Some of the managed switches I have worked with make it possible to turn
off management of the switch on certain ports. So if you have your
router connected to a certain port you can turn off management of that
switch for all ports but the one that comes from inside your network.
Or if you have a internet drop in one of the ports make sure to disable
management from that port and allow it from others. That is how a few
of our public IP managed switches are setup and has been successful so
far.
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of ragdelaed
Sent: Wednesday, May 30, 2007 1:56 PM
To: 'Hari Sekhon'; security-basics@securityfocus.com
Subject: RE: Managed switches outside firewalls?
Sorry if this was already posted, but why do you want to do this? Or
what is the business justification for doing this?
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Hari Sekhon
Sent: Tuesday, May 29, 2007 4:57 AM
To: security-basics@securityfocus.com
Subject: Managed switches outside firewalls?
Hi,
I need to get some new switches outside of my firewalls, which means
that they will have publicly accessible IPs if they are manageable
switches.
I'm not quite sure what security stance to take on this. I know I can
restrict the management interface to certain IPs, but I'm still not
sure if this is asking for trouble to have switches will accessible IPs.
Perhaps I should use a dumb switch and forgo any management features...
Do any of you guys have policies for this (like unmanaged switches
outside firewalls and managed ones inside)?
Any thoughts and suggestions welcome.
-h
--
Hari Sekhon
