Firewall Wizards mailing list archives

Re: question on securing out-of-band management

From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 8 Feb 2006 23:25:33 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


        [SNIP]


I certainly see the risks with this approach and my perfect world preference would be to have separate management 
systems for the perimeter and internal networks.

I have two problems. First, is the cost of deploying two systems. Second, and probably more important, is the amount of resources 
that we have to look at these systems. In a way it's a compromise. I'd rather be aware of the areas of vulnerability 
and focus attention there, then spread the resources too thin across many areas.

Also, it won't be just the VLANs and firewall services. Possibly HIDS on the servers as well.

As far the example that you describe below (pretty bad...=])), I am hoping to avoid the issue by requiring everyone 
(including server admins) to go through the VPN in order to manage the  management servers. I can have pretty granular 
access control at the VPN box.

Still, you make a good point and it's something I've thought about extensively. Maybe I am missing some alternatives? 
What are my other options outside of having separate management systems for inside and perimeter?

Be wary of VPN bloat, or VPNmadness, whence you have so many VPN/VLANzones, no one can remember which zone to get to which server set let alonethe passwd for each. I think was presently have 20 or 25 such sillythings for our "management network" (give or take 5-10, I quit counting).



Thanks,

Ron DuFresne

- --~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFD6sRAst+vzJSwZikRAp4JAJ0aJXilLITwBVgenXLZKu+6Kw9F5ACfWAcV
JEVVCp1LBKKyUgKG63elwc4=
=iS0N
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

question on securing out-of-band management golovast (Feb 03)
- RE: question on securing out-of-band management Paul Melson (Feb 07)
- Re: question on securing out-of-band management Marcus J. Ranum (Feb 07)
- Re: question on securing out-of-band management Kevin (Feb 07)
- <Possible follow-ups>
- RE: question on securing out-of-band management Brian Ford (brford) (Feb 07)
  - RE: question on securing out-of-band management golovast (Feb 07)
    - Re: question on securing out-of-band management Kevin (Feb 07)
    - Re: question on securing out-of-band management golovast (Feb 07)
    - Re: question on securing out-of-band management R. DuFresne (Feb 09)
  - RE: question on securing out-of-band management (ver. 2) golovast (Feb 07)
    - RE: question on securing out-of-band management (ver. 2) Marcus J. Ranum (Feb 07)
    - Re: question on securing out-of-band management (ver. 2) Dave Piscitello (Feb 08)
    - RE: question on securing out-of-band management (ver. 2) golovast (Feb 08)
    - Re: question on securing out-of-band management (ver. 2) Dave Piscitello (Feb 15)