mailing list archives
Re: question on securing out-of-band management
From: Kevin <kkadow () gmail com>
Date: Fri, 3 Feb 2006 16:43:08 -0600
On 2/3/06, golovast <golovast () yandex ru> wrote:
A few words about the network. It is a environment where security
is of a highest priority, because customer data is handled
and a variety of regulations apply. Just like everyone else, we want
to make the network reliable, secure, scalable, etc. We have decided
to use out-of-band management for the perimeter servers. It will be done
over a dedicated Ethernet interface. Servers are mostly microsoft,
network gear is mostly cisco.
For Cisco, Unix, and even some Windows systems,
we primarily use serial console for OOB management and recovery,
but also some Ethernet.
Many higher end servers have a dedicated management NIC.
First, did anyone here ever try using USB ethernet adapters for
OOB in perimiter and high performance servers? A lot of servers
don't have extra NICs. Sticking in USB adapters would be a lot
easier, but I am still a bit hesitant. Internal NICs would be
preferable, but its a lot of manual labor and downtime. Any big
cons against using usb ethernet?
Interesting idea. One area of concern, the lack of positive retention
on the USB port/plug.
Second question is about security. How do you secure the oob management
network? It obviously has it's pros, but even still it's a good way to
bypass all other security layers. I was thinking about HIDS and locking
things down with ACLs and hardening servers.
When hardening servers, one big advantage to a dedicated management
network is that you can configure management services (SSH, RDP, etc)
with the listener only bound to the management interface and/or IP.
So even if the host or network firewall fails and passes TCP/22 traffic,
the server just isn't listening for that port anywhere but on the management
interface, and you're still protected.
Also, no ports on the floor
assigned to that network and a VPN access with two-factor authentication
into it. Am I leaving anything out? How are you guys doing it? What are
the other alternatives?
Strong authentication is a must.
Use a dedicated switch, with PVLAN edge (protected port) security,
unused switch ports are shutdown. Management subnet is not routed.
firewall-wizards mailing list
firewall-wizards () honor icsalabs com