Which interface should be put into Security Management VLAN?

Apr 27th, 2009
May I ask a very basic question?

Which interface should be put into Security Management VLAN? eth0 or eth1?


Thanks,

Cedar

Farrukh Haroon Tue, 04/28/2009 - 01:04

What do you mean by "Security Management VLAN"?


Ideally you should leave MARS to use one port (with the default route) for all polling, device telnet, etc.

And the second one for OOB management. This port should be in the same subnet as the management/secop guy, as MARS can have a default route on only one of its interfaces.


Regards


Farrukh

cedar_lee Tue, 04/28/2009 - 08:49
It's from the book Security Monitoring with Cisco Security MARS.


It says:

As a best practice, you should create a network as a security management network if you don't already have one. This network should contain various servers used for administering and monitoring the security of your network. The entire network should be protected by a firewall and IDS/IPS. Access to it should be tightly restricted, and any remote access to it should be through a Virtual Private Network (VPN).


MARS has eth0 and eth1, and they need to be in separate networks. So, I am not sure if this book recommends putting eth0 or eth1 into the Security Management Network.


Thanks,

Cedar

pmccubbin Wed, 04/29/2009 - 09:32

Put Ethernet 1 on your management network. Its hardware has more memory and will refresh your screen faster. This also makes your MARS box less susceptible to DoS on your production network.

You will need to go into the CLI and add a route for Ethernet 1 so you can access the box.



Ethernet 0 will be the interface which receives all syslogs and netflow. Its IP address needs to be able to reach the default gateway you configure on the box.



Hope this helps.

cedar_lee Wed, 04/29/2009 - 10:08
I think I am confused about what the book says and need help on the question of which port I should put in the security network that is protected by firewall and IDS/IPS. In other words, which port, eth0 or eth1, do you protect with your firewall and IDS/IPS?


Thanks,

Cedar

Farrukh Haroon Wed, 04/29/2009 - 10:56

Technically you should protect both :)


But the book is talking about the 'port' used for management. For example, only hosts 10.10.10.4 and .5 are allowed to manage the MARS box.

You can put an ACL so that ports 22, 443, etc. from those two IPs are the only traffic allowed, and block all the rest.


Regards


Farrukh
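Farrukh's ACL suggestion above, written out as a Cisco IOS extended ACL. This is an added example, not from the thread, the book, or Cisco's MARS documentation; the MARS eth1 address 10.10.20.10, the management VLAN interface Vlan20, and the assumption that the two admin hosts (10.10.10.4 and .5) sit in a separate subnet and reach the management VLAN through that routed interface are all constructed for illustration.

```cisco
! Added example (not from the thread). Assumed addressing:
!   MARS eth1 (OOB management)  = 10.10.20.10 on VLAN 20
!   admin hosts                 = 10.10.10.4 and 10.10.10.5 (other subnet)
! The ACL is applied OUTBOUND on the SVI facing the management VLAN, so it
! filters what is allowed to reach MARS eth1; replies from MARS are not
! affected because they enter the SVI inbound.
ip access-list extended MARS-MGMT-OUT
 remark --- only SSH and HTTPS from the two admin hosts may reach MARS eth1 ---
 permit tcp host 10.10.10.4 host 10.10.20.10 eq 22
 permit tcp host 10.10.10.4 host 10.10.20.10 eq 443
 permit tcp host 10.10.10.5 host 10.10.20.10 eq 22
 permit tcp host 10.10.10.5 host 10.10.20.10 eq 443
 remark --- anything else aimed at the MARS management interface: drop and log ---
 deny   ip any host 10.10.20.10 log
 remark --- add entries for other servers in this VLAN above this line; ---
 remark --- the explicit deny below (and the implicit one) drops everything else ---
 deny   ip any any log
!
interface Vlan20
 description Security management VLAN (MARS eth1 lives here)
 ip address 10.10.20.1 255.255.255.0
 ip access-group MARS-MGMT-OUT out
!
! Verification after applying: 'show ip access-lists MARS-MGMT-OUT' shows hit
! counters per line, and the 'log' keyword produces syslog entries for denied
! attempts, which can themselves be forwarded to MARS on eth0 for monitoring.
```

If the admin hosts are in the same VLAN as MARS eth1 (as Farrukh's "same subnet" advice implies), traffic never crosses the SVI and this ACL will not see it; a VLAN access map (VACL) or the firewall in front of the management network would have to enforce the same rule instead.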

pmccubbin Fri, 05/01/2009 - 07:56

Hi Farrukh,

Spot-on answer and a "5" from NYC.

Paul
