
Choose a secure remote management approach

Examine some of your options for remote management solutions, such as the Microsoft approach, the generic approach, and the KVM over IP approach.

Managing Windows servers remotely has become standard practice on large networks. However, managing servers across an unsecured WAN connection is a security challenge in its own right.

The security involved with these remote management solutions varies depending on the complexity and the implementation of your organization's network. Let's examine some of your options.

The Microsoft approach

Microsoft offers a native remote management solution: Terminal Services, reached through the Remote Desktop Protocol (RDP), which listens on TCP port 3389.

RDP offers two excellent features:

  • Encryption: RDP encrypts the session with RC4, a stream cipher, using a 56- or 128-bit key. (RC4 is no longer considered adequate. On current Windows versions the RDP listener can be configured to require TLS for the transport and Network Level Authentication for the logon, and that should be done before the port is exposed anywhere.)
  • Roaming disconnect: When a network or client failure unexpectedly terminates a user's session, the server disconnects the user without logging off the account, so the session can be resumed later.
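As an added example (not code from the original article), the following PowerShell checks and enforces the transport settings mentioned above on a server's RDP listener. It assumes Windows Server 2008 R2 or later, an elevated session, and the standard RDP-Tcp listener registry path; the function names are mine.

```powershell
# Added example, not from the original article.
# Assumes: Windows Server 2008 R2+, elevated PowerShell, default RDP-Tcp listener.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpTransportSecurity {
    # Returns the three registry values that govern RDP transport security.
    # SecurityLayer:      0 = legacy RDP Security Layer (RC4), 1 = Negotiate, 2 = TLS required
    # UserAuthentication: 1 = Network Level Authentication required before a session is created
    # MinEncryptionLevel: 1 = Low, 2 = Client compatible, 3 = High (128-bit), 4 = FIPS
    $p = Get-ItemProperty -Path $rdpTcp
    [pscustomobject]@{
        SecurityLayer      = $p.SecurityLayer
        UserAuthentication = $p.UserAuthentication
        MinEncryptionLevel = $p.MinEncryptionLevel
    }
}

function Set-RdpTransportSecurity {
    # Require TLS, NLA and the High encryption level; applies to new sessions.
    Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -Value 3 -Type DWord
}

$before = Get-RdpTransportSecurity
if ($before.SecurityLayer -ne 2 -or $before.UserAuthentication -ne 1) {
    Write-Warning 'RDP listener still accepts the legacy RC4 security layer or non-NLA clients; hardening.'
    Set-RdpTransportSecurity
}
Get-RdpTransportSecurity | Format-List
```

The same three values can be pushed by Group Policy (Computer Configuration, Remote Desktop Session Host, Security) when you manage more than a handful of servers; the script is useful for verifying that the policy actually landed.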

While both are noteworthy features, neither tackles the central issue: how to securely control connections from a remote IP address to a multitude of internal servers. The more complex the internal network, the worse this problem becomes with the RDP approach, and you face a number of hurdles.

Most notable are the vulnerabilities associated with RDP and Terminal Services, and the difficulty of reaching internal servers that have no public IP address. In addition, you must allow inbound TCP 3389 through your security layer from any source IP address to every internal server you want to manage, which exposes each of those servers directly.

You could address these issues by running a single Terminal Services server as a jump host, remotely connecting to that server, and launching sessions to the other internal servers from it. This narrows the exposed surface to one machine, but it doesn't address vulnerabilities in the Microsoft RDP implementation itself, and it does nothing for connections to non-Microsoft servers.

In my opinion, the Microsoft approach isn't a viable solution for remote management. It has severe limitations when it comes to dealing with other operating systems and managing the security of inbound connections.




The generic approach

Developed at AT&T Laboratories Cambridge (originally the Olivetti & Oracle Research Lab), Virtual Network Computing (VNC) is a platform-independent approach. While this is an excellent non-OS-specific solution, it requires installing both client and server software, and it requires allowing TCP 5900 plus the display number (and 5800 plus the display number for the Java viewer) from any IP address to the servers you want to manage. The classic VNC protocol also encrypts nothing but the password challenge, so the session itself should be tunnelled through SSH or a VPN. In addition, it doesn't address how to remotely manage servers with private IP addresses.

VNC is a good alternative, but its requirement that you install the server component on every managed machine might not always be an option for your organization. You must also deal with the hurdle of allowing multiple ports from any IP address to all of your servers.
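Both the RDP and VNC sections above come down to the same firewall mistake: a management port opened to any source address. As an added example (not code from the original article or from either product), the PowerShell below shows the weak rule beside the corrected one, scoped to a single jump host, and audits the Windows Firewall for existing rules that open those ports to Any. It assumes Windows Server 2012 or later (the NetSecurity module) and an elevated session; the jump host address 10.0.0.5 and the function names are placeholders of mine.

```powershell
# Added example, not from the original article.
# Assumes: Windows Server 2012+ (NetSecurity module), elevated PowerShell.
# 10.0.0.5 is a placeholder for your management / jump host.
$JumpHost        = '10.0.0.5'
$MgmtPorts       = @{ 'RDP' = '3389'; 'VNC-Java' = '5800'; 'VNC' = '5900-5906' }
$MgmtPortNumbers = @(3389, 5800) + (5900..5906)

# Weak: the rule the article warns about, reachable from every IP address.
# Shown for contrast only; do not create it.
# New-NetFirewallRule -DisplayName 'RDP in (weak)' -Direction Inbound -Protocol TCP `
#     -LocalPort 3389 -RemoteAddress Any -Action Allow

# Corrected: one rule per service, accepting connections only from the jump host.
function New-ScopedMgmtRule {
    param([string]$Name, [string]$Port)
    New-NetFirewallRule -DisplayName "Mgmt $Name from jump host" -Direction Inbound `
        -Protocol TCP -LocalPort $Port -RemoteAddress $JumpHost -Action Allow -Profile Domain
}

function Test-MgmtPort {
    # True if a rule's LocalPort value (a number, an 'a-b' range, or 'Any') covers a management port.
    param([string]$PortSpec)
    if ($PortSpec -eq 'Any') { return $true }
    if ($PortSpec -match '^(\d+)-(\d+)$') {
        $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
        return [bool]($MgmtPortNumbers | Where-Object { $_ -ge $lo -and $_ -le $hi })
    }
    if ($PortSpec -match '^\d+$') { return ([int]$PortSpec) -in $MgmtPortNumbers }
    return $false
}

# Audit: enabled inbound Allow rules that open a management port to any remote address.
function Find-ExposedMgmtRules {
    $exposed = @()
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    foreach ($rule in $rules) {
        $port = Get-NetFirewallPortFilter -AssociatedNetFirewallRule $rule
        if ($port.Protocol -ne 'TCP') { continue }
        $hit = @($port.LocalPort) | Where-Object { Test-MgmtPort $_ }
        if (-not $hit) { continue }
        $addr = Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule
        if (@($addr.RemoteAddress) -contains 'Any') {
            $exposed += [pscustomobject]@{
                Rule   = $rule.DisplayName
                Ports  = (@($port.LocalPort) -join ',')
                Remote = 'Any'
            }
        }
    }
    return $exposed
}

foreach ($svc in $MgmtPorts.GetEnumerator()) { New-ScopedMgmtRule -Name $svc.Key -Port $svc.Value }
Find-ExposedMgmtRules | Format-Table -AutoSize
```

The audit deliberately parses port ranges rather than string-matching on "59", because a naive match would also flag WinRM (5985/5986) and mask the real findings. The same scoping belongs on the perimeter firewall in front of the jump host; the host firewall rules here are the second layer.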

The KVM over IP approach

Several leading vendors offer keyboard/video/mouse (KVM) over IP solutions that incorporate remote connectivity through a Web interface.

Raritan offers a KVM solution that allows you to connect any server (through a USB or KVM connection) or network device (through a serial connection) to its KVM appliance. This integrated, secure digital KVM appliance combines out-of-band control with BIOS-level KVM access via a Web browser.

This approach uses a standard Web connection over SSL to reach the KVM appliance, and it offers local authentication or authentication via LDAP or RADIUS. This means you can monitor and authenticate remote connections to every server or network device through one SSL-enabled Web interface. The appliance thereby becomes the single chokepoint, so its own patching, certificate validity, and authentication configuration deserve the attention that was previously spread across every server.

Final thoughts

Both the Microsoft approach and VNC offer some benefits, but each solution also has its drawbacks. In my opinion, Web-based KVM over IP is the leading solution.

Secure remote access via a standard Web browser to a central point allows BIOS-level control of any attached device or server. If secure remote and local management of your enterprise is one of your organization's New Year's resolutions, then I suggest investigating a KVM over IP solution today.
