Hari:
Consider one of the following approaches:
1. Use VLANs to separate the management traffic from the Internet traffic
a. VLAN1 for management
b. VLAN2 for Internet traffic
2. Manage your external switches via their console ports, by connecting them
to a trusted Linux | Unix box's serial ports, in the management VLAN. You would
then access your external switches, indirectly, via the Linux | Unix boxes
parked in the management VLAN.
Also, if possible, enable SSHv2 on those external switches, to further enhance
security.
Regards,
Dean Davis, CISSP,RHCE,CCSP,MCSE,MCDBA,CCNA,Linux+
Sr. Network Engineer
MBG Expense Management, LLC
https://www.mbg-inc.com
-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com]On Behalf Of Hari Sekhon
Sent: Tuesday, May 29, 2007 4:57 AM
To: security-basics@securityfocus.com
Subject: Managed switches outside firewalls?
Hi,
I need to get some new switches outside of my firewalls, which means
that they will have publicly accessible IPs if they are manageable switches.
I'm not quite sure what security stance to take on this. I know I can
restrict the management interface to certain IPs, but I'm still not
sure if this is asking for trouble to have switches will accessible IPs.
Perhaps I should use a dumb switch and forgo any management features...
Do any of you guys have policies for this (like unmanaged switches
outside firewalls and managed ones inside)?
Any thoughts and suggestions welcome.
-h
--
Hari Sekhon
--
This message has been scanned for viruses and
dangerous content and is believed to be clean.
