RE: Managed switches outside firewalls?

You can always put the management connection on a different vlan to that of the "outside" and connect this to an "inside" network with ACL's, fw, etc. "Outside" ips would not be able to route to this.
If you just need to remotely access the device you can always use a terminal server at the back of the serial connection (i'm assuming that it's got a serial console) that way it's not even connected via ip from the "outside".

-----Original Message-----
From: listbounce_at_securityfocus.com
[mailto:listbounce_at_securityfocus.com]On Behalf Of ragdelaed
Sent: Thursday, 31 May 2007 6:56 AM
To: 'Hari Sekhon'; security-basics_at_securityfocus.com
Subject: RE: Managed switches outside firewalls?

Sorry if this was already posted, but why do you want to do this? Or what is
the business justification for doing this?

-----Original Message-----
From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com] On
Behalf Of Hari Sekhon
Sent: Tuesday, May 29, 2007 4:57 AM
To: security-basics_at_securityfocus.com
Subject: Managed switches outside firewalls?

Hi,

   I need to get some new switches outside of my firewalls, which means
that they will have publicly accessible IPs if they are manageable switches.

I'm not quite sure what security stance to take on this. I know I can
restrict the management interface to certain IPs, but I'm still not
sure if this is asking for trouble to have switches will accessible IPs.
Perhaps I should use a dumb switch and forgo any management features...

Do any of you guys have policies for this (like unmanaged switches
outside firewalls and managed ones inside)?

Any thoughts and suggestions welcome.

-h

-- 
Hari Sekhon
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Crane Group