Performing Out-of-Band Network Management
Out-of-Band (OoB) network management is a concept that uses an alternate communication path to manage network
infrastructure devices. These alternate paths are designed to isolate management traffic from operational traffic. This
isolation prevents compromised user devices or malicious network traffic from impacting network operations or
compromising network infrastructure. Implementing these alternate paths can vary in configuration from virtual tunneling
(sharing the physical network connections with the operational network) to a physically segmented network infrastructure.
OoB management creates a framework that enables administrators to improve the security of their networks by
segmenting management traffic from operational traffic, and ensuring that management traffic only comes from the OoB
communication path.
Out-of-Band Architecture Design
A single OoB management design may not fall within the security requirements or financial constraints for each
installation. Fortunately, there are multiple approaches to implementing OoB management with a range of security
protections and related costs. To begin the process of determining which implementation will provide the desired level of
protection, network owners need to perform a vulnerability and risk assessment. The information gathered from these
assessments will aid in deciding to implement a virtually or physically segmented OoB network architecture. Regardless of
architecture design, NSA recommends all management traffic utilize only encrypted protocols, such as Secure Shell
(SSH), Hypertext Transfer Protocol Secure (HTTPS), Simple Network Management Protocol v3 (SNMPv3), Secure Copy
(SCP), and Secure File Transfer Protocol (SFTP), with strong encryption algorithms and key sizes. NSA also
recommends never managing any device over an untrusted network, which includes the operational network, without a
strong Virtual Private Network (VPN). A network device’s management interface should never be directly accessible from
the Internet.
Physical Segmentation
The most secure OoB management design is to create a physically segmented management infrastructure that allows for
secure administration and monitoring of network devices. Each operational network device will have a dedicated interface
connecting to the physically segmented management network. These dedicated interfaces must be isolated from the
operational network and have strict Access Control Lists (ACLs) implemented to prevent a possible misconfiguration from
allowing unauthorized access to management services. Administrator workstations should only be connected to the
management network and all other network access should be restricted. For critical devices, such as perimeter firewalls or
routers, console management switches can be used to create a protocol break and eliminate the possibility of a compromised
device accessing other devices on the management network. A dedicated physical network
infrastructure is the most secure option; however, it can be expensive to implement and maintain as it requires additional
network devices, cabling, and servers.
Virtual Segmentation
Completing detailed vulnerability and risk assessments allows the network owners to consider implementing a more cost-
effective and economical virtual segmentation approach to network management. The virtual segmentation design is a
less secure option, but it is attractive due to reduced cost and maintenance. Virtual segmentation allows the management
traffic to share the same physical links with operational traffic. However, the network designer must logically segment the
two types of traffic. This virtual segmentation can be implemented using multiple Virtual Local Area Networks (VLANs),
Virtual Routing and Forwarding (VRFs), VPNs, or other zero trust and micro-segmentation technologies. The major
vulnerability in these configurations is potential data leakage where devices on the operational network may capture
sensitive management traffic or management traffic is accidentally sent over the operational network. To mitigate most of
these vulnerabilities, NSA recommends the management traffic utilize strong encryption.
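One way to verify that management traffic really follows this design, that it originates only on the OoB management network, arrives only over the OoB path and never uses a cleartext protocol, is to audit flow records for those three violations. The Python script below is an added example, not part of the NSA guidance; the management and operational address ranges, device addresses, interface name and flow records are constructed assumptions.

```python
import ipaddress

# Ports of the management protocols the guidance recommends (SSH also carries SCP and SFTP)
# and cleartext legacy ports that should never reach a management interface at all.
ENCRYPTED_MGMT_PORTS = {22: "SSH/SCP/SFTP", 443: "HTTPS", 161: "SNMP", 162: "SNMP trap"}
CLEARTEXT_MGMT_PORTS = {23: "Telnet", 80: "HTTP", 69: "TFTP"}

# Constructed addressing for this example: the OoB management network, the operational
# address space, the management addresses of two devices and the OoB ingress interface.
MGMT_NET = ipaddress.ip_network("10.255.0.0/24")
OPERATIONAL_NETS = [ipaddress.ip_network("10.0.0.0/16"), ipaddress.ip_network("192.168.0.0/16")]
DEVICE_MGMT_ADDRS = {ipaddress.ip_address("10.255.0.10"), ipaddress.ip_address("10.255.0.11")}
MGMT_IFACE = "mgmt0"

def parse_flow(line):
    """Parse one constructed flow record 'src=A dst=B dport=N in=IFACE' into a dict."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return {"src": ipaddress.ip_address(f["src"]), "dst": ipaddress.ip_address(f["dst"]),
            "dport": int(f["dport"]), "iface": f["in"]}

def check_flow(flow):
    """Return the policy violations for one flow; an empty list means it follows the design."""
    findings = []
    if flow["dst"] not in DEVICE_MGMT_ADDRS:
        return findings                      # not aimed at a device management interface
    if flow["dport"] in CLEARTEXT_MGMT_PORTS:
        findings.append(f"cleartext {CLEARTEXT_MGMT_PORTS[flow['dport']]} to {flow['dst']}")
    elif flow["dport"] not in ENCRYPTED_MGMT_PORTS:
        return findings                      # not a management protocol, nothing to check
    if flow["src"] not in MGMT_NET:          # management traffic must originate on the OoB network
        inside = any(flow["src"] in net for net in OPERATIONAL_NETS)
        origin = "operational network" if inside else "outside the enterprise"
        findings.append(f"management traffic from {origin} ({flow['src']})")
    if flow["iface"] != MGMT_IFACE:          # and must arrive over the OoB path, not a user-facing link
        findings.append(f"management traffic arrived on {flow['iface']}, not the OoB path")
    return findings

def audit(lines):
    """Map each offending record to its findings; compliant records are left out."""
    return {line: found for line in lines if (found := check_flow(parse_flow(line)))}

SAMPLE_FLOWS = [  # constructed records, not real traffic
    "src=10.255.0.50 dst=10.255.0.10 dport=22 in=mgmt0",   # admin workstation over the OoB path: compliant
    "src=10.0.3.17 dst=10.255.0.10 dport=22 in=eth1",      # operational host reaching a management interface
    "src=10.255.0.50 dst=10.255.0.11 dport=23 in=mgmt0",   # Telnet, even though it used the OoB path
    "src=203.0.113.5 dst=10.255.0.11 dport=443 in=eth0",   # management interface reachable from outside
    "src=10.0.3.17 dst=10.0.1.9 dport=443 in=eth1",        # ordinary user traffic, ignored
]
```

Running `audit(SAMPLE_FLOWS)` reports the second, third and fourth records; the same checks can be fed from a firewall or NetFlow export once the address constants match the real management network.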
An often overlooked security design flaw with virtually segmented networks is authentication, logging, and other
management services that are not properly isolated. When deploying a virtually segmented OoB network, these services
should not be shared with the operational network. If these services are shared between the management and the