[fw-wiz] Re: General question, was: question on securing out-of-band management



I don't necessarily have fear of VPN bloat. I've seen it implemented successfully a number of times. I think if you do the work in the
beginning and really spend the time building your policies and
figuring out who needs access to what, then it will be a lot
easier in the long run.

The huge advantage that you get is the ability to control access policies in one place. Well, or at least closer to one place. Instead of putting access lists, rules, exceptions, etc in many devices, I can place them in one. I see controlled and integrated security and I think it▓s a good thing.

Also, we have to consider what type of an environment it is.
I don't think it▓s necessarily the right solution for every place. Some people have customers they want to separate and some want to separate
their network segments and want to get different things out of their management network.

By the way, the VPN I am referring to is SSL VPN. No need to NAT. Client/Zones can never actually connect to an IP of the servers. Also, a big plus is that I don't need to push out a VPN client to every machine.


Don't get me wrong. I am all in favor of keeping the network simple.
Except that I think that the VPN actually makes it simpler. And more secure. Granted, it maybe only an improvement over my current methods,
but what's the alternative? An alternative that can realistically be implemented in a world where you're not building from scratch?





On 2/8/06, R. DuFresne <dufresne@xxxxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----

Be wary of VPN bloat, or VPNmadness, whence you have so many VPN/VLAN
zones, no one can remember which zone to get to which server set let alone
the passwd for each. I think was presently have 20 or 25 such silly
things for our "management network" (give or take 5-10, I quit counting).


Thanks,

Ron DuFresne


We have that mess here - times 4, at least - for the customer side of things!

Am I wrong in believing that a simple network is a more secure
network? That since we deal with a lot of customer VPN connections,
rather than NATing them and building holes through all of the
firewalls (3-4 depending) we'd be better off NATing them to a network,
and giving the network the access required? Possibly figure out a way
to PVLAN each customer tunnel so that they can't talk to each other,
etc.?


--
Яндекс.Почта: объем почтового ящика не ограничен! http://mail.yandex.ru/monitoring/
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • Re: vpn hardware solution
    ... virtual machines so I have a couple more questions. ... If you do not have to be connected to the customer's own network there is normally no problem besides the cost of a separate connection. ... department installs their VPN link software. ...
    (comp.dcom.vpn)
  • Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
    ... This set of steps is redundant in many places, and it's also enormously expensive, since you're using no less than three different expensive bits of networking hardware (AP, PIX, VPN Concentrator), in addition to a bunch of x86 server hardware, windows server licenses, and at least one ISA license. ... Your computers necessarily don't have full access to your network infrastructure when they aren't logged on, so GPOs, software updates, etc can't be applied at the times you want them to be applied. ... Turning on, enabling, and implementing every possible security setting and device you think of is not defence in depth, and will probably only have two effects - your users won't use your wireless network, and you'll burn so much cash you won't have any left to spend on *useful* security measures. ...
    (Full-Disclosure)
  • TidBITS#792/15-Aug-05
    ... We also note the release of Security Update 2005-007, ... Macintosh FTP client, free for educational and charitable use. ... mentioned virtual private network (VPN) technologies. ...
    (comp.sys.mac.digest)
  • Re: vpn hardware solution
    ... industry. ... different network devices including computers, plcs, and remote IO ... network connection and set up a VPN for us. ... Perhaps we could provide our customer ...
    (comp.dcom.vpn)
  • RE: VPN Error 800
    ... The VPN client IP is 10.0.1.40, this is a private IP address. ... server IP address is 81.137.105.244, this is a Internet IP address. ... not test VPN connection from your perimeter network. ... SBS on your switch to make it work. ...
    (microsoft.public.windows.server.sbs)