[BBLISA] Remote KVM?
John P. Rouillard
rouilj at cs.umb.edu
Sun Nov 25 17:49:32 EST 2012
In message <20658.38626.665668.283205 at quad.stoffel.home>,
"John Stoffel" writes:
>Charles> I'm currently investigating the idea of a "remote KVM" for my
>Charles> servers, to allow our team more direct access when we are not
>Charles> physically on-site. Ideally, it would do the following:
>
>Charles> - Require login
>Charles> - Log all access (user, time, and IP)
>Charles> - Allow (at least) 2 simultaneous connections
>Charles> - Allow me to switch between servers after I am connected
>Charles> - Support at least 16 servers
>
>Charles> I'm torn about putting it behind our firewall, such that I
>Charles> would have to VPN in to get to it, and putting it in a DMZ
>Charles> such that I can get to it without the VPN server being up.
>Charles> My concern is, if the VPN server is down, then I'm stuck (and
>Charles> we are off line until someone can physically arrive on-site.)
>Charles> On the other hand, I don't really want to give unsavory
>Charles> individuals easy access and unlimited time to hack my system.
>Charles> How secure are these things on their own? Can they be made
>Charles> to require certificates, for instance?
>
>I'd put it behind the firewall myself, since you'd be giving someone
>else the keys to your kingdom, esp if there are undocumented backdoors
>in the KVM system.
>
>As for KVMs in general, do your servers have serial console or
>ILO/ILOM type remote management modules? I'd go with those instead of
>dedicate hardware if I could. My current $WORK has some ancient
>Avocent KVMs which I despise and have mostly gotten away from.
We have had at best spotty operation of serial ILOM console
support. It works well for power cycling and monitoring of hardware,
but the console support seems to hang, drops data even at the bios
level. Also we have never had luck getting the ilom's to work on
anything except the local network. Routing has never worked. Also
since the OP is looking for a KVM, I assume he is running windows and
I am noyt sure what support ilom may or may not have for redirecting
video.
Since our boxes run linux we just use serial console servers and
secure them with firewalls or routing changes to be accessible from a
limited set of hosts. The same should be doable with a KVM switch (set
routes to particular networks to your default router and blackhole the
default route). Some KVM's may allow you access to a firewall, it
depends.
>As for problems with the VPN being down and having to wait for someone
>to drive in, don't you have redundant VPNs?
Sadly that may or may not help. It depends on your network topology
and what failed. At one point I had to dial up the console server (via
phone line/modem) and power cycle a switch to get the nework endpoints
back on line and talking to the site.
>Or at least maybe a two
>factor SSH tunnel you could use in the emergency case so you could
>forceably reboot the VPN box if it hangs?
We have a few (openvpn) vpn endpoints at different isolated sites that
we can use to get on the network. Once we have established an
endpoint, those addresses are authorized to access the console
servers.
If you only have one site, maybe getting a host on amazon or somewhere
with a static IP and using that as an access point )perhaps running
vpn so you can have 2 factor auth (certificate and password) may be
viable.
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
More information about the bblisa
mailing list