When it comes to putting an appliance in your network for out-of-band management, you want to think carefully about whether that appliance is based on an open or closed platform. It might just be the difference between locking up network security and being open for business for hackers.
A Linux platform lends itself to building an out-of-band management appliance, but an important decision is what’s more important – flexibility or security and reliability.
If you keep the appliance open, it’s possible to access and tweak OS settings and create and run scripts on the platform. You can install other programs that can run alongside the OOB management software, and you can patch Linux functionality without patching application software.
However, this flexibility to install other apps means that things can go wrong too. On the non-malicious side of the equation, this could be changes that modify or delete files critical to normal operation of the appliance. But truly bad things could happen as well. Scripts and software can be installed through an encrypted SSH session, with changes made to the appliance outside of the application. This means they could be undetected and not show up in logs or audits. Encrypted passwords and keys can be accessed and exported.
Suddenly you have a device that you might not be able to really trust that is connected directly to your network infrastructure over the console port, which isn’t monitored by your IDS/IPS systems. Sounds scary, right? We think so.
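As an added example (not Uplogix code), here is a minimal integrity baseline check a defender could run on an open appliance to surface exactly the kind of change described above: edits made over SSH that bypass the application and its audit log. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifest(root: Path, baseline: dict) -> dict:
    """Report files modified, removed or added since the baseline was taken."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline an appliance tree, then change it outside the app."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "oob.conf").write_text("auth=local\n")        # constructed config
        (root / "bin").mkdir()
        (root / "bin" / "oobd").write_bytes(b"placeholder-binary")     # constructed, not a real binary
        baseline = build_manifest(root)                                 # taken at trusted state
        # Changes made over SSH at the OS level: nothing in the application log records them
        (root / "etc" / "oob.conf").write_text("auth=none\n")          # critical setting altered
        (root / "bin" / "unapproved.sh").write_text("#!/bin/sh\n")     # non-approved script dropped
        (root / "bin" / "oobd").unlink()                                # critical file deleted
        return compare_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Store the baseline manifest off the appliance; a manifest kept on an open platform can be rewritten by the same root-level access that altered the files.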
Uplogix is a secure, closed appliance. Root access to the underlying Linux OS is not exposed, ensuring:
- No direct access to the OS for higher security and reliability
- Secrets are kept from users (passwords and keys)
- Non-approved scripts and software cannot be installed
- Integrity of the application software and its configuration is maintained