Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: PXE, OS Imaging(?) in the DMZ

From: Jay Vlavianos <jvlavianos () ecastnetwork com>
Date: Thu, 7 Jan 2010 10:23:42 -0800
Correct, the DMZ is isolated and it takes an Act of Man to put the device in the build VLAN.  Once the server is tagged 
for the build VLAN we reboot it via lights-out and it picks up the PXE session.

After the machine is built we retag it for the DMZ via another Act of Man and then we are off to the races.   This 
prevents accidental exposure of the build network if a DMZ machine is b0rked but gives us the flexibility to reimage at 
will.

Cheers,
-Jay


-----Original Message-----
From: Ray Van Dolson [mailto:rvdolson () gmail com] 
Sent: Thursday, January 07, 2010 10:17 AM
To: Jay Vlavianos
Cc: security-basics () securityfocus com
Subject: Re: PXE, OS Imaging(?) in the DMZ

Apologies for the double reply, Jay.  I forgot to CC the list.

On Thu, Jan 7, 2010 at 9:03 AM, Jay Vlavianos
<jvlavianos () ecastnetwork com> wrote:

I would never handle this with a traditional DMZ. I do currently
isolate a vlan on the network for PXE build with it's own pxe/dhcp
server. The vlan has ACLs that prevent intra-vlan communication from
the build network but allow external excess via the router for updates
and such.

When you say DMZ I assume you mean in the isolated but open sense.

-Jay


Correct.  Controlled external exposure via an edge firewall but isolated
from internal and other networks.

So do you allow hosts within your "DMZ" to access your build network
whenever they like, or do you do some sort of access control?

I'm thinking the separate network sounds like the best way to go.  Risks
of having some of this infrastructure within the "DMZ" would be as
follows:

   - We assume that if a machine within the DMZ becomes compromised,
     others could be as well (or at least our confidence in their state
     decreases).
   - Folowing that, an attacker, after compromising a DMZ host could
     compromise our PXE or build environment and thus infect other
     machines.

If we decided not to do imaging but only provide PXE access with tools
such as Partition Magic, etc available, this might not be such a big
worry as most of these would require local, physical console access to
really make use of and the contents of the tools themselves aren't
particularly sensitive...

Just thinking out loud here.  Thanks for the reply!

Ray

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: