[fw-wiz] question on securing out-of-band management



A few words about the network. It is an environment where security
is of the highest priority, because customer data is handled
and a variety of regulations apply. Just like everyone else, we want
to make the network reliable, secure, scalable, etc. We have decided
to use out-of-band management for the perimeter servers. It will be done
over a dedicated Ethernet interface. Servers are mostly Microsoft,
network gear is mostly Cisco.

I have two questions.
First, did anyone here ever try using USB Ethernet adapters for
OOB in perimeter and high-performance servers? A lot of servers
don't have extra NICs. Sticking in USB adapters would be a lot
easier, but I am still a bit hesitant. Internal NICs would be
preferable, but it's a lot of manual labor and downtime. Any big
cons against using USB Ethernet?

Second question is about security. How do you secure the OOB management
network? It obviously has its pros, but even still it's a good way to
bypass all other security layers. I was thinking about HIDS and locking
things down with ACLs and hardening servers. Also, no ports on the floor
assigned to that network, and VPN access with two-factor authentication
into it. Am I leaving anything out? How are you guys doing it? What are
the other alternatives?

I'll appreciate any replies. Thanks.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
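As an added example (not part of the original post or of any reply on the list), here is one way to implement the ACL lock-down the post describes on the Cisco side: the servers' dedicated management NICs sit on their own VLAN, 2FA-authenticated admins land on a separate admin VLAN behind the VPN concentrator, and the Layer 3 switch between them only routes the few protocols that are actually needed. VLAN numbers, addresses, the syslog/HIDS collector host and the protocol list are all assumptions chosen for illustration.

```cisco
! Added example, not from the original post. Addresses, VLAN numbers and
! names are assumptions.
!
! 10.255.0.0/24  OOB segment: the servers' dedicated management NICs
! 10.255.1.0/24  admin segment: the VPN concentrator hands 2FA-authenticated
!                admins an address here; no floor ports sit in either VLAN
! 10.255.1.10    syslog / HIDS collector on the admin segment
!
ip access-list extended ADMIN-TO-OOB
 remark Admins reach servers only on the protocols they actually need
 permit tcp 10.255.1.0 0.0.0.255 10.255.0.0 0.0.0.255 eq 3389
 permit tcp 10.255.1.0 0.0.0.255 10.255.0.0 0.0.0.255 eq 22
 permit icmp 10.255.1.0 0.0.0.255 10.255.0.0 0.0.0.255 echo
 remark Admins may also SSH to the switch itself on this SVI
 permit tcp 10.255.1.0 0.0.0.255 host 10.255.1.1 eq 22
 deny   ip any any log
!
ip access-list extended OOB-OUTBOUND
 remark Servers on the OOB segment may answer admin sessions and ship logs,
 remark nothing else: a management NIC must not become a path from a
 remark compromised server into the rest of the network.
 permit tcp 10.255.0.0 0.0.0.255 10.255.1.0 0.0.0.255 established
 permit icmp 10.255.0.0 0.0.0.255 10.255.1.0 0.0.0.255 echo-reply
 permit udp 10.255.0.0 0.0.0.255 host 10.255.1.10 eq 514
 deny   ip any any log
!
interface Vlan901
 description Admin segment (VPN landing zone)
 ip address 10.255.1.1 255.255.255.0
 ip access-group ADMIN-TO-OOB in
 no ip redirects
 no ip proxy-arp
!
interface Vlan900
 description OOB management segment (server management NICs)
 ip address 10.255.0.1 255.255.255.0
 ip access-group OOB-OUTBOUND in
 no ip redirects
 no ip proxy-arp
!
! The switch's own management plane listens to the admin segment only
ip access-list standard VTY-ADMIN
 permit 10.255.1.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class VTY-ADMIN in
 transport input ssh
```

Two caveats a practitioner would want. First, plain IOS ACLs are stateless: the `established` keyword only matches TCP segments with ACK or RST set, so it lets replies through but would not stop a crafted packet from a compromised server; if the budget allows, put a stateful firewall (or at least reflexive ACLs) between the OOB and admin segments instead. Second, the `log` keyword on every explicit deny is what turns the ACL into a detection control: ship those hits to the same collector the HIDS reports to, because any packet that trips a deny on a management VLAN with no floor ports is, by construction, something that should not be there.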