[fw-wiz] Re: General question, was: question on securing out-of-band management

I don't necessarily have fear of VPN bloat. I've seen it implemented successfully a number of times. I think if you do the work in the
beginning and really spend the time building your policies and
figuring out who needs access to what, then it will be a lot
easier in the long run.

The huge advantage that you get is the ability to control access policies in one place. Well, or at least closer to one place. Instead of putting access lists, rules, exceptions, etc in many devices, I can place them in one. I see controlled and integrated security and I think it's a good thing.

Also, we have to consider what type of an environment it is.
I don't think it's necessarily the right solution for every place. Some people have customers they want to separate and some want to separate
their network segments and want to get different things out of their management network.

By the way, the VPN I am referring to is SSL VPN. No need to NAT. Client/Zones can never actually connect to an IP of the servers. Also, a big plus is that I don't need to push out a VPN client to every machine.

Don't get me wrong. I am all in favor of keeping the network simple.
Except that I think that the VPN actually makes it simpler. And more secure. Granted, it may be only an improvement over my current methods,
but what's the alternative? An alternative that can realistically be implemented in a world where you're not building from scratch?

On 2/8/06, R. DuFresne <dufresne@xxxxxxxxxxx> wrote:

Be wary of VPN bloat, or VPNmadness, whence you have so many VPN/VLAN
zones, no one can remember which zone to get to which server set let alone
the passwd for each. I think we presently have 20 or 25 such silly
things for our "management network" (give or take 5-10, I quit counting).


Ron DuFresne

We have that mess here - times 4, at least - for the customer side of things!

Am I wrong in believing that a simple network is a more secure
network? That since we deal with a lot of customer VPN connections,
rather than NATing them and building holes through all of the
firewalls (3-4 depending) we'd be better off NATing them to a network,
and giving the network the access required? Possibly figure out a way
to PVLAN each customer tunnel so that they can't talk to each other,

firewall-wizards mailing list