SUMMARY: Sun CONSOLE Security Question

From: Damon LaCaille (Damon_LaCaille@dgii.com)
Date: Wed Apr 21 1999 - 15:07:16 CDT


ORIGINAL QUESTION
====================================
I have a security question relating to having a console-server hooked up to a sun serial port.

If you have a Sun box on the outside of your firewall and you want to hook up a console server to its console port, though the console server itself is on the inside of the firewall, what type of security concerns are there? The console server has an ethernet connection to the inside of the network, while one of its serial ports is connected to the console port of a Sun via the serial connection.

I would imagine that only if somebody could gain access to the SUN CONSOLE device itself through the network could they compromise security, correct? The console server is a bidirectional connection behind the firewall, though it would essentially be used as a one-way telnet session to the console port.

I would also imagine, however, that the only sure-fire way of keeping that a non-issue is to have its own terminal/display, though that defeats the purpose of easy access to the console port from remote areas.
======================================

The majority of responses I have received tended to lean away from having any terminal server in this situation. The problem is that even though the terminal server is only connected to the machine via the serial port as a keyboard/display, the terminal server is still connected to the internal network via ethernet - so if somebody gained root access on the outside Sun and your terminal server wasn't configured properly, they could gain read/write access to the CONSOLE/serial port via tip, cu, etc., and possibly hack in behind your firewall.

The best solution seems to be having a dedicated terminal server, and the only connections you have are to the console port of the server, and possibly a dial-in modem with password protection. This way the terminal server is not connected to the internal network at all, especially not behind the firewall, and can still be accessed through home/office use via modem.

Thanks to the following people for responding!

Eric Pancer, Dave Harrington, Seth Rothenberg, Ronald Loftin, Greg Polanski, James Neal

I did not mean to leave anyone out, please forgive me if I did. Thanks so much to everyone on this list!
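As an added example (not part of the post above or of any of the replies), here is a small audit script for the Sun that sits outside the firewall. It looks for the two things the summary names as the pivot: a dial-out entry in tip(1)'s /etc/remote that is bound to the serial device (directly through dv=, or inherited through a tc= reference), and a serial device file that is writable by more than its owner. The Solaris-style device paths (/dev/term/a, /dev/cua/a) and the sample /etc/remote content are constructed for the example; on a real host you would point it at the actual /etc/remote and console device.

```shell
#!/bin/sh
# Added example, not part of the original post or any of the replies.
# Audits the Sun side of the serial link the summary describes: a dial-out
# entry in tip(1)'s /etc/remote bound to the serial device, plus a device
# file writable by group/other, are what let a compromised external host
# turn the "one-way" console link into a session toward the console server.
# Device paths (/dev/term, /dev/cua) and the sample file are constructed.

# Join backslash-continued lines and drop comments/blank lines.
flatten_remote() {
    grep -v '^#' "$1" | grep -v '^[[:space:]]*$' |
    awk '{ if (sub(/\\$/, "")) { buf = buf $0; next } print buf $0; buf = "" }'
}

# Print "entry device" for each entry whose dv= capability (directly, or
# inherited through a tc= reference) names a serial device.
find_serial_entries() {
    flatten_remote "$1" | awk -F: '
    {
        name = $1; sub(/\|.*/, "", name)      # keep the first alias only
        order[++n] = name
        for (i = 2; i <= NF; i++) {
            if (substr($i, 1, 3) == "dv=") dev[name] = substr($i, 4)
            else if (substr($i, 1, 3) == "tc=") tc[name] = substr($i, 4)
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            cur = order[k]; d = ""
            for (depth = 0; depth < 10 && cur != ""; depth++) {   # follow tc= chain
                if (cur in dev) { d = dev[cur]; break }
                cur = (cur in tc) ? tc[cur] : ""
            }
            if (d ~ /^\/dev\/(term|tty|cua)/) print order[k], d
        }
    }'
}

# How many entries can open a serial device; 0 is the goal on a host that
# must never originate a session toward the console server.
count_serial_entries() {
    find_serial_entries "$1" | wc -l | tr -d ' '
}

# Succeed (0) only if group and other lack write permission on the path.
owner_only_write() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Constructed sample of /etc/remote, written to the given path.
write_sample_remote() {
    cat >"$1" <<'EOF'
# constructed sample, not a real host's file
dialup|dial-up system:\
    :pn=5551212:tc=UNIX-1200:
hardwire:\
    :dv=/dev/term/b:br#9600:el=^C^S^Q^U^D:ie=%$:oe=^D:
console-srv|link to console server:\
    :dv=/dev/term/a:br#9600:
UNIX-1200:\
    :dv=/dev/cua/a:br#1200:el=^D^U^C^S^Q^O@:ie=#$%:oe=^D:
EOF
}

# Usage on a real host: sh audit_remote.sh /etc/remote /dev/term/a
if [ $# -ge 1 ]; then
    echo "entries able to open a serial device: $(count_serial_entries "$1")"
    find_serial_entries "$1"
    if [ $# -ge 2 ]; then
        owner_only_write "$2" || echo "WARNING: $2 is writable by group/other"
    fi
fi
```

On the constructed sample the script reports four entries, including "dialup", which never names a device itself but inherits /dev/cua/a through its tc= reference; that inheritance is why a plain grep for dv= undercounts. The count is only a signal: the real mitigation in the summary is to keep the terminal server off the internal network entirely, so that nothing the outside host can reach through the serial link leads back behind the firewall.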



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:18 CDT