Last month, the U.S. Computer Emergency Readiness Team (US-CERT), in coordination with the U.S. Department of Homeland Security, released a National Cyber Awareness System advisory for network security professionals. It recommends six ways of mitigating the growing threats to network infrastructure devices, out-of-band management among them. Here is a summary of the recommendations:
1. Segregate networks and functions. When an intrusion occurs, only the affected network segments are shut down automatically, not the entire network; healthy segments keep running.
2. Limit unnecessary lateral communications. Host-based firewall rules and access control lists restrict traffic to the communications that are actually required.
3. Harden network devices. Encrypt remote admin protocols, disable unnecessary services and apply the latest patches.
4. Secure access to infrastructure devices. Properly implemented network access policies keep unauthorized users off infrastructure devices.
5. Perform out-of-band management. Alternate paths are used to manage network infrastructure devices remotely and to respond proactively to an intrusion in the in-band network.
6. Validate integrity of hardware and software. Products tampered with during an intrusion are detected and blocked or removed from the network. All network administrators should periodically check product integrity.
The role of SDN controllers in performing out-of-band management of traffic flows in in-band networks has been overlooked. The SDN controller helps the network administrator spend less time locating and fixing in-band network vulnerabilities. Countermeasures that mitigate those vulnerabilities should be part of the out-of-band risk management plan. Critical network devices, for example, must be configured so that an adversary finds it harder to observe the changes the administrator makes to BIOS settings, device configurations and connection upgrades. Here are some ways to conduct out-of-band management for network infrastructure devices.
Behind the SDN controller's brains is OpenFlow, a communication standard that lets the controller separate the control plane from the data plane of network devices. The controller tells the network devices how to forward traffic -- the control plane -- into the in-band network, but does not forward the traffic itself -- the data plane. If one network device becomes congested, for example, the controller can instruct a healthy device to take the traffic.
OpenFlow has been used to mirror in-band traffic for out-of-band management of traffic flows. This lets the administrator monitor in-band network devices whether the device is powered on, powered off, unresponsive or unreachable over the in-band network. If an in-band network segment is found to be unbootable, for example, out-of-band management can be used to reboot it.
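To make the control-plane/data-plane split and the mirroring idea concrete, here is an added example; it is not code from the article and not the OpenFlow wire protocol, but a simplified Python model of the same division of labour. The controller only installs flow entries, each switch forwards by matching packets against its own table, a mirror rule copies in-band management traffic to an out-of-band monitoring port, and a congested device is skipped in favour of a healthy one. The port numbers, switch names and match fields are constructed for the example.

```python
"""Simplified model of an OpenFlow-style controller and switches.

Added example, not from the article and not the OpenFlow wire protocol:
it shows the control plane (the controller writes flow entries) separated
from the data plane (switches forward by matching their flow table).
Port numbers, switch names and match fields are constructed.
"""
from dataclasses import dataclass, field

IN_BAND_PORT = 1      # constructed: normal forwarding path
OOB_MIRROR_PORT = 99  # constructed: port wired to the out-of-band monitor


@dataclass
class FlowEntry:
    priority: int
    match: dict    # fields a packet must carry, e.g. {"tcp_dst": 22}; {} matches all
    actions: list  # ordered actions, e.g. [("output", 1), ("output", 99)]


@dataclass
class Switch:
    """Data plane: holds a flow table and applies it to packets."""
    name: str
    table: list = field(default_factory=list)
    congested: bool = False

    def lookup(self, packet):
        """Return the actions of the highest-priority entry matching the packet."""
        for entry in sorted(self.table, key=lambda e: e.priority, reverse=True):
            if all(packet.get(k) == v for k, v in entry.match.items()):
                return entry.actions
        return [("drop",)]  # table miss; a real switch would punt to the controller


class Controller:
    """Control plane: decides policy and installs it, never forwards packets."""

    def __init__(self, switches):
        self.switches = {s.name: s for s in switches}

    def install(self, switch_name, entry):
        self.switches[switch_name].table.append(entry)

    def mirror_to_oob(self, switch_name, match):
        """Forward matching traffic normally AND copy it to the OOB monitor port."""
        self.install(switch_name, FlowEntry(200, match,
                     [("output", IN_BAND_PORT), ("output", OOB_MIRROR_PORT)]))

    def pick_device(self, preferred):
        """Choose the preferred switch unless it is congested; else any healthy one."""
        order = [preferred] + [n for n in self.switches if n != preferred]
        for name in order:
            if not self.switches[name].congested:
                return name
        raise RuntimeError("no healthy device available")


def build_demo():
    """Two switches with a default-forward rule and a mirror rule for SSH."""
    ctl = Controller([Switch("s1"), Switch("s2")])
    for name in ("s1", "s2"):
        ctl.install(name, FlowEntry(100, {}, [("output", IN_BAND_PORT)]))
        ctl.mirror_to_oob(name, {"tcp_dst": 22})  # mirror management sessions
    return ctl


def forward(ctl, packet, preferred="s1"):
    """Controller picks the device; that device's data plane decides the actions."""
    device = ctl.pick_device(preferred)
    return device, ctl.switches[device].lookup(packet)


if __name__ == "__main__":
    ctl = build_demo()
    print(forward(ctl, {"in_port": 2, "tcp_dst": 22}))  # mirrored: output 1 and 99
    print(forward(ctl, {"in_port": 2, "tcp_dst": 80}))  # plain forward: output 1
    ctl.switches["s1"].congested = True
    print(forward(ctl, {"in_port": 2, "tcp_dst": 22}))  # fails over to s2
```

The point to notice is that `forward()` never lets the controller touch the packet's actions: it only selects a device, and the device's flow table decides. Marking `s1` congested changes which table is consulted, not the tables themselves, which is exactly the separation the article describes.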
Out-of-band management implementation
Out-of-band management can be implemented on premises, physically or virtually, or as a hybrid that includes an in-band network. If multiple controllers are used, the organization should consider whether Border Gateway Protocol (BGP) provides support for out-of-band management.
This federation technique lets multiple controllers -- typical of a large network spanning two or more geographical sites -- exchange information with one another. If one controller stops working properly, for example, the other controllers in the same SDN environment automatically get the packets through via the designated routers. The organization's network policy should list BGP as one of the supporting protocols for out-of-band management. (Note that one controller is enough for a small business network.)
Organizations that do not want management software on premises should look into a subscription-based cloud management service. Cradlepoint, for example, offers this as part of a cloud offering. Another consideration is whether the vendor lets network administrators who are frequently on the move use wireless USB modems to manage both out-of-band and in-band network devices remotely, at any time and from anywhere.
Vendor-based out-of-band management
Some SDN vendors require an enterprise to have an out-of-band network that offers better latency, particularly when an in-band network segment is down. Falling into this category are traffic monitoring companies including Ixia and Gigamon, as well as traditional network vendors such as Cisco, Brocade and Hewlett Packard Enterprise.
Intelligent Platform Management Interface (IPMI) is the most common method of out-of-band management for servers or appliances on premises. IPMI relies on the baseboard management controller (BMC), which has its own power source, communication port and operating system. Vendor-based IPMI devices include Dell DRAC/iDRAC, HP Integrated Lights-Out and IBM Remote Supervisor.
But IPMI devices introduce weaknesses if they are not configured properly, default passwords among them. These should be fixed before out-of-band management is used to take corrective action on compromised in-band network segments.
To see how an out-of-band network is managed, a monitoring mechanism is needed. One possibility is Tenable's SecurityCenter Continuous View, a dashboard that provides risk analysis of vulnerabilities, threats and network traffic on out-of-band management devices or systems. Another is Cradlepoint's Modem Health Management, which provides self-health monitoring of the modem, WAN port speed control and several levels of basic and advanced logging for troubleshooting.
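The advisory's first, second and fourth recommendations (segregate networks, limit lateral communications, secure access to infrastructure devices) and the IPMI paragraph above come together in one concrete control: the firewall or ACL rules that fence off the BMC network. The following is an added example, not code from the article or from any vendor named in it. It parses a small rule set, flags allow rules that let anything other than the admin jump subnet reach BMC management services, or that let the out-of-band subnet open sessions into the in-band network, and shows a weak rule set beside a corrected one. The subnets, the rule format and every sample rule are constructed for the example.

```python
"""Audit ACL rules that protect an out-of-band management network.

Added example, not from the article.  It checks three of the advisory's
recommendations (segregate networks, limit lateral communications, secure
access to infrastructure devices) against a rule set: BMC/IPMI services on
the out-of-band subnet must be reachable only from the admin jump subnet,
and the out-of-band subnet must not open sessions into the in-band network.
The subnets, the rule format and all sample rules are constructed.
"""
import ipaddress

OOB_MGMT_NET = ipaddress.ip_network("10.99.0.0/24")  # constructed: BMC / console addresses
JUMP_NET = ipaddress.ip_network("10.10.50.0/28")     # constructed: admin jump hosts
IN_BAND_NET = ipaddress.ip_network("10.0.0.0/16")    # constructed: production network

# Services a BMC typically exposes: IPMI over LAN (RMCP+), web console, SSH.
BMC_SERVICES = {("udp", 623), ("tcp", 443), ("tcp", 22)}


def parse_rules(text):
    """Parse constructed 'action src dst proto port' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, proto, port = line.split()
        rules.append({
            "action": action,
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
            "proto": proto,                          # "tcp", "udp" or "any"
            "port": None if port == "any" else int(port),
        })
    return rules


def touches_bmc_service(rule):
    """True if the rule's destination and port can reach a BMC management service."""
    if not rule["dst"].overlaps(OOB_MGMT_NET):
        return False
    if rule["proto"] == "any" or rule["port"] is None:
        return True
    return (rule["proto"], rule["port"]) in BMC_SERVICES


def audit(rules):
    """Return human-readable findings for allow rules that break the OOB policy."""
    findings = []
    for number, rule in enumerate(rules, start=1):
        if rule["action"] != "allow":
            continue
        # Recommendation 4: only the jump subnet may reach BMC services.
        if touches_bmc_service(rule) and not rule["src"].subnet_of(JUMP_NET):
            findings.append(f"rule {number}: BMC services on {rule['dst']} "
                            f"reachable from {rule['src']}, not the jump subnet")
        # Recommendations 1 and 2: the OOB subnet must not initiate into in-band.
        if rule["src"].overlaps(OOB_MGMT_NET) and rule["dst"].overlaps(IN_BAND_NET):
            findings.append(f"rule {number}: OOB subnet {rule['src']} may open "
                            f"sessions into in-band {rule['dst']}")
    return findings


# Constructed weak rule set: two findings expected.
WEAK_RULES = """
allow  10.10.50.0/28  10.99.0.0/24  udp  623   # jump hosts -> IPMI, fine
allow  10.10.50.0/28  10.99.0.0/24  tcp  443   # jump hosts -> BMC web UI, fine
allow  10.0.0.0/16    10.99.0.0/24  tcp  443   # any in-band host -> BMC web UI
allow  10.99.0.0/24   10.0.0.0/16   any  any   # OOB may initiate into in-band
allow  10.0.0.0/16    10.0.0.0/16   tcp  443   # in-band only, unrelated
deny   0.0.0.0/0      10.99.0.0/24  any  any
"""

# Constructed corrected rule set: jump subnet only, OOB never initiates outward.
HARDENED_RULES = """
allow  10.10.50.0/28  10.99.0.0/24  udp  623
allow  10.10.50.0/28  10.99.0.0/24  tcp  443
allow  10.10.50.0/28  10.99.0.0/24  tcp  22
deny   0.0.0.0/0      10.99.0.0/24  any  any
deny   10.99.0.0/24   0.0.0.0/0     any  any
"""

if __name__ == "__main__":
    for finding in audit(parse_rules(WEAK_RULES)):
        print("FINDING:", finding)
    print("hardened findings:", audit(parse_rules(HARDENED_RULES)))
```

Run it as a script and the weak set produces two findings (rules 3 and 4) while the hardened set produces none. Fixing default BMC passwords, as the paragraph above says, is still necessary; this check only confirms that an in-band compromise cannot reach the BMCs in the first place, and that the out-of-band network cannot be turned into a path back into production.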
Always check the latest Common Vulnerabilities and Exposures and U.S. CERT notices on out-of-band exploits that a performance monitoring device may have overlooked. It's important to be one step ahead of adversaries.