[Figures 1, 2 and 3 are not reproduced here; source archive: oct2006.tar]

Cyclades ACS Console Servers

Joe Freeman

Terminal servers, network access servers, and console servers all come from similar roots. Although they were originally used to connect green-screen, dumb terminals to remote hosts, it didn't take long for people to realize that they could put a pair of modems and a phone line between the terminal and the terminal server. Once IP became the prevalent protocol, it was a fairly simple task to add an IP stack to the terminal server and create a device that allowed remote users to connect to the IP network from a remote location.

Once the IP stack was added, it was an even smaller jump to turn the connection around and use the terminal server to access serial console ports on remote equipment via IP. As time progressed, the market developed and different vendors added different features to support their customers. Today, IP Keyboard, Video, and Mouse (IP KVM) switches allow you to remote even the GUI interface on many of today's servers.

This article will focus on console servers -- the terminal server turned around so that you can access remote consoles via the IP network. With a console server, you can access all the management functions available on a server's console port just as if you were there. With high port capacity, clustering, and other features available today, you can access your whole data center remotely. This ability to virtualize the server's console port is a life saver when that Web server or database box dies in the middle of the night and you can't physically get to it.

Enter the Cyclades

Cyclades hit the market in 1991 as a manufacturer of serial cards for Linux hosts. The name Cyclades is a tribute to the Cyclades Network Project, which was a predecessor to ARPANET and TCP/IP. Cyclades continues to maintain a close relationship with the OSS community and, in fact, uses the HardHat Linux distribution in its appliances.

Today, Cyclades produces a line of console servers known as the Alterpath ACS. There are several different versions, providing various port counts and power options. I've used both the ACS16 and ACS48 units, which provide 16 and 48 serial ports, respectively.

The ACS16

With two PC card slots for expansion, the ACS16 can get a second Ethernet port, 802.11, GSM or POTS connectivity, or even flash memory. A PC Card IDE drive can even be installed to provide additional drive space if needed. I'll discuss why an appliance would need additional drive space later.

Installation

Several power options give the appliance flexibility to handle almost any environment. With single or dual AC power, these appliances are comfortable in that remote branch office, or in the data center where redundant power is crucial to providing maximum reliability. These appliances also have the option of single or dual 48VDC power supplies, so they're right at home in a central office or in a newer data center using DC power to improve efficiency and reduce heat.

One thing to note about the DC power supplies is that they include a small clear shield that snaps onto the terminal strips where you connect the power leads and ground. These shields are designed to keep anything from accidentally coming into contact with the power leads when the equipment is powered up, and it's a good idea to make sure they're in place before putting the fuses into the panel. As I mentioned, however, they are small and are easy to snap on and off, so if you're not careful, they do tend to get lost. After losing a few, I started taking them off the device and putting them in my pocket till I was ready to power up the device.

Both units are single rack units at 1.75 inches tall. At 17" wide and 8.5" deep, they'll fit in almost any space. I've mounted them in 23" telco racks, 19" network racks, and even in the back of server cabinets.

Connecting the appliance to hosts is a relatively simple matter if you've ever made a cat5 patch cable. In fact, you don't even have to make cables; you can just buy pre-made cat5 cables and adapters to fit almost any device from Cyclades. Personally, I prefer to make my cables to length and then lace them together with wax string, but that's the telco part of my background coming out.

The device itself has RJ45 ports for all the serial ports, the Ethernet port, and its local console port. The device comes with one RJ45-to-DB9 male adapter that works with your laptop's serial port, which you'll need for the initial configuration.

The Ethernet port included on the appliance is your basic 10/100 Ethernet port that will connect to the switch or hub. With an Ethernet cross-over cable, you can connect it directly to a router's Ethernet port as well.

Unix sys admins will feel very comfortable at the initial turn-up of the appliance. The turn-up requires the user to connect via the console port and either edit the configuration files using vi or, if preferred, execute a wizard from the CLI that will handle enough of the configuration to get the box online, to the point where you can use the Web interface for most functions. Many of the features mentioned here are turned on by editing the text files, however.

Once you've run the wizard and gotten the device on the network, it's relatively simple to connect to it using your Web browser. The basic management interface should work with almost any browser. I've used IE and Firefox with no troubles. Java's not required for the basic interface, but to connect to the serial ports using the Web UI, you'll need a JVM installed.

Features

The administrator's Web UI allows you to customize things like security profiles, user accounts, port names/aliases, baud rates, etc. You can even log into the serial ports from the Web UI using a Java applet included with the appliance. Furthermore, the appliance can be configured to allow access to the Web UI via a modem, which helps when a router is down and you need to get on its console to find out why.

As an administrator, you can customize user access considerably. Besides controlling which user has access to which ports, you can allow telnet or require SSH connections to the ports. User authentication can be handled with local accounts, or can be offloaded to RADIUS, LDAP, Kerberos, TACACS+, NIS, and One-Time Passwords (OTP). Any authentication method can be backed up by local authentication in case the connection to the remote authentication server goes down.

The appliance also allows you to set up an IPSec VPN connection back to another location so that the device can be accessed via a secure tunnel. ESP, AH, RSA public keys, and shared secrets are all supported. The VPN tunnel can be established with any host that supports IPSEC, including firewalls, routers, and hosts that have an IPSec stack installed.

As mentioned earlier, the device uses the HardHat Linux distribution. This includes ipchains, whose rule sets provide packet filtering. The firewall rules can be configured from the Web UI. The standard chains -- INPUT, FORWARD, and OUTPUT -- can be modified by the administrator, or additional chains may be created and applied as needed.

Remote monitoring of the appliance is also possible using the simple network management protocol (SNMP). The device supports SNMP versions 1, 2, and 3. As is typical of most SNMP agents, traps can be sent to remote trap collectors, and remote probes can poll the SNMP agent for various statistics. Private MIBS are available from Cyclades:

ftp://ftp.cyclades.de/pub/cyclades/apps/snmp/

The ACS appliance also supports event logging. These logs can be logged locally in flash memory, or can be sent to a remote network file system (NFS) server or syslog server. The appliance can also log data from hosts or devices, which is useful for remote forensics after a failure or security event.

One of the really neat features of the ACS platform is the ability to integrate a power distribution unit. An add-on accessory, the IPDU connects to one of the serial ports on the ACS; then the power connections for the hosts connected to the ACS are connected to the IPDU. This gives the remote sys admin the ability to remotely reboot a host while watching the console port for problems. It's an extremely useful tool, especially when the equipment is in un-manned locations. The ACS includes the ability to associate multiple power outlets with a device, so that even devices with multiple power supplies can be handled.

Intelligent Platform Management Interface (IPMI) is also supported. The ACS includes the ability to manage power functions on IPMI compliant hosts. MD5, MD2, straight password, and no password are supported for authentication to the IPMI compliant host.

The ACS includes all the network functions one would expect in a modern Linux-based appliance. This includes typical host settings such as hostname, IP address, DNS, gateway, and NIC bonding (requires a NIC installed in a PC Card), as well as syslog settings, PCMCIA management, VPN configuration, SNMP, firewall config, host table entries (/etc/hosts), and static routing.

Security

Out of the box, the platform includes the root user. Obviously, the password for root should be changed from the default. Two groups to which users may be assigned are included by default -- Admin and Regular User. The Admin group obviously should be limited to only those users that need total control of the device. The Regular User group by default can access all the ports but has no read/write privileges on the actual ACS config.

Additional groups may be created as needed, and users can be assigned to them. Port access can then be associated with specific groups, so that a user can reach only the devices he or she is authorized to access.

Active sessions may be viewed at any time from the administrator's Web UI. This Web UI also gives the administrator the ability to kill any session on the box and clear the port if needed. The Active Sessions window includes the user id, the connection type, where the user is connected from, session duration, and idle time.

As mentioned above, the ACS supports several different authentication types for access to the ACS or to the serial ports. A neat feature of the device is that authentication for access to the ACS may be handled via a different method or server than authentication for access to the serial ports. This is exceptionally useful if one authentication method is used for management and another for users in the network.

RADIUS accounting information may be collected using the RADIUS authentication server. Group information may also be retrieved from RADIUS, TACACS+, and LDAP. This allows group authorization via a centralized, managed point, simplifying overall security management.

Security profiles increase control over active services. Three pre-defined profiles exist out of the box: Secure, Moderate, and Open.

  • Secure is the most restrictive profile and disables all protocols except SSHv2, HTTPS, and SSH to the serial ports. Authentication is required to access the serial ports, and root access via SSH is not allowed. ICMP is also disabled.
  • Moderate is the default profile. SSHv1/2, HTTP/S, and telnet connections are allowed to the ACS. Telnet, SSH, and raw connections are allowed to the serial ports. ICMP and HTTP to HTTPS redirection are enabled. No authentication is required to access the serial ports.
  • Open allows everything Moderate allows, plus SNMP and RPC.

A custom profile may be used to allow custom configuration of all these options.
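The three pre-defined profiles are easiest to reason about as sets of permitted services, and the practical question after deployment is whether a unit actually exposes only what its intended profile allows. The following Python is an added example, not Cyclades code: the per-profile service names follow the article's description (with "serial_*" standing for the connection types allowed to the serial ports rather than to the ACS itself), and the two observed service lists are constructed, the way you would record them after scanning an appliance and reading its banners.

```python
"""Audit an ACS's exposed services against its intended security profile.

Added example, not Cyclades code. Profile contents follow the article; the
observed service sets are constructed for illustration.
"""

# Services the article lists for each pre-defined profile.
PROFILES = {
    "secure": {"sshv2", "https", "serial_ssh"},
    "moderate": {
        "sshv1", "sshv2", "http", "https", "telnet", "icmp", "http_redirect",
        "serial_telnet", "serial_ssh", "serial_raw",
    },
}
# Open is everything Moderate allows plus SNMP and RPC.
PROFILES["open"] = PROFILES["moderate"] | {"snmp", "rpc"}

# Most restrictive profile first.
ORDER = ("secure", "moderate", "open")


def violations(profile, observed):
    """Return, sorted, the observed services the named profile does not permit."""
    allowed = PROFILES[profile]
    return sorted(s for s in observed if s not in allowed)


def tightest_profile(required):
    """Name the most restrictive pre-defined profile that permits every
    required service, or "custom" when none of the three does."""
    required = set(required)
    for name in ORDER:
        if required <= PROFILES[name]:
            return name
    return "custom"


def audit(profile, observed):
    """Build a short text report for one appliance."""
    extra = violations(profile, observed)
    lines = [f"intended profile: {profile}"]
    if extra:
        lines.append("exposed but not permitted: " + ", ".join(extra))
        lines.append("tightest profile matching what is exposed: "
                     + tightest_profile(observed))
    else:
        lines.append("no deviations from the intended profile")
    return "\n".join(lines)


# Constructed observations: a unit left on the default (Moderate) profile,
# and one that was switched to Secure.
DEFAULT_UNIT = {"sshv2", "https", "http", "telnet",
                "serial_telnet", "serial_ssh", "icmp"}
HARDENED_UNIT = {"sshv2", "https", "serial_ssh"}

if __name__ == "__main__":
    print(audit("secure", DEFAULT_UNIT))
    print()
    print(audit("secure", HARDENED_UNIT))
```

Running the script against the first set reports telnet, plain HTTP, telnet to the serial ports and ICMP as exposed but not permitted under Secure, and notes that what is exposed matches the Moderate profile; the second set produces no deviations. Feeding `tightest_profile` the services a site genuinely needs is a quick way to decide whether one of the three profiles suffices or a custom profile is required.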

Certificates are supported for SSH/HTTPS. The ACS includes OpenSSL tools to allow the administrator to generate self-signed certificates. Out of the box, the ACS will generate a certificate to use with HTTPS, but it will not be recognized by Web browsers, requiring the user to approve the certificate. X.509 certificates are also supported for SSH via the OpenSSH package included.

Port Configuration

The ACS Port menu allows configuration of physical and virtual ports as well as the ability to view statistics on the individual ports. Virtual ports allow you to slave multiple ACS platforms together to increase port count.

By default, all serial ports are disabled. The administrator can enable all the ports at once or enable only the ports needed, as they're needed. A "Modify all ports" option is included, or you can select only the port or ports (hold down the ctrl key for multiple ports) you want to modify.

The physical ports have an option that allows an Alias to be associated. I use this to associate the name of the device attached to the port with the port. This name then shows up in the port menu the users see when they log into the ACS. Since I use CLLI codes to name my devices, and my users are telco professionals, it's a simple matter for them to find the port they need. Use whatever naming scheme makes sense to you and the console users.

A physical port may also be configured as a connection to an IPDU as mentioned above, or as an IPMI power management port. The TCP port number associated with the port for SSH or reverse telnet access may also be changed from the default (7000 + the port number). STTY, break options, and login banners may also be configured.

The ACS also allows multiple sessions per port. This is useful in training situations. Port sniffing is also possible, enabling capture and recording of traffic passed to and from the port. This is a great feature for change management auditing as well as forensics.

A physical port may also be configured to have a modem connected. The ACS supports PPP, SLIP, and CSLIP for remote connections via modem.

As mentioned, data buffering may also be enabled on a port. This data will be buffered to a local file and may be logged to syslog. Options include the ability not to buffer data while a user is connected to the port, as well as time stamping entries as they are written. The file the data is buffered to may be local or on a remote NFS path.
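Time-stamped data buffering and port sniffing are what make the ACS useful for change-management auditing and forensics, because the buffer preserves the commands an operator typed as they were echoed by the device. The Python below is an added example, not Cyclades code, showing how a buffered log can be reduced to an audit trail. The entry format ("[YYYY-MM-DD HH:MM:SS] text"), the sample buffer and the Cisco-style "hostname#" / "hostname(config)#" prompt of the attached device are all assumed for this illustration.

```python
"""Extract an operator audit trail from a time-stamped console data buffer.

Added example, not Cyclades code. The buffer line format, the prompt style
and the sample content are constructed for this illustration.
"""
import re
from datetime import datetime

# Assumed buffer format: a bracketed timestamp, a space, then the raw text.
TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (.*)$")
# Assumed prompt style of the attached device, e.g. "rtr01#" or "rtr01(config)#".
PROMPT_RE = re.compile(r"^(?P<host>[\w.-]+)(?P<mode>\([\w-]+\))?[#>]\s?(?P<cmd>.*)$")

# Constructed sample of what the port buffer might hold after an overnight change.
SAMPLE_BUFFER = """\
[2006-10-03 02:14:07] rtr01#show ip route 10.0.0.0
[2006-10-03 02:14:08] Routing entry for 10.0.0.0/8
[2006-10-03 02:14:31] rtr01#configure terminal
[2006-10-03 02:14:32] Enter configuration commands, one per line.
[2006-10-03 02:14:40] rtr01(config)#no ip route 10.0.0.0 255.0.0.0 192.0.2.1
[2006-10-03 02:14:45] rtr01(config)#end
[2006-10-03 02:14:46] rtr01#
[2006-10-03 02:15:02] %SYS-5-CONFIG_I: Configured from console by console
"""


def parse_buffer(text):
    """Split the buffer into (timestamp, text) pairs, skipping unstamped lines."""
    entries = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            entries.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                            m.group(2)))
    return entries


def extract_commands(entries):
    """Keep only lines that are an echoed command at a device prompt."""
    commands = []
    for when, text in entries:
        m = PROMPT_RE.match(text)
        if not m or not m.group("cmd").strip():
            continue  # device output, or a bare prompt with nothing typed
        mode = m.group("mode")
        commands.append({
            "time": when,
            "host": m.group("host"),
            "mode": mode.strip("()") if mode else "exec",
            "command": m.group("cmd").strip(),
        })
    return commands


def config_changes(entries):
    """Commands issued in configuration mode: the ones a change review cares about."""
    return [c for c in extract_commands(entries) if c["mode"] != "exec"]


def change_window(entries):
    """First and last configuration-mode command times, or None if there were none."""
    changes = config_changes(entries)
    if not changes:
        return None
    return changes[0]["time"], changes[-1]["time"]


if __name__ == "__main__":
    parsed = parse_buffer(SAMPLE_BUFFER)
    for c in extract_commands(parsed):
        print(f"{c['time']:%H:%M:%S} {c['host']} [{c['mode']}] {c['command']}")
    print("change window:", change_window(parsed))
```

The same buffer can be replayed through this after an outage to answer "what was typed on that console, and when", which is the forensic use the article describes; disabling buffering while a user is connected would leave exactly this evidence missing, so that option is worth weighing against the audit requirement.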

ACS Clustering

The virtual port allows multiple ACS units to be clustered together into one logical unit. Port counts as high as 1024 serial ports may be achieved using this clustering method. One ACS is the master unit, and all others are configured as slaves to the master. Any IPDUs in use should also be connected to the master.

Additional Features and Applications

The ACS also includes support for Windows 2003 emergency management services. This allows out-of-band management of Windows 2003 servers via a serial port for recovery and emergency operations. Information written to the Windows event log may also be sent to this port.

In addition to power control as mentioned above, IPMI can be configured on the ACS to allow collection of sensor readings such as CPU temperature and fan speed. FRU information may also be collected in addition to LAN configuration. IPMI may be configured via ipmitool or via the CLI.

Another feature that's useful is one that allows serial printers to be connected to the ACS. The line print daemon (LPD) can be set up to allow the ACS to service remote print requests using the locally attached serial printers.

Port pooling allows the ACS to share multiple physical ports with one logical port on a round-robin basis. This is particularly useful in an outbound modem pool, or with a device that has multiple serial ports and is not particularly concerned with what users connect to what ports.

The ACS can also be configured to collect records from a device on the serial port into a local file and send the file on a pre-determined basis to a remote host. In a telco environment, this would be used to collect billing records from a switch and send them to a billing mediation system.

Cyclades also offers the Cyclades Development Kit. This allows you to build your own image for the ACS, with whatever features or application you need that might not be included. The CDK is available to ACS owners via a download from the Cyclades Web site.

Conclusion

The Cyclades ACS platform is a stable, flexible, feature-filled appliance that's well suited for most serial console applications. I've used them for basic remote management applications as well as to provide secure login and auditing for legacy equipment that doesn't support centralized user authentication.

The Linux base provides an outstanding platform to add features using the CDK as needed. This ability creates a powerful platform not only to manage current devices, but also to provide interfaces between legacy equipment and modern applications.

I've been extremely pleased with the ACS platform as I've deployed the units. I've deployed them in data centers and central offices all over the country. Both the ACS16 and the ACS48 have proven to be very reliable. (The only difference between the two is the port count.)

Joe currently manages the Data Engineering group for one of the large telcos. When he's not on the road or working, he can be found spending time with his three kids or out on the paintball fields. He can be reached at: feedback@netbyjoe.com.