Secure Remote Network Device Management

A Solutions White Paper by CCC Network Systems, Inc.

www.cccnetsys.com


Secure Network Device Management with FreeVision

- Overview
- ‘KVM’-Why it is used for remote control of servers
- Diagram 1: Earliest Keyboard, Video and Mouse Control
- Data Centers with KVM-BEFORE FreeVision---‘Virtual Chaos’
- Diagram 2: ‘Virtual Chaos: The KVM Free for All’
- FreeVision delivers ‘Virtual Proximity’
- “Just like being there!”
- Diagram 3: After FreeVision---‘Virtual Control’
- Diagram 4: Optimum Security: “Lights Out” Environment
- The dilemma: Provide access, but prevent access
- Risking the business
- Some unique concerns in the Data Center environment
- Electronic Intrusion
- Security is a cornerstone of development
- NCSC Class C2
- OS log-on/password
- Application log-on/password
- Secure Socket Layer for IP connections
- Diagram 5: SSL runs above TCP/IP and below high-level application protocols
- CCC Architectural & technology-based security enhancements
- System Architecture
- Diagram 6: Simple ‘Blocked’ Configuration
- Proprietary technologies
- SQL database
- Proprietary and complex algorithms
- Authentication
- Usage Auditing and reporting
- Real-time user monitoring
- An Important Note About Tivoli, Unicenter TNG, OpenView…etc.
- Conclusion

Information in this document is subject to change. No part of this document may be reproduced through any means including (but not limited to) electronic or mechanical, without expressed written permission from CCC Network Systems Group, Inc. CCC Network Systems may have patents, patent applications, trademarks, or copyrights, or other intellectual property rights covering subject matter in this document. FreeVision and FreeVisionIP are registered or pending trademarks of CCC Network Systems Group, Inc. Other product names and company names listed within this document may be trademarks of their respective owners. © 2002, 2003 CCC Network Systems Group, Inc.


Overview

This document explores and defines issues and terms surrounding security in the remote access, control, and management of the networked information and communications devices that are at the heart of virtually all businesses today. It describes how keyboard, video and mouse (KVM) signals have been used for remote access and control. It further identifies two critical areas of concern: physical access, as well as possible electronic intrusion (hacking, theft or corruption of data) via the remote access system. This document also discusses how FreeVision, the enterprise-class KVM and network device management system developed by CCC Network Systems, uniquely addresses these issues and concerns.

‘KVM’-Why it is used for remote control of servers

Most Windows or Unix-type servers are basically high-powered and specialized PCs that require a Keyboard, Video and Mouse (KVM) to operate. Although many server management functions can be performed remotely through network management system (NMS) tools such as Tivoli, CA Unicenter, or HP OpenView, some specific tasks and server configurations can only be done through KVM access. An example is the boot process, in which the BIOS and Operating System configuration and set-up take place. This process occurs before the networking layer is operational on that system, so network-based tools cannot be used. Some other tasks and functions that KVM access provides are:

- Initial operating system configuration
- Re-boot server after system crash
- Monitor system boot
- Monitor server performance
- Access BIOS to alter server hardware configuration

Once servers are up and running, the need for this system-level access, while crucial to maintaining high availability, is relatively infrequent. Allocating facility space for a keyboard, video display and mouse for every server is therefore unacceptably expensive. To solve this, vendors offer systems that share one set of KVM apparatus among several servers. The basic objective of a KVM system is to provide access to more than one server, reducing the real estate requirement within the data centre by removing the need for an individual keyboard, video display and mouse per server. While simple KVM switching systems are capable of meeting this objective for a few servers, they do not scale to the needs of the Data Centre or Server Farm environment. Advanced server management systems that utilize KVM switching provide additional security, scalability and productivity capabilities beyond this basic objective. Because they add true management capabilities, these advanced KVM-based tools must be considered mandatory for the implementation of a Server Farm. A modern KVM-based Remote Server Management system provides:

- Dramatically improved productivity and security – An advanced KVM-based solution enables support staff to be grouped into a standard work environment suitable for support of all contracts and for many services (e.g. Help Desk, Server Support, etc.) while enabling people to assume multiple roles. It also enables and facilitates the redeployment or consolidation of staff across multiple contracts into a centralized support location. This limited, centralized headcount obviously decreases the security ‘risks’ present when larger numbers of uncontrolled users are allowed into the data center or server farm area.

- Remote Site Support – An extension of this architecture facilitates complete lights-out support for remote servers, including remote power-on, power-off and reboot capabilities. Remote server management enables secure, lights-out access to sites with a small number of servers.

Diagram 1: Earliest Keyboard, Video and Mouse Control (figure: a console connected directly to a PC or server over KVM cables, maximum distance 10’, used to configure the BIOS and video RAM)


Data Centers with KVM-BEFORE FreeVision---‘Virtual Chaos’

Traditional KVM switches are simple devices. They are typically located in each server rack or next to a bank of servers. Along with a switch, each rack or storage unit contains a keyboard, monitor and mouse that will be connected to the servers in that rack. Therefore in a traditional KVM environment, a user must get up from his or her desk, walk over to the data centre, find the server to be used, and stand in front of the enclosure while typing. Some environments eliminate the KVM from the rack and instead use a ‘crash cart’, a cart with a keyboard, video display and mouse on it. This cart gets rolled up to a rack when a server crashes; the technician identifies the faulting server, plugs in the cart’s KVM and takes local control of the server. These work environments are not only uncomfortable and insecure, they also result in higher support costs from reduced productivity, higher facilities costs from storing numerous monitors, keyboards, mice and switches in each rack, and increased risk of physical hazard from rolling a cart through and around racks.

Diagram 2: ‘Virtual Chaos: The KVM Free for All’

- Security is at risk just from the physical complexity
- Administration, audit and management tools almost non-existent
- Virtually zero flexibility in architecture (lack of scalability)
- Highly complex, difficult to install and maintain cabling infrastructure


An advanced KVM-based server access and control solution should allow any authorized individual direct access to any server, with no single point of contention, without having to move from his or her desk. The IBM-selected FreeVision Server Management System from CCC Network Systems delivers an out-of-band (off the data network) connection to groups of networked servers and other network devices. It carries KVM (or serial console) signals from each server or device to a sophisticated intelligent matrix switch, which is in turn connected to system users. Users can connect only to the servers that are specified in a SQL Server database, and only after successful domain identification, providing outstanding system security. A Network Operator has immediate access from his or her desktop and connects to any server within the data centre. Any number of Network Operations personnel can have access to any number of servers without impacting or limiting the workload of others, reducing any down time to your client’s servers.

The FreeVision Server Management System architecture could not be simpler. The KVM signals are delivered from a variety of active transmit devices over a single Category 5 twisted pair cable to the switch. This allows fast and easy connection of servers over a simple, cost-effective and de facto standard cabling infrastructure. From the switch, the connection to each desktop receiver that connects to the KVM is again a single Category 5 twisted pair cable. The intelligence of the FreeVision system is delivered by a single NT server with a SQL database, which translates the key commands from the operator and switches servers to requesting users. The role of the SQL database is two-fold: it holds all the access rights for users and servers for security, and it logs all transactions made by the switch. The hardware and software work together to deliver a global, enterprise-class solution.

FreeVision delivers ‘Virtual Proximity’

“Just like being there!”

FreeVision puts control into the hands of specialists through KVM access of distant or remote devices. The performance and quality of these remote sessions is so good that no matter how distant the operator or administrator is from the target device, the look and feel AND control are as if he or she is sitting at the target device. By providing this robust, high-quality connection, there are fewer reasons to physically visit the target device. Reduced visits clearly equal greater security.


Diagram 3: After FreeVision---‘Virtual Control’

Diagram 4: Optimum Security: “Lights Out” Environment

The dilemma: Provide access, but prevent access

No one argues against the need for network device management, just as no one argues against the need for network security. Even before the attacks of September 11, 84% of the network and data center managers interviewed during Gartner’s Data Center Conference said that security is one of their top three ‘keep-me-awake’ concerns (Gartner, 1/01). A dilemma arises because access for management also provides a possibility of access for mischief, vandalism… or even terrorism. An effective solution must ensure that the remote device access system includes additional layers and levels of security functionality to eliminate the risk of intrusion through the system.

Risking the business

Much of the early concern for security on the network centered on protecting the proprietary data that flows across the network from storage to user and from user to user. The second area of concern has been to protect the data from corruption, usually by a virus. Effective encryption and ever-vigilant virus protection applications have generally done an excellent job (WHEN vigilantly applied!) in preventing serious widespread damage. More recently, as businesses have become increasingly dependent upon the performance, reliability, and INTEGRITY of the network, other concerns have come to the forefront. Direct attacks, such as Denial of Service (DoS), have temporarily, but expensively, crippled well-known web-based businesses. Today all network managers are in a heightened state of awareness of the vulnerabilities of their architecture and infrastructure as a result of the pervasive and incomprehensible threat of irrational terrorist behavior. According to a 2000 survey and study of 250 Fortune 1000 companies by The Standish Group, losses due to downtime average between $1,000 and $27,000 per minute. Gartner/Dataquest found that downtime in general varied between $11,000 and up to $7 million an hour. In times of tight operating profits, risking downtime for any cause, especially due to potential security breaches, may very well be putting the entire business at risk. An effective remote device access and management system must not provide an opportunity for breaching the network; it must add to, not diminish, the overall security of the network environment.

Some unique concerns in the Data Center environment

As mentioned, network security has been a concern from the earliest days of simple print and file sharing. But along with the many technical and business benefits achieved by centralizing and consolidating network assets into a data center environment, some additional security concerns emerge. The first is the inadvertent, accidental bump or trip into a device while legitimately accessing another device nearby. While connecting a local keyboard, video and mouse from a ‘crash cart’ to reboot a racked server, for example, a technician might accidentally nudge a cable on the next device in the rack. Despite the ‘domino effect’ this has (causing another device to fault, alerts to be sent, trouble tickets to be generated, and another dispatch of a technician into the data center, not to mention service disruption and possible SLA implications), that unintentional disconnect is perhaps the least worrisome. Of greater concern is the enormous potential for damage to business-critical devices concentrated in rows of racks and cages with common physical access. Once in, someone with malicious intent could wreak havoc. The common thread in both these scenarios is physical access.

The ideal data center strives to achieve ‘lights out’ security. Simply defined, lights out refers to a condition not requiring lighting, because no staff are needed in the operating data center itself except under extraordinary circumstances. That condition requires a remote system for accessing and managing the devices in the data center, eliminating as far as possible the need for staff to enter. The remote access system has to allow ‘smart hands’ to have any-time, anywhere ‘global reach.’ The relationship between the number of people physically accessing the data center and the risk is direct: the more people, the greater the risk. Providing an effective offsite remote device management strategy can add significantly to the security of the data center site itself. An effective and secure remote device management system also allows the data center to be situated far from high-risk urban areas, providing an additional barrier to physical access as a further layer of protection.

Electronic Intrusion

Clearly not every potential risk is that of unauthorized or inadvertent physical contact with the devices on the network. The financial cost both in terms of revenue and loss of customers (and their confidence) caused by recent massive Denial of Service (DoS) attacks, and virus and worm dissemination has been well-documented elsewhere. Securing against unauthorized electronic access becomes paramount, especially as the data center itself becomes more physically secure and Internet access becomes so widely and readily available. The network device management system must be built so that no additional access risk is incurred.

Security is a cornerstone of development

Security of the network was a design criterion for the first iteration of FreeVision when it was developed for use in Microsoft’s MSN software development lab in 1996 and 1997. Enhancing security is a key goal in the ongoing development of FreeVision. CCC identifies industry standard approaches to additional security that are applicable to the platforms and architecture of the FreeVision System. The C2 evaluation class and the SSL protocol, together with operating system and application log-on and password protection, are among those approaches. Further, CCC engineers work to augment those industry standard practices by leveraging architecture and developing proprietary techniques and technologies to exceed the goal.

NCSC Class C2

Class C2 is a rating granted by the National Computer Security Center (NCSC) for products that have been evaluated against the Department of Defense Trusted Computer System Evaluation Criteria (TCSEC). The standard TCSEC evaluation is frequently referred to as the "Orange Book."


These criteria are the measurement against which products are evaluated for the degree of trust that can be placed in a given computer system, providing a level of confidence for government offices and businesses that process classified or other secure information. The Class C2 evaluation criteria are the minimum security rating required by many government agencies and offices (branches of the military, IRS, Federal Reserve, intelligence agencies, etc.) and by many corporations. Products achieving a Class C2 security rating have been evaluated and tested by an independent third party against known criteria. Here, the third party is the United States federal government. This independent evaluation allows customers to make good purchasing decisions on a basis of trust established by objective analysis, not just on the claims of the vendor. The NCSC grants several levels of security ratings. For additional information on these security ratings, contact the NCSC at http://www.radium.ncsc.mil/tpep/epl or by calling +1 410-859-4458. FreeVision utilizes access control, consistent with C2 Classification, to ensure that users only ‘see’ or access servers and devices for which they are authorized. Based on feedback from corporate customers and service provider customers, consistency with Class C2 meets the needs of CCC's customer base for commercial systems.

OS log-on/password

The FreeVision application runs on a client PC or workstation under Windows NT/2000. The user workstation is protected by the Operating System, which requires both a log-on and a password to access the machine, even before any attempt to access the applications on the machine.

Application log-on/password

The FreeVision application itself utilizes a Windows application standard log-on and password to open the application itself.

Secure Socket Layer for IP connections

Secure Sockets Layer (SSL) is a protocol developed by Netscape for transmitting private documents via the Internet. SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely. SSL uses public-key cryptography to protect the data transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain and protect sensitive and confidential user information, such as credit card numbers.


Diagram 5: SSL runs above TCP/IP and below high-level application protocols

(source: Netscape)

The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP. It uses TCP/IP on behalf of the higher-level protocols, and in the process allows an SSL-enabled server to authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and allows both machines to establish an encrypted connection. These capabilities address fundamental concerns about communication over the Internet and other TCP/IP networks:

SSL server authentication allows a user to confirm a server's identity. SSL-enabled client software can use standard techniques of public-key cryptography to check that a server's certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the client's list of trusted CAs. This confirmation might be important if the user, for example, is sending a credit card number over the network and wants to check the receiving server's identity.

SSL client authentication allows a server to confirm a user's identity. Using the same techniques as those used for server authentication, SSL-enabled server software can check that a client's certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the server's list of trusted CAs. This confirmation might be important if the server, for example, is a bank sending confidential financial information to a customer and wants to check the recipient's identity.

An encrypted SSL connection requires all information sent between a client and a server to be encrypted by the sending software and decrypted by the receiving software, thus providing a high degree of confidentiality. In addition, all data sent over an encrypted SSL connection is protected with a mechanism for detecting tampering, that is, for automatically determining whether the data has been altered in transit.


The SSL protocol includes two sub-protocols: the SSL record protocol and the SSL handshake protocol. The SSL record protocol defines the format used to transmit data. The SSL handshake protocol involves using the SSL record protocol to exchange a series of messages between an SSL-enabled server and an SSL-enabled client when they first establish an SSL connection. This exchange of messages is designed to facilitate the following actions:

- Authenticate the server to the client.
- Allow the client and server to select the cryptographic algorithms, or ciphers, that they both support.
- Optionally authenticate the client to the server.
- Use public-key encryption techniques to generate shared secrets.
- Establish an encrypted SSL connection.

(Source: developer.netscape.com/docs/manuals/security/sslin/contents.htm)

FreeVisionIP versions 1.2 (March 2001) and higher and FreeVision Enterprise Navigator support SSL to additionally ensure the security of the device management and serial console signals that pass over the Internet for FreeVision’s remote solution.

CCC Architectural & technology-based security enhancements

In addition to these industry standard protocols, CCC leverages system architecture and adds proprietary technology to further ensure the integrity and security of network device management.

System Architecture

FreeVision is engineered to deliver keyboard, video and mouse (KVM) and serial console signals over industry standard Category 5/6 unshielded twisted pair (UTP) cable. However, it operates ‘out-of-band,’ that is, off the data network. It is not connected to the hubs, the routers, or the switches that move sensitive organizational data. Therefore only KVM or serial console display signals travel on the ‘maintenance network,’ the separate CAT5 cabling dedicated to managing the network devices. This architecture allows access to the content of each screen, but prevents access to the content of disk drives or memory. The ‘non-blocked’ architecture described above provides maximum flexibility in assigning server assets to users, relying on significant software techniques to secure and manage users and servers. Implementing a blocked or blocking architecture (as pictured below) by deploying smaller Satellite feeder and blocking switches reduces flexibility, but increases security by creating a ‘hard-wired’ connection between specific servers and users.


Diagram 6: Simple ‘Blocked’ Configuration

Proprietary technologies

SQL database

The FreeVision System Software Suite that manages access to the various connected network devices runs on a separate server dedicated to this function. One of its core applications contains a sophisticated, powerful, and secure MS SQL database that, in conjunction with the FreeVision Matrix switch family, authenticates and routes users to their authorized devices. No other device management system deploys so robust a platform for true device management: access, control, auditing, and reporting.

Proprietary and complex algorithms

One of CCC’s historical core competencies is developing high-performance algorithms for moving analog video signals over copper wire. With CCC’s patented OptiPal™ Compression Engine, the algorithms for compressing and decompressing video and for negotiating and navigating the characteristics of copper have become increasingly more powerful and complex. This level of complexity alone would make decryption challenging for a supercomputer. When added to the other techniques included in FreeVision specifically to ensure security, the video signals traveling over FreeVision are virtually impenetrable.

Authentication

As an NT/2000 application, FreeVision requires user log-on and password authentication. Authentication also takes place under the SSL protocol between the target server and a FreeVisionIP client.


Usage Auditing and reporting

FreeVision’s management tools permit an authorized administrator to pull usage reports from the system. These reports identify the user, the devices accessed, and the date, time and duration of access.

Real-time user monitoring

By utilizing FreeVision’s unique shared access, read-only functionality, administrators can view the usage activity in real time, monitoring which users are accessing which devices.
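The roles the paper assigns to its SQL database (holding access rights for users and servers, logging every switch transaction, producing usage reports of user, device, date, time and duration, and showing in real time who is on which device) can be modelled compactly. The following is an added example written for this edit, not CCC's software: it uses SQLite in place of the MS SQL Server database named in the paper, the MatrixController class and all users, devices and timestamps are constructed, and a connect request is refused unless an explicit access-rights row exists.

```python
import sqlite3
from datetime import datetime, timedelta

# Schema standing in for the paper's SQL database: access rights for users
# and servers, plus a log of every transaction made by the switch.
SCHEMA = """
CREATE TABLE devices (name TEXT PRIMARY KEY, port INTEGER NOT NULL);
-- Anything not granted here is denied (C2-style discretionary access control).
CREATE TABLE access  (user TEXT NOT NULL, device TEXT NOT NULL,
                      PRIMARY KEY (user, device));
-- Every connect request is logged, whether granted or denied.
CREATE TABLE sessions (id INTEGER PRIMARY KEY AUTOINCREMENT,
                       user TEXT NOT NULL, device TEXT NOT NULL,
                       started TEXT NOT NULL, ended TEXT,
                       outcome TEXT NOT NULL);
"""

class MatrixController:
    """Hypothetical controller: turns operator requests into switch decisions."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def add_device(self, name, port):
        self.db.execute("INSERT INTO devices VALUES (?, ?)", (name, port))

    def grant(self, user, device):
        self.db.execute("INSERT OR IGNORE INTO access VALUES (?, ?)", (user, device))

    def visible_devices(self, user):
        """An operator only 'sees' the devices they are authorized for."""
        rows = self.db.execute(
            "SELECT d.name FROM devices d JOIN access a ON a.device = d.name "
            "WHERE a.user = ? ORDER BY d.name", (user,)).fetchall()
        return [r[0] for r in rows]

    def connect(self, user, device, now):
        """Route the user to the device if authorized; log the attempt either way."""
        authorized = self.db.execute(
            "SELECT 1 FROM access WHERE user = ? AND device = ?",
            (user, device)).fetchone() is not None
        stamp = now.isoformat()
        cur = self.db.execute(
            "INSERT INTO sessions (user, device, started, ended, outcome) "
            "VALUES (?, ?, ?, ?, ?)",
            (user, device, stamp, None if authorized else stamp,
             "granted" if authorized else "denied"))
        return authorized, cur.lastrowid

    def disconnect(self, session_id, now):
        self.db.execute("UPDATE sessions SET ended = ? WHERE id = ? AND ended IS NULL",
                        (now.isoformat(), session_id))

    def active_sessions(self):
        """Real-time monitoring: which users are on which devices right now."""
        return self.db.execute(
            "SELECT user, device FROM sessions "
            "WHERE outcome = 'granted' AND ended IS NULL ORDER BY user").fetchall()

    def usage_report(self):
        """Usage report: user, device, date, time and duration of each access."""
        report = []
        for user, device, started, ended, outcome in self.db.execute(
                "SELECT user, device, started, ended, outcome FROM sessions ORDER BY id"):
            begin = datetime.fromisoformat(started)
            secs = (datetime.fromisoformat(ended) - begin).total_seconds() if ended else None
            report.append({"user": user, "device": device, "outcome": outcome,
                           "date": begin.strftime("%Y-%m-%d"),
                           "time": begin.strftime("%H:%M:%S"), "duration_s": secs})
        return report

def demo():
    """Constructed sample: two operators, three devices, one refused attempt."""
    ctl = MatrixController()
    for name, port in [("web01", 1), ("db01", 2), ("router-core", 3)]:
        ctl.add_device(name, port)
    for user, device in [("alice", "web01"), ("alice", "db01"), ("bob", "web01")]:
        ctl.grant(user, device)
    t0 = datetime(2003, 6, 1, 9, 0, 0)
    alice_ok, sid = ctl.connect("alice", "db01", t0)
    bob_ok, _ = ctl.connect("bob", "router-core", t0 + timedelta(minutes=1))
    live = ctl.active_sessions()          # alice is on db01; bob was refused
    ctl.disconnect(sid, t0 + timedelta(minutes=15))
    return ctl, alice_ok, bob_ok, live
```

The denied attempt is recorded with zero duration so that it appears in the audit trail alongside granted sessions.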

Of all the device access and management products and solutions available, FreeVision does more to enhance the security of the network by uniquely combining industry standard security techniques with CCC’s proprietary technologies and approaches.

An Important Note About Tivoli, Unicenter TNG, OpenView…etc.

The world-class network management system (NMS) tools that Tivoli, CA, HP, BMC, Micromuse and others deliver do not replace the functionality of FreeVision, nor does FreeVision replace their functionality. FreeVision is a companion product to all these excellent monitoring and alerting solutions. While they focus on providing monitoring and alerting services and tools for the entire network population, FreeVision provides the access to and control of the central devices (servers, routers, switches, etc.) needed to resolve a faulting device identified by one of the NMS tools. By providing additionally secure access to those devices, FreeVision adds a level of management control unachievable by any other tool. Together, NMS tools and FreeVision provide a complete and unrivalled device management solution.


Conclusion

Since the network, its infrastructure, and the data that passes over it are elemental to the enterprises that deploy them, attention must be given to security at every point on and connected to the network. Enterprise network managers are responsible for ‘managing’ this business-critical asset. Traditional device access tools, such as KVM switches, must be viewed in a new light; when put to the test, they alone cannot meet the rigid standards for preventing unauthorized access while providing a seamless management tool. Given this ever-greater need to ensure the continuity of the enterprise by assuring the integrity of the network, the security standards of the remote network device access and management system can uniquely be met by the only true enterprise solution: FreeVision.