topic N-class LAN console security in Operating System - HP-UX

N-class LAN console security

Oliver White — Mon, 15 Oct 2001 03:13:51 GMT

We have an N-class machine which sits outside our internal firewall. I am using the LAN console, and I would like to connect it to our internal network, so that no-one has access to the console from outside our LAN.

Our network security guy is not happy with this as he just sees the machine as a black box which is connected to both our internal and external networks, and thus gives a hacker the potential to bypass the firewall.

Is it theoretically possible to use the LAN console as a network device in this way?
I know it doesn't show up as a normal network device to HPUX, but is there any security or architectural documentation I can point to which shows it is not possible?

Oliver.

Re: N-class LAN console security

Animesh Chakraborty — Mon, 15 Oct 2001 04:14:59 GMT

Hi,
This link may help you http://forums.itrc.hp.com/cm/QuestionAnswer/1,11866,0x5279abe92dabd5118ff10090279cd0f9,00.html

Best of luck
animesh

Re: N-class LAN console security

Darrell Allen — Mon, 15 Oct 2001 13:59:22 GMT

Hi,

Since the lan console connects to the serial console port of the N and since you plan to have the lan console on an internal (firewalled) network, it seems it should be as secure as having a lan console for a server on the internal network. Sounds much more secure than having the lan console on the same external net as the N.

Darrell

Re: N-class LAN console security

Patrick Wessel — Mon, 15 Oct 2001 14:22:28 GMT

Oliver,

Find attached the block diagram of the GSP (it's shown as System Access Server (SAS) in the diagram). I hope it helps to calm you network colleague down.

Re: N-class LAN console security

Uday_S_Ankolekar — Mon, 15 Oct 2001 14:55:16 GMT

Hi,

Assuming all your servers has multiple network cards, how about creating a "private network" for all your unix boxes,
Good luck
-USA..

Re: N-class LAN console security

Oliver White — Mon, 15 Oct 2001 23:18:52 GMT

Thanks for your help so far guys, but I still don't have a clear indication on whether it would be possible to route traffic from a normal network interface through the machine and out over the lan console interface.

ie, could the LAN console be used as a normal network interface

Re: N-class LAN console security

Bill Hassell — Tue, 16 Oct 2001 01:04:53 GMT

The LAN console is not managed by HP-UX at all, it is run by the Guardian Service Processor. Therefore, you don't see any entry in lanscan or even ioscan. The only software that knows about it is the GSP.

As mentioned, it is an extension of the RS-232 port, so it behaves just like the console. This means that there is no LAN traffic through the console into HP-UX. Anything typed at the LAN console goes to the GSP. If you login to the GSP and type the co (console) command, you can get a console prompt. Otherwise, the LAN console has no connection to HP-UX at all...you can only type GSP commands (assuming you can get logged in).

That said, the LAN console (actually GSP) provides far too much information when you first connect, and the default for most N-class GSP's is no user or password...change that before configuring the LAN console.

Since the N-class is outside the firewall, the LAN console should be connected into your corporate network with a private LAN connection, and NOT placed onto the open Internet. Since the GSP has no network connection to HP-UX, it cannot act as a router or packet forwarder.

So while it would appear that the N-class would have two LAN cards, essentially these are two separate computers which communicate only simple commands between each other via a console connection. There are no ports open on the LAN console except telnet.