RE: [fw-wiz] question on securing out-of-band management
- From: "Paul Melson" <pmelson@xxxxxxxxx>
- Date: Fri, 3 Feb 2006 11:44:14 -0500
-----Original Message-----
Subject: [fw-wiz] question on securing out-of-band management
> A few words about the network. It is an environment where security is of the highest
> priority, because customer data is handled and a variety of regulations apply. Just like
> everyone else, we want to make the network reliable, secure, scalable, etc. We have decided
> to use out-of-band management for the perimeter servers. It will be done over a dedicated
> Ethernet interface. Servers are mostly Microsoft, network gear is mostly Cisco.
Tongue visibly protruding through cheek - Windows and Cisco, huh? Security
of the highest priority you say? :-)
> First, did anyone here ever try using USB Ethernet adapters for OOB in perimeter and high
> performance servers? A lot of servers don't have extra NICs. Sticking in USB adapters would
> be a lot easier, but I am still a bit hesitant. Internal NICs would be preferable, but it's a
> lot of manual labor and downtime. Any big cons against using USB Ethernet?
Well, I'd try and dissuade you from using Ethernet altogether for OOB
management. If the server is somehow compromised, the management network
becomes exposed. It has been my experience that more often than not the
management net is 'softer' than the external-facing net. If possible,
network KVM is a nice way to do OOB management for Windows servers. There's
a way on to the box, but no way off.
But if it's a lost cause and you have to use Ethernet, then the USB question
boils down to the reliability and performance of the individual product and
its drivers. I can tell you that I've got a USB Ethernet adapter on my TiVo
at home. No problems there. :-)
> Second question is about security. How do you secure the OOB management network? It
> obviously has its pros, but even still it's a good way to bypass all other security layers.
> I was thinking about HIDS and locking things down with ACLs and hardening servers. Also, no
> ports on the floor assigned to that network and a VPN access with two-factor authentication
> into it. Am I leaving anything out? How are you guys doing it? What are the other
> alternatives?
Hardening servers is good, but your big risk on a management net isn't so
much internal ppl getting onto it so VPN and 2-factor auth may be
misdirected effort. The real risk is the legacy NT4 server that gets owned
and then uses the management net as a means to attack the other servers
since you can connect to management services on those interfaces. So if
you've got current Cisco hardware, set up PVLANs. Anything you can do to
keep servers from talking to each other on that LAN and only talking to the
VLAN router port will definitely be worth the effort.
PaulM
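As an added illustration of the PVLAN setup PaulM recommends (not part of the original thread), the Catalyst IOS configuration below places each server's management NIC in an isolated secondary VLAN, so servers cannot exchange frames with one another and can only talk to the single promiscuous port facing the management router/firewall. VLAN numbers, interface names and descriptions are assumptions.

```cisco
! Added example: private VLANs for an Ethernet OOB management segment.
! Assumed: Catalyst IOS switch, VLANs 200/201 and the interface names below.
vtp mode transparent
!
! Primary VLAN carrying the management subnet
vlan 200
 name OOB-MGMT-PRIMARY
 private-vlan primary
 private-vlan association 201
!
! Isolated secondary VLAN: hosts here can only reach promiscuous ports
vlan 201
 name OOB-MGMT-ISOLATED
 private-vlan isolated
!
! One server management NIC per isolated host port (repeat per server)
interface GigabitEthernet1/0/1
 description srv01 OOB mgmt NIC
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description srv02 OOB mgmt NIC
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Promiscuous port: the management router/firewall, the only port
! an isolated host can exchange frames with
interface GigabitEthernet1/0/24
 description uplink to OOB management router/firewall
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
!
! Verify: host ports should show the 200/201 association as isolated
! show vlan private-vlan
! show interfaces GigabitEthernet1/0/1 switchport
```

PVLAN isolation is layer 2 only: the router or firewall on the promiscuous port still needs ACLs (and local proxy ARP disabled) so it does not forward traffic between isolated hosts on their behalf.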
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- References:
- [fw-wiz] question on securing out-of-band management
- From: golovast