Re: [fw-wiz] question on securing out-of-band management



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


[SNIP]


I certainly see the risks with this approach and my perfect world preference would be to have separate management systems for the perimeter and internal networks.

I have two problems. First, is the cost of deploying two systems. Second, and probably more important, is the amount of resources that we have to look at these systems. In a way it's a compromise. I'd rather be aware of the areas of vulnerability and focus attention there, than spread the resources too thin across many areas.

Also, it won't be just the VLANs and firewall services. Possibly HIDS on the servers as well.

As far as the example that you describe below (pretty bad...=])), I am hoping to avoid the issue by requiring everyone (including server admins) to go through the VPN in order to manage the management servers. I can have pretty granular access control at the VPN box.

Still, you make a good point and it's something I've thought about extensively. Maybe I am missing some alternatives? What are my other options outside of having separate management systems for inside and perimeter?




Be wary of VPN bloat, or VPN madness, whence you have so many VPN/VLAN zones, no one can remember which zone to get to which server set, let alone the passwd for each. I think we presently have 20 or 25 such silly things for our "management network" (give or take 5-10, I quit counting).


Thanks,

Ron DuFresne
- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFD6sRAst+vzJSwZikRAp4JAJ0aJXilLITwBVgenXLZKu+6Kw9F5ACfWAcV
JEVVCp1LBKKyUgKG63elwc4=
=iS0N
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


