Review: Console Servers
Console servers offer smooth device-switching, authentication and encryption with easy access to remote locations. Find out which of the three we tested won our Editor's Choice for its mix of
September 28, 2004
No one enjoys spending a day building serial cables and pulling them to a switch box. We like crawling around behind the rack to connect a console cable to a seldom-used port even less.
Console servers can bring the same sort of easy device-switching seen in KVMs to the serial console port. With the addition of security through authentication and encryption, console servers can do even more, letting administrators reach console ports from remote locations.
We tested three console servers--Cyclades Corp.'s AlterPath ACS16, Digi International's Digi CM16 and Lantronix's SecureLinx SLC16--in our Gainesville, Fla., labs. All three devices have multiple serial output ports, as well as one or more Ethernet connections to reach the device as a user. Each has a serial console management port used only as an option for configuration and management, not as a user input for controlling other connected devices. For a busy network administrator, such features are a real win. We also invited Belkin, Broadax Systems, Echelon, GlobeTek, Moxa, Network Technologies, Perle, PolyWell, Sena, TEK DigiTel and Qualtech to participate in our tests. Qualtech declined, saying it didn't have a product that met our criteria. None of the others responded to our invitation. Was it something we said?
To qualify, each device had to have at least 16 ports and a method for user authentication and traffic encryption. One of the key capabilities we tested was recovering from an unplanned power outage. To evaluate this, we opened sessions with various appliances, then pulled the plug on the console server under test. We waited 30 seconds, then reconnected the unit to power and waited for it to reboot. When it was back in service, we attempted to resume the sessions.
All three units successfully terminated their own port sessions and let us try to reconnect to the appliance--an improvement over some earlier-generation products. In addition, they offer SSH VPN capabilities, local user authentication and remote-user authentication with RADIUS and LDAP services. Each provides both Web browser and CLI configuration as well. If you have a rack or two of infrastructure equipment and need a single server to help you connect to all of it, any of these systems will do the job--all three vendors make units with varying numbers of output ports. We feel, however, that 16 ports is the best option for the small- and midsize-business market and a reasonable building block for enterprise deployments.
How They Differ
Despite their similarities, the boxes we tested differ from one another in key ways. For example, Digi's device offers superb ease of use and configuration, as well as the greatest combination of internal and external authentication methods, but it does not support complex log-in scripting and routing for devices. Lantronix's SecureLinx SLC16 will do well for remote-location installation, with front-panel configuration, redundant power supplies, and easy-to-configure connection and routing parameters, along with the most complete set of built-in error- and status-reporting options. However, it doesn't have as rich a programming and routing environment as the Cyclades AlterPath, nor as many options for authentication as the Digi. Cyclades AlterPath is the flexible-configuration champion, with SSH and IPsec VPNs along with a wide range of routing and connection programming options, though you must be comfortable with Linux to take advantage of everything it offers.
Choosing a single winner wasn't easy, but the best combination of flexibility, ease of use and internal capabilities comes in the Lantronix SLC16, which earned our Editor's Choice award. The SecureLinx split the difference between the Cyclades and Digi units, providing us with tremendous connection and routing capabilities without requiring the use of a raw configuration file editor. It also split the difference between the Cyclades and Digi in cost, putting Lantronix in good position on the price-versus-performance curve.
The SLC16 stood out in our tests for two reasons. First, it's the only appliance to allow for front-panel configuration, a key consideration for some remote or wiring-closet installations. Second, it has the most complete internal administration and reporting capabilities of the three units we tested.
Like the other systems we looked at, the SLC16 provides external authentication, in this case through RADIUS, LDAP, CHAP, PAP and NIS servers, in addition to a local-user authentication database. We could also use SSH encryption for traffic to and from the SLC16.
Whereas the Cyclades and Digi console servers have features and documented examples that focus heavily on server and network infrastructure control, the SLC16's menus are suited to controlling modems, network connection interfaces, and those appliances that contain or make use of modems and other communications interfaces (such as DSL or ISDN) for extended control of, or reporting to, other devices and services. It's not that the device won't serve as a gateway to a rack of firewalls and routers, but parameters like Connect at Time, Flow Direction and Dialing Instructions--appearing as they do on high-level menus, as opposed to being buried in subsidiary menus or configuration files--exhibit Lantronix's focus on devices that have multiple communications interfaces for failover, or multiple-channel control and communications with their peers or other appliances. The SLC16 also is the only unit we tested with redundant power supplies for high availability, making it more viable in a critical remote-communications closet.
We easily set the SLC16 to control modems with dialing instructions given in these menus. Like the other systems tested, the SLC16 effectively breaks connections on a power outage and reboots quickly. But unlike the others, it has an easily configurable time-out parameter for Web interface sessions, making it a breeze to adapt the SLC16's behavior to fit our specific security requirements. The Lantronix system also offers SSL-based Web access. Lantronix provides for logs to be posted to a syslog or NFS server, along with SNMP traps and e-mail notification. The SLC16 allows five levels of reporting detail in log entries, and we could identify each by the port alias furnished. In addition, a half-dozen radio buttons gave us reports on key parameters for individual ports, connections, routes and the console server as a whole. We liked the SLC16's user interface, which showed us a graphical representation of the unit and its ports; we could graphically choose ports for status checks or configuration.
The SLC16 also offers more complete diagnostics than the other units, with features including NetStat, ARP table and Host Lookup. The routing capabilities available for connection definitions are similar to those of the Cyclades product, and the addition of the diagnostics makes the Lantronix system a good candidate for remote access between systems in far-flung locations.
If easy, basic field configuration and on-board management capabilities are important to you, the SLC16 is a clear winner. It wraps sophisticated routing and connection capabilities in a useful GUI, though it doesn't have the range of authentication or encryption options available with the other units.
SecureLinx SLC Console Manager SLC16, $2,340. Lantronix, (800) 422-7055, (949) 453-3990. www.lantronix.com
Cyclades AlterPath greets you as a Linux appliance, and you never forget that Linux is humming along just under the skin of this device. If you're comfortable with this OS, you'll find the ACS16 a remarkably configurable and flexible solution to the problem of accessing console ports. If you're not a Linux expert, many tasks can be accomplished with the Web-based GUI, but more advanced setup will mean climbing a difficult learning curve.
The ACS16 can be used as a relatively simple console server, but that misses the point of this appliance, which has the greatest number of options for security and configuration of the devices we tested. Rather than simply acting as a conduit for connections to console ports, the ACS16 can be a server that users log in to and from which logins are authenticated, wrapped in application code and passed to other devices. Whereas the other two products are focused on providing a way for users to choose among all connected ports, the ACS16 really hits its stride as a server that supports customized menus and options for each user, presenting named options that lead to login scripts to open appliance sessions with all security and configuration options set at session start.
We began setup by connecting to the console port, logging in to Linux and running a wizard to set basic network parameters. We then moved to the browser-based GUI for the remainder of basic setup. There are two modes to the GUI, wizard and expert; wizard mode guided us through the foundation issues, while expert let us tweak individual parameters.
Security customization began with user authentication. The ACS16 offers authentication against an internal database or against external RADIUS, TACACS, Kerberos or LDAP databases. Building the list of users and privileges authenticated locally was a straightforward process in the Web interface. External authentication is tied to individual ports; we could build it either through the Web interface or by editing parameter files using vi or the CLI wizard. The ACS16 offers two options for encrypting traffic: SSH (both SSH and SSH2) and IPsec VPN. Cyclades has used the FreeS/WAN version of IPsec as its primary VPN implementation. Enabling a VPN was easy, though we did encounter a couple of quirks in the documentation--the most obvious being an assumption that a road warrior's computer will be running Linux rather than Windows!
After we generated a public key with RSA and edited a couple of files using vi, the VPN was set up and worked as advertised. Cyclades warns of potential difficulties setting up and maintaining a VPN over links involving NAT or DHCP on the client side, but we experienced no problems in our tests when we accessed the ACS16 from a client behind an external NAT router. It is possible, though, that difficulties might arise if the clients' DHCP server renews leases quite often, or if you try to hold a session open for a long time so that the client address ends up different from the address used for the VPN.
The ACS16 has a full-featured firewall built in and can serve as a dedicated device router. If you are building a system for controlling servers and network infrastructure and are looking to reduce total component count, Cyclades has provided a system that can fill both control and routing requirements. In our tests, we found that the ACS16 recovered gracefully from power outages, timing out its connections and leaving no console sessions hanging. Only one Cyclades administrator can be in the system at any one time; we tried to log in from multiple machines to manage the ACS16 and were told that another admin was logged in.
From a flexibility and feature-richness standpoint, the Cyclades is tops in this group, but it does have shortcomings. For example, though the ACS16 can send syslog files to a central server, there are no built-in log-view or reporting facilities. For a device of this capability, that came as a real surprise. True, the ACS16 produced detailed log files, with parameters that included the generating host's name and address, the application generating the notice, and options to send alerts generated by various attached appliances to different syslog servers. But these very solid reporting capabilities made the lack of an easy-to-use internal report viewer hurt even more.
Cyclades has built many configuration possibilities into the Web-based and console menu interfaces. To take full advantage of the ACS16's features, however, you'll have to go into the Linux configuration files. That said, if you're comfortable with vi, this is an incredibly rich console server package.
AlterPath ACS16, $2,661. Cyclades Corp., (888) CYCLADES, (510) 771-6100. www.cyclades.com
Whereas the Cyclades system reached its full potential when we rolled up our sleeves and edited configuration files, the Digi CM16 shone as an easy-to-use system that leans on its Web-based GUI for virtually all configuration and management functions. A text-menu interface is available, as is a CLI that directly manipulates the Digi's Hard Hat Linux operating system, but most users will never need to delve beyond the Web interface.
After we set up initial network parameters, the CM16 propagated addresses and port numbers to its 16 serial ports via NAT, so we could address attached devices through individual IP addresses or a single IP address using a range of attaching ports. We could establish user authentication using Kerberos, LDAP, RADIUS, TACACS+ or local user list methods. RADIUS authentication was a simple matter, set up with menu boxes. Establishing a local user database, with privileges varying according to user and port, was just as easy.
We could encrypt traffic with SSHv2. Users can also be restricted according to their originating IP addresses through the use of IP filtering. We believe authentication will be sufficient for most needs, and SSH encryption is adequate for most control conversations given that the majority of users will rely on the Web interface for administration. We were bombarded with dozens of menus for parameters affecting administration, all serial ports, groups of serial ports or individual ports. All the menus were laid out logically, with deeper menus visible through a stacked-tab viewing layout.
Among the device's more interesting options is the Special Administration Console facility for Windows 2003. The CM16 provides a GUI front end to emergency features, such as Shutdown, Show and Kill Processes, and Show and Configure Network Interfaces. We found the setup process tedious but straightforward, proving no more difficult than editing the Cyclades ACS16's configuration files.
We could set the CM16 to deliver logs to a syslog server and notify us through e-mail or SNMP. The system provided several key status pages that let us see the status of significant parameters--such as ports in use, errors or warnings over time and user status--from the browser interface.
There weren't as many options for configuring the information stored in the logs as we found in the Cyclades system, but some nifty built-in tools may make up the difference for many users. For example, the CM16 will identify log entries by port alias rather than number, making problem identification a bit easier. When problems are suspected on an individual serial interface, a "sniff" mode will let you see all the traffic passing on the port, so you can break in if necessary. Between the snapshot status pages and the sniff interface, the Digi unit provides solid management and administration functions in an easy-to-use package.
In our power-interruption testing, the CM16 left no hanging sessions on test equipment. The only security issue we found was that Web-based management sessions were kept alive for a very long time; there's no way to alter the time-out parameters from the Web-based management system. Unlike the Cyclades system, which required reauthentication if there was no activity for several minutes, we could leave the Digi alone for extended periods and return to a live session. The Digi CM16 is a flexible console server that allows fast and easy setup for most basic functions. If you're looking for a straightforward console server that has an easy learning curve and an attractive price--the least expensive unit we tested--the Digi CM16 is the way to go.
Digi CM16, $2,099. Digi International, (877) 912-3444, (952) 912-3444. www.digi.com
CURTIS FRANKLIN JR. is a senior technology editor for Network Computing and Secure Enterprise. He has been writing about the computer and network industries since 1985. Write to him at [email protected].
We tested a trio of console servers from Cyclades Corp., Digi International and Lantronix in our Gainesville, Fla., labs. Our requirements: a minimum of 16 ports, user authentication and traffic-encryption capabilities, and a graceful recovery when the lights go out. We liked all the units tested, and any will make a network administrator's life easier, especially if that life includes travel or a number of remote offices. Depending on your needs, you have clear choices, ranging from the simple-to-use Digi CM16 to the highly capable but complex Linux-based Cyclades ACS16.
Lantronix's SecureLinx SLC16 falls between the Digi and Cyclades console servers in price, and that moderation seems to match the scale of its capability--it's both easy to configure and highly adaptable to different needs. Splitting the difference in so many ways makes the Lantronix our preferred system and earns it our Editor's Choice award.
The console servers were placed in a test network with auxiliary appliances from a variety of vendors. Principal components included a Cisco 927 ADSL router, two 3Com Superstack 10/100 switches, two BlueSocket WG2100 security appliances, one ServGate EdgeForce Plus, one ipUnplugged Roaming Gateway, one Zyxel ZyWall firewall, two AirMagnet Distributed sensors, one Cisco 1220 access point, two Dell servers running Windows 2003 Server and 11 workstations running Windows XP.
Most testing was performed with 12 devices attached to the console server under test. Sessions were initiated from various workstations to the appliances connected to the device being tested. We observed performance from the workstations to the attached appliances and servers.
To test an unexpected power outage, we simply pulled the electrical connector of the device under test out of the wall, waited 30 seconds and then plugged the electrical connector back into the power outlet.