Challenge

Let’s say you are an Infrastructure as a Service (IaaS) provider or a Managed Services Provider (MSP) with equipment in multiple physical locations. Some of the equipment is in data centers that you use for serving your clients and some is on your customers’ premises. Wherever the equipment is, you want a secure management connection to all of it so that you can keep it running smoothly and properly maintained given the specific loads on each machine.

The management channel is usually an IPMI (Intelligent Platform Management Interface) compliant interface that lets you remotely monitor machine health and manage and reboot servers even when they are turned off. Many vendors have their own versions of this management interface, such as the IBM IMM (Integrated Management Module), HP iLO (Integrated Lights-Out), and Dell iDRAC (Integrated Dell Remote Access Controller). Some applications running on your servers are known to be hard on the CPU and others present a challenge to memory, so close monitoring of machine health is important to maintain uptime and client satisfaction.

Security is important for management connections because of their power and capability over servers and because this connection goes right into the heart of your internal management system. A breach could be catastrophic not only to you, but to the operations of all your customers.

Other challenges to a successful management connection include working with each individual client to obtain the appropriate network access and security, as each client may have unique compliance and security requirements that affect management connections into their environment. The clients should also have no ability to access the management connection and will want to be assured that you have no ability to access their data.

Traditional Solution

A typical approach to gaining remote access to the management ports on remote servers is to deploy a firewall-based VPN. However, standard firewall-based VPNs take time to configure, deploy and maintain, and their ongoing support requires additional personnel to maintain the VPN infrastructure. Firewall-based VPNs also require certificates or a full Public Key Infrastructure (PKI) to be properly secured, yet they still have a visible footprint on the Internet and the client’s network. They are vulnerable to remote queries and brute force attacks, especially when shared secret authentication mode is used. Traditional VPNs are also rendered insecure when the third-party certificate authority is compromised, and it may be years until the compromise is known.

Vericlave Solution

The most direct and secure approach to remote management is to use drop-in Vericlave remote devices to securely extend your management network directly to the servers to be managed. The Vericlave solution works across the Internet, or other communication channels, without allowing interactions with the client network. Vericlave features a preconfigured, high-security network connection fabric with a self-contained PKI that requires very little setup or maintenance compared to a firewall-based VPN.

A Vericlave-enabled management network connects remote sites via layer 2 bridging for direct access and scales to thousands of locations and devices. It allows any type of traffic to be securely transferred between multiple locations, even traffic that is typically considered non-routable. It also works over many media types, including Internet, satellite, MPLS and dialup, and is extremely resilient to latency and jitter induced by the communications infrastructure.

Figure 1 – Vericlave Enabled Management Network

Security is ensured with standards-based AES 256-bit symmetric encryption and asymmetric encryption using keys of up to 4096 bits, with a secure mutual simultaneous key exchange to ensure there are never any unencrypted packets. No in-the-clear packets and no responses to unauthenticated connection requests mean no foothold for a bad actor to gain access to the management network.

Vericlave has a stealthy footprint on your client’s network, so other users are not aware of the system’s existence. The drop-in devices communicate only with other configured Vericlave devices and will not respond to systems they are not preconfigured to work with. The solution includes full IP address space separation, so no changes in the client network can ripple across and affect your management network or vice versa. This means that neither vulnerabilities within the client network nor any of the client’s network security scans will see or affect the equipment in your management network.

Conclusion

System administrators need a trusted solution for secure remote access to equipment located in their clients’ networks or at remote data centers, one that is simple to deploy and streamlines overall operations. The access solution needs to be secure while not opening holes or adding vulnerabilities to the enterprise being supported. With Vericlave supporting your management network, you can count on simplicity, streamlined operations, and above all, security.