Firewall Wizards mailing list archives
Re: question on securing out-of-band management
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 03 Feb 2006 12:40:44 -0500
golovast wrote:
> First, did anyone here ever try using USB ethernet adapters for OOB in perimeter and high performance servers? A lot of servers don't have extra NICs. Sticking in USB adapters would be a lot easier, but I am still a bit hesitant. Internal NICs would be preferable, but it's a lot of manual labor and downtime. Any big cons against using USB ethernet?
That sounds like a pretty decent idea, though I suspect people labor under the perception that USB networks are "slow" and perhaps less reliable. I'm not convinced high performance is a requirement for all OOB networks, but reliability certainly is. You don't want that USB dongle to pull free at a bad time. For the sake of tradition, I would recommend duct-taping the dongles in place. ;)
> Second question is about security. How do you secure the oob management network?
Aha, you've discovered the "creeping OOB network problem" most often stated as The Anonymous Auditor's Law of OOB Networks to wit: "OOB networks eventually grow until they are the same size as the networks they are intended to manage, at which time someone begins to build an OOB-OOB (known as OOB-prime) network, ad infinitum"
> It obviously has its pros, but even still it's a good way to bypass all other security layers. I was thinking about HIDS and locking things down with ACLs and hardening servers. Also, no ports on the floor assigned to that network and a VPN access with two-factor authentication into it.
The last well-designed OOB network I saw had IP and MAC address filtering that locked all communications on the OOB so that systems on a single hub in the NOC could talk to any machine on the OOB network but none of the machines could cross-talk. Detecting attempts to cross-talk will give you 99% of the intrusion detection you'd need on such a network.

mjr.
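As an added illustration of the filtering-plus-detection design Marcus describes (this is example code written for this archive page, not anything from the thread or from any particular product), the script below models the policy as data and audits observed flow records against it. The addressing, the IP/MAC bindings and the flow-record format are all constructed for the example; the one design assumption beyond the post is that managed hosts may send back to the NOC hub, so that replies to management sessions pass a stateless filter, while managed-to-managed traffic is reported as cross-talk.

```python
"""
Audit OOB-segment flow records against a NOC-only management policy.

Policy (after the design described in the post):
  * hosts on the NOC hub may talk to any machine on the OOB segment;
  * a managed machine may talk back to the NOC hub (replies), but never
    to another managed machine ("cross-talk");
  * every packet must carry the IP/MAC binding registered for that host.
Anything that is not "allow" is an alert worth looking at.
All addresses and records below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed OOB segment (hypothetical addressing).
OOB_NET: IPv4Network = ip_network("10.255.0.0/24")

# Hosts on the NOC hub: the only systems allowed to initiate to any OOB host.
NOC_HOSTS: Dict[IPv4Address, str] = {
    ip_address("10.255.0.10"): "00:11:22:33:44:10",
    ip_address("10.255.0.11"): "00:11:22:33:44:11",
}

# Managed systems, with the IP/MAC binding the filter enforces.
MANAGED_HOSTS: Dict[IPv4Address, str] = {
    ip_address("10.255.0.101"): "00:11:22:33:44:a1",
    ip_address("10.255.0.102"): "00:11:22:33:44:a2",
}


@dataclass(frozen=True)
class Flow:
    src_ip: IPv4Address
    src_mac: str
    dst_ip: IPv4Address
    dst_mac: str


def parse_flow(line: str) -> Flow:
    """Parse one record in the constructed '<src_ip> <src_mac> <dst_ip> <dst_mac>' format."""
    src_ip, src_mac, dst_ip, dst_mac = line.split()
    return Flow(ip_address(src_ip), src_mac.lower(), ip_address(dst_ip), dst_mac.lower())


def _binding_ok(ip: IPv4Address, mac: str) -> bool:
    """True when the host is registered and the MAC matches its registered binding."""
    expected = NOC_HOSTS.get(ip) or MANAGED_HOSTS.get(ip)
    return expected is not None and expected == mac


def classify(flow: Flow) -> str:
    """Return 'allow' or the name of the policy violation the flow represents."""
    if flow.src_ip not in OOB_NET or flow.dst_ip not in OOB_NET:
        return "foreign-address"          # traffic leaking into or out of the segment
    if not _binding_ok(flow.src_ip, flow.src_mac) or not _binding_ok(flow.dst_ip, flow.dst_mac):
        return "binding-violation"        # unregistered host or spoofed IP/MAC pair
    if flow.src_ip in NOC_HOSTS or flow.dst_ip in NOC_HOSTS:
        return "allow"                    # NOC hub at one end of the conversation
    return "cross-talk"                   # managed host talking to another managed host


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Classify every record, keeping the original line next to its verdict."""
    return [(line, classify(parse_flow(line))) for line in lines]


def alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Only the records that violate the policy: the detection feed for the OOB net."""
    return [(line, verdict) for line, verdict in audit(lines) if verdict != "allow"]


# Constructed sample flow records.
SAMPLE_FLOWS = [
    "10.255.0.10 00:11:22:33:44:10 10.255.0.101 00:11:22:33:44:a1",   # NOC -> managed
    "10.255.0.101 00:11:22:33:44:a1 10.255.0.10 00:11:22:33:44:10",   # managed -> NOC (reply)
    "10.255.0.101 00:11:22:33:44:a1 10.255.0.102 00:11:22:33:44:a2",  # managed -> managed
    "10.255.0.102 00:11:22:33:44:ff 10.255.0.101 00:11:22:33:44:a1",  # wrong MAC for .102
    "10.255.0.101 00:11:22:33:44:a1 192.0.2.7 00:11:22:33:44:99",     # off-segment destination
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:18s} {line}")
```

Run as a script it prints a verdict per record; in practice `alerts()` is the function you would feed from a span port or flow export on the OOB hub, since the post's point is that on a network where only the NOC may initiate, any other pairing is itself the signal.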