Webconsole & Lan Console port

They are both pretty darned secure in my opinion.

We use web console, because it was the first one I anaged to to get working. I was having terminal key errors with lanconsole.

The Web console has a good java/security package with it and an extra layer of password security before you can get to a normal console prompt.

The advantage here is that all you need to make it work is a supported browser. If there are security flaws, your exposure is the same as any other web document.

Behind a firewall, the real issue is employees.

lanconsole gives you an additional advantage, along with the disadvantage of needing to find and install a proper client, putty works fine btw. You can add a layer of /var/adm/inetd.sec security and control what ip addresses and hosts are allowed to connect. This should be done regardless of whether you use lanconsole or not but you can fine tune the security in a little more granular fashion.

I see these as two equally good products, one of which is slightly easier for a fool like me to set up.

SEP

I know of 3 ways to do this:

1) Serial consoles, which I assume we are not talking about.
2) Lanconsole which is substantially a telnet/ssh connection and network configuration.
3) Secure Web Console.

Even though I did a recent install on this, the first thread response writer is way more up to date than me an the technical aspects.

Take that into account when making your decision.

SEP

Both have same funtion and secure. Web console are old one and is extra hardware but lan console is inbuilt. No one can remove it, no extra cables needed.I think every new server have this feature as default.

Thanks to Everybody
-sinhass

In my opinion (and many other sysadmins), there is nothing secure about the Web Console. Here is one of many (old) references to decoding the web console:

http://www.security-express.com/archives/bugtraq/1999-q4/0157.html

So the answer is that neither should be used a security device. Console connections, regardless of the platform or appliance, are critical entry points into the system. And as such, they should be treated as highly vulnerable and to be protected. So I would remove lanconsole connections and web consoles (don't forget your network appliances), and replace them with serial connections into a secure terminal server. Cyclades makes an embedded Linux box that supports from 1 to as many as 48 consoles in a 1U rack space. There are a couple of other manufacturers that offer console servers with SSH access.

The reason that this is important is that you don't want any of the consoles directly connected to a network. You will use SSH to terminal server and then select the port you need. Another advantage of modern terminal servers is that they remember text that was sent to the console even though no one was connected to the port.

Hi,

to add to what Bill wrote:
use something like "nmap" to do a so-called "portscan" on one of those "consoles" - and they usually are hung up (and you'll need to unplug the power-cable from it to get it back to work. That's especially nasty with the GSPs, i.e. built-in lan-/web-consoles).

FWIW,
Wodisch