Control Security Server

Security Policy Revision Date: 23 April 2009

Using BroadSAFE TM Technology 07/18/05

Understanding the Cisco VPN Client

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Cisco Configuring Secure Shell (SSH) on Cisco IOS Router

PCI v2.0 Compliance for Wireless LAN

How To Secure An Rsa Authentication Agent

Electronic Service Agent TM. Network and Transmission Security And Information Privacy

VPN. VPN For BIPAC 741/743GE

Nokia for Business. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

Brazosport College VPN Connection Installation and Setup Instructions. Draft 2 March 24, 2005

Avaya G700 Media Gateway Security - Issue 1.0

Payment Application Data Security Standards Implementation Guide

FileCloud Security FAQ

LogMeIn HIPAA Considerations

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

ipad in Business Security

Linksys WAP300N. User Guide

Remote Access Security

BlackShield ID Agent for Remote Web Workplace

Chapter 1 Configuring Basic Connectivity

CA Performance Center

Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services

CPEi 800/825 Series. User Manual. * Please see the Introduction Section

DCB Ethernet Tunnel Family Configuration Guide

Determine if the expectations/goals/strategies of the firewall have been identified and are sound.

Directed Circuits Meet Today s Security Challenges in Enterprise Remote Monitoring. A White Paper from the Experts in Business-Critical Continuity TM

Configuring a WatchGuard SOHO to SOHO IPSec Tunnel

Chapter 1 Configuring Internet Connectivity

McAfee Firewall Enterprise 8.2.1

How to setup PPTP VPN connection with DI-804HV or DI-808HV using Windows PPTP client

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Experiment # 6 Remote Access Services

Microsoft SQL Server Integration Guide

IIS, FTP Server and Windows

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004

McAfee Firewall Enterprise 8.3.1

RSA SecurID Software Token 1.3 for iphone and ipad Administrator s Guide

AlienVault. Unified Security Management 5.x Configuring a VPN Environment

HughesNet Broadband VPN End-to-End Security Using the Cisco 87x

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room

Phone: Fax: Box: 230

HIPAA. considerations with LogMeIn

QUICKSTART GUIDE FOR CDI CELLULAR STARTER KIT

Scenario: Remote-Access VPN Configuration

SCADA SYSTEMS AND SECURITY WHITEPAPER

Firmware Release Notes

Technical Note. Configuring Outlook Web Access with Secure WebMail Proxy for eprism

Ti m b u k t up ro. Timbuktu Pro Enterprise Security White Paper. Contents. A secure approach to deployment of remote control technology

Edgewater Routers User Guide

Configuring User Identification via Active Directory

Configuring an IPsec VPN to provide ios devices with secure, remote access to the network

Wireless VPN White Paper. WIALAN Technologies, Inc.

Complying with PCI Data Security

Achieving PCI-Compliance through Cyberoam

If you have questions or find errors in the guide, please, contact us under the following address:

Transition Networks White Paper. Network Security. Why Authentication Matters YOUR NETWORK. OUR CONNECTION.

RSA SecurID Software Token 1.0 for Android Administrator s Guide

Millbeck Communications. Secure Remote Access Service. Internet VPN Access to N3. VPN Client Set Up Guide Version 6.0

External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy

Security Configuration Guide P/N Rev A05

VPN. Date: 4/15/2004 By: Heena Patel

Computer Networks. Secure Systems

Ensuring Enterprise Data Security with Secure Mobile File Sharing.

RSA Authentication Manager 7.1 Basic Exercises

Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015

RuggedCom Solutions for

Unisys Internet Remote Support

BlackShield ID Agent for Terminal Services Web and Remote Desktop Web

Configuring Steel-Belted RADIUS Proxy to Send Group Attributes

Virtual Private Networks (VPN) Connectivity and Management Policy

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

NEFSIS DEDICATED SERVER

SECUR IN MIRTH CONNECT. Best Practices and Vulnerabilities of Mirth Connect. Author: Jeff Campbell Technical Consultant, Galen Healthcare Solutions

IP-VPN Architecture and Implementation O. Satty Joshua 13 December Abstract

Smart Telephone System

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

How do I secure and manage an out-of-band connection to network devices?

HIPAA Security Matrix

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

Deploying iphone and ipad Security Overview

DDM Distributed Database Manager for SQL and ODBC. Installation and User Guide Version 5.27.xx

Lesson Plans Managing a Windows 2003 Network Infrastructure

Remote Access VPN Solutions

Security Overview Enterprise-Class Secure Mobile File Sharing

Avaya TM G700 Media Gateway Security. White Paper

GlobalSCAPE DMZ Gateway, v1. User Guide

Department of Supply & Services (CIMS) RSA Web Express User Guide v1.2

Global VPN Client Getting Started Guide

Chapter 3 Connecting the Router to the Internet

Using Rsync for NAS-to-NAS Backups

Transcription:

OBM (Out of Band Management) Overview With the growth of IP, routers deployed into an IP network must not only be accessible by the network operator for maintenance and configuration purposes, but secure according to today s exacting standards. Once the IP address is configured, the router becomes manageable via the IP network. Should at any time, the router become inaccessible due to a network fault, the modem will provide the dial management path to the router. Fig. 1 illustrates how a General DataComm modem is used for the network operator to dial into the router and configure an IP address. modem sends a password prompt to the network operator. The password sent by the network operator will be validated by the modem. With callback security, the network operator s telephone number is stored in the modem. Upon connection, the modem drops the call, retrieves the telephone number and calls the network operator back. Handshake security is proprietary to General DataComm and requires modems at both ends. A password is stored in both modems and embedded into the handshake. The password is validated at both ends and the connection is made. AES encryption requires modems at both ends and uses an encryption key of up to 32 characters stored in both modems to encrypt and decrypt the data. Remotes SCADT SC 2000 Shelf IP Fig. 1 Although traditional OBM solutions provide protection to remote devices, they do not fully comply to the specifications of SAS 70. The specification defines security measures that must be taken to protect data. Audit findings of the traditional OBM solution determine that: There is no proper authentication, authorization and audit trail. A simple password is used to block access to a cluster of remote devices. OBM Modem Security The simple OBM solution shown in Figure 1 supports the following modem security features: With On-line security, a password is stored in the modem and, upon handshake, the The user names, passwords, and stored telephone numbers are widely published and distributed. In order to meet the requirement of SAS 70, General DataComm became part of a joint development effort to develop a security system known as the Secure Access Controller System.

SAC Overview Figure 2 shows a more secure OBM solution using the Secure Access Controller system (SAC). The SAC provides users with secure and authenticated dial access to remote network devices. The solution also provides compliance to SAS 70. Figure 2 illustrates all the hardware components that are required to build a SAC system. Following is a description of each component: The client software is loaded onto the network operator s computer and is used to call the authentication server to obtain a public key. The public key is required to set up a secure tunnel to the Secure Access Modem (SAM) and ultimately establish a communication session to the router. to the and all the users and SAMs dialing in. An SCM card deployed in the shelf allows the network administrator to access and configure the modems through an IP network. SAC Communication Session The SAC system uses a sequence of three secure dial-up calls to establish a successful communication session between the network operator and the router. Central Office Office The modem is upgraded with SAC software and becomes a SAM. The SAM protects the router from unauthorized users. The SAM may also be deployed into a SpectraComm 2000 shelf with a SpectraComm ADT providing the network operator with access to multiple routers. The SAM will also call the authentication server and obtain a private key that is required when the client software sets up a secure tunnel to it. The admin server is the web server interface that allows the network administrator to add SAM configurations and user accounts into the database. Private SCM The authentication server authenticates the users and SAMs calling in by retrieving their information stored in the database. The authentication server also generates the SAM public and private keys required to set-up a secure tunnel between the client software and the SAM. Remotes SAM SCADT SC 2000 Shelf The SpectraComm MS-2 shelf equipped with regular modems deployed at the central site provides the authentication server with an interface Fig. 2

SAC Secure Tunnels The following describes the sequence of events that take place to establish a successful communication session. 1. The SAM supports the remote configuration feature. This feature allows the network administrator to remotely dial into the SAM and configure a SAM ID, SAM PIN, and the primary and secondary telephone numbers of the authentication server. 2. The network administrator then adds the SAM s configuration into the database via the admin server. The admin server supports an Ethernet interface allowing the network administrator to add user and SAM configurations through an IP network. 3. When the SAM is enabled, it will automatically call the authentication server. If authentication is successful, the authentication server will send the SAM a private key and the first call is dropped. 4. The network operator launches the client software and enters a user name, password, and the SAM ID of the SAM that the client will connect to. The network operator instructs the client to call the authentication server and send the information. If authentication is successful, the authentication server sends the client the SAM ID, a public key and the telephone number of the SAM. The second call is then dropped. 5. Using the telephone number it just received, the client automatically calls the SAM and sends the SAM ID. If authentication is successful, the call is maintained and a communication session is established between the network operator and the router through a secure tunnel. At this point the network operator can assign an IP address to the router. Each secure dial-up call uses RSA and AES encryption algorithms for authentication and data transfer. RSA algorithm uses two asymmetric keys: a public key to encrypt the message and an associated private key to decrypt the message. AES uses a symmetric key to encrypt and decrypt the information. Private 1 Fig.3 Fig. 3 shows the first secure dial-up call. The SAM generates a symmetric key that will be used to set up an AES tunnel. Both the symmetric key and the SAM ID are sent to the authentication server through an RSA encrypted tunnel. If the SAM ID is successfully authenticated, an AES tunnel is established and the authentication server sends the SAM a private key.

Fig. 4 shows the second secure dial-up call. The client calls the authentication server and sends a user name, password and the SAM ID that it wants to connect to through an RSA encrypted tunnel. If authentication is successful, the authentication server sends the client the SAM ID, a public key and the SAM s telephone number also through an RSA encrypted tunnel. In this call, all messages between the client and the authentication server are sent through an RSA tunnel only. encrypt the message and the SAM uses the private key also received from the authentication server to decrypt the message. If the SAM ID is successfully authenticated, an AES tunnel is established and all data traffic between the client and the SAM is AES encrypted and decrypted. 3 Fig.5 Private Radius vs SAC 2 Using the Radius Security System, the network operator calls into a modem and sends a user name and password. The user name and password are diverted to the radius server via the SpectraComm Manager Card (SCM). The radius server verifies the user name and password and instructs the SCM to advise the modem to either grant or deny the network operator access to the router. If access is granted, the communication session between the network operator and the router is non secure. (unencrypted) Fig.4 Fig. 5 shows the third and final secure dial-up call. The client also generates a symmetric key that will be used to set up an AES tunnel. The symmetric key and the SAM ID are sent to the SAM through an RSA encrypted tunnel. The client uses the public key received from the authentication server to With the SAC system, the authentication server generates the asymmetric keys required to set up a secure tunnel between the client and the SAM. With the use of these keys, the SAM authenticates the network operator. If access is granted, the communication session between the network operator and the router is secure and encrypted. Fig. 6 illustrates the OBM solution provided by both security systems.

SAC Features and Benefits To summarize the differences, the Radius solution authenticates and provides users with non-secure access to manage devices. (unencrypted) The devices are typically deployed locally to the radius server. The SAC solution authenticates and provides users with secure, encrypted access to managed devices. The devices may be deployed locally or remotely to the authentication server. RADIUS Radius The Secure Access Controller System provides the following features and benefits: The system supports authentication, authorization and accounting. Accounting referring to the database maintaining User and SAM logs. Every call attempt made by the SAM to obtain a private key from the authentication server is recorded with a time stamp that displays the result. As example, the result may indicate success or wrong SAM ID. Every call made by the user to the SAM for authentication is also recorded with a time stamp that displays the result. The result may indicate success or authentication error SAC Fig.6 SCM SAM R/M The system generates private and public keys to set up a secure RSA tunnel between the client software and the SAM. What makes the system very secure is that new keys are issued for each secure tunnel established between the client software and the SAM. The system allows the data traffic between the client software and the SAM to be AES encrypted and decrypted. The system prevents the remote user of having knowledge of the keys or the SAM s telephone number. Only the SAM ID associated to the remote network device is known. The system allows the SAM to be periodically verified through private key requests. Remote modems in service for a long time may at some time become inaccessible due to the power being turned off or the telephone line being pulled out. Therefore, SAM private key requests act as an automatic circuit self test. All specifications subject to change without notice. 2006 General DataComm, Inc. All rights reserved. General DataComm, GDC and the GDC logo are registered trademarks of General DataComm, Inc. Other product names mentioned are for identification purposes only and may be registered trademarks of their respective owners. 0171_SCSAM_AB06.pdf

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information