When choosing OOBI (out-of-band infrastructure) components, do not rely solely on a feature checklist. Remember that security-related features exist to implement security policies, so evaluate them against the policies you actually need to enforce. The following list includes security features that should be considered.
User authentication: The OOBI components should support server-based authentication using the protocols utilized in your data center today and in the future (RADIUS, TACACS, Kerberos, NIS, LDAP, Secure LDAP, etc.). Support for two-factor authentication (e.g., RSA SecurID) and three-factor authentication (with support for biometric authentication) may also be important.
Packet filtering: While firewalls can effectively enforce access policies based on IP addressing at the perimeter of the network, they are ineffective for filtering internal traffic. For management devices, you may want to impose more stringent access rules, and management products that can perform internal IP filtering greatly increase security.
User and port access lists: Some products allow any authenticated user to gain access to any management port. If you are in an environment where system administrators have different scopes of responsibility or privileges, make sure the management product supports more sophisticated policies (certain users can access only certain ports, during certain times of the day, for specific operations, in read-only mode, etc.).
Data and event logging: Keeping records of console data and events (Who accessed which port? What did they do?) helps detect intrusions, prevent mistakes, and diagnose problems after the fact.
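A minimal default-deny evaluator for the per-user, per-port, time-of-day and read-only policies described above, which also writes the per-access audit record the logging point asks for. This is an added example, not code from the original article; the users, port numbers, time windows and operation names are constructed.

```python
"""Per-user, per-port console access policy with an audit log (constructed example)."""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Rule:
    user: str
    ports: frozenset        # console port numbers this rule covers
    start: time             # inclusive start of the allowed daily window
    end: time               # exclusive end of the allowed daily window
    operations: frozenset   # {"read"} for read-only, {"read", "write"} for full access


# Constructed sample policy: the DBA may only read the database-server console
# (port 3) during business hours; the network admin has full access to the
# core switches (ports 1 and 2) around the clock.
POLICY = (
    Rule("dba", frozenset({3}), time(8), time(18), frozenset({"read"})),
    Rule("netadmin", frozenset({1, 2}), time(0), time(23, 59, 59),
         frozenset({"read", "write"})),
)

AUDIT_LOG = []  # one record per decision: who, which port, what, and whether it was allowed


def in_window(now: time, start: time, end: time) -> bool:
    """True when the request time falls inside the rule's daily window."""
    return start <= now < end


def authorize(user: str, port: int, operation: str, now: time) -> bool:
    """Default deny: allow only if some rule matches user, port, window and operation.
    Every decision, allowed or not, is appended to AUDIT_LOG."""
    allowed = any(
        r.user == user
        and port in r.ports
        and in_window(now, r.start, r.end)
        and operation in r.operations
        for r in POLICY
    )
    AUDIT_LOG.append({"user": user, "port": port, "op": operation,
                      "time": now.isoformat(), "allowed": allowed})
    return allowed
```

Denied attempts are logged as well as successful ones, since repeated denials (wrong port, off-hours, write on a read-only port) are exactly the events an intrusion review looks for.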
Data encryption: Both authentication transactions and data traffic must be encrypted when in transit over public or non-trusted networks. For example, using Telnet for console access exposes user names and passwords in clear text to anyone connected to the physical LAN. Using SSHv2 for text sessions, HTTPS for web access, and VPN protocols such as IPsec mitigates that risk.