Out Of Band management network
jude56g
Member Posts: 107 ■■■□□□□□□□
Hi All,
I have been tasked with implementing an access policy for Out Of Band management to our network devices in the event of a critical emergency.
The idea is that engineers will be connecting to a central console server over the public Internet using an always-on DSL connection. My question is: how are others implementing this type of access while not exposing the network unnecessarily?
The idea at present is to have a jump box connected to the Internet with a 2nd interface connecting to the OOB LAN (stick figure below). Aside from protecting both of these devices (server & OOB) with usernames and passwords, what other methods would be worth investigating? I was thinking 802.1X may be an option, but I have not found any precedent of using that technology to authenticate devices/users coming in from the Internet as opposed to the LAN. Unfortunately 2FA is not an option because the RADIUS/TACACS server may become unreachable if the scope of the outage is large enough...
[DSL]---[JumpBox]---[OOB Switch]---[Router/Switch console]
Any ideas would be greatly appreciated!
Comments
-
networker050184 Mod Posts: 11,962 Mod
Why not just throw a remote access VPN in there?
An expert is a man who has made all the mistakes which can be made.
-
nerdinhiding Member Posts: 61 ■■□□□□□□□□
Depending on the client and budget, I use a small ASA 5505 and just SSL VPN in, or you can go with a Linux software firewall on a small appliance with a separate ISP / Internet circuit.
-
shodown Member Posts: 2,271
No jump box. That is a pain in the ass and I wish people would not use them; often times during certain outages the jump box is down as well. Like nerdinhiding said above, buying an ASA 5505 and using a VPN from that box is your best bet. You can set up local accounts on the box so users don't have to worry about TACACS or RADIUS.
Currently Reading: CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
-
Hondabuff Member Posts: 667 ■■■□□□□□□□
Digi WAN3G Modem/Router with a console cable plugged into the edge router's console port. Faster than DSL, and it is on a Verizon private network that can only be reached from our LAN address.
“The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
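The remote-access VPN with local-account fallback that nerdinhiding and shodown recommend, as an added configuration example that is not from any poster in this thread: an ASA 5505 terminating an SSL VPN on the DSL side of the OOB LAN, with TACACS+ tried first and LOCAL accounts taking over when that server is unreachable. ASA 8.4-era syntax is assumed; all addresses use documentation ranges, and the hostnames, group names, package name and secrets are placeholders.

```cisco
! Added example: ASA 5505 in front of the OOB LAN (not from the thread).
! Addresses are documentation ranges; names and secrets are placeholders.
hostname oob-asa
!
! DSL-facing side
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! OOB console-server LAN
interface Vlan1
 nameif oob
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
! TACACS+ first, LOCAL when it cannot be reached: this removes the
! dependency on the AAA server during a large outage.
aaa-server OOB-TACACS protocol tacacs+
aaa-server OOB-TACACS (oob) host 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
aaa authentication ssh console OOB-TACACS LOCAL
aaa authentication enable console OOB-TACACS LOCAL
!
! One local emergency account per engineer rather than a shared login
username oob-eng1 password REPLACE-WITH-PASSWORD privilege 15
!
! Manage the ASA itself only from the OOB side, never from the DSL side
ssh 192.0.2.0 255.255.255.0 oob
ssh version 2
!
! VPN clients get a separate pool and may reach only the OOB LAN
ip local pool OOB-VPN-POOL 198.51.100.10-198.51.100.30 mask 255.255.255.0
access-list OOB-NETS standard permit 192.0.2.0 255.255.255.0
!
webvpn
 enable outside
 anyconnect image disk0:/REPLACE-WITH-ANYCONNECT-PKG 1
 anyconnect enable
!
group-policy OOB-GP internal
group-policy OOB-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OOB-NETS
!
tunnel-group OOB-RA type remote-access
tunnel-group OOB-RA general-attributes
 address-pool OOB-VPN-POOL
 authentication-server-group OOB-TACACS LOCAL
 default-group-policy OOB-GP
```

The LOCAL keyword on both the `aaa authentication` lines and the tunnel-group is what lets engineers in when TACACS+ is down, so the local account list needs the same joiner/leaver discipline as the central directory.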