Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: question on securing out-of-band management
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 8 Feb 2006 23:25:33 -0500 (EST)

Hash: SHA1


I certainly see the risks with this approach and my perfect world preference would be to have separate management 
systems for the perimeter and internal networks.

I have two problems. First, is the cost of deploying two systems. Second, and probably more important, is the amount of resources 
that we have to look at these systems. In a way it's a compromise. I'd rather be aware of the areas of vulnerability 
and focus attention there, then spread the resources too thin across many areas.

Also, it won't be just the VLANs and firewall services. Possibly HIDS on the servers as well.

As far the example that you describe below (pretty bad...=])), I am hoping to avoid the issue by requiring everyone 
(including server admins) to go through the VPN in order to manage the  management servers. I can have pretty granular 
access control at the VPN box.

Still, you make a good point and it's something I've thought about extensively. Maybe I am missing some alternatives? 
What are my other options outside of having separate management systems for inside and perimeter?

Be wary of VPN bloat, or VPNmadness, whence you have so many VPN/VLAN zones, no one can remember which zone to get to which server set let alone the passwd for each. I think was presently have 20 or 25 such silly things for our "management network" (give or take 5-10, I quit counting).


Ron DuFresne
- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
Version: GnuPG v1.2.4 (GNU/Linux)

firewall-wizards mailing list
firewall-wizards () honor icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]