In distributed computer networks the vast majority of the networking elements are not in the same geographic location or easily accessible by the skilled technicians or network administrators typically responsible for normal maintenance of the elements. Not only do these technicians and administrators require regular access to the network elements for maintenance, but they also need timely access to the network elements when problems arise in order to perform trouble shooting and resolving problems. The more quickly a network administrator can access the elements in the network for troubleshooting the shorter the mean-time-to-repair (MTTR) an outage in the network.
In general, it is not practical to require physical access to the systems for general maintenance or troubleshooting and repair. The costs would be prohibitive, both in time and personal, to require a skilled technician to be dispatched for every required activity on a system. This has driven a strong requirement to provide for remote management of network elements and servers. A number of means have been developed to provide for remote management of these systems. Remote management of the elements can be provided in-band (the remote administrator communicates with the system using the same network as the user data for the managed system) or out-of-band (the remote administrator communicates with the system using a means other than the network utilized by the user data of the managed system). Typically, when out-of-band remote management is utilized, the administrator is connecting to a console or management port on the system.
However, the security of the network elements and servers is a concern when remote management is allowed. For a system to be secure, it must first of all be physically secure from attack. Without physical security, it is almost certain an attacker can compromise a system. If management of the system requires physical access to the system then the security of the management is as strong as the physical security. But, as stated above, in most networks this is not practical. It is important, though, to realize that opening up a device to remote management allows a larger window for attackers to utilize in an attack. The use and security of remote management must be carefully considered.
The struggle to find a workable compromise between the utility of remote management of devices and the need to maintain the security of the devices can clearly be seen in “The Router Security Configuration Guide” published by the National Security Agency. On page 49 of the guide it is recommended that a terminal (or computer) be a stand-alone device protected from unauthorized access. This goes back to requiring physical access to the network element in order to access the console or management port. On page 47 the guide also states, “Permitting direct dial-in to any vital piece of network infrastructure is potentially very risky . . . ” In-band management methods often depend to one degree or another on the security of the network the element is a part of to protect the management traffic. While this MIGHT provide a reasonable level of protection from external attacks (initiated from outside the network), it generally will not provide a sufficient level of protection from an internal attack (initiated from inside a network). To help reduce the vulnerability to internal attack, the “The Router Security Configuration Guide” has recommendation using a dedicated network or at least dedicated network segments for remote network administration of routers. Building out a dedicated network for management would be quite expensive for most networks.
There are definite advantages to having an out-of-band remote management connection to network elements that utilize connectivity that is diverse from the primary network connection. One of the primary purposes of the remote management connection is to assist the remote administrator or technician in troubleshooting network problems. With in-band management, if a network problem has hindered connectivity to a network element, management connectivity to that element could be lost when it is needed the most. An out-of-band management solution is more likely to allow the administrator or technician to still remotely access the network element to troubleshoot and resolve the network problem in a timely manner. Also, the out-of-band management connection providing connectivity to the console or management port of an element might be available for the initial configuration of the device whereas an in-band management connection might not be available for initial configuration. It is also possible that some functions can only be performed using the console or management port of the element. An example of this would be Password Recovery on a Cisco router. While a dedicated and secure out-of-band network would be the most preferable solution for out-of-band management from a security standpoint, the cost of such a solution is generally prohibitive. While some form of public shared network, such as the Public Switched Telephone Network (PSTN) or an Integrated Services Digital Network (ISDN) provides the most cost effective solution for a diverse out-of-band connection, the security of such solutions is a major concern.
The most straightforward means of providing out-of-band connectivity to a network element is to place a modem on the console port of a networking element connecting it to the PSTN. However, any perimeter security for the network such as firewalls and access-lists has just been completely bypassed, providing a vulnerable point for intruders to attack. If an attacker knows or can determine the phone number of the modem then the only security is the logon protection on the networking element itself. War dialers will generally find phone numbers connected to modems.
It is important to realize that most protocols used for assisting in the remote management of network elements do not provide for the confidentiality or integrity of the information being transmitted between the remote administrator and the network element or strong authentication of the parties involved. This is especially critical if a public shared network such as the PSTN is utilized for the out-of-band connectivity. For instance, the protocol most frequently utilized for remote login to network elements (Telnet) transmits traffic in the clear (any one who can tap into or sniff the network can capture and understand the traffic). It would not be uncommon for a remote administrator to be transmitting passwords and device configurations over such a connection. If an attacker were able to insert himself in the middle of such a connection, even more attacks would be possible.
In order to control the cost of remote management solutions, user traffic and management traffic are being commingled at multiple locations throughout the management path. The use of the user data network for the transport of management traffic is one place this commingling of data occurs. There is also a commingling of user and management data in the device itself. User traffic and device management traffic comes in over the same user interface, uses the same memory and buffers, and is processed by the same processor. The commingling of user traffic and management traffic can compromise the security of the device management.
Maintenance and troubleshooting of network element problems can often be facilitated by having the element maintain an accurate time clock. One way of keeping the clock accurate on an element is to allow the network to set the clock utilizing a protocol such as Network Time Protocol (NTP). If an attacker were able to alter or interfere with NTP, the smooth operation of the network could be interfered with.
Some network elements utilize Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) for managing the network element. HTTP transmits information in the clear and is susceptible to impersonation and data compromise. Often HTTPS is only authenticating the server to the client. For remote management, mutual authentication can be important.
A common difficulty in maintaining the elements of a network is keeping the software on the elements updated with patches that protect them from new exploits by hackers and crackers. One of the functions of firewalls is to protect the elements behind them from these exploits so that it is not as critical to keep protected elements updated. However, this does require the firewalls to be updated regularly to protect the elements from new exploits. Keeping the firewalls updated can be difficult.
Some of these concerns can be addressed by technology existing today. A firewall/Virtual Private Network (VPN) appliance could be utilized to protect management traffic that flows from a user interface on the managed device to a central location providing services for the management of the device. This would protect the management data while it flows over the in-band network. A terminal server could be utilized to allow an administrator to dial into the managed device over an out-of-band network. Some terminal servers will even allow the connection from the administrator to the terminal server to be encrypted for protection of the management data. However, this does not solve all the concerns. The terminal server does not fully support a centralized mechanism to verify an administrator should have access to the managed device, especially if the in-band network is down. The VPN/Firewall does not support connection to the console port of the managed device. Even having both a VPN/Firewall and a terminal server would leave gaps in the protection.
It would take a number of different devices configured to work together to address most of the concerns. This would require a number of additional devices in an environment where rack space is very expensive. Having another two or three devices in the rack is quite expensive in more ways than just the cost of the equipment.
An object of the invention is to provide for the secure management of devices without requiring additional devices taking up additional rack space by embedding the necessary hardware and software for secure management of the device in the device to be managed.
Another object of the invention is to separate user traffic from device management traffic, logically and/or physically, both in the device and while in transit over a network.
Another object of the invention is to establish a network enabled management interface for the secure remote management of the device. While similar to a console interface, the secure interface is to be engineered to secure remote access.
Another object of the invention is to define a virtual management interface for controlling management traffic that will flow over the in-band interfaces. The virtual management interface provides for logical separation of the management data from the user data even when the management data and the user data will transit the same physical network.
Another object of the invention is to utilize standard packet filtering firewall methods to restrict access to the management interfaces of the device, both real and virtual, based on factors such as the source address of the connection request.
Another object of the invention is to use a means of authentication, including the possibility of strong authentication, to verify the identity of the administrator and restrict access to the management interfaces based on the identity of the administrator.
Another object of the invention is to use an Access Control Server (ACS) to allow for centralized authentication and authorization of administrators as well as to log accounting information.
Another object of the invention is to restrict functions and protocols allowed to access the management interfaces to those necessary for remote management of that network element.
Another object of the invention is to dynamically update the rules used for restricting access to the management interfaces.
Another object of the invention is to provide for the confidentiality and integrity of the information transmitted between the remote administrator and the management interfaces.
Another object of the invention is to monitor the management interfaces for proper functioning and alert management software upon failure.
Another object of the invention is to monitor management interfaces for possible attacks and report possible attacks to Intrusion Detection System management software.
Another object of the invention is to provide for secure connections to a network providing network services both utilizing the managed device's user data connections and over a dedicated secure network enabled management connection.
Another object of the invention is to access network services such as ACS, Domain Name Server (DNS), NTP, Network Management Stations, Logging Servers, and Intrusion Detection Systems management stations over either an in-band network connection or over the network enabled management connection (or both) and dynamically switch between which network is being utilized for the service.
Another object of the invention is to allow a remote administrator or technician to access the management interfaces via either an in-band connection or a network enabled management connection (or both).
Yet another object of the invention is to provide auditing information about attempted connections (successful and unsuccessful) to the management interfaces.
Yet another object of the invention is to alert management software on unsuccessful attempts to connect to management interfaces.
Yet another object of the invention is to be able to securely manage the device through in-band connections to the virtual management interface, the network enabled management connection, or the console port.
A further object of the invention is to enable securing a plurality of management protocols for managing the device, both over in-band connections to the virtual management interface and over the secure network enabled management connection. Exemplary protocols to be secured include telnet, ssh, http, https, snmp, dns, tftp, ftp, ntp, and xml.
A further object of the invention is to provide the end-point for an in-band or out-of-band connection between the network segments providing network services and the management interfaces on the managed devices which can be secured using protocols such as IPSec or may be unsecured.
A further object of the invention is to provide the ability for the managed device to switch which management path is being utilized for management network services, in particular, the managed device can utilize in-band connections for management network services when available and switch to using a network enabled management connection for management network services when an in-band connection is not available.
A further objective of the invention is to enable the secure management of other devices that are collocated with the managed device.
A further objective of the invention is to provide for the ability to easily upgrade existing hardware to support secure management of the device.
Finally, it is an object of the present invention to accomplish the foregoing objectives in a simple and cost effective manner.