Firewall Wizards mailing list archives
Re: question on securing out-of-band management
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 8 Feb 2006 23:25:33 -0500 (EST)
I certainly see the risks with this approach, and my perfect-world preference would be to have separate management systems for the perimeter and internal networks. I have two problems. First is the cost of deploying two systems. Second, and probably more important, is the amount of resources that we have to look at these systems. In a way it's a compromise. I'd rather be aware of the areas of vulnerability and focus attention there than spread the resources too thin across many areas. Also, it won't be just the VLANs and firewall services. Possibly HIDS on the servers as well. As far as the example that you describe below (pretty bad...=])), I am hoping to avoid the issue by requiring everyone (including server admins) to go through the VPN in order to manage the management servers. I can have pretty granular access control at the VPN box. Still, you make a good point and it's something I've thought about extensively. Maybe I am missing some alternatives? What are my other options outside of having separate management systems for inside and perimeter?
Be wary of VPN bloat, or VPN madness, whence you have so many VPN/VLAN zones that no one can remember which zone gets to which server set, let alone the passwd for each. I think we presently have 20 or 25 such silly things for our "management network" (give or take 5-10, I quit counting).
Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover instead of creating the perfect love. -Tom Robbins <Still Life With Woodpecker>