North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Proper authentication model

  • From: Steve Gibbard
  • Date: Wed Jan 12 17:36:44 2005

On Wed, 12 Jan 2005, Hannigan, Martin wrote:

> Out of band management isn't telnetting from your desktop to
> the serial port.
>
> Mgmt and surveillance is the Bellcore standard for out of band.
> It means your M/S is not riding your customer or public networks, and
> it's physically seperate. Yes, this is the cadillac method, but the
> only way to support five nines IMHO.
>
> If you have 3 sites and they're interconnected via an OC3
> and the internet, you would also have 2 frame or ppp circuits
> seperately connecting the terminal server network. You'd do the
> different path, different provider, etc. on these circuits.

Recently I've been doing this by tunneling over ADSL circuits from the
local telco.  At around $60 per month per location with static IP
addresses it's cheap.  Since the tunnels go between two ADSL lines,
they're limited to circuits' 128Kb/s upload speeds, but that's generally
ok for management traffic.

I've also been connecting bastion hosts to the DSL lines.  This way, all
that's required to get into the OOB network is Internet connectivity
through some other network, rather than having to hunt around for a POTS
phone line to plug a modem into in an emergency.

Obviously, if you are the local telco this isn't really out of band, but
works well for others who aren't sharing the local telco's infrastructure.

Is it as secure as having your own diverse-path management network of
private point to point circuits?  Probably not, but with sufficient
firewalling and encryption on the tunnels, it's good enough, and cheap
enough that it's possible to talk ISP owners into paying for it.

-Steve