Cyclades AlterPath Manager E200
Price: $8,950 US
Global console namespace across managed devices.
Global user management across managed devices.
Access via SSH and Web.
Automated firmware updates.
A little pricey.
Passwords stored clear text and world-readable.
Needs more comprehensive documentation.
Cyclades makes a number of excellent products aimed at easing system administration and data center management. These include console (serial and KVM) and remote power management. In the past, these devices were all islands unto themselves needing individual management. Authentication and authorization could be unified easily with a directory service such as LDAP, Radius, NIS or Kerberos, but the configuration of the devices would need to be managed individually and manually.
In modern complex data center environments, infrastructure must be flexible to keep up with changing circumstances and requirements. A central management system was needed.
Serial Consoles in the Data Center
For most computers, the console is the video monitor and a directly attached keyboard. This is where kernel and boot messages go as a system is coming up. The console eventually becomes a login terminal, either graphical or text mode, after a system is fully booted. On servers, however, graphical consoles are not needed and are often unwanted. Consoles on servers usually are used only to recover an ailing system or install a new OS. In these cases, a serial port is used as the console. This provides a very simple device for the kernel to deliver messages without the complexity or wasted CPU cycles of a graphics device. Serial consoles have the added benefit of remote access when used in conjunction with a console server such as the Cyclades ACS series products. These devices literally allow you to use SSH (secure shell) to connect directly to a server's console and manage it from anywhere. Remote access to a server console allows the system administrator to recover and even re-install the OS from anywhere, if the server is running Linux or UNIX. For more information on implementing serial consoles on Linux see my LJ article in the August 2004 issue.
Some of Cyclades' most popular products are the TS and ACS serial console management devices. These thin 1U-rackmount enclosures allow secure remote console access to servers and serial-port-equipped appliances such as filers, routers, firewalls, SAN arrays and switches. The AlterPath Manager (APM) is designed to sit above multiple ACS and TS units and centralize configuration and authentication.
The APM unit sports an 850MHz Intel Celeron CPU, 256MB RAM, 40GB disk, two 10/100 Ethernet ports and two serial ports, one for the APM's console and another for an optional dial-in modem. Not much horsepower by today's standards, but more than enough for what the APM needs to do. This is all basically off-the-shelf hardware; the APM is primarily a software product that includes integrated hardware.
The hardware is packaged nicely in a sturdy 1U-rack enclosure. Indicators are on the front with all connectors on the rear.
The APM runs a small customized Linux OS. Cyclades' management application is Web-based and runs under the Tomcat Java servlet engine. The servlet engine serves on both HTTP and HTTPS (encrypted) ports, and Cyclades provides simple instructions for disabling the non-encrypted port. All configuration and control of the managed devices is done over encrypted SSH connections.
The APM uses password-style authentication to the managed devices using expect. I would have liked to see public key authentication, but passwords are easier to understand for most people and at least it's still all encrypted. The root passwords for all managed devices are stored in a MySQL database running on the APM. This database allows connections only from localhost and stores these passwords in clear text. It also appears that the MySQL databases on all APM devices use the same hard-coded database root password. All the database passwords can be found in the world-readable configuration file /var/apm/apm.properties. It needs to be assumed that any user with shell access to the APM will have complete control of the managed devices because of the unfettered access to the root passwords. This security situation should be significantly tightened up by Cyclades' developers.
|The True Internet of Things||Sep 02, 2015|
|September 2015 Issue of Linux Journal: HOW-TOs||Sep 01, 2015|
|September 2015 Video Preview||Sep 01, 2015|
|Using tshark to Watch and Inspect Network Traffic||Aug 31, 2015|
|Where's That Pesky Hidden Word?||Aug 28, 2015|
|A Project to Guarantee Better Security for Open-Source Projects||Aug 27, 2015|
- Using tshark to Watch and Inspect Network Traffic
- The True Internet of Things
- September 2015 Issue of Linux Journal: HOW-TOs
- Problems with Ubuntu's Software Center and How Canonical Plans to Fix Them
- Concerning Containers' Connections: on Docker Networking
- Firefox Security Exploit Targets Linux Users and Web Developers
- Where's That Pesky Hidden Word?
- A Project to Guarantee Better Security for Open-Source Projects
- Build a “Virtual SuperComputer” with Process Virtualization
- My Network Go-Bag