[unisog] unisog Digest, Vol 24, Issue 17

Jenkins, Matthew mjenkins7 at fairmontstate.edu
Mon Mar 20 01:27:00 GMT 2006


Adam and Kheeran, thanks for your replies.  We are currently using a separate VLAN for our management interfaces.  The VLAN has no route so unless something exists on the same VLAN and is addressed on the same subnet it cannot communicate with other management devices.  I presume from both of your posts that you recommend multihoming the administrator's workstations?  In the case of VPN, are you using a firewall as a server, or are you using a software VPN server such as Microsoft's RAS or an open-source VPN server?  Thanks for your suggestions,
 
Matt

________________________________

From: unisog-bounces at lists.sans.org on behalf of Kheeran Dharmawardena
Sent: Sun 3/19/2006 7:35 AM
To: unisog at lists.sans.org
Subject: Re: [unisog] unisog Digest, Vol 24, Issue 17



Hi Matthew,

"Jenkins, Matthew" <mjenkins7 at fairmontstate.edu> wrote:

> Message: 1
> Date: Sat, 18 Mar 2006 15:35:51 -0500
> From: "Jenkins, Matthew" <mjenkins7 at fairmontstate.edu>
> Subject: [unisog] Secure Cisco device management
> To: <unisog at lists.sans.org>
> Message-ID:
>       <D2CB4985C212054DAA225C7B9E21C57BA387EA at PVIEX101.fairmontstate.edu>
> Content-Type: text/plain;     charset="iso-8859-1"
>
> I am looking to get some thoughts on locking down our management vlan where our Cisco gear (and other management devices) sit.  We have thrown around the idea of a VPN solution so that we can access devices from other networks other than where our administrator's workstations sit.  Does anyone have any suggestions for locking down a management network, and what kind of access into the network you would recommend (i.e. multihomed workstations/servers, vpn solution, etc.)?  Thanks for your suggestions,
>  

We use the following combination for our security:
1. Administrators' workstation network is allowed access to the
management network.
2. Connections via the VPN are allowed access.
3. The NMS servers are allowed access to the management network and
administrators are allowed to log in to the NMS systems from elsewhere.
4. Connections from anywhere else have been blocked to the management
network.

This combination has given our staff sufficient flexibility to perform
their work effectively while also providing a good level of security
against unwanted access.

Cheers
Kheeran

--
Kheeran Dharmawardena                       Tel: +61 3 9905 4729
Operations Manager                          Fax: +61 3 9905 9888
Network Infrastructure Services
Monash University Victoria 3800 Australia

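Kheeran's four rules, written out as a Cisco IOS configuration. This is an added example for the thread, not a configuration taken from either poster's network. Every address, ACL name and interface number is an assumption chosen for illustration: 10.10.0.0/24 is the management VLAN, 10.20.0.0/24 the administrators' workstation network, 10.30.0.0/24 the pool handed to VPN clients, and 10.40.0.10-11 the NMS servers. It also assumes the management VLAN is routed (unlike Matt's unrouted VLAN), with the filter applied at its gateway; the vty access-class on each managed device is a second layer that keeps holding if the gateway filter is ever bypassed or misconfigured.

```cisco
! Added example, not from the original thread. All addresses are assumed:
!   10.10.0.0/24     management VLAN (Cisco gear and other managed devices)
!   10.20.0.0/24     administrators' workstation network     (rule 1)
!   10.30.0.0/24     address pool handed out to VPN clients  (rule 2)
!   10.40.0.10/.11   NMS servers                              (rule 3)
!   everything else  denied and logged                        (rule 4)
!
! --- On the gateway router/L3 switch for the management VLAN ---
ip access-list extended TO-MGMT-VLAN
 remark rule 1: administrator workstations (SSH and HTTPS only)
 permit tcp 10.20.0.0 0.0.0.255 10.10.0.0 0.0.0.255 eq 22
 permit tcp 10.20.0.0 0.0.0.255 10.10.0.0 0.0.0.255 eq 443
 remark rule 2: VPN client pool, same services
 permit tcp 10.30.0.0 0.0.0.255 10.10.0.0 0.0.0.255 eq 22
 permit tcp 10.30.0.0 0.0.0.255 10.10.0.0 0.0.0.255 eq 443
 remark rule 3: NMS servers poll SNMP and may open SSH for config backup
 permit udp host 10.40.0.10 10.10.0.0 0.0.0.255 eq snmp
 permit udp host 10.40.0.11 10.10.0.0 0.0.0.255 eq snmp
 permit tcp host 10.40.0.10 10.10.0.0 0.0.0.255 eq 22
 permit tcp host 10.40.0.11 10.10.0.0 0.0.0.255 eq 22
 remark rule 4: nothing else reaches the management VLAN; log attempts
 deny   ip any 10.10.0.0 0.0.0.255 log
!
interface Vlan10
 description Management VLAN gateway (assumed interface)
 ip address 10.10.0.1 255.255.255.0
 ! "out" filters traffic being routed INTO the VLAN; replies, SNMP traps
 ! and syslog leaving the VLAN go the other direction and are not filtered
 ip access-group TO-MGMT-VLAN out
!
! --- On every managed device inside the management VLAN ---
! Second layer: only the same three source groups may open a vty session,
! and only over SSH, even if the gateway ACL is bypassed.
ip access-list standard MGMT-SOURCES
 permit 10.20.0.0 0.0.0.255
 permit 10.30.0.0 0.0.0.255
 permit host 10.40.0.10
 permit host 10.40.0.11
 deny   any log
!
line vty 0 4
 access-class MGMT-SOURCES in
 transport input ssh
 exec-timeout 10 0
!
! Restrict SNMP to the NMS hosts as well (community string is a placeholder)
snmp-server community REPLACE-ME RO MGMT-SOURCES
```

The `log` keywords on both deny lines are what turn the policy into a detection: a hit from any source outside the three allowed groups is a misconfiguration or a probe and should show up in the syslog the NMS already collects. Adjust the service ports to whatever the management hosts actually use; the point of the gateway ACL is that the fourth rule is an explicit deny on the destination subnet rather than relying on the absence of a route.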

_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog


