Firewall Wizards mailing list archives

Re: General question, was: question on securing out-of-band management
From: "golovast" <golovast () yandex ru>
Date: Fri, 10 Feb 2006 22:30:36 +0300 (MSK)

I don't necessarily have fear of VPN bloat. I've seen it implemented successfully a number of times. I think if you do the work in the beginning and really spend the time building your policies and figuring out who needs access to what, then it will be a lot easier in the long run.

The huge advantage that you get is the ability to control access policies in one place. Well, or at least closer to one place. Instead of putting access lists, rules, exceptions, etc. in many devices, I can place them in one. I see controlled and integrated security and I think it's a good thing.

Also, we have to consider what type of an environment it is. I don't think it's necessarily the right solution for every place. Some people have customers they want to separate and some want to separate their network segments and want to get different things out of their management network.

By the way, the VPN I am referring to is SSL VPN. No need to NAT. Clients/zones can never actually connect to an IP of the servers. Also, a big plus is that I don't need to push out a VPN client to every machine.

Don't get me wrong. I am all in favor of keeping the network simple. Except that I think that the VPN actually makes it simpler. And more secure. Granted, it may be only an improvement over my current methods, but what's the alternative? An alternative that can realistically be implemented in a world where you're not building from scratch?

On 2/8/06, R. DuFresne <dufresne () sysinfo com> wrote:

Be wary of VPN bloat, or VPN madness, whence you have so many VPN/VLAN zones that no one can remember which zone gets to which server set, let alone the passwd for each. I think we presently have 20 or 25 such silly things for our "management network" (give or take 5-10, I quit counting).


Ron DuFresne

We have that mess here - times 4, at least - for the customer side of things!

Am I wrong in believing that a simple network is a more secure network? That since we deal with a lot of customer VPN connections, rather than NATing them and building holes through all of the firewalls (3-4 depending) we'd be better off NATing them to a network, and giving the network the access required? Possibly figure out a way to PVLAN each customer tunnel so that they can't talk to each other,

firewall-wizards mailing list
firewall-wizards () honor icsalabs com
