Re: fw-1 general & VPN questions

[AC <ac0 () io com>]

> Sounds like there's no terminal server there, just dialin on
> the serial console. :(

This is exactly the situation. IN fact, we probably won't even do 
IP over it, simply a dial-in modem connected to console that
will present you with a login prompt after the modems
have handshaked. The phone line will be disconnected
and the modem off, until we call the client and get him to 
turn it on and plug the line in. This would be used only
in the case of catastrophic failure i.e. when their T1
to the Net is down, and thus rendering remote mgmt via
VPN useless.

I realize this is still a nasty setup, but as I said
I have no choice in the matter. Actually, I'm less
concerned about the "out-of-band" stuff right now
than getting the encrypted VPN over the internet to work.
If you get a chance, look over the rest of my message ;)
 
> Warning: workstations often have incredibly lame serial consoles.
> I don't know about the particular sun boxes you're planning to use
> but I've had $40,000 screaming hot workstations barely able to handle
> serial I/O at 38.8k.

Yes, These are Ultra-1s, and the highest speed the serial port 
will support is 38400. Still, we will only be pushing chars,
not IP.

> I've been pondering the secure remote management thing for a while
> and was trying to come up with decent solutions that are dirt cheap.
> Haven't tried this, but does anyone see a flaw with:
>   - have a log-in that drops you right into PPP using CHAP
>   - run ip_filt on the workstation to filter access via the PPP interface
>   - let only SSH in over PPP (or whatever other services are OK)

If I was to consider doing the serial setup correctly, ideally
I'd like to use dialback, and CHAP authentication w/PPP. That
would be the most economical and slightly more secure setup.
Doing encryption over that link would probably be dog slow.
IN any case, the modem is a "last resort"-type thing,
only used in emergencies, disconnected otherwise.

--ANindya