[BBLISA] Remote KVM?

John Stoffel john at stoffel.org
Sun Nov 25 17:08:34 EST 2012


Charles> I'm currently investigating the idea of a "remote KVM" for my
Charles> servers, to allow our team more direct access when we are not
Charles> physically on-site.  Ideally, it would do the following:

Charles> - Require login
Charles> - Log all access (user, time, and IP)
Charles> - Allow (at least) 2 simultaneous connections
Charles> - Allow me to switch between servers after I am connected
Charles> - Support at least 16 servers

Charles> I'm torn about putting it behind our firewall, such that I
Charles> would have to VPN in to get to it, and putting it in a DMZ
Charles> such that I can get to it without the VPN server being up.
Charles> My concern is, if the VPN server is down, then I'm stuck (and
Charles> we are off line until someone can physically arrive on-site.)
Charles> On the other hand, I don't really want to give unsavory
Charles> individuals easy access and unlimited time to hack my system.
Charles> How secure are these things on their own?  Can they be made
Charles> to require certificates, for instance?

I'd put it behind the firewall myself, since you'd be giving someone
else the keys to your kingdom, esp. if there are undocumented backdoors
in the KVM system.

As for KVMs in general, do your servers have serial console or
ILO/ILOM type remote management modules?  I'd go with those instead of
dedicated hardware if I could.  My current $WORK has some ancient
Avocent KVMs which I despise and have mostly gotten away from.

As for problems with the VPN being down and having to wait for someone
to drive in, don't you have redundant VPNs?  Or at least maybe a two
factor SSH tunnel you could use in the emergency case so you could
forcibly reboot the VPN box if it hangs?

Sorry I don't have any concrete recommendations for hardware to use
though.

John


