Specifications

© 2002, David K. Z. Harris
Advanced Architectures (#5)
- Addressing Security Concerns
  - Add a management network
  - Put Network Management Station on this network
  - Put Console Server and clients there
[Diagram: hosts H 1-4, LAN, MGMT network, TS A, CS 1, NMS, R 1, CC; links labelled serial, session, logging]

If you are concerned about someone sniffing the client-to-server connections,
or the logging streams, then you probably already have a control/management
network in place, where your monitoring and control activities take place.

If you are concerned about someone sniffing your console port sessions, and
you don’t have a dedicated management network, you may be able to
implement one easily with a small, robust router, and another Ethernet switch.
You need to decide which host(s) can pass traffic through that router…

In this model, the console server (CS), and the client(s) all live on the
management network along with the terminal server(s), so that the client
sessions, and the logging activity, all happen on the management network.

A good practice is to ensure that your management network is connected using
switches, rather than hubs…

Few console servers use SSL or SSH for the client-to-server connections, so
these sessions travel in clear text. For this reason, if you are located outside of
the management (or security) perimeter, you should consider making an SSH
connection to a client host that is on the management net, and then making the
client connection from there.
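
The policy described above (only chosen hosts pass the router, and only SSH to a client host on the management net crosses the perimeter) can be checked against flow records. The sketch below is an added example, not part of the original slides; every address, the console-server port number, and all names are constructed assumptions.

```python
import ipaddress

# All values are constructed for illustration (assumptions, not from the slides).
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")          # management network
CLIENT_HOSTS = {ipaddress.ip_address("10.99.0.10")}      # client host(s) on the mgmt net
ALLOWED_OUTSIDE = {ipaddress.ip_address("192.0.2.25")}   # hosts allowed through the router
SSH_PORT = 22
CONSOLE_PORT = 7782  # hypothetical clear-text console-server port

# Constructed flow records: (source, destination, destination port)
FLOWS = [
    ("192.0.2.25", "10.99.0.10", 22),    # outside admin -> SSH to client host
    ("10.99.0.10", "10.99.0.20", 7782),  # client host -> console server, stays inside
    ("192.0.2.25", "10.99.0.20", 7782),  # clear-text console session crossing the router
    ("192.0.2.77", "10.99.0.10", 22),    # SSH from a host not on the router allowlist
    ("192.0.2.25", "198.51.100.5", 443), # unrelated traffic, not headed for the mgmt net
]

def classify(src, dst, port):
    """Return a verdict for one flow under the management-network policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d not in MGMT_NET:
        return "ignore"                  # not destined for the management network
    if s in MGMT_NET:
        return "ok-internal"             # never leaves the management network
    if s not in ALLOWED_OUTSIDE:
        return "deny-source"             # router should not pass this host at all
    if port == SSH_PORT and d in CLIENT_HOSTS:
        return "ok-ssh-hop"              # encrypted hop to a client host
    if port == CONSOLE_PORT:
        return "deny-cleartext-console"  # console session exposed outside the perimeter
    return "deny-other"                  # only SSH to a client host may cross

def audit(flows):
    """Return only the flows that violate the policy, with their verdicts."""
    results = [(f, classify(*f)) for f in flows]
    return [(f, v) for f, v in results if v.startswith("deny")]

if __name__ == "__main__":
    for flow, verdict in audit(FLOWS):
        print(flow, verdict)
```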