CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources] (text version)






  • Foundation Topics

    Network Management Overview


    Simply put, network management is a generic term for the set of functions that help to maintain, monitor, and troubleshoot the resources of a network. The traffic generated by these management actions travels in either in-band or out-of-band flows, which gives rise to the terms in-band and out-of-band network management.

    In-Band Network Management


    The term in-band network management refers to the flow of management traffic that follows the same path as normal network data. In-band managed devices support various methods and protocols that facilitate remote management of the device while using the normal data flow. The section "Network Management Protocols," later in the chapter, provides more details on the protocols that provide this functionality.

    Because management information flows over the same path as data traffic, in-band network management is usually considered less secure than out-of-band network management. This is primarily because administrative access to all managed devices is via the normal data flow and is therefore potentially open to compromise by a network intruder.

    Consequently, you should always keep in mind the potential security flaws associated with in-band network management and, wherever possible, implement techniques to minimize the chance of interception and modification of management data. Limiting network management to read-only access, using tunneling protocols, or using more secure variants of insecure management protocols are just some of the methods that you can use.

    Out-of-Band Network Management


    Out-of-band network management refers to the flow of management traffic that does not follow the same path as normal network data. Normally, a parallel network or communications path is used for management purposes in this case. This path either directly interfaces to a dedicated network port on the device needing to be managed or terminates on a device, such as a terminal server, which then provides direct connection to the networked device's console port.

    Generally, out-of-band management is considered more secure than in-band management because the network management segment is private and, hence, isolated from the normal data network.

    Consequently, the out-of-band network management segment is less likely to be compromised by a network intruder. However, out-of-band network management is usually the least cost-effective means of network management because each managed device requires a dedicated connection to the private management network.

    Mitigating Management Traffic Attacks


    To mitigate management traffic attacks, consider the following points:

    • You should always use out-of-band management in preference to in-band management because it provides the highest level of security.

    • Where management traffic flows in-band, you need to place more emphasis on securing the transport of the management protocols. Consequently, you need to make this transport as secure as possible either by using a secure tunneling protocol, such as IPSec, to secure all management traffic or, if that is not possible, by using a secure management protocol.

    • If a device that requires management resides outside the network, then you should use an IPSec tunnel to manage that device. This tunnel should originate from the management network and terminate directly on the device.

    • Where management data cannot be secured due to device limitations, you should always be aware of the potential for data interception and falsification.
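
    The in-band guidance above (read-only access, secure variants of insecure management protocols) can be checked mechanically against a device configuration. The following is an added example, not code from the book: it assumes Cisco IOS-style syntax, and the choice of Telnet, SNMP read-write communities, cleartext HTTP, and unrestricted vty lines as the weak settings is an assumption made for illustration. The sample configuration is constructed.

```python
import re

# Constructed Cisco IOS-style sample (assumption: not taken from the book).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community s3cret RW
ip http server
ip http secure-server
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 transport input ssh
"""

def audit_management_plane(config):
    """Return (check, location) findings for weak in-band management settings."""
    findings = []
    vty_blocks = {}   # "0 4" -> {"telnet": bool, "acl": bool}
    current = None    # vty block currently being parsed, if any
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if raw and not raw[0].isspace():
            current = None                      # top-level line closes the block
        m = re.match(r"line vty (\d+(?: \d+)?)$", line)
        if m:
            current = vty_blocks.setdefault(m.group(1), {"telnet": False, "acl": False})
        elif current is not None and line.startswith("transport input "):
            protocols = line.split()[2:]
            current["telnet"] = bool({"telnet", "all"} & set(protocols))
        elif current is not None and re.match(r"access-class \S+ in\b", line):
            current["acl"] = True               # management source addresses are restricted
        elif re.match(r"snmp-server community \S+ RW\b", line, re.I):
            # Report the line number only; never echo the community string.
            findings.append(("snmp-read-write", f"line {lineno}"))
        elif line == "ip http server":
            findings.append(("cleartext-http", f"line {lineno}"))
    for name, state in vty_blocks.items():
        if state["telnet"]:
            findings.append(("vty-telnet", f"vty {name}"))
        if not state["acl"]:
            findings.append(("vty-no-access-class", f"vty {name}"))
    return findings

if __name__ == "__main__":
    for check, where in audit_management_plane(SAMPLE_CONFIG):
        print(f"{check:22} {where}")
```

    A configuration that keeps SNMP read-only, serves only `ip http secure-server`, and limits every vty line to SSH behind an `access-class` produces no findings.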


