Security Basics mailing list archives
RE: PXE, OS Imaging(?) in the DMZ
From: Jay Vlavianos <jvlavianos () ecastnetwork com>
Date: Thu, 7 Jan 2010 10:23:42 -0800
Correct, the DMZ is isolated and it takes an Act of Man to put the device in the build VLAN. Once the server is tagged for the build VLAN we reboot it via lights-out and it picks up the PXE session. After the machine is built we retag it for the DMZ via another Act of Man and then we are off to the races. This prevents accidental exposure of the build network if a DMZ machine is b0rked but gives us the flexibility to reimage at will. Cheers, -Jay -----Original Message----- From: Ray Van Dolson [mailto:rvdolson () gmail com] Sent: Thursday, January 07, 2010 10:17 AM To: Jay Vlavianos Cc: security-basics () securityfocus com Subject: Re: PXE, OS Imaging(?) in the DMZ Apologies for the double reply, Jay. I forgot to CC the list. On Thu, Jan 7, 2010 at 9:03 AM, Jay Vlavianos <jvlavianos () ecastnetwork com> wrote:
I would never handle this with a traditional DMZ. I do currently isolate a vlan on the network for PXE build with it's own pxe/dhcp server. The vlan has ACLs that prevent intra-vlan communication from the build network but allow external excess via the router for updates and such. When you say DMZ I assume you mean in the isolated but open sense. -Jay
Correct. Controlled external exposure via an edge firewall but isolated from internal and other networks. So do you allow hosts within your "DMZ" to access your build network whenever they like, or do you do some sort of access control? I'm thinking the separate network sounds like the best way to go. Risks of having some of this infrastructure within the "DMZ" would be as follows: - We assume that if a machine within the DMZ becomes compromised, others could be as well (or at least our confidence in their state decreases). - Folowing that, an attacker, after compromising a DMZ host could compromise our PXE or build environment and thus infect other machines. If we decided not to do imaging but only provide PXE access with tools such as Partition Magic, etc available, this might not be such a big worry as most of these would require local, physical console access to really make use of and the contents of the tools themselves aren't particularly sensitive... Just thinking out loud here. Thanks for the reply! Ray ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- PXE, OS Imaging(?) in the DMZ Ray Van Dolson (Jan 07)
- <Possible follow-ups>
- PXE, OS Imaging(?) in the DMZ Ray Van Dolson (Jan 07)
- Re: PXE, OS Imaging(?) in the DMZ Jay Vlavianos (Jan 07)
- Re: PXE, OS Imaging(?) in the DMZ Ray Van Dolson (Jan 07)
- RE: PXE, OS Imaging(?) in the DMZ Jay Vlavianos (Jan 07)
- Re: PXE, OS Imaging(?) in the DMZ Jay Vlavianos (Jan 07)