The remote server access enabled by KVM devices is a convenience bordering on necessity for system administrators. As with most conveniences, there's a trade-off: security.
A keyboard, video and mouse (KVM) connection enables systems administrators to manage multiple devices within a data center rack. And now with remotely accessible KVM consoles, management is even more convenient. As with any remotely accessible device, remote KVMs mean a constant battle to control vulnerability vectors.
A brief look into remote KVM
KVM configurations are typically accompanied by a switch mechanism that serves as a central point of control where all IP-enabled devices within a rack or group of racks connect. In many modern KVM configurations, the KVM switch has a built-in Web server for remote access to server management interfaces. And that's the potential attack vector.
It's admittedly a tough hack to gain unauthorized control over KVM consoles, as most remote KVM devices are only accessible from inside the local area network (LAN). Configure the IP address of the KVM to be internally facing and you've already limited the attack vector to LAN insiders.
In April 2013, British law enforcement agents arrested 12 individuals who exploited a KVM in a Barclays bank branch that was otherwise secured from outside access. One perpetrator posed as an IT technician and successfully installed a USB dongle that had 3G connectivity. Once they gained physical access to the KVM, cellular technology enabled the hack. By the time the gang was caught, they had stolen 1.3 million pounds. This incident reinforces the notion that while unauthorized access to the KVM is difficult, it is by no means impossible.
The remote KVM's Web server puts systems management tasks into a graphical user interface. This necessitates semi-frequent server scans to reveal any open ports. When you monitor for open ports and find one unexpectedly open, immediately collaborate with all concerned parties.
The value of collaboration
The speed and convenience inherent to remotely accessible KVMs expedites degradation of the network just as easily as it improves it. Any system administrator with access to the KVM can potentially update any server connected to it, for better or worse.
In some configurations, one KVM switch grants access to as many as 24 bare metal servers, and therefore affects all the virtual machines that reside on them. For example, if an administrator applies a bulk patch installation that wasn't properly tested or was deemed unsafe but not properly documented, it can break the proprietary software residing on multiple servers all at once.
Collaboration is a pet topic of conference speakers and book authors, but collaboration means different things to different organizations. In the case of IT and data center management, collaboration occurs over platforms as diverse as Confluence and SharePoint to group texts and smoke breaks. But when attempting to control change management, nothing clears up ambiguity like a face-to-face meeting. This necessary evil enables the speed and convenience of remotely accessible KVMs without speedy, widespread blunders.
About the author
Brad Casey is an expert on network security with experience in penetration testing, public key infrastructure, VoIP and network packet analysis. He also covers system administration, Active Directory and Windows Server 2008, with interest in Linux virtualization and Wireshark captures. He spent five years in security assessment testing for the U.S. Air Force. Contact him at firstname.lastname@example.org.
Overcome remote server management limitations
Choose a remote management tool
Connect everything with RFID
Dig deeper on Configuration and change management tools
Brad Casey asks:
Who should have remote access to servers?
0 ResponsesJoin the Discussion