Out Of Band management network
jude56g
Hi All,
I have been tasked with implementing an access policy for Out Of Band management to our network devices in the event of a critical emergency.
The idea is that engineers will be connecting to a central console server over the public Internet using an always on DSL connection. My question is how are others implementing this type of access while not exposing the network unnecessarily?
The idea at present is to have a jump box connected to the Internet with a 2nd interface connecting to the OOB LAN (stick figure below). Aside from protecting both of these devices (server & OOB) with usernames and passwords, what other methods would be worth investigating? I was thinking 802.1x may be an option, but I have not found any precedent of using that technology to authenticate devices/users coming in from the Internet as opposed to the LAN. Unfortunately 2FA is not an option because the RADIUS/TACACS server may become unreachable if the scope of the outage is large enough...
[DSL]---[JumpBox]---[OOB Switch]---[Router/Switch console]
Any ideas would be greatly appreciated!
Comments
networker050184
Why not just throw a remote access VPN in there?
nerdinhiding
Depending on the client and budget, I use a small ASA5505 and just SSL VPN in or you can go with a Linux software firewall on a small appliance with a separate ISP / Internet Circuit.
shodown
No jump box; that is a pain in the ass and I wish people would not use them. Oftentimes during certain outages the jump box is down as well. Like nerdinhiding said above, buying an ASA 5505 and using a VPN from that box is your best bet. You can set up local accounts on the box so users don't have to worry about TACACS or RADIUS.
Hondabuff
Digi WAN3G Modem/Router with a console cable plugged into the edge router's console port. Faster than DSL and is on a Verizon private network that can only be reached from our LAN address.