RE: [fw-wiz] question on securing out-of-band management
- From: "Brian Ford (brford)" <brford@xxxxxxxxx>
- Date: Fri, 3 Feb 2006 17:52:49 -0500
Golovast,
Great message!
In the future you may want to include your name in the message so that
those responding can get the salutation correct.
See in line:
-----Original Message-----
Date: Fri, 3 Feb 2006 11:38:45 +0300 (MSK)
From: "golovast" <golovast@xxxxxxxxx>
To: firewall-wizards@xxxxxxxxxxxxxxxxxx
Reply-To: golovast@xxxxxxxxx
Subject:
A few words about the network. It is an environment where security
is of the highest priority, because customer data is handled
and a variety of regulations apply. Just like everyone else, we want
to make the network reliable, secure, scalable, etc. We have decided
to use out-of-band management for the perimeter servers.
[BF] Excellent!
It will be done
over a dedicated Ethernet interface. Servers are mostly Microsoft,
network gear is mostly Cisco.
I have two questions.
First, did anyone here ever try using USB Ethernet adapters for
OOB in perimeter and high performance servers? A lot of servers
don't have extra NICs. Sticking in USB adapters would be a lot
easier, but I am still a bit hesitant. Internal NICs would be
preferable, but it's a lot of manual labor and downtime. Any big
cons against using USB Ethernet?
[BF] If the particular USB NICs that you get work with the server
hardware you've got, that's great! Silly point but I would suggest
using wired USB NICs (as opposed to wireless).
Second question is about security. How do you secure the OOB management
network?
[BF] Don't let anything else attach or pass over the OOB management
network. While this may sound simple, it's actually quite difficult
after prolonged use.
It obviously has its pros, but even still it's a good way to
bypass all other security layers. I was thinking about HIDS and locking
things down with ACLs and hardening servers. Also, no ports on the floor
assigned to that network and VPN access with two-factor authentication
into it. Am I leaving anything out?
[BF] I think you have it right. Make the OOB management network one
big flat network and only allow management traffic. Specify what
management traffic is on your network (Syslog, SNMP, Telnet, SSH,
etc.). If possible, in the data center use a separate switch on a
different UPS for the OOB segment. I would suggest not allowing VPN access
to the OOB management network (at least to start). If you go with the
big flat network you can deploy one IDS/IPS sensor set to alarm on
anything that is not a management protocol on that network or on device
adds and drops.
How are you guys doing it? What are
the other alternatives?
I'll appreciate any replies. Thanks.
Liberty for All,
Brian
Brian Ford (brford <at] cisco [dot> com)
Consulting Engineer
Cisco Systems, Inc.
http://www.cisco.com/go/security
The thoughts and opinions expressed in the message are those of the
author and not necessarily those of the author's employer.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
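One way to implement the allow-list alarm described in the reply above (only management protocols on the flat OOB segment, alert on device adds and drops), as an added example that is not part of this thread; the flow records, MAC inventory and hostnames are constructed, and the port numbers are the standard ones for the protocols named in the message:

```python
"""Allow-list monitor for an out-of-band (OOB) management segment.

Constructed example: flags any flow that is not one of the management
protocols named in the thread (Syslog, SNMP, Telnet, SSH) and reports
device adds/drops against an inventory of known management endpoints.
"""
from typing import Iterable, List, Tuple

# Management protocols permitted on the OOB segment: (L4 proto, dst port).
MGMT_ALLOWLIST = {
    ("udp", 514),   # Syslog
    ("udp", 161),   # SNMP get/set
    ("udp", 162),   # SNMP traps
    ("tcp", 23),    # Telnet (listed in the thread; SSH is preferable)
    ("tcp", 22),    # SSH
}

# Constructed inventory: MAC -> hostname of devices expected on the segment.
KNOWN_DEVICES = {
    "00:11:22:33:44:01": "fw-01-oob",
    "00:11:22:33:44:02": "core-sw-01-oob",
    "00:11:22:33:44:03": "web-01-oob",
}

# Constructed flow records seen by the sensor in one polling window:
# (src_mac, src_ip, dst_ip, proto, dst_port).
Flow = Tuple[str, str, str, str, int]
SAMPLE_FLOWS: List[Flow] = [
    ("00:11:22:33:44:03", "10.99.0.13", "10.99.0.5", "udp", 514),  # Syslog: ok
    ("00:11:22:33:44:01", "10.99.0.11", "10.99.0.5", "tcp", 22),   # SSH: ok
    ("00:11:22:33:44:03", "10.99.0.13", "10.99.0.5", "tcp", 445),  # SMB on OOB: alarm
    ("00:11:22:33:44:99", "10.99.0.77", "10.99.0.5", "tcp", 22),   # unknown MAC: alarm
]

def check_flows(flows: Iterable[Flow]) -> List[str]:
    """Return one alert string per policy violation in this window."""
    alerts: List[str] = []
    seen = set()
    for mac, src, dst, proto, port in flows:
        seen.add(mac)
        if (proto.lower(), port) not in MGMT_ALLOWLIST:
            alerts.append(f"non-management traffic {src}->{dst} {proto}/{port}")
        if mac not in KNOWN_DEVICES:
            alerts.append(f"device add: unknown {mac} ({src})")
    # Drops: inventoried devices that produced no traffic in this window.
    for mac, name in KNOWN_DEVICES.items():
        if mac not in seen:
            alerts.append(f"device drop: {name} ({mac}) silent this window")
    return alerts

if __name__ == "__main__":
    for line in check_flows(SAMPLE_FLOWS):
        print("ALERT:", line)
```

Against the constructed window this raises three alerts: the SMB flow, the unknown MAC, and the silent core switch.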