Internet Facing Router Management Best Practice

betaaaa · ‎06-22-2023

Hello all,

We have this kind of topology,

Internet Router (Traffic + Management)> Internet Switch > Firewall > Edge Switch > Core Switch

but we want to connecting management of Internet Router separately from traffic port via Mgmt0 port, is that secure connecting the Internet Router Mgmt0 directly to Core Switch (bypassing Firewall) so the topology will be like this?

Internet Router (Traffic) > Internet Switch > Firewall > Edge Switch > Core Switch

Internet Router (Mgmt0) > Core Switch

Leo Laohoo · ‎06-22-2023

@betaaaa wrote:
but we want to connecting management of Internet Router separately from traffic port via Mgmt0 port, is that secure connecting the Internet Router Mgmt0 directly to Core Switch (bypassing Firewall) so the topology will be like this?
Internet Router (Traffic) > Internet Switch > Firewall > Edge Switch > Core Switch

Internet Router (Mgmt0) > Core Switch

Connect the Mgmt0 port a completely separate network. That way, when the core switch fails (or gets DDoS), there is still a way to access the router from a different direction.

betaaaa · ‎06-22-2023

is that mean, even we run Management under "Mgmt-Intf" VRF, there are still potentially attack or breach through the inside (trusted zone) ?

Leo Laohoo · ‎06-22-2023

No, that is not what I mean.

Ideally, Mgmt0 should be connected to a completely separate network. Even if the Mgmt0 is in a different VRF, if the core switch blows up (high CPU/memory leak, DDoS, etc) there is no way, except for console, to remotely access the appliance.

We had a DDoS attack once. It caused our two routers to have 100% CPU. We could not get in via the usual methods. The only way was using the Mgmt0 port because the Mgmt0 was connected to a separate network (different WAN) to the rest.

Joseph W. Doherty · ‎06-22-2023

Anytime you wire across an "air gap", you've provided an attack path.

Does this never ever do this? Not at all. It just means you secure that path to make it extremely difficult to be used to get into your network. For example, at the core port you might block all unexpected traffic such as only allowing SSH return traffic to a specific IP.

betaaaa · ‎06-22-2023

is that means, this setup really not recommended to deployed ? as there are still potentially breach

Joseph W. Doherty · ‎06-22-2023

"not recommend"? Again, not at all.

It just means there's another path into you internal network. You need to be as security conscience about it, and configuring it, as you should be with your main Internet path.

"Conscience", above, doesn't imply you treat this path exactly like you do your main path, it means you recognize you opened an alternate attack path so you should determine how much you believe is worthwhile to do to mitigate potential attacks.

What I suggested, earlier, is rather simple to implement and support, but makes it much more difficult to effectively attack via your proposed connection.

Personally, I think it unlikely anyone wil mount any attack via this management connection, but however low the risk is, it's no longer zero.

MHM Cisco World · ‎06-22-2023

Router FW and Core SW can connect tk same subnet and you can OOB mgmt these device.

https://opengear.com/blog/taking-your-cisco-out-of-band-management-to-the-next-level/