12-23-2006 05:18 PM - edited 03-09-2019 05:06 PM
A layer 2 edge switch between an Internet router and the outside interface of a firewall could have a public IP address for the vlan interface for switch management. Another setup is to assign a private IP address from the internal management vlan to the vlan interface of the edge switch. Then assign a port in the management vlan on the edge switch and connect that port with a network cable to a port on the management vlan on the management switch on the inside of the firewall. This setup will only work if both switches are physically close enough. Which is more secure? Is there another option or what is the best security practice for in-band management on an Internet edge switch?
Thanks,
RJ
12-26-2006 11:14 AM
Our security policy dictates no management IP, so we use a console server to manage all public facing devices. Otherwise your second scenario is probably a hair safer than using a public IP.
12-26-2006 12:45 PM
Thanks for the reply. So how do you monitor the switch (i.e. syslogs)?
12-26-2006 01:08 PM
Either through a firewall or in certain devices we're not allowed to :-(
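As an added illustration of the second scenario from the question (a private management SVI reachable only over the internal management VLAN, with syslog sent to an inside collector), here is a Cisco IOS configuration fragment. It is not from this thread; the VLAN number, interface name, IP addresses and the MGMT-HOSTS ACL name are constructed placeholders.

```cisco
! Constructed example: in-band management of an L2 edge switch via a private mgmt VLAN
vlan 99
 name MGMT
! Only the management VLAN carries an IP address; all other ports stay pure layer 2
interface Vlan1
 shutdown
interface Vlan99
 ip address 10.99.0.10 255.255.255.0
 no ip redirects
 no ip proxy-arp
ip default-gateway 10.99.0.1
! Dedicated access port cabled to the management switch on the inside of the firewall
interface GigabitEthernet0/24
 description Mgmt link to inside management switch
 switchport mode access
 switchport access vlan 99
 spanning-tree portfast
! Accept management sessions only from the management subnet; log anything else
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
 login local
ip ssh version 2
username mgmt-admin secret <PLACEHOLDER-PASSWORD>
! Disable plaintext and web management paths entirely
no ip http server
no ip http secure-server
! Syslog leaves via the management SVI toward the internal collector
service timestamps log datetime msec
logging source-interface Vlan99
logging host 10.99.0.50
logging trap informational
```

Generating the SSH host key (`crypto key generate rsa`) is an exec-mode step and is not shown in the running configuration.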
12-27-2006 06:47 AM
Is there a document for security best practices on Internet edge device monitoring?
12-27-2006 06:50 AM
I don't know of any from Cisco, but the gov't has some.
http://iase.disa.mil/ditscap/ditscap-to-diacap.html#diacap
HTH and please rate if it does.
12-27-2006 07:52 AM
I am not sure what document you are suggesting.
12-27-2006 08:09 AM
Probably because I gave you the wrong link!
http://iase.disa.mil/stigs/stig/
About half way down you should see Network.