Security Best Practices for Console Servers: An Interface Approach

Ron McCarty

Console servers have become key components of managing large centralized data centers as well as remote sites and shops that require quick administrative access to systems during outages.

Because of the critical nature of console servers and the escalated privileges they can grant to the systems being managed, systems administrators must have a strong understanding of the security implications involved and take the necessary steps to mitigate any risk associated with providing console access. The risks associated with console servers are well worth the return benefits assuming good security practices are used to minimize the effect of those risks.

This article gives an overview of those risks as well as some best practices that can mitigate them. The approach used for this article is an interface approach -- each interface and the logical interfaces "above" the interfaces will be covered from a security standpoint.

Network: Ethernet

The Ethernet interfaces used by the console server provide the physical access to the IP network for the console server. Within some console servers, a redundant network interface is provided. Ideally, this interface should be provisioned as a redundant interface to provide additional availability. However, if the redundant Ethernet interface is not used, then the interface should be removed if possible or configured into an administrator down state. The interface should not be connected to any networks other than the network it is providing redundancy on, since this can be used to effectively bridge or route between two networks.