
I was after a little bit of advice regarding Network Management.

Users will enter the network and hit a remote desktop server. On from this, they will pass through firewalls to the core switch. When they hit the core switch they are heading to a Network Management Server. This has dual NICs. One of these NICs is in the management VLAN, the other is in the server/user VLAN.

My question would be: when accessing this management server, should it be directly to the management NIC on the management VLAN? Would it in turn be better to have the management VLAN completely locked down with a deny any on both in and out, allowing the management VLAN to get to all devices on the management VLAN, but nothing to enter or leave the VLAN? So in order to get to the management VLAN, you have to access the management server. Is it particularly good practice to access it via the production network, in order to ensure the management VLAN remains locked down? Once at the NMS, access is to all management devices, so I am unsure as to the best practice. The NMS will be running software like SolarWinds that needs access to the production network.

Mrtn
Adie
  • What workstations do your administrators use to do the management? Do they have regular workstations, like any other user? Or are there dedicated management workstations? – paj28 Jul 30 '15 at 08:36
  • They are dedicated workstations. The guys coming into the RDS will be from the helpdesk support team. – Adie Jul 30 '15 at 09:37
  • In that case, I'd do exactly what you suggest - keep the management network to itself. Allow connections from management to production (e.g. to push changes) but not the other way. – paj28 Jul 30 '15 at 12:07
  • Please in your 1st §, replace "Users" by their real function: end users (I guess not), network admins, help desk… – dan Jul 30 '15 at 12:12

1 Answer


There are generally two reasons to have a management VLAN:

  1. To provide security and control for management interfaces
  2. To provide a redundant way to access critical systems so if the core network has problems there is another way to access management interfaces in order to restore services

I would usually recommend that the management network be on a completely separate set of network hardware and connections - if you rely on your core network to connect to management interfaces and it goes down then you lose all access.

As for whether to allow access from the wider network or limit access to a specific set of gateways, there's no right or wrong answer; it depends on your security goals and setup. If your support staff have fixed IP addresses or exist within specific IP subnets or ranges then you could allow access to the management network from those IPs. This is fine as long as you have strong authentication and authorization in place, and do not have a requirement to limit access on a ticketing basis. If your administrators are all over the place IP-wise or you have a requirement to limit access only when there's a change request then you would need to limit access to a specific set of gateways. Many organizations do both: they allow access from permitted ranges and also have gateway hosts for out-of-band management and roaming users.

GdD
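The policy the answer and the comments describe (the management VLAN may initiate connections to production, production may not initiate into management, and the only hosts allowed to open sessions into management are a permitted admin range plus a gateway host) can be written as an nftables ruleset for a Linux firewall routing between the two VLANs. This is an added example, not part of the question or the answer; the interface names, addresses, set names and ports are constructed assumptions standing in for whatever the real network uses.

```nft
# Constructed example: a stateful inter-VLAN filter for the design discussed
# above. Interface names and addresses are assumptions, not from the thread.
#   vlan99 / 10.99.0.0/24  management VLAN (NMS management NIC lives here)
#   vlan10 / 10.10.0.0/24  server/user VLAN (NMS production NIC, RDS host)
#   10.50.0.0/24           dedicated admin workstations (permitted range)
#   10.10.0.20             RDS jump host used by the helpdesk team
table inet mgmt_filter {
    set admin_workstations {
        type ipv4_addr
        flags interval
        elements = { 10.50.0.0/24 }
    }

    set jump_hosts {
        type ipv4_addr
        elements = { 10.10.0.20 }
    }

    chain forward {
        # Default deny for everything routed between VLANs.
        type filter hook forward priority 0; policy drop;

        # Replies to sessions already allowed below. Because conntrack is
        # stateful, this also covers UDP replies (SNMP polling, syslog, NTP)
        # that a TCP-only "established" ACL would miss.
        ct state established,related accept
        ct state invalid drop

        # Management may initiate to production: NMS polling, config pushes.
        iifname "vlan99" oifname "vlan10" accept

        # Into management only from the permitted admin range ...
        iifname "vlan10" oifname "vlan99" ip saddr @admin_workstations accept

        # ... or from the gateway host, and then only to admin services.
        iifname "vlan10" oifname "vlan99" ip saddr @jump_hosts \
            tcp dport { 22, 443, 3389 } accept

        # Anything else trying to reach the management VLAN is logged, then
        # dropped by the chain policy. The log line is what you alert on.
        oifname "vlan99" log prefix "mgmt-denied: " level info
    }
}
```

Load it with `nft -f <file>` and verify with `nft list ruleset`. Two points worth checking against this design: the dual-NIC NMS is itself a path between the two VLANs that this firewall never sees, so IP forwarding must stay disabled on it and its own host firewall should mirror the same inbound rules on the management NIC; and the `mgmt-denied` log prefix gives you a cheap detection signal, since any production host other than the admin range or the jump host appearing in those lines is either a misconfiguration or something probing the management VLAN.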