Re: Managed switches outside firewalls?

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2007-05-29 Hari Sekhon wrote:
>   I need to get some new switches outside of my firewalls, which means 
> that they will have publicly accessible IPs if they are manageable
> switches.
>
> I'm not quite sure what security stance to take on this. I know I can
> restrict the management interface to  certain IPs,  but I'm still not
> sure if this is asking for trouble to have switches will accessible
> IPs. Perhaps I should use a dumb switch and forgo any management
> features...
>
> Do any of you guys have policies for this (like unmanaged switches
> outside firewalls and managed ones inside)?

If you don't need switch management for the outside switches: go for
unmanaged ones. Cheaper, disposable, and a lot less headaches for you.

If you need management on the switches, I'd go for devices that have a
serial console (or at least an SSH server that allows for public key
authentication), and restrict access to this access method only.
Furthermore I'd allow access to those switches only from a single
(hardened) host inside your network. Maybe even put that host into a
separate (management) network segment.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq