
Securing out-of-band device management

In networks with critical core components, securing device access while maintaining the ability to provide emergency maintenance is crucial. Often a console port, craft port, dedicated Ethernet management port or other out-of-band access must be used to recover failed devices or systems. For large networks, these devices are frequently located at remote or inaccessible locations. However, leaving the management ports attached directly or via modem presents a security hole. The network infrastructure may be very secure, with firewalls, IDS, and encryption systems, while core access to the device's management ports is often neglected. This paper will outline vulnerabilities of out-of-band managed systems and devices, provide worksheets for helping to ensure security, and give examples of possible architectures for secure remote access.

906 (PDF, 2.16MB)

23 Dec 2002
By Marc Kolaks
All papers are copyrighted

No re-posting of papers is permitted
