Even within the tech industry, there seems to be some confusion over the terms “OOB network” and “OOB management.” This makes it difficult for consumers to know how to implement the solutions they need for secure and reliable network management. In this article, we’ll define both terms, explain their importance, and provide tips and best practices for using this technology effectively.
What is an out-of-band (OOB) network?
An out-of-band (or OOB) network is an entirely separate network that runs in parallel with your production (or in-band) network. OOB networks are used primarily for managing, orchestrating, and troubleshooting production networks.
Why use an out-of-band (OOB) network?
While it’s still common for organizations to conduct network administration tasks on the production network, it’s inadvisable for larger companies that require 24/7 availability and optimal network performance.
Performing tasks like provisioning, maintenance, and even orchestration can impact the speed and performance of your production network. Plus, there’s always the chance that a configuration mistake or failed update could take a device offline, bringing down your production network and removing your ability to troubleshoot remotely. In addition, in-band management interfaces are attractive targets for hackers, who can use them to access sensitive or valuable network resources and exploit your business.
Using an out-of-band network can solve these problems. For example, performing maintenance and orchestration on a separate network helps reduce latency on the production network. Since the OOB network runs independently of the main network, there are extra defenses in the way of potential attackers.
While OOB networks aren’t just for remote management, another significant benefit is that they provide an alternative way for administrators to access remote infrastructure even if the main WAN or LAN connection goes down. This allows businesses to recover from outages at remote locations without expensive truck rolls or on-site managed services.
Out-of-band (OOB) network best practices
An OOB network should function independently of the main network. For example, suppose an administrator uses OOB to update a production DNS server, and the update fails and takes the server offline. In that case, it should only affect your in-band network. This will allow the administrator to continue to use the OOB network to troubleshoot the failed server and attempt recovery. This is accomplished locally by hosting an OOB network’s critical services on the OOB’s VLAN.
In addition, you should store device images on a local server on the OOB VLAN so new appliances can be provisioned on the OOB network. This will allow zero touch provisioning (ZTP) to pull device configurations via TFTP on the OOB network.
An out-of-band network enables you to create a separation between management and production traffic. A fully independent network for administration and orchestration can improve the production network’s performance, reliability, and security.
What is out-of-band (OOB) management?
People can use out-of-band management to describe any network management that occurs on an OOB network. There are generally two approaches to OOB management—jump boxes and serial consoles.
What is an OOB jump box?
An OOB jump box (or jump server) is a computer system connected to both the in-band and out-of-band networks. Administrators log in to the jump box from the primary network and use it to access IPMI management interfaces on the OOB network. A jump server acts as the single point of entry from the production network to the OOB network, making it easier to analyze and control traffic between the two. It’s also a checkpoint that forces administrators to authenticate with privileged credentials before accessing the secure OOB network.
Jump boxes are usually hardened and closely monitored, but since they form a bridge between your in-band and out-of-band networks, they’re still a potential vulnerability. For instance, in the 2015 U.S. Office of Personnel Management (OPM) data breach, an advanced persistent threat (APT) compromised a jump server and accessed millions of susceptible documents.
OOB jump box security best practices
The OPM breach could have been prevented by following security best practices such as zero trust security and multi-factor authentication (MFA).
Zero trust security is a methodology that follows the principle of “never trust, always verify.” Zero trust networks are divided into microsegments, each protected by highly specific security policies and controls. Zero trust protects you from outside attackers and inside attackers. All traffic into and out of a microsegment is scrutinized no matter who or where it’s coming from. Trust is dynamically assessed based on context-specific criteria (such as time of day, originating IP address, geographic location, etc.) If activity is deemed suspicious, users or devices need to re-establish trust through methods like multi-factor authentication. MFA thwarts hackers by forcing a secondary method of identity verification, such as an authenticator app or biometric scanner.
In the case of the OPM breach, zero trust security would have restricted the lateral movement of hackers on the network. Even if they could still access the jump server and infect it with malware, the compromised account would need to verify its identity and re-establish trust before moving on to any other network segment.
What is an OOB serial console?
An OOB serial console may also be referred to as a console server, terminal server, serial console router, or serial console switch. In-band network devices and systems connect to the serial console via managed ports. Administrators can connect to an OOB serial console over the WAN. Still, an additional network interface (such as a 4G/5G cellular link or DSL modem) acts as a failover and provides an alternative access path. This ensures access to the OOB network even if the primary WAN goes down. Plus, since the management ports use local serial connections to reach infrastructure (unlike jump boxes, which use IPMI over the LAN), administrators can remotely troubleshoot devices when critical network services are unavailable.
OOB serial console security best practices
While it’s harder for hackers to use an OOB serial console to access production resources, it’s not impossible. Hence, zero trust security is still highly recommended. In addition, the ideal solution will include on-board security features so that attackers can’t use a stolen serial console to access network resources. For example, a secure boot prevents hackers from accessing the BIOS without additional credentials, and geofencing will lock the device if GPS detects it outside a predetermined geographical radius.
Understanding out-of-band networks and out-of-band management
If you need further help understanding out-of-band networks and out-of-band management, you may find it helpful to see an OOB serial console solution in action. Contact ZPE Systems online or call 1-844-4ZPE-SYS to view a demo of the Nodegrid out-of-band network management solution.
Read more about out-of-band (OOB) network management: