Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: General question, was: question on securing out-of-band management
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 14 Feb 2006 16:39:45 -0500 (EST)

Hash: SHA1

On Thu, 9 Feb 2006, Brian Loe wrote:

On 2/8/06, R. DuFresne <dufresne () sysinfo com> wrote:

Be wary of VPN bloat, or VPNmadness, whence you have so many VPN/VLAN
zones, no one can remember which zone to get to which server set let alone
the passwd for each.  I think was presently have 20 or 25 such silly
things for our "management network" (give or take 5-10, I quit counting).


Ron DuFresne

We have that mess here - times 4, at least - for the customer side of things!

Am I wrong in believing that a simple network is a more secure

simple is always bwetter, KISS remains a fundamental priciple for a valid reason;

That since we deal with a lot of customer VPN connections,
rather than NATing them and building holes through all of the
firewalls (3-4 depending) we'd be better off NATing them to a network,
and giving the network the access required? Possibly figure out a way
to PVLAN each customer tunnel so that they can't talk to each other,

Customers are one thing, and for those pvlans and vpn connections to the servers and apps required can be sweets. But, and here we ESAP all our angencies into seperate zones/pcvlans. Course then managing these devices gets to be a nightmare, due to the fact that a mgt network was never properly designed into the whole setup. So to access machines in each ESAP, I need to use vpn's like I was a clients at each of the hundreeds of agecies we manage. Each with a different login, each with a different passwd, each with a different way of resetting expired/locked passwds and such. Most often, and here's the catch, we have a zone for our console access in say czone, all admined on avocents, course, the avocents have their own quirks, like there is limited cut and paste, and if an app is poorly setup and scrolls it;s log info to the console <it happenes far too often> it can make it so the console is totally unavailable. so depending, I might fnd it easier to maintain a system from one of these limited console devices, rather then getting the direct access tot he server in question due to esap/vpn madness issues. But, in either case, I'm dealing with limits that are painful, slow, and just a pain in the ass. When passwd's for numerous vpn's are needed to be maintained and remembered, where does securiy go as far as postit's about the cubicle? Out the window, same as when passwd's are preset to something a user just can become familiar with and latch onto, especially when they are expired every 30-45 days. Admins here tend to spend 30% of their time resetting passwd's on logins and vpn's per week, let alone trying to reset and maintain their own. this has fostered a sense of communication though, as each admin taps another to try and determine with esap a particular server resides in and which vpn profile is required with what two factor auth modles being in place to get there.... All that and a poorly planned infrastructure <none really, still trying to define the term here> make the KISS principle non-existant. But in a properly laid out and designed setup, I'm sure others can fair much better then any gov type site might.

I miss AT&T and Nortel, that had security wrapped upon a far better thoughtout infrastructure.


Ron DuFresne
- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
Version: GnuPG v1.2.4 (GNU/Linux)

firewall-wizards mailing list
firewall-wizards () honor icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]