Re: General question, was: question on securing out-of-band management

["R. DuFresne" <dufresne () sysinfo com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 9 Feb 2006, Brian Loe wrote:

> On 2/8/06, R. DuFresne <dufresne () sysinfo com> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
>
> > Be wary of VPN bloat, or VPNmadness, whence you have so many VPN/VLAN
> > zones, no one can remember which zone to get to which server set let alone
> > the passwd for each.  I think was presently have 20 or 25 such silly
> > things for our "management network" (give or take 5-10, I quit counting).
> >
> >
> > Thanks,
> >
> > Ron DuFresne
>
>
> We have that mess here - times 4, at least - for the customer side of things!
>
> Am I wrong in believing that a simple network is a more secure
> network?

simple is always bwetter, KISS remains a fundamental priciple for a valid 
reason;

> That since we deal with a lot of customer VPN connections,
> rather than NATing them and building holes through all of the
> firewalls (3-4 depending) we'd be better off NATing them to a network,
> and giving the network the access required? Possibly figure out a way
> to PVLAN each customer tunnel so that they can't talk to each other,
> etc.?

Customers are one thing, and for those pvlans and vpn connections to the 
servers and apps required can be sweets.  But, and here we ESAP all our 
angencies into seperate zones/pcvlans.  Course then managing these devices 
gets to be a nightmare, due to the fact that a mgt network was never 
properly designed into the whole setup.  So to access machines in each 
ESAP, I need to use vpn's like I was a clients at each of the hundreeds of 
agecies we manage.  Each with a different login, each with a different 
passwd, each with a different way of resetting expired/locked passwds and 
such.  Most often, and here's the catch, we have a zone for our console 
access in say czone, all admined on avocents, course, the avocents have 
their own  quirks, like there is limited cut and paste, and if an app is 
poorly setup and scrolls it;s log info to the console <it happenes far too 
often> it can make it so the console is totally unavailable.  so 
depending, I might fnd it easier to maintain a system from one of these 
limited console devices, rather then getting the direct access tot he 
server in question due to esap/vpn madness issues.  But, in either case, 
I'm dealing with limits that are painful, slow, and just a pain in the 
ass.  When passwd's for numerous vpn's are needed to be maintained and 
remembered, where does securiy go as far as postit's about the cubicle? 
Out the window, same as when passwd's are preset to something a user just 
can become familiar with and latch onto, especially when they are expired 
every 30-45 days.  Admins here tend to spend 30% of their time resetting 
passwd's on logins and vpn's per week, let alone trying to reset and 
maintain their own.  this has fostered a sense of communication though, as 
each admin taps another to try and determine with esap a particular server 
resides in and which vpn profile is required with what two factor auth 
modles being in place to get there....  All that and a poorly planned 
infrastructure <none really, still trying to define the term here> make 
the KISS principle non-existant.  But in a properly laid out and designed 
setup, I'm sure others can fair much better then any gov type site might.

I miss AT&T and Nortel, that had security wrapped upon a far better 
thoughtout infrastructure.

Thanks,

Ron DuFresne
- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFD8k4kst+vzJSwZikRAgFTAJ9yMW9hShNY3J/Kfk8H3SS8FCMFvQCcDTQB
RoX3H+zSMaManGkyvL6wlL4=
=Hx5W
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards