Firewall Wizards mailing list archives

Re: question on securing out-of-band management


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 03 Feb 2006 12:40:44 -0500

golovast wrote:
> First, did anyone here ever try using USB ethernet adapters for
> OOB in perimeter and high performance servers? A lot of servers
> don't have extra NICs. Sticking in USB adapters would be a lot
> easier, but I am still a bit hesitant. Internal NICs would be
> preferable, but it's a lot of manual labor and downtime. Any big
> cons against using USB ethernet?

That sounds like a pretty decent idea, though I suspect people
labor under the perception that USB networks are "slow" and
perhaps less reliable. I'm not convinced high performance is a
requirement for all OOB networks, but reliability certainly is.
You don't want that USB dongle to pull free at a bad time.
For the sake of tradition, I would recommend duct-taping the
dongles in place. ;)

> Second question is about security. How do you secure the OOB management
> network?

Aha, you've discovered the "creeping OOB network problem"
most often stated as The Anonymous Auditor's Law of OOB Networks
to wit:
"OOB networks eventually grow until they are the same size as
the networks they are intended to manage, at which time someone
begins to build an OOB-OOB (known as OOB-prime) network,
ad infinitum"

> It obviously has its pros, but even still it's a good way to
> bypass all other security layers. I was thinking about HIDS and locking
> things down with ACLs and hardening servers. Also, no ports on the floor
> assigned to that network and VPN access with two-factor authentication
> into it.

The last well-designed OOB network I saw had IP and MAC
address filtering that locked all communications on the OOB so that
systems on a single hub in the NOC could talk to any machine on
the OOB network but none of the machines could cross-talk.
Detecting attempts to cross-talk will give you 99% of the
intrusion detection you'd need on such a network.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
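The filtering design in the reply (NOC hub hosts may reach any managed device, managed devices may not cross-talk, with IP and MAC pinned together) can be modelled and checked against a flow log. The following is an added example written for this archive page, not code from the original post or from any product it mentions; the host inventory, MAC addresses and flow-log lines are constructed, and the `classify`/`audit` functions are illustrative names. It also goes slightly beyond the post by treating an IP/MAC mismatch as its own drop reason, since pinning is what makes the cross-talk rule hard to bypass by readdressing a host:

```python
"""Model of the OOB-network policy described in the reply: hosts on the NOC
hub may reach any managed device over the OOB segment, but managed devices
may not talk to each other ("cross-talk"). Each OOB IP is pinned to a MAC,
so a frame whose IP/MAC pair does not match the table is also rejected.
All names and sample data below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed inventory: every OOB address pinned to the MAC expected on it.
NOC_HOSTS = {
    "10.99.0.10": "00:11:22:aa:00:10",
    "10.99.0.11": "00:11:22:aa:00:11",
}
MANAGED_HOSTS = {
    "10.99.1.20": "00:11:22:bb:00:20",
    "10.99.1.21": "00:11:22:bb:00:21",
    "10.99.1.22": "00:11:22:bb:00:22",
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_mac: str


def classify(flow: Flow) -> str:
    """Return 'ALLOW', or the reason the OOB filter should drop the frame."""
    pinned = {**NOC_HOSTS, **MANAGED_HOSTS}
    # Unknown addresses have no business on the OOB segment at all.
    if flow.src_ip not in pinned or flow.dst_ip not in pinned:
        return "DROP:unknown-host"
    # IP/MAC pinning: a mismatch means a spoofed or misconfigured station.
    if pinned[flow.src_ip] != flow.src_mac.lower():
        return "DROP:src-mac-mismatch"
    if pinned[flow.dst_ip] != flow.dst_mac.lower():
        return "DROP:dst-mac-mismatch"
    src_noc = flow.src_ip in NOC_HOSTS
    dst_noc = flow.dst_ip in NOC_HOSTS
    # Either endpoint on the NOC hub: management traffic, allowed in both
    # directions so that replies from a managed host reach the NOC.
    if src_noc or dst_noc:
        return "ALLOW"
    # Both endpoints are managed devices: cross-talk, which the policy forbids.
    return "DROP:cross-talk"


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow-log line: 'src_ip src_mac dst_ip dst_mac'."""
    src_ip, src_mac, dst_ip, dst_mac = line.split()
    return Flow(src_ip, src_mac.lower(), dst_ip, dst_mac.lower())


def cross_talk_alerts(flows):
    """Detection side: the dropped cross-talk attempts are the events the
    reply says give most of the intrusion detection an OOB network needs."""
    return [f for f in flows if classify(f) == "DROP:cross-talk"]


# Constructed sample flow log: NOC->device, device->NOC reply, device->device
# cross-talk, a managed IP seen with the wrong MAC, and an unknown host.
SAMPLE_LOG = """\
10.99.0.10 00:11:22:aa:00:10 10.99.1.20 00:11:22:bb:00:20
10.99.1.20 00:11:22:bb:00:20 10.99.0.10 00:11:22:aa:00:10
10.99.1.20 00:11:22:bb:00:20 10.99.1.21 00:11:22:bb:00:21
10.99.1.22 00:11:22:bb:00:99 10.99.0.10 00:11:22:aa:00:10
10.99.5.5 00:11:22:cc:00:05 10.99.1.20 00:11:22:bb:00:20
"""


def audit(log_text: str):
    """Classify every flow in a log and return (src, dst, verdict) tuples."""
    flows = [parse_flow(l) for l in log_text.splitlines() if l.strip()]
    return [(f.src_ip, f.dst_ip, classify(f)) for f in flows]


if __name__ == "__main__":
    for src, dst, verdict in audit(SAMPLE_LOG):
        print(f"{src} -> {dst}: {verdict}")
```

The same table drives both the filter and the alerting, which is the point of the design: anything on the OOB segment that is not NOC-to-device traffic is, by construction, either a misconfiguration or an intrusion attempt, so the drop log needs very little further tuning. The NOC hub itself remains the place to concentrate the access controls (two-factor VPN, physical port control) the original question raised.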