Firewall Wizards: Re: General question, was: question on securing out-of-band management

Re: General question, was: question on securing out-of-band management

From: golovast <golovast_at_yandex.ru>
Date: Fri, 10 Feb 2006 22:30:36 +0300 (MSK)

I don't necessarily have fear of VPN bloat. I've seen it implemented successfully a number of times. I think if you do the work in the beginning and really spend the time building your policies and figuring out who needs access to what, then it will be a lot easier in the long run.

The huge advantage that you get is the ability to control access policies in one place. Well, or at least closer to one place. Instead of putting access lists, rules, exceptions, etc. in many devices, I can place them in one. I see controlled and integrated security and I think it's a good thing.

Also, we have to consider what type of an environment it is. I don't think it's necessarily the right solution for every place. Some people have customers they want to separate and some want to separate their network segments and want to get different things out of their management network.

By the way, the VPN I am referring to is SSL VPN. No need to NAT. Client/Zones can never actually connect to an IP of the servers. Also, a big plus is that I don't need to push out a VPN client to every machine.

Don't get me wrong. I am all in favor of keeping the network simple. Except that I think that the VPN actually makes it simpler. And more secure. Granted, it may be only an improvement over my current methods, but what's the alternative? An alternative that can realistically be implemented in a world where you're not building from scratch?

>On 2/8/06, R. DuFresne <dufresne_at_sysinfo.com> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>
>> Be wary of VPN bloat, or VPNmadness, whence you have so many VPN/VLAN
>> zones, no one can remember which zone to get to which server set let alone
>> the passwd for each. I think we presently have 20 or 25 such silly
>> things for our "management network" (give or take 5-10, I quit counting).
>>
>>
>> Thanks,
>>
>> Ron DuFresne
>
>
>We have that mess here - times 4, at least - for the customer side of things!
>
>Am I wrong in believing that a simple network is a more secure
>network? That since we deal with a lot of customer VPN connections,
>rather than NATing them and building holes through all of the
>firewalls (3-4 depending) we'd be better off NATing them to a network,
>and giving the network the access required? Possibly figure out a way
>to PVLAN each customer tunnel so that they can't talk to each other,
>etc.?

-- 
Yandex.Mail: mailbox size is unlimited! http://mail.yandex.ru/monitoring/
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Feb 19 2006
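The thread's two design points, keeping the access policy in one place instead of scattered across many devices, and making sure customer zones cannot reach each other's servers, are easy to lose track of once the rule count grows. The following Python script is an added example, not code from anyone in this thread or from any VPN product: it flattens a per-zone access map into a single ordered policy with a default deny, evaluates flows against it first-match, and checks the consolidated policy for rules that let one customer zone reach another customer's server subnet. All zone names and networks are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: three VPN zones and the servers each may reach.
# None of these zone names or networks come from the original thread.
ZONE_ACCESS = {
    "cust-a": [("10.10.1.0/24", 443)],
    "cust-b": [("10.10.2.0/24", 443), ("10.10.0.0/16", 22)],  # second rule is far too broad
    "ops":    [("10.10.0.0/16", 22), ("10.10.0.0/16", 443)],
}

# Which server subnet belongs to which customer; used by the isolation check.
CUSTOMER_NETS = {
    "cust-a": "10.10.1.0/24",
    "cust-b": "10.10.2.0/24",
}


@dataclass(frozen=True)
class Rule:
    zone: str      # source zone name, or "*" for any zone
    dst: str       # destination network in CIDR notation
    port: int      # TCP port, or 0 for any port
    action: str    # "allow" or "deny"


def build_policy(zone_access):
    """Flatten the per-zone access map into one ordered rule list ending in a default deny."""
    rules = [Rule(zone, cidr, port, "allow")
             for zone, targets in zone_access.items()
             for cidr, port in targets]
    rules.append(Rule("*", "0.0.0.0/0", 0, "deny"))
    return rules


def evaluate(rules, zone, dst_ip, port):
    """First-match evaluation of a flow (zone -> dst_ip:port) against the policy."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.zone not in (zone, "*"):
            continue
        if r.port not in (port, 0):
            continue
        if ip in ipaddress.ip_network(r.dst):
            return r.action
    return "deny"  # not reachable while the default-deny rule is present; kept as a safety net


def isolation_violations(rules, customer_nets):
    """Return (offending_zone, victim_zone, rule) for every allow rule that lets one
    customer's zone reach another customer's server subnet."""
    violations = []
    for r in rules:
        if r.action != "allow" or r.zone not in customer_nets:
            continue
        rule_net = ipaddress.ip_network(r.dst)
        for victim, cidr in customer_nets.items():
            if victim != r.zone and rule_net.overlaps(ipaddress.ip_network(cidr)):
                violations.append((r.zone, victim, r))
    return violations


if __name__ == "__main__":
    policy = build_policy(ZONE_ACCESS)
    print(f"{len(policy)} rules in the consolidated policy")
    for zone, victim, rule in isolation_violations(policy, CUSTOMER_NETS):
        print(f"{zone} can reach {victim}'s servers via {rule.dst}:{rule.port}")
```

Running it reports the one leak in the sample data: the broad `10.10.0.0/16:22` rule granted to `cust-b` also covers `cust-a`'s subnet. The same check is far harder to run when equivalent rules live in several firewalls with different syntax, which is the "one place" argument the post makes.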