[unisog] unisog Digest, Vol 24, Issue 17

Stasiniewicz, Adam stasinia at msoe.edu
Mon Mar 20 17:15:04 GMT 2006


Multihoming is an option.  Another option would be to dedicate some desktop computers that exist solely on the management network.  Yet another would be you can also configure the router to:

Allow:
Admin desktop net <=> Management Net
Admin desktop net <=> Regular network

Deny:
Management Net <=> Regular Net


As for VPNs, RRAS is kind of a pain to use here (since you need a full Server license and a full blown box).  I would go with one of those wonderfully tiny VPN appliances.  Cisco, Linksys, Netgear, SonicWall, and WatchGuard (to name a few) make these small form-factor appliances.  Granted they don't have much CPU power, but you really don't need much to transmit a telnet session.

Regards,
Adam Stasiniewicz 
MCSE: Messaging & Security 2003 
________________________________________
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org] On Behalf Of Jenkins, Matthew
Sent: Sunday, March 19, 2006 7:27 PM
To: UNIversity Security Operations Group
Subject: RE: [unisog] unisog Digest, Vol 24, Issue 17

Adam and Kheeran, thanks for your replies.  We are currently using a separate VLAN for our management interfaces.  The VLAN has no route so unless something exists on the same VLAN and is addressed on the same subnet it cannot communicate with other management devices.  I presume from both of your posts that you recommend multihoming the administrator's workstations?  In the case of VPN, are you using a firewall as a server, or are you using a software VPN server such as Microsoft's RAS or an open-source VPN server?  Thanks for your suggestions,
 
Matt

________________________________________
From: unisog-bounces at lists.sans.org on behalf of Kheeran Dharmawardena
Sent: Sun 3/19/2006 7:35 AM
To: unisog at lists.sans.org
Subject: Re: [unisog] unisog Digest, Vol 24, Issue 17
Hi Matthew,

"Jenkins, Matthew" <mjenkins7 at fairmontstate.edu> wrote:

> Message: 1
> Date: Sat, 18 Mar 2006 15:35:51 -0500
> From: "Jenkins, Matthew" <mjenkins7 at fairmontstate.edu>
> Subject: [unisog] Secure Cisco device management
> To: <unisog at lists.sans.org>
> Message-ID:
>       <D2CB4985C212054DAA225C7B9E21C57BA387EA at PVIEX101.fairmontstate.edu>
> Content-Type: text/plain;     charset="iso-8859-1"
>
> I am looking to get some thoughts on locking down our management VLAN where our Cisco gear (and other management devices) sit.  We have thrown around the idea of a VPN solution so that we can access devices from networks other than where our administrators' workstations sit.  Does anyone have any suggestions for locking down a management network, and what kind of access into the network you would recommend (i.e. multihomed workstations/servers, VPN solution, etc.)?  Thanks for your suggestions,
>  

We use the following combination for our security:
1. The administrators' workstation network is allowed access to the
management network.
2. Connections via the VPN are allowed access.
3. The NMS servers are allowed access to the management network, and
administrators are allowed to log in to the NMS systems from elsewhere.
4. Connections from anywhere else have been blocked to the management
network.

This combination has given our staff sufficient flexibility to perform
their work effectively while also providing a good level of security
against unwanted access.

Cheers
Kheeran

--
Kheeran Dharmawardena                       Tel: +61 3 9905 4729
Operations Manager                          Fax: +61 3 9905 9888
Network Infrastructure Services
Monash University Victoria 3800 Australia
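The allow/deny matrix Adam sketches and Kheeran's four-point policy, written out as Cisco IOS ACLs on the management VLAN's routed interface plus a VTY access-class on the managed devices. This is an added example, not configuration posted by anyone in the thread; the subnets (10.10.0.0/24 admin desktops, 10.20.0.0/24 management, 10.30.0.0/24 NMS, 10.40.0.0/24 VPN pool), the VLAN number and the ACL names are assumed placeholders, and it admits SSH rather than the telnet the thread mentions.

```cisco
! Added example, not configuration from the thread. All addresses, VLAN and
! ACL names are assumed placeholders:
!   10.10.0.0/24 admin desktops   10.20.0.0/24 management VLAN (Vlan20)
!   10.30.0.0/24 NMS servers      10.40.0.0/24 VPN client pool
!
! Traffic INTO the management net: only the three trusted sources, SSH only
! (plus SNMP from the NMS); everything else is dropped and logged.
ip access-list extended TO-MGMT-NET
 remark 1. administrators' desktop network
 permit tcp 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 22
 remark 2. VPN client address pool
 permit tcp 10.40.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 22
 remark 3. NMS servers: SSH for config pulls, SNMP for polling
 permit tcp 10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 22
 permit udp 10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq snmp
 remark 4. everything else (the "regular" network included) is blocked
 deny   ip any any log
!
! Traffic OUT OF the management net: replies to the sessions above, plus
! syslog and SNMP traps to the NMS. 'established' is stateless (it only
! matches packets with ACK or RST set), so it approximates a firewall state table.
ip access-list extended FROM-MGMT-NET
 permit tcp 10.20.0.0 0.0.0.255 10.10.0.0 0.0.0.255 established
 permit tcp 10.20.0.0 0.0.0.255 10.40.0.0 0.0.0.255 established
 permit tcp 10.20.0.0 0.0.0.255 10.30.0.0 0.0.0.255 established
 permit udp 10.20.0.0 0.0.0.255 10.30.0.0 0.0.0.255 eq syslog
 permit udp 10.20.0.0 0.0.0.255 10.30.0.0 0.0.0.255 eq snmptrap
 deny   ip any any log
!
! On the L3 switch/router, the SVI for the management VLAN. "out" filters
! packets the router forwards INTO the VLAN, "in" filters packets it receives
! FROM the VLAN. Admin net <=> regular net needs no rule; it routes as before.
interface Vlan20
 description Management VLAN
 ip address 10.20.0.1 255.255.255.0
 ip access-group TO-MGMT-NET out
 ip access-group FROM-MGMT-NET in
!
! Defence in depth on each managed device: even a host that reaches the VLAN
! must also come from a trusted source net, and only over SSH.
ip access-list standard MGMT-HOSTS
 permit 10.10.0.0 0.0.0.255
 permit 10.30.0.0 0.0.0.255
 permit 10.40.0.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

On hardware-forwarding platforms the `log` keyword punts matching packets to the CPU, so keep it on the deny lines only and watch the rate if the regular network is busy.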


_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog



More information about the unisog mailing list