As we are all concerned about security and don't like unnecessary work, there usually is some kind of SSH service on all the machines, which means just one more open port to be attacked.
The idea: Add another network interface to each box in the DMZ and put them into a private IP network. Use this network for administration purposes only.
[snip]
Would this setup provide any benefit regarding security, provided that there is proper configuration?
Yes, of course it would, since you're separating the path of administrative access from the more or less public production infrastructure physically. Physical separation is always more secure than logical separation, by the very principle. In fact, I often recommend this type of architecture, though it is often too late and many shops find it too cumbersome to not be able to perform system administration from their desktop in the private LAN. The sysadmin network is the logical place to put syslog, backup, NTP and other servers as well, which serve your DMZ machines but needn't (and shouldn't) be accessible to others. You achieve even more security by employing point-to-point links between the DMZ machines and those in the management network. Since this becomes impractical quickly if performed based on physical distinction, I often recommend the use of end-to-end IPsec within the management network. NB: The sysadmin network must not be connected to the internal network.
Tobias
Hello Tobias, thanks for your reply. You advised me not to connect the administrative network to the normal LAN. I understand that there is a security risk, but this was what I actually wanted to do. The idea was that I wanted to administer the computers from my desktop without interference with the production traffic.
> You achieve even more security by employing point-to-point links between the DMZ machines and those in the management network. Since this becomes impractical quickly if performed based on physical distinction, I often recommend the use of end-to-end IPsec within the management network.
Sorry, but I can't understand this. What do you mean by it?
Greetings, Stefan
On Tuesday 05 February 2002 09:23, Stefan Nauber wrote:
> thanks for your reply. You advised me not to connect the administrative network to the normal LAN. I understand that there is a security risk, but this was what I actually wanted to do. The idea was that I wanted to administer the computers from my desktop without interference with the production traffic.
Personally I think it's a good idea, and D-Link made some 4-port 100BaseT cards which were very useful for this sort of purpose. This kind of backend network should also use an Ethernet switch if at all possible; they cost little more than hubs, and reduce eavesdropping possibilities even further. Furthermore, using 4-port cards additionally allows things like web servers to communicate with backend databases or file servers using a separate server network, at little extra cost (and co-located rackspace is cheaper without IP address or traffic allocation). The hosts in the DMZ should not route packets between the networks, and should only permit admin access through the admin host 'bastion' on that network, and the administration network should not be trusted by that admin host; packet filtering should be in place. Any probing causing packets to be dropped in that admin network should trigger some immediate and heavy attention.
Rob
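The following is an added example, not code from anyone in this thread. It turns the two recommendations above into a concrete per-host policy for a DMZ machine with a second NIC: Tobias's point that administrative services are reachable only on the management side, and Rob's points that the host must not route between the two networks, that SSH is accepted only from the admin bastion, and that any other traffic arriving on the admin interface is dropped and flagged. Interface names (eth0/eth1), the 10.10.0.0/24 management network, the 10.10.0.1 bastion and the sample kernel log lines are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class HostPolicy:
    """Addresses of one DMZ host. Every value here is a constructed assumption."""
    public_if: str = "eth0"          # NIC facing the DMZ / production traffic
    mgmt_if: str = "eth1"            # second NIC on the private admin network
    mgmt_addr: str = "10.10.0.5"     # this host's address on the admin network
    mgmt_net: str = "10.10.0.0/24"   # hypothetical admin network
    bastion: str = "10.10.0.1"       # hypothetical admin host, the only allowed SSH source
    public_ports: tuple = (80, 443)  # production services offered on the public side

LOG_PREFIX = "ADMIN-PROBE: "

def nft_ruleset(p: HostPolicy) -> str:
    """Render an nftables ruleset: default deny on input, no forwarding at all
    (the host never routes between DMZ and admin network), SSH only from the
    bastion via the admin NIC, and everything else on the admin NIC logged + dropped."""
    ports = ", ".join(str(x) for x in p.public_ports)
    lines = [
        "table inet dmzhost {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        f"    iif {p.public_if} tcp dport {{ {ports} }} accept",
        f"    iif {p.mgmt_if} ip saddr {p.bastion} tcp dport 22 accept",
        f'    iif {p.mgmt_if} log prefix "{LOG_PREFIX}" drop',
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"

def sshd_listen_config(p: HostPolicy) -> str:
    """sshd_config fragment binding the daemon to the management address only,
    so the SSH port does not even exist on the public side."""
    return f"ListenAddress {p.mgmt_addr}\n"

def sysctl_settings() -> dict:
    """Kernel knobs complementing the forward-chain drop: never forward IPv4 or IPv6."""
    return {"net.ipv4.ip_forward": 0, "net.ipv6.conf.all.forwarding": 0}

# Matches the netfilter log format emitted by the 'log prefix' rule above.
PROBE_RE = re.compile(
    re.escape(LOG_PREFIX)
    + r".*?\bIN=(?P<iif>\S+).*?\bSRC=(?P<src>\S+).*?\bPROTO=(?P<proto>\S+)"
    + r"(?:.*?\bDPT=(?P<dpt>\d+))?"
)

def probe_alerts(log_lines, p: HostPolicy):
    """Return one alert per dropped packet seen on the admin NIC. Per Rob's advice,
    any hit here deserves immediate attention; nothing legitimate should be dropped there."""
    alerts = []
    for line in log_lines:
        m = PROBE_RE.search(line)
        if not m or m.group("iif") != p.mgmt_if:
            continue
        alerts.append({"src": m.group("src"), "proto": m.group("proto"), "dpt": m.group("dpt")})
    return alerts

# Constructed sample syslog lines: two drops on the admin NIC and one normal login.
SAMPLE_LOG = [
    "Feb  5 09:23:01 www1 kernel: ADMIN-PROBE: IN=eth1 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.10.0.77 DST=10.10.0.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40112 DPT=22 "
    "WINDOW=64240 RES=0x00 SYN URGP=0",
    "Feb  5 09:23:02 www1 kernel: ADMIN-PROBE: IN=eth1 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.10.0.77 DST=10.10.0.5 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=12346 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1",
    "Feb  5 09:23:03 www1 sshd[1234]: Accepted publickey for admin from 10.10.0.1 port 51022 ssh2",
]

if __name__ == "__main__":
    policy = HostPolicy()
    print(nft_ruleset(policy))
    print(sshd_listen_config(policy))
    for a in probe_alerts(SAMPLE_LOG, policy):
        print("ALERT: unexpected traffic on admin NIC:", a)
```

The ruleset is deliberately asymmetric: the public NIC admits only the production ports, the admin NIC admits only the bastion on port 22, and the forward chain has no accept rules at all, which is what "should not route packets between the networks" means in practice. Because the admin network carries nothing but known administrative traffic, the log rule on that interface produces a near-zero-noise signal, so every alert it raises is worth a human looking at it.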
Participants (3): Reckhard, Tobias; Robert Davies; Stefan Nauber