Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Managed switches outside firewalls?

from [Ansgar -59cobalt- Wiechers] Network Security [Permanent Link]
Subject: Re: Managed switches outside firewalls?
Date: Tue, 29 May 2007 18:15:55 +0200 
On 2007-05-29 Hari Sekhon wrote:

  I need to get some new switches outside of my firewalls, which means 
that they will have publicly accessible IPs if they are manageable
switches.

I'm not quite sure what security stance to take on this. I know I can
restrict the management interface to  certain IPs,  but I'm still not
sure if this is asking for trouble to have switches will accessible
IPs. Perhaps I should use a dumb switch and forgo any management
features...

Do any of you guys have policies for this (like unmanaged switches
outside firewalls and managed ones inside)?


If you don't need switch management for the outside switches: go for
unmanaged ones. Cheaper, disposable, and a lot less headaches for you.

If you need management on the switches, I'd go for devices that have a
serial console (or at least an SSH server that allows for public key
authentication), and restrict access to this access method only.
Furthermore I'd allow access to those switches only from a single
(hardened) host inside your network. Maybe even put that host into a
separate (management) network segment.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Private IP address with yahoo messenger, neo anderson
Next by Date:  Security engineering services business practices & models, everette . denney
Previous by Thread:  RE: Managed switches outside firewalls?, Dedric Ramsey
Next by Thread:  Re: Managed switches outside firewalls?, Hari Sekhon
Indexes:  [Date] [Thread] [Top] [All Lists]