Firewall Wizards mailing list archives
RE: question on securing out-of-band management
From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 3 Feb 2006 11:44:14 -0500
-----Original Message-----
Subject: [fw-wiz] question on securing out-of-band management

> A few words about the network. It is an environment where security is of
> the highest priority, because customer data is handled and a variety of
> regulations apply. Just like everyone else, we want to make the network
> reliable, secure, scalable, etc. We have decided to use out-of-band
> management for the perimeter servers. It will be done over a dedicated
> Ethernet interface. Servers are mostly Microsoft, network gear is mostly
> Cisco.

Tongue visibly protruding through cheek - Windows and Cisco, huh? Security of the highest priority you say? :-)

> First, did anyone here ever try using USB Ethernet adapters for OOB in
> perimeter and high performance servers? A lot of servers don't have extra
> NICs. Sticking in USB adapters would be a lot easier, but I am still a bit
> hesitant. Internal NICs would be preferable, but it's a lot of manual labor
> and downtime. Any big cons against using USB Ethernet?

Well, I'd try and dissuade you from using Ethernet altogether for OOB management. If the server is somehow compromised, the management network becomes exposed. It has been my experience that more often than not the management net is 'softer' than the external-facing net. If possible, network KVM is a nice way to do OOB management for Windows servers. There's a way on to the box, but no way off.

But if it's a lost cause and you have to use Ethernet, then the USB question boils down to the reliability and performance of the individual product and its drivers. I can tell you that I've got a USB Ethernet adapter on my TiVo at home. No problems there. :-)

> Second question is about security. How do you secure the OOB management
> network? It obviously has its pros, but even still it's a good way to
> bypass all other security layers. I was thinking about HIDS and locking
> things down with ACLs and hardening servers. Also, no ports on the floor
> assigned to that network and a VPN access with two-factor authentication
> into it. Am I leaving anything out? How are you guys doing it? What are
> the other alternatives?

Hardening servers is good, but your big risk on a management net isn't so much internal ppl getting onto it, so VPN and 2-factor auth may be misdirected effort. The real risk is the legacy NT4 server that gets owned and then uses the management net as a means to attack the other servers, since you can connect to management services on those interfaces. So if you've got current Cisco hardware, set up PVLANs. Anything you can do to keep servers from talking to each other on that LAN and only talking to the VLAN router port will definitely be worth the effort.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
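The PVLAN layout Paul describes (servers isolated from each other, only the router port reachable), as an added configuration example that is not from the post or the list. It assumes a Catalyst switch running IOS; the VLAN IDs, interface names and the 10.0.0.1 address are placeholders.

```cisco
! Added example, not from the original post. Assumes a Catalyst IOS switch;
! VLAN IDs, interface names and addresses are placeholders.
! Private VLANs require VTP transparent mode on many Catalyst platforms.
vtp mode transparent
!
! Primary VLAN carries the OOB management subnet; the isolated secondary
! VLAN is where every server management NIC lands.
vlan 100
 name OOB-MGMT-PRIMARY
 private-vlan primary
 private-vlan association 101
!
vlan 101
 name OOB-MGMT-ISOLATED
 private-vlan isolated
!
! Promiscuous port: the only thing the servers can talk to, i.e. the
! VLAN router port / management station uplink.
interface GigabitEthernet1/0/1
 description OOB management router uplink (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Isolated host ports, one per server OOB NIC. Frames entering an
! isolated port are forwarded only to promiscuous ports, so an owned
! server cannot reach management services on its neighbours.
interface range GigabitEthernet1/0/2 - 24
 description server OOB NICs (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! If this switch also routes the management subnet, map the secondary
! VLAN onto the primary SVI so replies can be delivered to isolated hosts.
interface Vlan100
 ip address 10.0.0.1 255.255.255.0
 private-vlan mapping 101
```

Verify the mapping with `show vlan private-vlan` and `show interfaces switchport`. Note that the router behind the promiscuous port can still relay traffic between isolated hosts if local proxy ARP is enabled on it, so keep `ip local-proxy-arp` off on the SVI (or filter with an ACL there).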