External/DMZ Switch Management

absmith9195 (Level 1)

How do you recommend managing switches that are external to a firewall? We have a switch on the external side of our firewall that I would like to be able to connect to with SNMP and also use TACACS, NTP, remote syslog, etc. Would it be better to give it an IP in the physical (read: external) subnet, or put one of the ports into a separate VLAN and connect that port to the internal segment? It seems as if the latter is insecure as it crosses boundaries, but I'm not sure. Thanks.

Accepted Solution

a.kiprawih (Level 7)

Hi,

Since you mentioned about external to firewall, the very least setup is a switch connecting your firewall outside interface to external devices like internet router and vpn boxes.

On the firewall side, you need to static NAT the address of the TACACS/NTP/SNMP/syslog server to a public IP to be reachable from outside, specifically by the switch. Create an ACL (or add to an existing one) strictly permitting the switch (via its public IP) to reach specific services like TACACS (tcp 49) / NTP (udp 123) / SNMP (udp 161/162) / syslog (udp 514) on your internal server(s).

On the switch side, you can assign a public IP to the switch, with all access authentication by default pointing to the internal TACACS server's public IP (NATted in the firewall). Your AAA configuration must point to your internal ACS server.

Cisco's recommendation for a switch, especially when you place it outside the firewall, is more or less similar to the steps to secure your router. It talks about securing access to the box, managing/limiting services, floods and so on. Read the Cisco doc on how to secure a router for reference:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

http://www.nsa.gov/snac/downloads_cisco.cfm?MenuID=scg10.3.1

Rgds,

AK


2 Replies

grant.maynard (Level 4)

You could give it a public IP but no default gateway, and then it will only talk to devices on its local subnet, i.e., your NATed addresses.

Also disable unnecessary services and add ACLs to vty and SNMP. Be careful to tie down the security.

Or, if you manage the internet router, you could use a private (RFC 1918) address and add that as a secondary address to the internet router. As a private IP it will not be reachable from the internet side.
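As an added illustration (not from either reply, and not Cisco's own example), here is the switch-side configuration both answers describe, in IOS 15-style syntax: AAA pointed at the TACACS+ server through its NATted public address, authenticated NTP, remote syslog, SNMPv3 restricted by an ACL, SSH-only vty lines, and unneeded services disabled. All addresses, names and keys are placeholders, and the firewall's static NAT and ACL are assumed to exist as the accepted answer describes.

```cisco
! Management-plane hardening for a switch sitting outside the firewall.
! Addresses are placeholders (RFC 5737 TEST-NET-3):
!   203.0.113.10 = the switch's own external address
!   203.0.113.1  = firewall outside interface (next hop)
!   203.0.113.50 = static NAT of the internal TACACS/NTP/SNMP/syslog server
ip domain-name example.net
!
! Only the NATted management server may reach SNMP and the vty lines.
ip access-list standard MGMT-HOSTS
 permit host 203.0.113.50
!
interface Vlan1
 ip address 203.0.113.10 255.255.255.0
! grant.maynard's variant: omit the default gateway so the switch can only
! talk to its local subnet (the firewall's NATted addresses).
ip default-gateway 203.0.113.1
!
! Logins, exec authorization and accounting go to TACACS+ via its public NAT;
! the local user is only a fallback if the server is unreachable.
aaa new-model
tacacs server INTERNAL-ACS
 address ipv4 203.0.113.50
 key PLACEHOLDER-TACACS-KEY
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
username rescue privilege 15 secret PLACEHOLDER-LOCAL-PASSWORD
!
! Authenticated NTP and remote syslog to the same NATted server.
ntp authenticate
ntp authentication-key 1 md5 PLACEHOLDER-NTP-KEY
ntp trusted-key 1
ntp server 203.0.113.50 key 1
logging host 203.0.113.50
logging trap informational
!
! SNMPv3 authPriv only, and only from MGMT-HOSTS (no v1/v2c community).
snmp-server group MGMT-RO v3 priv access MGMT-HOSTS
snmp-server user monitor MGMT-RO v3 auth sha PLACEHOLDER-AUTH priv aes 128 PLACEHOLDER-PRIV
!
! SSH-only vty access from MGMT-HOSTS; generate the RSA key first.
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
! Services the switch does not need on an external segment.
no ip http server
no ip http secure-server
no cdp run
no service tcp-small-servers
no service udp-small-servers
```

Whatever the switch is not explicitly allowed to reach should also be blocked by the firewall ACL in front of the NATted server, so the switch's own configuration is not the only control.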

