Re: question on securing out-of-band management
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 8 Feb 2006 23:25:33 -0500 (EST)
> I certainly see the risks with this approach and my perfect world preference would be to have separate management systems for the perimeter and internal networks.
>
> I have two problems. First is the cost of deploying two systems. Second, and probably more important, is the amount of resources that we have to look at these systems. In a way it's a compromise. I'd rather be aware of the areas of vulnerability and focus attention there, than spread the resources too thin across many areas.
>
> Also, it won't be just the VLANs and firewall services. Possibly HIDS on the servers as well.
>
> As far as the example that you describe below (pretty bad...=])), I am hoping to avoid the issue by requiring everyone (including server admins) to go through the VPN in order to manage the management servers. I can have pretty granular access control at the VPN box.
>
> Still, you make a good point and it's something I've thought about extensively. Maybe I am missing some alternatives? What are my other options outside of having separate management systems for inside and perimeter?
Be wary of VPN bloat, or VPN madness, whence you have so many VPN/VLAN zones that no one can remember which zone gets to which server set, let alone the passwd for each. I think we presently have 20 or 25 such silly things for our "management network" (give or take 5-10, I quit counting).
admin & senior security consultant: sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
firewall-wizards mailing list
firewall-wizards () honor icsalabs com