Firewall Wizards mailing list archives
Re: General question, was: question on securing out-of-band management
From: "golovast" <golovast () yandex ru>
Date: Fri, 10 Feb 2006 22:30:36 +0300 (MSK)
I don't necessarily have fear of VPN bloat. I've seen it implemented successfully a number of times. I think if you do the work in the beginning and really spend the time building your policies and figuring out who needs access to what, then it will be a lot easier in the long run. The huge advantage that you get is the ability to control access policies in one place. Well, or at least closer to one place. Instead of putting access lists, rules, exceptions, etc. in many devices, I can place them in one. I see controlled and integrated security and I think it's a good thing. Also, we have to consider what type of an environment it is. I don't think it's necessarily the right solution for every place. Some people have customers they want to separate and some want to separate their network segments and want to get different things out of their management network. By the way, the VPN I am referring to is SSL VPN. No need to NAT. Client/Zones can never actually connect to an IP of the servers. Also, a big plus is that I don't need to push out a VPN client to every machine. Don't get me wrong. I am all in favor of keeping the network simple. Except that I think that the VPN actually makes it simpler. And more secure. Granted, it may be only an improvement over my current methods, but what's the alternative? An alternative that can realistically be implemented in a world where you're not building from scratch?
On 2/8/06, R. DuFresne <dufresne () sysinfo com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Be wary of VPN bloat, or VPN madness, whence you have so many VPN/VLAN zones, no one can remember which zone to get to which server set let alone the passwd for each. I think we presently have 20 or 25 such silly things for our "management network" (give or take 5-10, I quit counting). Thanks, Ron DuFresne
We have that mess here - times 4, at least - for the customer side of things! Am I wrong in believing that a simple network is a more secure network? That since we deal with a lot of customer VPN connections, rather than NATing them and building holes through all of the firewalls (3-4 depending) we'd be better off NATing them to a network, and giving the network the access required? Possibly figure out a way to PVLAN each customer tunnel so that they can't talk to each other, etc.?