Specifications
© 2002, David K. Z. Harris
Terminal Servers and Security
- Some vendors have added SSL and SSH to their devices
  - How will you manage accounts across many boxes?
  - Can they authenticate against an existing server?
  - What happens if they can’t reach the authentication server?
  - Do you have assorted hardware?
- Security is still new here...

SSH has become a vital checkbox for many vendors to add to their terminal
servers and other network devices, but interoperability is still far from good.
You can get some single-vendor solutions running if you need them today, but
you may not be able to integrate them later with other gear that you’ll want or
need. It’s also not clear whether Console Server hardware SSH V2
implementations are vulnerable to the issues reported in security bulletins,
since most vendors will not disclose where they get their SSH V2 source code.

Ask your vendor how to manage multiple accounts across multiple terminal
servers. What happens when a user changes their password on one
device? How does the change propagate to the other devices?

If you authenticate against a central authentication server (à la Cisco
TACACS+, or RADIUS), what happens to user authentication if the
authentication server cannot be reached? (This is an issue for terminal servers
in remote offices if the WAN should fail. Do you want to install and maintain
multiple authentication servers in various offices? Can that management be
automated?)

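
One way to answer the "can't reach the authentication server" question on a Cisco IOS based terminal server, shown as an added example that is not from the original slides. The server address (a documentation address), the shared key, and the account name `breakglass` are placeholders chosen for illustration.

```cisco
! Added example; address, key and account name are placeholders.
aaa new-model
!
tacacs-server host 192.0.2.10
tacacs-server timeout 5
tacacs-server key <shared-secret>
!
! Break-glass account stored on the box itself. It has to be set and
! rotated on every terminal server, so keep it to one tightly held account.
username breakglass secret <long-unique-passphrase>
!
! Weak: no fallback method. If the WAN link to the TACACS+ server fails,
! nobody can log in to this terminal server over the network.
! aaa authentication login default group tacacs+
!
! Weak: "none" as the last method. If the server is unreachable,
! logins are accepted without any authentication.
! aaa authentication login default group tacacs+ none
!
! Preferred: ask TACACS+ first, use the local database only when the
! server does not answer.
aaa authentication login default group tacacs+ local
!
line vty 0 4
 login authentication default
```

The `local` method is consulted only when the TACACS+ server returns an error or does not respond; a login that the server rejects is not retried against the local database.
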
You will have more flexibility if you can implement a management network
to provide the level of security you need for physical access to the logging
and client session data streams. This may still be the most practical way to
secure access to your sensitive consoles and data.

If you feel you need to add SSH today, you may be limiting your options. Of
course, this will change over time, as customers push vendors to address the
interoperability issues.