Sunday, September 13, 2020

Management ACL 2020 Best Practices

I think a lot of traditional organizations lock down the management plane of their switches and routers: allowing SNMP traffic only from designated NMS servers, allowing NTP, DNS, and other services only from designated sources, and, most importantly, allowing SSH access only from the designated subnet where your network engineers sit. This subnet might be one VLAN off one of your IDF stacks. Users in that subnet can SSH to any device and log in at will.

So this is based on a geographic “place” in the network.

But the Coronavirus Pandemic of 2020 has kind of shaken things up. Now many network engineers are working remotely and VPN’ing in.

So my question is, what's the new best practice? Network engineers on VPN can be given IPs out of a different pool based on user/role? But how trustworthy could that be? Or perhaps you continue requiring them to RDP to their old workstations? But what if you never go back to the office? Eventually corporate sells the office building and you've just lost that geographic point in the network.

It seems like restricting device access to a dedicated jump box might be the best solution. I know some orgs were already doing it that way. But now you've got to worry about maintaining that jump box, including patching and vulnerability management, which can quickly become burdensome. You also need a resiliency plan so that the jump box doesn't become a single point of failure. So I'm not sure I like the idea.
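To make the trade-off concrete, here is an added illustration (not from the original post) of the two approaches side by side in Cisco IOS-style syntax: the old VTY ACL that trusts the engineers' office VLAN, and a replacement that trusts a jump host plus a VPN address pool handed out only to the network-engineer role, with SNMP and NTP still pinned to their designated sources. All addresses, ACL names and the community-string placeholder are constructed for the example.

```cisco
! Constructed addresses for this example, not from the post:
!   10.1.10.0/24  office VLAN where the network engineers used to sit
!   10.9.9.0/24   VPN pool assigned only to the network-engineer role
!   10.0.0.5      hardened jump host
!   10.0.0.20     NMS / SNMP poller
!   10.0.0.30     NTP server

! Before: SSH trust is tied to a physical "place" in the network
ip access-list standard MGMT-SSH-OLD
 permit 10.1.10.0 0.0.0.255
 deny   any log

! After: SSH trust is tied to the jump host and a role-scoped VPN pool
ip access-list standard MGMT-SSH
 remark jump host (primary path)
 permit host 10.0.0.5
 remark VPN pool issued only to authenticated network engineers
 permit 10.9.9.0 0.0.0.255
 deny   any log

line vty 0 4
 access-class MGMT-SSH in
 transport input ssh
 exec-timeout 10 0

! SNMP polling only from the NMS, unchanged by the remote-work shift
ip access-list standard MGMT-SNMP
 permit host 10.0.0.20
 deny   any log
snmp-server community <COMMUNITY-STRING> RO MGMT-SNMP

! NTP only from the designated time source
ip access-list standard MGMT-NTP
 permit host 10.0.0.30
 deny   any log
ntp server 10.0.0.30
ntp access-group peer MGMT-NTP
```

The `permit 10.9.9.0 0.0.0.255` line is only as strong as the VPN's address assignment: it answers the "how trustworthy could that be?" question in the affirmative only if the concentrator hands out that pool exclusively to users who authenticated (ideally with MFA) into the network-engineer role, and never to a general user pool. The `deny any log` entries matter for detection: a login attempt from outside the permitted sources shows up in syslog rather than failing silently, which is how you notice that a pool or jump-host assumption has drifted.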

What do you all think?
