
I am looking at setting up a management VLAN, on which I will put all the management interfaces for my various networkable devices (firewall mgmt interfaces, server RAC, WAP mgmt interfaces, etc.).

What are the best practices when it comes to accessing that mgmt VLAN? For example, as the IT administrator, my workstation is only on the business network. But if I need to access the firewall through the mgmt interface, should I have a second NIC that I use exclusively for the mgmt network? Or should I write ACLs that allow only certain IPs (my workstation) to access the mgmt network?

Josh Brower

1 Answer


One way I've seen this set up, which seemed like a reasonable approach, was to allow access from a single host to the management LAN and then have anyone needing access connect to that device via RDP or SSH, and from there on to the management network.

An advantage of this approach is that you reduce visibility of the management network in terms of scanning, but you're not tied down to accessing it from specific hosts as you would be with a multiple-NIC solution.

Another advantage is that it should allow for easier auditing of what actions are taken on devices in the management LAN, by auditing activity on the gateway host.

Of course securing that host becomes very important, both in terms of authenticating the admins connecting to it and auditing activity.

Rory McCune
  • What do you mean by "you reduce visibility of the management network in terms of scanning"? A simple pivot (at any layer) could provide scanning as far as I understand it. I think it's best to put all devices in a secure cloud (on public IPs) and manage them over Web Services with SSL/TLS, or perhaps RDP, SSH, or OpenVPN depending on the use cases (but less likely these days). – atdre Nov 18 '10 at 20:38
  • This can also help provide some defense in depth, as you can restrict access to the network via the management endpoint. – AviD Nov 21 '10 at 11:15
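A concrete version of the single-gateway-host ACL the answer describes, as an added example that is not part of the original answer: an nftables ruleset for a Linux router sitting between the business VLAN and the management VLAN. Only the jump host may open sessions into the management VLAN, management devices may not initiate connections outward, and every other attempt is logged before being dropped so it shows up in monitoring. The interface names, subnets, jump-host address and allowed ports are assumptions constructed for this example.

```nft
#!/usr/sbin/nft -f
# Assumed layout (constructed for this example, not from the original post):
#   business VLAN   10.10.0.0/24 on eth0.10  - admin workstations live here
#   management VLAN 10.99.0.0/24 on eth0.99  - firewall, RAC, WAP mgmt interfaces
#   jump host       10.10.0.50               - the single host allowed into mgmt
define business_vlan = "eth0.10"
define mgmt_vlan     = "eth0.99"
define mgmt_net      = 10.99.0.0/24
define jump_host     = 10.10.0.50
define mgmt_ports    = { 22, 443, 3389 }   # SSH, HTTPS, RDP to the devices

table inet mgmt_gate {
    chain forward {
        # default deny between VLANs; every accept below is explicit
        type filter hook forward priority filter; policy drop;

        # replies from management devices to sessions already allowed
        ct state established,related accept

        # only the jump host may open new sessions into the management VLAN,
        # and only on the admin protocols the devices actually expose
        iifname $business_vlan oifname $mgmt_vlan ip saddr $jump_host ip daddr $mgmt_net tcp dport $mgmt_ports ct state new accept

        # management devices should never initiate traffic out of their VLAN;
        # if one does, that is worth an alert, so log it before dropping
        iifname $mgmt_vlan ct state new log prefix "mgmt-egress-attempt: " drop

        # any other host (a workstation, a compromised server) trying to reach
        # the management VLAN directly is logged and dropped
        oifname $mgmt_vlan log prefix "mgmt-acl-denied: " drop
    }
}
```

Load it with `nft -f` on the router; the two log prefixes give the gateway-side audit trail the answer mentions, complementing the SSH/RDP session logs kept on the jump host itself.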