Managing your systems remotely and securely

Michael Mullins

Published: 05 Jul 2005 10:35 BST

Managing Windows servers remotely has become standard practice on large networks. However, managing servers across an unsecured WAN connection can be a security challenge.

The security involved with these remote management solutions varies depending on the complexity and the implementation of your organization's network. Let's examine some of your options.

The Microsoft approach
Microsoft offers a native remote management solution. Terminal Services through the Remote Desktop Protocol (RDP) uses TCP port 3389.

RDP offers two excellent features:

  • Encryption: This uses an RC4 cipher, a stream cipher using a 56- or 128-bit key.
  • Roaming disconnect: When the network or a client failure unexpectedly terminates a user's session, it disconnects the user without logging off the account.

While both are noteworthy features, neither tackles the central issue: how to securely control connections from a remote IP address to a multitude of internal servers. The complexity of the internal network only compounds the problem with the RDP approach, and you often face a number of hurdles.

Most notable are the vulnerabilities associated with RDP, Terminal Services, and remotely connecting to internal servers that don't have a public IP address. In addition, you must allow remote connections (i.e., TCP 3389) through your security layer from every IP address to your internal servers.

You could address these issues by running a Terminal Services server, remotely connecting to that server, and launching to other internal servers via that connection. However, this doesn't address vulnerabilities associated with the Microsoft RDP implementation or connections to non-Microsoft servers.

In my opinion, the Microsoft approach isn't a viable solution for remote management. It has severe limitations when it comes to dealing with other operating systems and managing the security of inbound connections.

The generic approach
Developed by AT&T Laboratories, Virtual Network Computing (VNC) is a platform-independent approach. While this is an excellent non-OS-specific solution, it does require loading both client and server software and allowing several TCP ports from any IP address to the servers you want to manage. In addition, it doesn't address how to remotely manage servers with private IP addresses.

VNC is a good alternative, but its requirement of loading client software on the remote machine might not always be an option for your organization. You must also deal with the hurdle of allowing multiple ports from any IP address to all of your servers.
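The exposure problem described above for both RDP and VNC can be checked mechanically. The following is an added example, not part of the original article: it audits a constructed list of inbound rules for remote-management ports open to broad source ranges, and separates internal servers that are directly reachable from a single Terminal Services gateway. The rule format, names, addresses and the VNC port numbers are assumptions.

```python
import ipaddress

# TCP 3389 (RDP) is from the article. The VNC ports are assumed defaults
# (5900 = display :0, 5800 = HTTP viewer); the article names no numbers.
MGMT_PORTS = {3389: "RDP", 5900: "VNC", 5800: "VNC-HTTP"}

# Constructed sample rules: (name, source CIDR, destination IP, TCP port).
RULES = [
    ("rdp-any-to-db",      "0.0.0.0/0",   "10.0.1.20", 3389),
    ("rdp-any-to-gateway", "0.0.0.0/0",   "10.0.0.5",  3389),
    ("vnc-any-to-linux",   "0.0.0.0/0",   "10.0.1.30", 5900),
    ("rdp-gateway-to-db",  "10.0.0.5/32", "10.0.1.20", 3389),
    ("rdp-admin-lan",      "10.0.9.0/24", "10.0.1.20", 3389),
    ("https-any-to-web",   "0.0.0.0/0",   "10.0.1.40", 443),
]
GATEWAYS = {"10.0.0.5"}  # hypothetical Terminal Services jump host


def audit(rules, gateways, max_sources=256):
    """Return findings for management ports reachable from broad sources.

    A source network larger than max_sources addresses counts as broad.
    'direct-exposure' means an internal server is reachable without going
    through the gateway; 'gateway-exposed' is the single entry point, which
    still carries the protocol's own risk and needs patching and monitoring.
    """
    findings = []
    for name, src, dst, port in rules:
        if port not in MGMT_PORTS:
            continue
        if ipaddress.ip_network(src, strict=False).num_addresses <= max_sources:
            continue  # narrow, known source range
        kind = "gateway-exposed" if dst in gateways else "direct-exposure"
        findings.append((name, MGMT_PORTS[port], dst, kind))
    return findings


def directly_exposed_hosts(rules, gateways):
    """Internal servers reachable on a management port from broad sources."""
    return sorted({dst for _, _, dst, kind in audit(rules, gateways)
                   if kind == "direct-exposure"})


if __name__ == "__main__":
    for finding in audit(RULES, GATEWAYS):
        print(*finding, sep="\t")
    print("directly exposed:", directly_exposed_hosts(RULES, GATEWAYS))
```

Lowering `max_sources` tightens what counts as a known source range; with the default, the /24 admin LAN rule is treated as narrow and is not reported.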

The KVM over IP approach
Several leading vendors offer keyboard/video/mouse (KVM) over IP solutions that incorporate remote connectivity through a Web interface.

Raritan offers a KVM solution that allows you to connect any server (through a USB or KVM connection) or network device (through a serial connection) to its KVM appliance. This integrated, secure digital KVM appliance combines out-of-band control with BIOS-level KVM access via a Web browser.

This approach uses a standard Web connection via SSL to connect to the remote KVM device, and it offers local authentication or authentication via LDAP or RADIUS. This means you can now monitor and authenticate remote connections to every server or network device through one SSL-enabled Web interface.

Final thoughts
Both the Microsoft approach and VNC offer some benefits, but each solution also has its drawbacks. In my opinion, Web-based KVM over IP is the leading solution.

Secure remote access via a standard Web browser to a central point allows BIOS-level control of any attached device or server. If secure remote and local management of your enterprise is one of your organization's goals, then I suggest investigating a KVM over IP solution today.
