What’s an OOB network and why do we recommend them?
Recently I was asked by a customer why we recommend running an out-of-band (OOB) network alongside their existing kit. They had never used such a network before, so I figured it could be worth writing a blog post about it - what, why and where - as well as how to do it well.
Speaking generally, an OOB network is a network that can be used to access remote systems and networks when the main connection is unavailable. It could be unavailable for any number of reasons – misconfiguration, fault, lack of resilience, security breach, DDoS or something else entirely. The alternative means of connection provided by an OOB is usually much, much smaller than the main network and would be used by the engineers to diagnose and fix faults that would otherwise require a site visit.
For smaller sites, a simple business broadband connection can be ample for this. Usually this will form a network, connecting via a switch to the Lights-out Management (LOM) interfaces on the devices in question. For network devices, these are usually serial interfaces, and the OOB line would be used in conjunction with an IP serial terminal concentrator.
For an OOB network it’s very important for each component to be separate from the main network. For example, don’t connect the out-of-band network to the same switch that the main network runs through – if that switch fails you will not be able to connect to your main network or your OOB! Additionally, as far as is reasonably possible, the OOB should use kit from a different supplier from the one used for the main network. This will dramatically reduce your risk of one bug or firmware issue taking down both networks.
One often-overlooked element of OOB networks is the power that runs the kit. Intelligent PDUs can help here, providing the means to perform a hard reset when devices are unresponsive. It’s frustrating being able to remotely diagnose an issue affecting the network if you then have to travel to site just to flick a power switch.
Lastly, it’s important to remember the aspects of security and monitoring. The network can be absolutely secure, making use of powerful firewalls and multiple layers of security, but if the OOB provides a weak entry point into the systems, then you’ve just left the backdoor open. With this in mind, it’s advisable to apply the same security policies to your OOB network as are applied to your main network, including locking down access using an ACL, monitoring and alerting, strong passwords and encryption.
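To make the separation rules (no shared switch, different supplier) and the hardening rules (ACLs, no cleartext services) above concrete, here is an added example, not from the original post, of a small Python lint that runs over a constructed device inventory and reports which OOB devices break them. The inventory, field names, vendor names and service names are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    role: str              # "main" or "oob"
    vendor: str
    upstream_switch: str   # switch this device's uplink terminates on
    mgmt_acl: bool = False # is management access restricted by an ACL?
    services: tuple = ()   # management services exposed, e.g. ("ssh",)

CLEARTEXT_SERVICES = {"telnet", "http"}

def lint_oob_design(devices):
    """Return human-readable findings for OOB devices that violate the
    separation and hardening rules described above."""
    main = [d for d in devices if d.role == "main"]
    oob = [d for d in devices if d.role == "oob"]
    main_switches = {d.upstream_switch for d in main}
    main_vendors = {d.vendor for d in main}
    findings = []
    for d in oob:
        if d.upstream_switch in main_switches:
            findings.append(f"{d.name}: OOB shares switch {d.upstream_switch} with the main network")
        if d.vendor in main_vendors:
            findings.append(f"{d.name}: OOB vendor {d.vendor} is also used on the main network")
        if not d.mgmt_acl:
            findings.append(f"{d.name}: no ACL restricting management access")
        for svc in sorted(CLEARTEXT_SERVICES & set(d.services)):
            findings.append(f"{d.name}: cleartext management service {svc} enabled")
    return findings

# Constructed inventory: two main-network devices and three OOB devices.
INVENTORY = [
    Device("core-sw1", "main", "VendorA", "dist-sw1", True, ("ssh",)),
    Device("fw1", "main", "VendorB", "core-sw1", True, ("ssh",)),
    Device("oob-term1", "oob", "VendorC", "oob-sw1", True, ("ssh",)),   # clean
    Device("oob-sw1", "oob", "VendorA", "oob-router1", True, ("ssh",)), # same vendor as main
    Device("pdu1", "oob", "VendorD", "core-sw1", False, ("http", "ssh")),  # shared switch, no ACL, http
]

if __name__ == "__main__":
    for finding in lint_oob_design(INVENTORY):
        print(finding)
```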
So in short, an OOB can provide a way in to your systems when something’s gone wrong with your primary network – the little guy can save the day – but make sure you don’t scrimp on security.