UniGuard-V34 & Port Authority 44
Communication Devices (CDI)
Excellent protection for remote systems management with strong authentication. The SecurID service can be kept separate from the one used for corporate systems access.
Policies are quite simple; needs more options to limit staff access.
A must-have if remote access to systems management and high security are key, but policies cannot be easily incorporated into any other interface.
The UniGuard-V34 modem and Port Authority 44 (PA44) offer secure out-of-band control of networking hardware and servers.
The problem is how to connect remotely to network devices when that network has failed. Most monitoring consoles communicate through the network they are monitoring. Out-of-band (OOB) systems use a separate network, in this case the telecoms network, which is not in the same "band."
Both products have built-in modems, Triple DES encryption, and two-factor authentication, optionally through RSA's SecurID.
PA44's four ports connect to console ports on the hardware being controlled. There are also four power ports so equipment can be powered down and back up again remotely. UniGuard is a single-port version, which can be used to control one piece of equipment, or at the admin's workstation as an encryption modem to communicate with the PA44 or its eight-port partner, the PA88.
Both units need to maintain a security database of sanctioned technicians. Other methods of OOB management rely on RADIUS and TACACS+, but these require separate security servers to maintain a database. UniGuard and PA44 each contain a secured database that can be kept updated and refreshed remotely.
The database is populated from the Distributed Database Manager through an encrypted session. The policies in this environment are simple. All that is stored is the user name, their preferred method of connection, and which ports and equipment they can access. If SecurID is used, it also stores the seed number used in generating the user's numerical password.
The policy management of these products lacks sophistication, but access is well thought out. Users wishing to access the database can connect with two-factor authentication, or a numerical password can be generated by the system and sent to a technician's pager to supplement their password.