Operating System - HP-UX

Re: N-class LAN console security

Oliver White
Occasional Advisor

N-class LAN console security

We have an N-class machine which sits outside our internal firewall. I am using the LAN console, and I would like to connect it to our internal network, so that no-one has access to the console from outside our LAN.

Our network security guy is not happy with this as he just sees the machine as a black box which is connected to both our internal and external networks, and thus gives a hacker the potential to bypass the firewall.

Is it theoretically possible to use the LAN console as a network device in this way?
I know it doesn't show up as a normal network device to HP-UX, but is there any security or architectural documentation I can point to which shows it is not possible?

Oliver.
6 replies
Animesh Chakraborty
Honored Contributor

Re: N-class LAN console security

Hi,
This link may help you http://forums.itrc.hp.com/cm/QuestionAnswer/1,11866,0x5279abe92dabd5118ff10090279cd0f9,00.html



Best of luck
animesh

Did you take a backup?
Darrell Allen
Honored Contributor

Re: N-class LAN console security

Hi,

Since the LAN console connects to the serial console port of the N and since you plan to have the LAN console on an internal (firewalled) network, it seems it should be as secure as having a LAN console for a server on the internal network. Sounds much more secure than having the LAN console on the same external net as the N.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Patrick Wessel
Honored Contributor

Re: N-class LAN console security

Oliver,

Find attached the block diagram of the GSP (it's shown as System Access Server (SAS) in the diagram). I hope it helps to calm your network colleague down.
There is no good troubleshooting with bad data
Uday_S_Ankolekar
Honored Contributor

Re: N-class LAN console security

Hi,

Assuming all your servers have multiple network cards, how about creating a "private network" for all your unix boxes?
Good luck
-USA..
Good Luck..
Oliver White
Occasional Advisor

Re: N-class LAN console security

Thanks for your help so far guys, but I still don't have a clear indication on whether it would be possible to route traffic from a normal network interface through the machine and out over the LAN console interface.

i.e., could the LAN console be used as a normal network interface?


Bill Hassell
Honored Contributor
Solution

Re: N-class LAN console security

The LAN console is not managed by HP-UX at all, it is run by the Guardian Service Processor. Therefore, you don't see any entry in lanscan or even ioscan. The only software that knows about it is the GSP.

As mentioned, it is an extension of the RS-232 port, so it behaves just like the console. This means that there is no LAN traffic through the console into HP-UX. Anything typed at the LAN console goes to the GSP. If you login to the GSP and type the co (console) command, you can get a console prompt. Otherwise, the LAN console has no connection to HP-UX at all; you can only type GSP commands (assuming you can get logged in).

That said, the LAN console (actually GSP) provides far too much information when you first connect, and the default for most N-class GSPs is no user or password. Change that before configuring the LAN console.

Since the N-class is outside the firewall, the LAN console should be connected into your corporate network with a private LAN connection, and NOT placed onto the open Internet. Since the GSP has no network connection to HP-UX, it cannot act as a router or packet forwarder.

So while it would appear that the N-class would have two LAN cards, essentially these are two separate computers which communicate only simple commands between each other via a console connection. There are no ports open on the LAN console except telnet.


Bill Hassell, sysadmin
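The two claims in the accepted answer that the network team will care about are checkable rather than something to take on trust: from the HP-UX side, the GSP's console LAN should appear in neither the interface list nor the routing table (if it does, someone has put a real NIC on the console subnet and the box really is bridging the two networks); from the network side, the GSP address should answer on telnet alone. The script below is an added example, not code from the thread or from HP; it runs the two checks against constructed sample output so it can be tried offline. The addresses, the subnet, and the sample `netstat -in`, `netstat -rn` and port-scan listings are all assumptions. On a real host, replace the embedded strings with `$(netstat -in)` and `$(netstat -rn)` run on the N-class, and paste in the output of a TCP scan of the GSP address taken from the console LAN. Bear in mind that the one open port is cleartext telnet, so the GSP password crosses the wire unencrypted; that is one more reason the console LAN must be the private internal segment and never the external one.

```shell
#!/bin/sh
# Added audit helper (not from the thread): confirm that HP-UX has no
# interface or route on the GSP console LAN, and that the GSP address
# exposes telnet only. All addresses and command output below are
# constructed sample data (assumptions), not a capture from a real system.

CONSOLE_NET="10.20.30."      # assumed console subnet, written as a prefix
GSP_ADDR="10.20.30.40"       # assumed address of the GSP LAN console

# Constructed 'netstat -in' output from the HP-UX host: two NICs, neither
# on the console subnet, which is the expected (clean) state.
NETSTAT_IN='Name      Mtu  Network         Address         Ipkts    Opkts
lan0      1500 192.168.1.0     192.168.1.10    123456   98765
lan1      1500 172.16.5.0      172.16.5.10     2345     1234
lo0       4136 127.0.0.0       127.0.0.1       100      100'

# Constructed 'netstat -rn' output for the same host.
NETSTAT_RN='Routing tables
Destination        Gateway            Flags   Refs  Interface  Pmtu
127.0.0.1          127.0.0.1          UH      0     lo0        4136
192.168.1.10       192.168.1.10       UH      0     lan0       4136
192.168.1.0        192.168.1.10       U       2     lan0       1500
172.16.5.0         172.16.5.10        U       2     lan1       1500
default            192.168.1.1        UG      0     lan0       1500'

# Constructed TCP scan results for the GSP address (nmap-style lines):
# the expected state, and a state that should fail the check.
SCAN_OK='PORT     STATE  SERVICE
23/tcp   open   telnet'
SCAN_BAD='PORT     STATE  SERVICE
23/tcp   open   telnet
80/tcp   open   http'

# Print every line of a netstat table that mentions the console subnet.
# $1 = table text, $2 = subnet prefix. Empty output means no reference.
console_refs() {
    printf '%s\n' "$1" | grep -F -- "$2" || true
}

# Host-side verdict: "clean" when neither the interface list ($1) nor the
# routing table ($2) references the console subnet ($3), else "bridged".
host_verdict() {
    if [ -z "$(console_refs "$1" "$3")" ] && [ -z "$(console_refs "$2" "$3")" ]; then
        echo clean
    else
        echo bridged
    fi
}

# Space-separated list of open TCP ports from scan output in "PORT STATE" form.
open_ports() {
    printf '%s\n' "$1" | awk '$2 == "open" { sub("/.*", "", $1); printf "%s ", $1 }' | sed 's/ $//'
}

# GSP-side verdict: telnet (23) must be the only open port.
gsp_verdict() {
    case "$(open_ports "$1")" in
        23) echo telnet-only ;;
        "") echo unreachable ;;
        *)  echo extra-services ;;
    esac
}

echo "HP-UX side ($CONSOLE_NET*): $(host_verdict "$NETSTAT_IN" "$NETSTAT_RN" "$CONSOLE_NET")"
echo "GSP side ($GSP_ADDR):      $(gsp_verdict "$SCAN_OK")"
echo "GSP side, bad sample:      $(gsp_verdict "$SCAN_BAD")"
```

A "bridged" result does not mean the GSP is forwarding packets (it cannot), only that the host itself has a foot in the console subnet, which is the configuration the network engineer is right to object to. An "extra-services" result means the device answering at the GSP address is not behaving like a bare GSP and needs a closer look before it goes on the internal segment.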