> Sounds like there's no terminal server there, just dialin on
> the serial console. :(

This is exactly the situation. In fact, we probably won't even do IP over it, simply a dial-in modem connected to the console that will present you with a login prompt after the modems have finished handshaking. The phone line will be disconnected and the modem off until we call the client and get him to turn it on and plug the line in. This would be used only in the case of catastrophic failure, i.e. when their T1 to the Net is down, thus rendering remote mgmt via VPN useless. I realize this is still a nasty setup, but as I said I have no choice in the matter.

Actually, I'm less concerned about the "out-of-band" stuff right now than getting the encrypted VPN over the internet to work. If you get a chance, look over the rest of my message ;)

> Warning: workstations often have incredibly lame serial consoles.
> I don't know about the particular sun boxes you're planning to use
> but I've had $40,000 screaming hot workstations barely able to handle
> serial I/O at 38.8k.

Yes, these are Ultra-1s, and the highest speed the serial port will support is 38400. Still, we will only be pushing chars, not IP.

> I've been pondering the secure remote management thing for a while
> and was trying to come up with decent solutions that are dirt cheap.
> Haven't tried this, but does anyone see a flaw with:
> - have a log-in that drops you right into PPP using CHAP
> - run ip_filt on the workstation to filter access via the PPP interface
> - let only SSH in over PPP (or whatever other services are OK)

If I were to consider doing the serial setup correctly, ideally I'd like to use dialback, and CHAP authentication w/PPP. That would be the most economical and slightly more secure setup. Doing encryption over that link would probably be dog slow. In any case, the modem is a "last resort"-type thing, only used in emergencies, disconnected otherwise.

--ANindya
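One way to express the quoted proposal's last two steps (ip_filt on the workstation, only SSH in over the PPP link) as an IPFilter ruleset. This is an added illustration, not a configuration from this thread; it assumes IPFilter rule syntax, a PPP interface named ppp0 and sshd listening on port 22.

```conf
# Assumed: IPFilter (ipf) rules for the dial-in PPP interface ppp0,
# sshd on TCP port 22. Every rule is "quick", so the set is first-match.

# Drop and log fragments too short to carry a full header, and packets
# carrying IP options; neither has any business on a management link.
block in log quick on ppp0 from any to any with short
block in log quick on ppp0 from any to any with ipopts

# Admit only new SSH connections from the dial-in peer; "keep state"
# tracks the session so its reply packets pass without further rules.
pass in quick on ppp0 proto tcp from any to any port = 22 flags S keep state

# Default deny inbound, logged, so anything else arriving over the modem
# (a forgotten service, a probe from a mis-dialled line) shows up in ipmon.
block in log quick on ppp0 all

# Nothing originates from the workstation toward the dial-in peer; the
# SSH replies already matched by the state table are the only egress.
block out log quick on ppp0 all
```

Load with `ipf -Fa -f <file>` and watch drops with `ipmon`; the PPP login itself (CHAP, dialback) is handled by pppd, not by these rules.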
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:47 PDT