Thursday, December 14, 2017

Secure management network designs for critical/monitoring equipment

For background, I have been asked to implement a monitoring/management network for a small service provider. Basically it would provide out-of-band access to things like management ports and console servers (for serial ports), and various monitoring equipment. The higher-ups are obsessed with security (rightfully so) but I think they are being paranoid beyond reason. I don't think they will be satisfied with anything less than a completely air-gapped network with swivel-seat workstations (I don't know who floated that idea, but I'm shaking my fist). How do I get them to back off on that idea and implement a more reasonable (cheaper, less complicated, more user-friendly) solution?

I don't see what we can't accomplish with a combination of ACLs and a firewall gate-keeping "outside" from "monitoring." Maybe require a client-based VPN to get into the management network from outside. I would like to also be able to implement a backup connection for each site through a third-party internet connection (because this is critical monitoring equipment), but that would require exposing the firewall to the internet for IPsec. I don't get why exposing just IPsec/Client VPN to the internet is so unacceptable. Even just VPN from the inside corporate network is a hard sell for them. If even the best designed firewalls are unacceptable, what is?

I have worked with other, much larger providers and none of them have been this paranoid. They all have just used simple ACLs/firewalls to protect their management network, and some even do everything in-band, only with ACLs.

I'm mostly just venting because of how gross some of the proposed solutions are and I probably won't be able to convince them of anything, but if anyone has some good talking points to pull them towards something less frustrating, I'm all ears.


