|
Security Basics
mailing list archives
Re: Managed switches outside firewalls?
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 29 May 2007 18:15:55 +0200
On 2007-05-29 Hari Sekhon wrote:
I need to get some new switches outside of my firewalls, which means
that they will have publicly accessible IPs if they are manageable
switches.
I'm not quite sure what security stance to take on this. I know I can
restrict the management interface to certain IPs, but I'm still not
sure if this is asking for trouble to have switches will accessible
IPs. Perhaps I should use a dumb switch and forgo any management
features...
Do any of you guys have policies for this (like unmanaged switches
outside firewalls and managed ones inside)?
If you don't need switch management for the outside switches: go for
unmanaged ones. Cheaper, disposable, and a lot less headaches for you.
If you need management on the switches, I'd go for devices that have a
serial console (or at least an SSH server that allows for public key
authentication), and restrict access to this access method only.
Furthermore I'd allow access to those switches only from a single
(hardened) host inside your network. Maybe even put that host into a
separate (management) network segment.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
 By Date 
By Thread
Current thread:
| 
Intro
