Firewall Wizards mailing list archives
Re: question on securing out-of-band management
From: Kevin <kkadow () gmail com>
Date: Fri, 3 Feb 2006 16:43:08 -0600
On 2/3/06, golovast <golovast () yandex ru> wrote:
> A few words about the network. It is an environment where security is of the highest priority, because customer data is handled and a variety of regulations apply. Just like everyone else, we want to make the network reliable, secure, scalable, etc. We have decided to use out-of-band management for the perimeter servers. It will be done over a dedicated Ethernet interface. Servers are mostly Microsoft, network gear is mostly Cisco.

For Cisco, Unix, and even some Windows systems, we primarily use serial console for OOB management and recovery, but also some Ethernet. Many higher-end servers have a dedicated management NIC.

> First, did anyone here ever try using USB Ethernet adapters for OOB in perimeter and high-performance servers? A lot of servers don't have extra NICs. Sticking in USB adapters would be a lot easier, but I am still a bit hesitant. Internal NICs would be preferable, but it's a lot of manual labor and downtime. Any big cons against using USB Ethernet?

Interesting idea. One area of concern: the lack of positive retention on the USB port/plug.

> Second question is about security. How do you secure the OOB management network? It obviously has its pros, but even still it's a good way to bypass all other security layers. I was thinking about HIDS and locking things down with ACLs and hardening servers.

When hardening servers, one big advantage to a dedicated management network is that you can configure management services (SSH, RDP, etc.) with the listener only bound to the management interface and/or IP. So even if the host or network firewall fails and passes TCP/22 traffic, the server just isn't listening for that port anywhere but on the management interface, and you're still protected.

> Also, no ports on the floor assigned to that network and VPN access with two-factor authentication into it. Am I leaving anything out? How are you guys doing it? What are the other alternatives?

Strong authentication is a must. Use a dedicated switch with PVLAN edge (protected port) security; unused switch ports are shut down. The management subnet is not routed.

Kevin
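A check for the bind-only-to-the-management-interface advice above, added here as an example and not code from the thread: it parses `ss -ltn` style listener rows (a constructed sample is embedded) and flags any management-port listener bound to all interfaces or to an address outside the assumed management subnet 10.255.0.0/24 (both the subnet and the port list are assumptions for the example).

```python
import ipaddress
import re

# Constructed for this example: the OOB subnet and the ports that belong to it.
MGMT_NET = ipaddress.ip_network("10.255.0.0/24")
MGMT_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}
# Local-address column of `ss -ltn`, e.g. 10.255.0.12:22, 0.0.0.0:3389, [::]:22
LOCAL_RE = re.compile(r"^(?:\[(?P<v6>[0-9a-fA-F:*]+)\]|(?P<v4>[0-9.*]+)):(?P<port>\d+)$")

def parse_local(field):
    """Split an `addr:port` field into (addr, port); None if it is not one."""
    m = LOCAL_RE.match(field)
    if not m:
        return None
    return (m.group("v4") or m.group("v6")), int(m.group("port"))

def audit_listeners(lines):
    """Return (service, addr, port, reason) for every management-port listener
    that is not bound to loopback or to an address inside MGMT_NET.
    Input rows follow `ss -ltn`: State Recv-Q Send-Q Local:Port Peer:Port."""
    findings = []
    for line in lines:
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        parsed = parse_local(cols[3])
        if parsed is None or parsed[1] not in MGMT_PORTS:
            continue
        addr, port = parsed
        svc = MGMT_PORTS[port]
        if addr in ("0.0.0.0", "*", "::"):
            # Wildcard bind: the service also answers on the production NIC, so a
            # failed firewall rule exposes it. This is the case the advice rules out.
            findings.append((svc, addr, port, "bound to all interfaces"))
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # not an IP literal; nothing to judge
        if not (ip.is_loopback or ip in MGMT_NET):
            findings.append((svc, addr, port, "bound outside management subnet"))
    return findings

# Constructed sample in `ss -ltn` layout; only the first LISTEN row is correct.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    10.255.0.12:22      0.0.0.0:*
LISTEN 0      128    0.0.0.0:3389        0.0.0.0:*
LISTEN 0      128    203.0.113.5:22      0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
"""
```

Running `audit_listeners(SAMPLE.splitlines())` reports the RDP wildcard bind, the SSH listener on the production address 203.0.113.5, and the IPv6 wildcard SSH bind; the HTTPS listener is outside the management port set and is ignored.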