Out-of-band access gives you an alternative path to manage your critical remote infrastructure at data centers, branch offices, and other distributed locations. However, that management link creates an additional point of entry for malicious actors to breach and even control your network.
That’s why secure out-of-band management solutions must include features like onboard firewalls and zero trust security to keep your network protected while still giving you remote management access. Let’s take a look at the many secure out-of-band management features and why they’re crucial to the security of your enterprise network.
What is out-of-band management?
Out-of-band (OOB) management separates your production network from your management plane, giving you a dedicated remote connection to your infrastructure even during an outage. The OOB network is completely independent of your primary network and is specifically dedicated to infrastructure management. That means you can administer your critical remote infrastructure without affecting production network performance. You can also remotely troubleshoot and recover from outages, preventing expensive and time-consuming truck rolls.
OOB management typically uses serial console servers at data centers and remote offices to create an alternative path to critical network infrastructure. For example, using a DSL modem or 4G cellular connection to provide uninterrupted access. Secure out-of-band management solutions offer additional functionality like zero touch provisioning and onboard firewalls to ensure malicious actors cannot use your OOB access.
How to choose secure out-of-band management
Since an out-of-band management solution provides access to an entire network plane that’s dedicated to managing your critical infrastructure, you must keep this power out of the wrong hands. Here are five secure out-of-band management features to help you defend your network.
1. Third-party security integrations
The most secure OOB platforms are vendor-neutral and support integrations with third-party security solutions. That means you can extend the security functionality of your OOB device to take advantage of technology like next-generation firewalls (NGFW) or security service edge (SSE). A vendor-neutral out-of-band solution lets you keep up to date with security best practices and innovations without needing to replace your OOB hardware. It also conveniently creates a fully integrated platform to manage all your branch network security solutions.
A truly secure out-of-band management solution will address security threats from all angles, including provisioning, patching, intrusion detection, and advanced authentication. In addition, a secure OOB platform should support vendor-neutral integrations with third-party security solutions so you can extend your defensive capabilities.
2. Secure zero touch provisioning
One of the challenges of deploying and managing remote infrastructure is configuring and installing new network devices. Unless you have IT staff at each location to install your bare-metal devices, you’re usually left with two options:
- Pay for your engineers to travel on-site to deploy the new systems. This option is expensive and time-consuming since it can take full day’s of work or weeks.
- Pre-stage your devices at the home base and then ship them preconfigured. This option is a huge security risk. If a pre-configured OOB serial console is intercepted in transit, an attacker could potentially use it to access your management network.
Zero touch provisioning (ZTP) solves these problems by automatically deploying new device configurations over the WAN. You can ship a bare-metal OOB appliance to your remote site, have a local employee plug it into the power and network, and then the ZTP device will download its configuration from a remote server (such as a TFTP server). However, not all zero touch provisioning solutions are equally secure. Theoretically, a hacker could still intercept your factory-default appliance, use ZTP to download its configuration, and breach your enterprise network.
A secure ZTP solution uses features like encrypted hardware boot sequences to prevent unauthorized users from being able to fully boot up and configure a stolen OOB device. Additional security features like cloud-based provisioning with 2FA (two-factor authentication) also ensure that your network will be protected even if your OOB serial console falls into the wrong hands.
3. Up-to-date OS and fast patches
One of the most straightforward security features in an OOB solution is a frequently patched and up-to-date OS (operating system) kernel. This is important because hackers often look for OS vulnerabilities to exploit. If such a vulnerability is discovered in your OOB device, an attacker could potentially use it to gain administrative control over your entire network.
You should always look for a secure out-of-band management solution with an up-to-date OS kernel and frequent patch releases. Even better, you could get a managed OOB solution that’s updated by the vendor as soon as they become aware of a security vulnerability, so you don’t need to spend the time or manpower to frequently monitor and patch your OOB device’s OS.
4. Onboard firewall features
A secure out-of-band management solution should also have some onboard firewall functionality to further protect your network. An onboard firewall should protect both the OOB network and the primary network by scanning traffic on both connections.
On the OOB connection, the firewall acts as an additional layer of security that prevents malicious actors from gaining access to your management network. An onboard firewall allows you to consolidate your tech stack by reducing the number of separate devices at each remote site from your main network connection.
5. Zero trust security
Zero trust is a network security paradigm that addresses the challenges of protecting distributed enterprise networks from modern, sophisticated cyberattacks. Zero trust security is based on the principle of “never trust, always verify.” Meaning, all network entities—users, devices, applications, etc.—must be verified every time they connect, even if they’re on your internal network. This limits how much damage a compromised device or account can do to your network.
In addition, zero trust security focuses on shrinking your defensive perimeter into a series of smaller micro-perimeters around the critical data, systems, and resources you’re protecting. This enables you to implement highly specific security policies and controls to address the individual vulnerabilities and risks of each network asset.
A secure out-of-band management solution should support zero trust security principles by allowing you to implement advanced authentication methods like SSO (single sign-on) and 2FA. It should allow you to monitor and control devices across network micro-segments. And, assuming your secure OOB solution includes an onboard firewall, you should be able to apply granular security policies and firewall rules to each of your micro-segments to create micro-perimeters even at your network edge.
How Gen 3 out-of-band management delivers secure, reliable remote access
The Nodegrid secure OOB solution from ZPE Systems combines innovative security features with end-to-end automation support to deliver Gen 3 secure out-of-band management.
Nodegrid uses secure, cloud-based zero touch provisioning so you can safely ship factory-default appliances around the world and deploy them in moments. Nodegrid ZTP uses features like:
- Secure boot, custom security profiles, and port authentication
- Password protected BIOS/Grub and signed software
- Geofence perimeter crossing detection and security prevention
- Solid state disks (SSDs) with self-encrypted hardware controllers
Nodegrid OOB runs on a modern, 64-bit OS based on the latest Linux Kernel, with all security patches quickly applied. The embedded firewall supports IPSec, Fail2Ban, IP filtering, and advanced authentication via RADIUS, TACAS+, and Kerberos. In addition, Nodegrid is protected by the Zero Trust Security Framework Foundation and works with leading SAML providers like Duo, Okta, and Ping.
Nodegrid’s open architecture makes it easy to integrate your third-party security providers, including NGFWs and SSE platforms. That means you can create a completely customized branch network security solution that’s fully integrated with your out-of-band management. Nodegrid also supports third-party automation and orchestration through tools like Chef, Ansible, and RESTful. All of this can be managed from anywhere in the world, behind one pane of glass, through the ZPE Cloud platform.