In computer networks with distributed networking elements such as routers and switches, the vast majority of the networking elements are not in the same geographic location or easily accessible by the skilled technicians or network administrators typically responsible for normal maintenance of the elements. Not only do these technicians and administrators require regular access to the network elements for maintenance, but they also need timely access to the network elements when problems arise in order to perform trouble shooting and resolving problems. The more quickly a network administrator can access the elements in the network for troubleshooting the shorter the mean-time-to-repair (MTTR) an outage in the network.
In general, it is not practical to require physical access to the network elements for general maintenance or troubleshooting and repair. The costs would be prohibitive, both in time and personal, to require a skilled technician to be dispatched for every required activity on an element. This has driven a strong requirement to provide for remote management of network elements. A number of means have been developed to provide for remote management of the network elements. Remote management of the elements can be provided in-band (the remote administrator communicates with the network element using the network of which the element is a part) or out-of-band (the remote administrator communicates with the network element using a means other than the network of which the network element is a part). Typically, when out-of-band remote management is utilized, the administrator is connecting to a console or management port on the network elements.
However, the security of the network elements is a concern when remote management is allowed. For a network element to be secure, it must first of all be physically secure from attack. Without physical security, it is almost certain an attacker can compromise a network element. If management of the element requires physical access to the element then the security of the management is as strong as the physical security. But, as stated above, in most networks this is not practical. It is important though, to realize that opening up a device to remote management allows a larger window for attackers to utilize in an attack. The use and security of remote management must be carefully considered.
The struggle to find a workable compromise between the utility of remote management of network elements and the need to maintain the security of the network elements can clearly be seen in “The Router Security Configuration Guide” published by the National Security Agency. On page 49 of the guide it is recommended that a terminal (or computer) be a stand-alone device protected from unauthorized access. This goes back to requiring physical access to the network element in order to access the console or management port. On page 47 the guide also states, “Permitting direct dial-in to any vital piece of network infrastructure is potentially very risky . . . ” In-band management methods often depend to one degree or another on the security of the network the element is a part of to protect the management traffic. While this might provide a reasonable level of protection from external attacks (initiated from outside the network), it generally will not provide a sufficient level of protection from an internal attack (initiated from inside a network). To help reduce the vulnerability to internal attack, the “The Router Security Configuration Guide” has recommendation using a dedicated network or at least dedicated network segments for remote network administration of routers. Building out a dedicated network for management would be quite expensive for most networks.
There are definite advantages to having an out-of-band remote management connection to network elements that utilize connectivity that is diverse from the primary network connection. One of the primary purposes of the remote management connection is to assist the remote administrator or technician in troubleshooting network problems. With in-band management, if a network problem has hindered connectivity to a network element, management connectivity to that element could be lost when it is needed the most. An out-of-band management solution is more likely to allow the administrator or technician to still remotely access the network element to troubleshoot and resolve the network problem in a timely manor. Also, the out-of-band management connection providing connectivity to the console or management port of an element might be available for the initial configuration of the device whereas an in-band management connection might not be available for initial configuration. It is also possible that some functions can only be performed using the console or management port of the element. An example of this would be Password Recovery on a Cisco router. While a dedicated and secure out-of-band network would be the most preferable solution for out-of-band management from a security standpoint, the cost of such a solution is generally prohibitive. While some form of public shared network, such as the Public Switched Telephone Network (PSTN) or an Integrated Services Digital Network (ISDN) provides the most cost effective solution for a diverse out-of-band connection, the security of such solutions is a major concern.
The most straightforward means of providing out-of-band connectivity to a network element is to place a modem on the console port of a networking element connecting it to the PSTN. However, any perimeter security for the network such as firewalls and access-lists has just been completely bypassed providing a vulnerable point for intruders to attack. If an attacker knows or can determine the phone number of the modem then the only security is the logon protection on the networking element itself. War dialers will generally find phone numbers connected to modems.
It is important to realize that most protocols used for assisting in the remote management of network elements do not provide for the confidentiality or integrity of the information being transmitted between the remote administrator and the network element or strong authentication of the parties involved. This is especially critical if a public shared network such as the PSTN is utilized for the out-of-band connectivity. For instance, the protocol most frequently utilized for remote login to network elements (Telnet) transmits traffic in the clear (any one who can tap into or sniff the network can capture and understand the traffic). It would not be uncommon for a remote administrator to be transmitting passwords and device configurations over such a connection. If an attacker were able to insert himself in the middle of such a connection, even more attacks would be possible.
Maintenance and troubleshooting of network element problems can often be facilitated by the element having the element maintain an accurate time clock. One way of keeping the clock accurate on an element is to allow the network to set the clock utilizing a protocol such as Network Time Protocol (NTP). If an attacker were able to alter or interfere with NTP, the smooth operation of the network could be interfered with.
Some network elements utilize Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) for managing the network element. HTTP transmits information in the clear and is susceptible to impersonation and data compromise. Often HTTPS is only authenticating the server to the client. For remote management, mutual authentication can be important.
A common difficulty in maintaining the elements of a network is keeping the software on the elements updated with patches that protect them from new exploits by hackers and crackers. One of the functions of firewalls is to protect the elements behind them from the exploits so that it is not as critical to keep protected elements updated. However, this does require the firewalls to be updated regularly to protect the elements from new exploits. Keeping the firewalls updated can be difficult.
An object of the invention is to utilize standard packet filtering firewall methods to restrict access to the management interfaces based on factors such as the source address of the connection request.
Another object of the invention is to use strong authentication to verify the identity of the user and restrict access based on the identity of the user.
Another object of the invention is to use an Access Control Server (ACS) to allow for centralized authentication and authorization of users as well as to log accounting information.
Another object of the invention is to restrict functions and protocols allowed to access the management interfaces to those necessary for remote management of that network element.
Another object of the invention is to dynamically update the rules used for restricting access to the management interfaces.
Another object of the invention is to protect the console port from privilege hijacking.
Another object of the invention is to provide for the confidentiality and integrity of the information transmitted between the remote administrator and the management interfaces.
Another object of the invention is to monitor the management ports and the network connections the SRMA utilizes for proper functioning and alert management software upon failure.
Another object of the invention is to monitor connections for possible attacks and report possible attacks to Intrusion Detection System management software.
Another object of the invention is to build a secure connection to a network providing network services both over an in-band connection and over an out-of-band connection.
Another object of the invention is to access network services such as ACS, DNS, NTP, Network Management Stations, Logging Servers, and Intrusion Detection Systems management stations over either an in-band network connection or an out-of-band network connection (or both) and dynamically switch between which network is being utilized for the service.
Another object of the invention is to allow a remote administrator or technician to access the management interfaces via either an in-band connection or an out-of-band connection (or both).
Yet another object of the invention is to provide auditing information about attempted connections (successful and unsuccessful) to the management interfaces.
Yet another object of the invention is to alert management software on unsuccessful attempt to connect to management interfaces.
Yet another object of the invention is to provide for protocol conversion between the connection from the remote administrator to the SRMA and from the SRMA to the network element over the management interface.
Yet another object of the invention is to protect the management interfaces from HTTP and HTTPS attacks and authenticate an HTTP/S client.
Yet another object of the invention is to be managed through the in-band connection, the out-of-band connection, or the SRMA console port.
A further object of the invention is to be managed using a command line interface or using HTTPS.
A further object of the invention is to be configured to automatically check for updates to the SRMA software or protection database.
A further object of the invention is to provide the end-point for an in-band or out-of-band connection from the SRMA to the network providing network services which connection can be secured using protocols such as IPSec or may be unsecured.
A further object of the invention is to provide the ability to switch the path being utilized for network services, in particular, the SRMA will be able to utilize an in-band connection for network services when available and switch to using an out-of-band connection for network services when it is not available.
A further object of the invention is to provide a proxy firewall for a command line interface (CLI) via an in-band connection or an out-of-band connection from the remote administrator to the SRMA. All connections to the management interface of the managed device must go through the SRMA. This CLI proxy provides user authentication by whatever means are configured (possibly utilizing a centralized authentication server); the ability to restrict certain commands from being executed; command spoofing from the SRMA to the device being managed (as in spoofing a logoff command when the console connection is disconnected); a secure connection from the remote administrator's network to the SRMA utilizing protocols such as IPSec or SSH; and customized features based upon the device being managed.
Finally, it is an object of the present invention to accomplish the foregoing objectives in a simple and cost effective manner.