#1 jude56g (Senior Member, Providence, RI)

Out Of Band management network

    Hi All,

    I have been tasked with implementing an access policy for Out Of Band management to our network devices in the event of a critical emergency.

The idea is that engineers will be connecting to a central console server over the public Internet using an always-on DSL connection. My question is: how are others implementing this type of access while not exposing the network unnecessarily?

The idea at present is to have a jump box connected to the Internet with a 2nd interface connecting to the OOB LAN (stick figure below). Aside from protecting both of these devices (server & OOB) with usernames and passwords, what other methods would be worth investigating? I was thinking 802.1x may be an option, but I have not found any precedent of using that technology to authenticate devices/users coming in from the Internet as opposed to the LAN. Unfortunately 2FA is not an option because the RADIUS/TACACS server may become unreachable if the scope of the outage is large enough...

    [DSL]---[JumpBox]---[OOB Switch]---[Router/Switch console]

    Any ideas would be greatly appreciated!
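The two-interface jump box sketched in the first post lives or dies on what the box itself will and will not do once it is on the Internet. The script below is an added example (not from this thread or any poster) of the controls I would stage for that box: SSH keys only, a short list of local accounts so the box still works when RADIUS/TACACS is unreachable, no SSH port forwarding or tunnelling, and a firewall whose forward chain drops everything so the box never routes Internet traffic onto the OOB LAN. Interface names (`eth0`/`eth1`), the OOB subnet (`10.255.0.0/24`) and the user names are hypothetical; the functions write files under a staging directory so the result can be reviewed or tested before being copied onto the real host.

```shell
#!/bin/sh
# Added example, not from the thread: host hardening for the two-NIC jump box
# ([DSL]---[JumpBox]---[OOB Switch]). Interface names, the OOB subnet and the
# user list are assumptions for illustration. Files are written under a
# staging directory ($1) so they can be reviewed before going to / on the box.
set -eu

WAN_IF="${WAN_IF:-eth0}"                     # hypothetical: DSL-facing interface
OOB_IF="${OOB_IF:-eth1}"                     # hypothetical: OOB LAN interface
OOB_NET="${OOB_NET:-10.255.0.0/24}"          # constructed OOB subnet
OOB_USERS="${OOB_USERS:-oob-alice oob-bob}"  # local accounts: no RADIUS/TACACS dependency

# sshd drop-in: public keys only, named local users only, no forwarding or
# tunnelling, so a shared or stolen account cannot turn the box into a generic
# relay onto the OOB LAN; verbose logging records which key was used.
write_sshd_dropin() {
    dir="$1"
    mkdir -p "$dir/etc/ssh/sshd_config.d"
    cat > "$dir/etc/ssh/sshd_config.d/10-oob-jump.conf" <<EOF
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers $OOB_USERS
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
MaxAuthTries 3
LoginGraceTime 20
LogLevel VERBOSE
EOF
}

# nftables: only new SSH from the DSL side is accepted (rate limited, excess
# logged); the forward chain drops everything, so the jump box never routes
# between the Internet and the OOB LAN. Engineers reach the console server
# from a shell on the box, which is the only path the design intends.
write_nft_ruleset() {
    dir="$1"
    mkdir -p "$dir/etc"
    cat > "$dir/etc/nftables.conf" <<EOF
flush ruleset
table inet oob_jump {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        iifname "$WAN_IF" tcp dport 22 ct state new limit rate 6/minute accept
        iifname "$WAN_IF" tcp dport 22 ct state new log prefix "oob-ssh-limit " drop
        iifname "$OOB_IF" ip saddr $OOB_NET icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
    # belt and braces: kernel forwarding off as well as the nft policy
    mkdir -p "$dir/etc/sysctl.d"
    printf 'net.ipv4.ip_forward = 0\nnet.ipv6.conf.all.forwarding = 0\n' \
        > "$dir/etc/sysctl.d/90-oob-jump.conf"
}

# Sanity check of the staged files: returns 0 only if the controls that matter
# for Internet exposure are all present. Run before every (re)deployment.
check_jump_config() {
    dir="$1"
    ssh_conf="$dir/etc/ssh/sshd_config.d/10-oob-jump.conf"
    nft_conf="$dir/etc/nftables.conf"
    for want in 'PasswordAuthentication no' 'PermitRootLogin no' \
                'AllowTcpForwarding no' 'PermitTunnel no'; do
        grep -qx "$want" "$ssh_conf" || { echo "missing: $want" >&2; return 1; }
    done
    grep -q 'hook forward priority 0; policy drop;' "$nft_conf" \
        || { echo "forward chain must default to drop" >&2; return 1; }
    grep -q 'ip_forward = 0' "$dir/etc/sysctl.d/90-oob-jump.conf" \
        || { echo "ip_forward must be 0" >&2; return 1; }
    return 0
}

# Usage: sh oob-jump.sh /tmp/oob-staging   (writes the three files, then checks them)
if [ -n "${1:-}" ]; then
    write_sshd_dropin "$1"
    write_nft_ruleset "$1"
    check_jump_config "$1" && echo "jump box config staged under $1"
fi
```

The check function is the part worth keeping in a deploy pipeline: the failure mode for this design is not a missing feature but a quiet regression (someone turns forwarding back on to "make it easier"), and a grep over the staged config catches that before the box is re-exposed.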

#2 networker050184 (Moderator)
Why not just throw a remote access VPN in there?

#3 Member (Las Vegas, NV)
Depending on the client and budget, I use a small ASA5505 and just SSL VPN in, or you can go with a Linux software firewall on a small appliance with a separate ISP / Internet circuit.

#4 Senior Member (DMV)
No jump box. That is a pain in the ass and I wish people would not use them; often during certain outages the jump box is down as well. Like nerdinhiding said above, buying an ASA 5505 and using a VPN from that box is your best bet. You can set up local accounts on the box so users don't have to worry about TACACS or RADIUS.

#5 Hondabuff (Network Engineer, USA)
Digi WAN3G modem/router with a console cable plugged into the edge router's console port. Faster than DSL, and it is on a Verizon private network that can only be reached from our LAN address.