RE: [fw-wiz] question on securing out-of-band management



-----Original Message-----
Subject: [fw-wiz] question on securing out-of-band management

> A few words about the network. It is an environment where security is of
> the highest priority, because customer data is handled and a variety of
> regulations apply. Just like everyone else, we want to make the network
> reliable, secure, scalable, etc. We have decided to use out-of-band
> management for the perimeter servers. It will be done over a dedicated
> Ethernet interface. Servers are mostly Microsoft, network gear is mostly
> Cisco.

Tongue visibly protruding through cheek - Windows and Cisco, huh? Security
of the highest priority you say? :-)


> First, did anyone here ever try using USB Ethernet adapters for OOB in
> perimeter and high performance servers? A lot of servers don't have extra
> NICs. Sticking in USB adapters would be a lot easier, but I am still a bit
> hesitant. Internal NICs would be preferable, but it's a lot of manual labor
> and downtime. Any big cons against using USB Ethernet?

Well, I'd try and dissuade you from using Ethernet altogether for OOB
management. If the server is somehow compromised, the management network
becomes exposed. It has been my experience that more often than not the
management net is 'softer' than the external-facing net. If possible,
network KVM is a nice way to do OOB management for Windows servers. There's
a way on to the box, but no way off.

But if it's a lost cause and you have to use Ethernet, then the USB question
boils down to the reliability and performance of the individual product and
its drivers. I can tell you that I've got a USB Ethernet adapter on my TiVo
at home. No problems there. :-)


> Second question is about security. How do you secure the OOB management
> network? It obviously has its pros, but even still it's a good way to
> bypass all other security layers. I was thinking about HIDS and locking
> things down with ACLs and hardening servers. Also, no ports on the floor
> assigned to that network and VPN access with two-factor authentication
> into it. Am I leaving anything out? How are you guys doing it? What are
> the other alternatives?

Hardening servers is good, but your big risk on a management net isn't so
much internal ppl getting onto it so VPN and 2-factor auth may be
misdirected effort. The real risk is the legacy NT4 server that gets owned
and then uses the management net as a means to attack the other servers
since you can connect to management services on those interfaces. So if
you've got current Cisco hardware, set up PVLANs. Anything you can do to
keep servers from talking to each other on that LAN and only talking to the
VLAN router port will definitely be worth the effort.

PaulM
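The PVLAN layout PaulM recommends (servers isolated from each other, able to reach only the VLAN router port), written out as an added Cisco IOS configuration example that is not part of the original thread. VLAN numbers, interface names and the 10.200.0.0/24 address are constructed placeholders; adjust them to the site, and note that older IOS requires VTP transparent mode before private VLANs can be defined.

```cisco
! Private VLANs need VTP transparent mode on older IOS (assumption: IOS
! switch; VLAN ids and interfaces below are placeholders).
vtp mode transparent
!
! Primary VLAN carries the management subnet; the isolated secondary VLAN
! holds the server OOB NICs. Isolated hosts cannot reach each other, only
! promiscuous ports.
vlan 200
 name OOB-MGMT-PRIMARY
 private-vlan primary
 private-vlan association 201
vlan 201
 name OOB-MGMT-ISOLATED
 private-vlan isolated
!
! Server OOB interfaces: host ports in the isolated VLAN. Each server can
! talk to the router port but not to the server on the next port, so a
! compromised legacy box cannot use this LAN to reach its neighbours.
interface range GigabitEthernet1/0/1 - 24
 description OOB server NICs
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
 spanning-tree portfast
!
! The VLAN router port (SVI here) is the single promiscuous endpoint that
! the isolated hosts are allowed to reach.
interface Vlan200
 description OOB management gateway
 ip address 10.200.0.1 255.255.255.0
 private-vlan mapping 201
!
! If the gateway is an external router instead of an SVI, map its uplink
! as a promiscuous port rather than using the SVI above.
interface GigabitEthernet1/0/48
 description uplink to OOB router
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
```

Verify with `show vlan private-vlan` (primary 200 should list 201 as isolated with the host ports attached) and `show interfaces GigabitEthernet1/0/1 switchport`, which should report the 200/201 host association; a ping between two server OOB addresses should fail while both still reach 10.200.0.1.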

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards