Re: question on securing out-of-band management
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 03 Feb 2006 12:40:44 -0500
> First, did anyone here ever try using USB ethernet adapters for
> OOB in perimeter and high performance servers? A lot of servers
> don't have extra NICs. Sticking in USB adapters would be a lot
> easier, but I am still a bit hesitant. Internal NICs would be
> preferable, but it's a lot of manual labor and downtime. Any big
> cons against using USB ethernet?
That sounds like a pretty decent idea, though I suspect people
labor under the perception that USB networks are "slow" and
perhaps less reliable. I'm not convinced high performance is a
requirement for all OOB networks, but reliability certainly is.
You don't want that USB dongle to pull free at a bad time.
For the sake of tradition, I would recommend duct-taping the
dongles in place. ;)
> Second question is about security. How do you secure the OOB management
Aha, you've discovered the "creeping OOB network problem,"
most often stated as The Anonymous Auditor's Law of OOB Networks:
"OOB networks eventually grow until they are the same size as
the networks they are intended to manage, at which time someone
begins to build an OOB-OOB (known as OOB-prime) network,
> It obviously has its pros, but even still it's a good way to
> bypass all other security layers. I was thinking about HIDS and locking
> things down with ACLs and hardening servers. Also, no ports on the floor
> assigned to that network and a VPN access with two-factor authentication
The last well-designed OOB network I saw had IP and MAC
address filtering that locked all communications on the OOB so that
systems on a single hub in the NOC could talk to any machine on
the OOB network but none of the machines could cross-talk.
Detecting attempts to cross-talk will give you 99% of the
intrusion detection you'd need on such a network.
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
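Added example, not part of Ranum's post or of the firewall-wizards archive: a small model of the OOB design he describes, in which the NOC hub systems may reach every host on the OOB network but the managed hosts may not talk to each other, together with the "detect attempts to cross-talk" intrusion detection that falls out of it. The OOB subnet (10.255.0.0/24), interface name (eth1), NOC addresses, MACs and the syslog lines are all constructed for the example; the iptables rule strings use only standard match and target options (-m mac --mac-source, -j LOG --log-prefix).

```python
"""
Added example (not from the original post): a model of an OOB access
policy where the NOC hub systems may reach every host on the OOB network
but OOB hosts may not talk to each other, plus the "detect cross-talk
attempts" intrusion detection that falls out of it.  The subnet, NOC
addresses, MACs and log lines are all constructed.
"""
import ipaddress
import re

OOB_NET = ipaddress.ip_network("10.255.0.0/24")      # assumed OOB subnet
OOB_IFACE = "eth1"                                   # assumed OOB interface on each managed host
NOC_HOSTS = {                                        # assumed NOC hub systems: IP -> MAC
    "10.255.0.10": "00:11:22:33:44:10",
    "10.255.0.11": "00:11:22:33:44:11",
}


def oob_policy(src_ip, src_mac, dst_ip):
    """Verdict for one packet arriving on the OOB interface of a managed host.

    Returns (verdict, reason).  Only a NOC address with its registered MAC is
    accepted; anything else on the OOB subnet is cross-talk and is dropped.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src not in OOB_NET or dst not in OOB_NET:
        return ("drop", "off-net")          # the OOB interface should never see other nets
    expected_mac = NOC_HOSTS.get(str(src))
    if expected_mac is None:
        return ("drop", "cross-talk")       # managed host talking to managed host
    if expected_mac.lower() != src_mac.lower():
        return ("drop", "mac-mismatch")     # NOC IP claimed by the wrong hardware
    return ("accept", "noc")


def iptables_rules(iface=OOB_IFACE):
    """Render the same policy as iptables INPUT rules for the OOB interface.

    NOC hosts are matched on IP *and* MAC; everything else arriving on the
    interface is logged (that log is the intrusion detection) and dropped.
    """
    rules = []
    for ip, mac in NOC_HOSTS.items():
        rules.append(f"-A INPUT -i {iface} -s {ip} -m mac --mac-source {mac} -j ACCEPT")
    rules.append(f'-A INPUT -i {iface} -j LOG --log-prefix "OOB-XTALK: "')
    rules.append(f"-A INPUT -i {iface} -j DROP")
    return rules


# iptables LOG lines carry MAC=<dst mac>:<src mac>:<ethertype>, 14 octets in
# all, so the source MAC is octets 7..12.
_LOG_RE = re.compile(
    r"OOB-XTALK: .*MAC=(?P<mac>[0-9a-fA-F:]+) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
)


def detect_crosstalk(log_lines):
    """Classify logged drops on the OOB interface; returns [(src, dst, reason)]."""
    alerts = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m:
            continue                        # not an OOB firewall log line
        octets = m.group("mac").split(":")
        src_mac = ":".join(octets[6:12]) if len(octets) == 14 else "unknown"
        verdict, reason = oob_policy(m.group("src"), src_mac, m.group("dst"))
        if verdict != "accept":
            alerts.append((m.group("src"), m.group("dst"), reason))
    return alerts


# Constructed syslog lines, as the LOG rule above would produce on host web1.
SAMPLE_LOG = [
    "Feb  3 12:40:44 web1 kernel: OOB-XTALK: IN=eth1 OUT= "
    "MAC=00:11:22:33:44:50:de:ad:be:ef:00:23:08:00 SRC=10.255.0.23 DST=10.255.0.50 "
    "LEN=60 PROTO=TCP SPT=41234 DPT=22",
    "Feb  3 12:40:45 web1 kernel: OOB-XTALK: IN=eth1 OUT= "
    "MAC=00:11:22:33:44:50:de:ad:be:ef:00:99:08:00 SRC=10.255.0.10 DST=10.255.0.50 "
    "LEN=60 PROTO=TCP SPT=41235 DPT=22",
    "Feb  3 12:40:46 web1 sshd[1234]: Accepted publickey for admin from 10.255.0.10 port 51022 ssh2",
]

if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    for src, dst, reason in detect_crosstalk(SAMPLE_LOG):
        print(f"ALERT {reason}: {src} -> {dst}")
```

Two things the model makes explicit: the MAC match only stops accidental or sloppy cross-talk, since anyone already on the OOB segment can forge a NOC MAC, so the second sample line (a NOC IP arriving from the wrong hardware) is reported separately from plain cross-talk; and the LOG rule placed just before the final DROP is where the "99% of the intrusion detection" comes from, because on a network where nothing but the NOC should ever talk, any logged drop is worth a look.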