On Thu, 9 Feb 2006, Brian Loe wrote:
> On 2/8/06, R. DuFresne <dufresne_at_sysinfo.com> wrote:
>> Be wary of VPN bloat, or VPN madness, whence you have so many VPN/VLAN
>> zones, no one can remember which zone to get to which server set, let alone
>> the passwd for each. I think we presently have 20 or 25 such silly
>> things for our "management network" (give or take 5-10, I quit counting).
>>
>>
>> Thanks,
>>
>> Ron DuFresne
>
>
> We have that mess here - times 4, at least - for the customer side of things!
>
> Am I wrong in believing that a simple network is a more secure
> network?
Simple is always better; KISS remains a fundamental principle for a valid
reason.
> That since we deal with a lot of customer VPN connections,
> rather than NATing them and building holes through all of the
> firewalls (3-4 depending) we'd be better off NATing them to a network,
> and giving the network the access required? Possibly figure out a way
> to PVLAN each customer tunnel so that they can't talk to each other,
> etc.?
>
Customers are one thing, and for those, PVLANs and VPN connections to the
servers and apps required can be sweet. But, and here we ESAP all our
agencies into separate zones/PVLANs. Course then managing these devices
gets to be a nightmare, due to the fact that a mgt network was never
properly designed into the whole setup. So to access machines in each
ESAP, I need to use VPNs like I was a client at each of the hundreds of
agencies we manage. Each with a different login, each with a different
passwd, each with a different way of resetting expired/locked passwds and
such.

Most often, and here's the catch, we have a zone for our console access
in, say, czone, all admined on Avocents. Course, the Avocents have their
own quirks, like there is limited cut and paste, and if an app is poorly
set up and scrolls its log info to the console <it happens far too often>
it can make it so the console is totally unavailable. So depending, I
might find it easier to maintain a system from one of these limited
console devices, rather than getting direct access to the server in
question, due to ESAP/VPN madness issues. But, in either case, I'm dealing
with limits that are painful, slow, and just a pain in the ass.

When passwds for numerous VPNs need to be maintained and remembered, where
does security go, as far as Post-its about the cubicle? Out the window,
same as when passwds are preset to something a user just can become
familiar with and latch onto, especially when they are expired every 30-45
days. Admins here tend to spend 30% of their time per week resetting
passwds on logins and VPNs, let alone trying to reset and maintain their
own. This has fostered a sense of communication though, as each admin taps
another to try and determine which ESAP a particular server resides in and
which VPN profile is required, with what two-factor auth models being in
place to get there.... All that and a poorly planned infrastructure <none
really, still trying to define the term here> make the KISS principle
non-existent. But in a properly laid out and designed setup, I'm sure
others can fare much better than any gov type site might. I miss AT&T and
Nortel, that had security wrapped upon a far better thought-out
infrastructure.
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Feb 20 2006