Determine Your Access Strategy for Business Continuity
A secure out-of-band network enables firewall access during network and power outages.
Your business continuity plan should include provisions for how to connect to critical devices, including firewalls and Panorama, during power outages and other events that prevent connecting to those devices over normal communication channels. The ability to connect to and manage devices on an out-of-band (OOB) network enables you to continue running your business when primary networks and power sources are down. Business continuity should be a core consideration of your network architecture.
An OOB network is a secure method of remotely accessing and managing devices that does not use the primary communication channels. Instead, OOB networks use separate communication channels that remain available if the primary channel fails and that have a different source of power than the primary network. Depending on your network architecture, you may use both the primary network and the OOB network to access and manage devices in day-to-day operation. The OOB network should never rely on a power source or network that could fail concurrently with the primary access network. How you architect OOB access to devices depends on your network architecture and your business considerations, so there is no “one size fits all” method of ensuring connectivity. However, there are guidelines that help you understand how to meet the goals of an OOB access network:
Power considerations—Use a different power source (a separate circuit or a protected or battery-powered source) for the OOB network than you use for the regular access network. If you lose power to the regular network, you won’t lose power to the OOB network.
Use power distribution unit (PDU) controls to remotely power devices on and off.
Secure connection method—There are a number of ways to connect securely to an OOB network, for example, a terminal server device, a modem, or a serial console server. Examples of secure networks you can use for OOB access include LTE, dial-up, and broadband networks (completely separated from the normal broadband network). The connection method you use depends on your business needs and network architecture.
Regardless of the method you select, the connection must be secure, with strong encryption and authentication. See Administrative Access Best Practices for advice about how to secure management connections to the firewall and Panorama.
You can connect into an OOB network remotely using SSH with strong authentication over an Ethernet LAN, or you can dial in over a serial connection. The outbound connection to the managed device is serial.
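As an added example that is not part of the original page, the following Python script audits a constructed access inventory against the two guidelines above: the OOB path must share no power or network dependency with the primary path (a shared circuit or switch could fail concurrently), and the OOB connection method must provide strong encryption and authentication. Every device, circuit, carrier and method name in it is assumed, as is the set of methods treated as strong.

```python
"""Audit an out-of-band (OOB) access plan against the guidelines above: no shared power
or network dependency with the primary path, and a strongly authenticated OOB method."""
from __future__ import annotations
from dataclasses import dataclass

# Connection methods treated as strongly encrypted and authenticated (assumption).
STRONG_METHODS = {"ssh-publickey", "ssh-mfa"}

@dataclass
class AccessPath:
    method: str                            # e.g. "ssh-publickey", "ssh-password", "telnet"
    power: set[str]                        # circuits, UPS or PDU feeds the path relies on
    network: set[str]                      # switches, carriers or circuits the path traverses
    devices: frozenset[str] = frozenset()  # console servers, modems, terminal servers

def dependencies(path: AccessPath) -> set[str]:
    """Every infrastructure element whose failure would break this path."""
    return ({f"power:{p}" for p in path.power}
            | {f"network:{n}" for n in path.network}
            | {f"device:{d}" for d in path.devices})

def audit_device(primary: AccessPath, oob: AccessPath) -> list[str]:
    """Return findings for one device; an empty list means the OOB path passes."""
    findings = [f"shared failure point: {dep}"
                for dep in sorted(dependencies(primary) & dependencies(oob))]
    if oob.method not in STRONG_METHODS:
        findings.append(f"weak OOB access method: {oob.method}")
    return findings

def audit(inventory: dict[str, tuple[AccessPath, AccessPath]]) -> dict[str, list[str]]:
    """Map each non-compliant device name to its list of findings."""
    results = {}
    for name, (primary, oob) in inventory.items():
        findings = audit_device(primary, oob)
        if findings:
            results[name] = findings
    return results

# Constructed sample inventory: (primary path, OOB path) per managed device.
INVENTORY = {
    "fw-dc1-edge": (AccessPath("ssh-publickey", {"circuit-A"}, {"core-sw-1", "isp-1"}),
                    AccessPath("ssh-publickey", {"ups-B"}, {"lte-carrier"}, {"console-srv-1"})),
    # OOB path is fed by the same circuit and traverses the same switch as the primary path
    "fw-dc1-core": (AccessPath("ssh-publickey", {"circuit-A"}, {"core-sw-1", "isp-1"}),
                    AccessPath("ssh-publickey", {"circuit-A"}, {"core-sw-1"}, {"console-srv-1"})),
    # Independent path, but the dial-up modem still accepts password-only logins
    "panorama-1": (AccessPath("ssh-publickey", {"circuit-C"}, {"mgmt-sw-1", "isp-1"}),
                   AccessPath("ssh-password", {"ups-B"}, {"dialup-pstn"}, {"modem-1"})),
}
```

Calling audit(INVENTORY) flags fw-dc1-core for the shared circuit and switch and panorama-1 for its password-only modem, while fw-dc1-edge passes.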