Firewall Wizards mailing list archives
RE: question on securing out-of-band management
From: "golovast" <golovast () yandex ru>
Date: Sat, 4 Feb 2006 04:57:30 +0300 (MSK)
Thanks for all the replies. See inline.
> Golovast, Great message! In the future you may want to include your name in the message so that those responding can get the salutation correct. See in line:
>
> -----Original Message-----
> Date: Fri, 3 Feb 2006 11:38:45 +0300 (MSK)
> From: "golovast" <golovast () yandex ru>
> To: firewall-wizards () honor icsalabs com
> Reply-To: golovast () yandex ru
> Subject: A few words about the network.
>
> It is an environment where security is of the highest priority, because customer data is handled and a variety of regulations apply. Just like everyone else, we want to make the network reliable, secure, scalable, etc. We have decided to use out-of-band management for the perimeter servers.
>
> [BF] Excellent!
>
> It will be done over a dedicated Ethernet interface. Servers are mostly Microsoft, network gear is mostly Cisco. I have two questions. First, did anyone here ever try using USB ethernet adapters for OOB in perimeter and high performance servers? A lot of servers don't have extra NICs. Sticking in USB adapters would be a lot easier, but I am still a bit hesitant. Internal NICs would be preferable, but it's a lot of manual labor and downtime. Any big cons against using USB ethernet?
>
> [BF] If the particular USB NICs that you get work with the server hardware you've got, that's great! Silly point but I would suggest using wired USB NICs (as opposed to wireless).
Wireless is not even a consideration. Some of the people in our department and some folks who replied had some concerns about them falling out from time to time though. I guess it's a possibility.
> Second question is about security. How do you secure the OOB management network?
>
> [BF] Don't let anything else attach or pass over the OOB management network. While this may sound simple, it's actually quite difficult after prolonged use.
We'll try to keep it as restricted as possible. Management and backup systems should be the only ones on the list.
> It obviously has its pros, but even still it's a good way to bypass all other security layers. I was thinking about HIDS and locking things down with ACLs and hardening servers. Also, no ports on the floor assigned to that network and a VPN access with two-factor authentication into it. Am I leaving anything out?
>
> [BF] I think you have it right. Make the OOB management network one big flat network and only allow management traffic. Specify what management traffic is on your network (Syslog, SNMP, Telnet, SSH, etc.). If possible in the data center use a separate switch on a different UPS for the OOB segment. I would suggest not allowing VPN access to the OOB management network (at least to start). If you go with the big flat network you can deploy one IDS/IPS sensor set to alarm on anything that is not a management protocol on that network or on device adds and drops.
Unfortunately it won't be on a completely separate switch. For a variety of reasons, our management network is going to be used to manage both the perimeter and the internal servers, so on the back end it will be connected to the internal core switch. We'll probably run IOS with firewall services there, so the users should be restricted from accessing the network. Do you have any recommendations for HIDS? We currently have Tripwire. I haven't really dug into it, but at first few glances it didn't seem all that great.
> How are you guys doing it? What are the other alternatives? I'll appreciate any replies. Thanks.
>
> Liberty for All,
> Brian
>
> Brian Ford (brford <at] cisco [dot> com)
> Consulting Engineer
> Cisco Systems, Inc.
> http://www.cisco.com/go/security
> The thoughts and opinions expressed in the message are those of the author and not necessarily those of the author's employer.
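The sensor logic Brian Ford describes above (one IDS sensor on the flat OOB segment that alarms on anything that is not a management protocol, and on device adds and drops), as an added example that is not part of this thread or of any product mentioned in it; the flow-record format, the port allowlist and the addresses are constructed assumptions:

```python
"""Alarm on non-management traffic and on device adds/drops on a flat
OOB management segment. Added example; the 'src dst proto dport' record
format, the allowlist and the addresses are constructed assumptions."""
from collections import namedtuple

# Management protocols named in the thread (Syslog, SNMP, Telnet, SSH)
# on their standard IANA ports; anything else on the segment is an alarm.
MGMT_ALLOW = {("udp", 514), ("udp", 161), ("udp", 162), ("tcp", 23), ("tcp", 22)}

Flow = namedtuple("Flow", "src dst proto dport")


def parse_flow(line):
    """Parse one constructed flow record: 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def non_mgmt_alerts(lines):
    """One alert per flow whose (proto, dport) is not on the allowlist."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if (f.proto, f.dport) not in MGMT_ALLOW:
            alerts.append(f"non-management traffic {f.src}->{f.dst} {f.proto}/{f.dport}")
    return alerts


def device_changes(baseline, lines):
    """Compare hosts seen in this window with the enrolled inventory.
    Returns (added, dropped): hosts talking without being enrolled, and
    enrolled hosts that went silent (a pulled cable, a dead USB NIC)."""
    seen = set()
    for line in lines:
        f = parse_flow(line)
        seen.update((f.src, f.dst))
    return sorted(seen - baseline), sorted(baseline - seen)


# Constructed sample: enrolled inventory and one window of flow records.
BASELINE = {"10.99.0.10", "10.99.0.11", "10.99.0.20", "10.99.0.21"}
SAMPLE = [
    "10.99.0.10 10.99.0.20 udp 514",  # syslog from a server to the collector
    "10.99.0.20 10.99.0.10 tcp 22",   # SSH from the management host
    "10.99.0.20 10.99.0.11 udp 161",  # SNMP poll
    "10.99.0.11 10.99.0.20 tcp 445",  # SMB: not a management protocol
    "10.99.0.77 10.99.0.10 tcp 22",   # SSH, but from an unenrolled host
]

if __name__ == "__main__":
    for alert in non_mgmt_alerts(SAMPLE):
        print("ALERT", alert)
    added, dropped = device_changes(BASELINE, SAMPLE)
    print("added:", added, "dropped:", dropped)
```

The last sample record shows why both checks are needed: the protocol allowlist passes the SSH session from 10.99.0.77, and only the inventory comparison flags the unenrolled host.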