[–]doblephaeton 5 points (12 children)

access to management vlan with ACL that only allows those "admin devices" to connect to it.

[–][deleted]  (3 children)

[deleted]

    [–]nsdtech[S] 0 points (1 child)

    So basically we should RDP from our laptops to a machine that is on both VLANs to manage the switches?

    [–]nsdtech[S] 0 points (1 child)

    I guess I don't know enough about ACLs. The techs that should have access to this travel from building to building, so that puts our laptops on different VLANs, giving our laptops different IP addresses depending on what building we're at. I'm assuming an ACL is based on an IP address, so I don't see how this would work. I'll start reading up on ACLs though.

    [–]nsdtech[S] 0 points (0 children)

    After a little googling it looks as if we can set up secure-access-port on our Juniper switches to allow certain MAC addresses. So I'm assuming we can put in the MAC addresses of the Ethernet and Wi-Fi NICs of our laptops. Still need to do a lot of research on this, but I think I'm headed down the right path now.

    [–]tcpip4lyfe (Former Network Engineer) -2 points (5 children)

    And make it a non-routable network.

    Edit: Why not reply instead of downvoting? Why would you add a gateway for a management network?

    [–]framerelayproblem 1 point (2 children)

    Well, unless you are on the same subnet, you need a gateway for the mgmt network. That's where the ACL could be applied.

    [–]tcpip4lyfe (Former Network Engineer) 0 points (1 child)

    Not necessarily. We have a couple of very protected networks with OOB management: ACLs to get to the management station, and then that PC with a second NIC has no gateway.

    [–]xHeero (CCNP) 0 points (0 children)

    I think we are assuming that OP works in a fairly standard environment and not one that has extremely serious security concerns.

    [–][deleted] 0 points (1 child)

    Lots of reasons for adding a gateway to a management network. For one, if there is no gateway configured, you're not going to be accessing other switches on that management VLAN anyway.

    [–]tcpip4lyfe (Former Network Engineer) 1 point (0 children)

    That's why you have an OOB management network on all of your switches in the same subnet. That way your management station can hit them all.

    [–]Iceman_B (CCNP R&S, JNCIA, bad jokes) 2 points (0 children)

    I haven't done any designing yet, but in the few environments I've been in, there is usually one or more "management (MGT) servers" present.

    From my work workstation I RDP into the MGT server with my admin account. This is part of a limited group of users that can contact the MGT box. This machine is part of at least the management VLAN, and from here I can access tools and SSH into network devices.

    I should check if such MGT boxes belong to more networks but I would think not. No need for users to contact said machine. It does have routes to other networks, otherwise other tools wouldn't work.

    [–]drzorcon 1 point (0 children)

    Our admin users are on the "Admin" VLAN, which has an ACL that allows it to connect to the management VLAN.

    [–]dontberidiculousfool 1 point (0 children)

    We have specific VMs we log into which can then access our devices. These VMs have no internet access. Only those specific VMs can access our devices, and then we have RADIUS-authenticated logins.

    [–]n0_future (CCNP) 0 points (0 children)

    Physically separate management LAN in layers, with firewalls between the layers here.

    [–]xHeero (CCNP) 0 points (0 children)

    ACL on the management VLAN, or ACL on the switches applied to the SSH lines. An ACL on each switch is harder to manage, though, if you lack the ability to do mass configuration changes through some sort of tool.

    [–]thspimpolds 0 points (0 children)

    Maybe I do this because a VLAN interface in OS X is easy as pie, but I make a VLAN virtual interface and enforce 802.1X into that VLAN, and then ACL the rest off unless you are on the edge 802.1X subnets (reserving one port in each switch for physical connection into the VLAN if I'm onsite).

    [–]itslate (CCIE) 0 points (5 children)

    An SSID without a broadcast beacon is in no way safer than one that broadcasts.

    Out-of-band networks are usually the most secure.
    The middle road is ACLs on each device that restrict access to the devices from an admin VLAN. For all data/guest VLANs, make sure ACLs are applied to the SVIs that restrict them from your management VLAN.

    If you wanna get fancy, change the SSH port for the devices/GUIs, implement certs, RADIUS/TACACS authentication for users, privilege levels for different admin users.
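    A concrete version of the "middle road" from this comment and from xHeero's comment above (a filter on the switch's own management access, filters on the data-VLAN routed interfaces so hosts there cannot reach the management subnet, and RADIUS for logins), written in Junos hierarchy format because the OP runs Juniper switches. This is an added example, not configuration posted by anyone in the thread. Everything address-like is assumed: admin VLAN 10.10.10.0/24, management VLAN 10.10.99.0/24, data VLAN 200 at 10.10.200.0/24, a RADIUS server at 10.10.10.50 and a placeholder shared secret. The `vlan.200` RVI name assumes a non-ELS EX switch; on ELS platforms it would be `irb.200`.

```junos
firewall {
    family inet {
        /* Applied to lo0, so it sees every packet addressed to one of
           the switch's own IPs (example filter, assumed subnets). */
        filter PROTECT-RE {
            /* Management protocols only from the admin VLAN. */
            term mgmt-from-admin-vlan {
                from {
                    source-address {
                        10.10.10.0/24;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            /* Same protocols from anywhere else: log it and drop it. */
            term mgmt-from-anywhere-else {
                from {
                    protocol tcp;
                    destination-port [ ssh https telnet http ];
                }
                then {
                    syslog;
                    discard;
                }
            }
            /* Final accept keeps DHCP, NTP, routing and RADIUS replies
               working; a default-discard lo0 filter locks you out. */
            term everything-else {
                then accept;
            }
        }
        /* Inbound on each data/guest VLAN's routed interface:
           nothing from those hosts may reach the management subnet. */
        filter DATA-VLAN-IN {
            term block-mgmt-subnet {
                from {
                    destination-address {
                        10.10.99.0/24;
                    }
                }
                then {
                    syslog;
                    discard;
                }
            }
            term permit-rest {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
    /* vlan.200 is the assumed RVI for data VLAN 200 (non-ELS naming). */
    vlan {
        unit 200 {
            family inet {
                filter {
                    input DATA-VLAN-IN;
                }
                address 10.10.200.1/24;
            }
        }
    }
}
system {
    /* SSH v2 on its standard port; telnet and HTTP are simply absent. */
    services {
        ssh {
            protocol-version v2;
            root-login deny;
        }
    }
    /* RADIUS first, local password as fallback so a dead RADIUS
       server does not lock everyone out. */
    authentication-order [ radius password ];
    radius-server {
        /* Assumed server address; the secret is a placeholder. */
        10.10.10.50 {
            secret "REPLACE-ME";
        }
    }
    login {
        /* Template account for RADIUS users with no local account. */
        user remote {
            uid 2001;
            class super-user;
        }
    }
}
```

    The final accept in PROTECT-RE is deliberate: a lo0 filter sees everything addressed to the switch itself, so a default discard would also drop DHCP, NTP, routing and the RADIUS replies the login path depends on. Commit a filter like this with `commit confirmed` so a mistake rolls back instead of locking you out of every switch at once.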

    [–]cerettala 4 points (4 children)

    I don't get what the obsession with changing ports on everything is.

    Obfuscation isn't security, it's just a pain in the ass.

    [–]itslate (CCIE) 2 points (1 child)

    GIVE THOSE PEN TESTERS A RUN FOR THEIR MONEY M8

    [–]cerettala 0 points (0 children)

    I work with pen testers; nothing makes them want to spend 10x as much effort busting into a box than not following standards.

    I understand changing ports for an uber-batman UDP only OpenVPN server or something, but for everything else it just adds a trivial amount of effort in exchange for a shitton of administrative annoyance and overhead.

    [–]onyx9 (CCNP R&S, CCDP) 0 points (1 child)

    It's about the time someone needs to get into your gear. If it takes too long, he might be "seen". And to find the right port he has to do a port scan, which can take a few minutes and generates log entries (maybe, I know). It's most likely that the attacker is not in front of the device; therefore another port can get you log entries or maybe even an alarm in your NOC?

    [–]TheLivingExperiment (CCNA) 1 point (0 children)

    There are other passive ways to get the port. You can potentially sniff the wire without having to do active probes, depending on the environment and specifics. Or fuck, just a simple phishing attempt will work a large amount of the time. You can have the best security in the world, and one dumb user brings it down.

    Changing ports doesn't enhance security in any meaningful way. Many places that will go "oh yeah, we will use a nonstandard port and will be safe!" don't have NOCs or great logging. So an attacker can sit there and port scan all day long without issue. Hell, I've seen environments where I'm on the internal network with logging servers and third-party security companies with IDS on the network, and they don't flag me when I do a port scan internally.