Re: [AFMUG] Securing Management Network?
Can you detail that Mike?

On Tue, Sep 1, 2015 at 4:46 PM, Mike Hammett wrote:
> Route filters are less intensive than firewall rules.
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> - Original Message -
> From: "Christopher Gray"
> To: af@afmug.com
> Sent: Tuesday, September 1, 2015 3:46:05 PM
> Subject: [AFMUG] Securing Management Network?
>
> I'm re-thinking my network arrangement and would like to know how others
> secure or separate their management network.
>
> My current setup is all Mikrotik running OSPF/MPLS/VPLS with VPLS tunnels
> from the APs back to my edge routers, where customer traffic is handled and
> I use firewall rules at those routers to prevent the tunnels from having
> access into the network. I have public IPs available at the edge routers,
> and all internal hardware has some slice of 10.0.0.0/8. I don't have
> firewall rules on most of the routers as they are all protected by the edge.
>
> I'd like to move away from this model and have IP blocks at each AP site
> that route over my OSPF/MPLS system. I can get them to route, but I am
> wondering if there is an easy way to block routes or limit OSPF
> distribution to prevent access to my hardware (other than running several
> firewall rules on every router). I am running many RB750, RB750UP, and
> RB750P routers and would like to keep firewall rules to a minimum if
> possible.
>
> Thanks - Chris

--
If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
Re: [AFMUG] Securing Management Network?
Route filters are less intensive than firewall rules.

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

- Original Message -
From: "Christopher Gray"
To: af@afmug.com
Sent: Tuesday, September 1, 2015 3:46:05 PM
Subject: [AFMUG] Securing Management Network?

I'm re-thinking my network arrangement and would like to know how others secure or separate their management network.

My current setup is all Mikrotik running OSPF/MPLS/VPLS with VPLS tunnels from the APs back to my edge routers, where customer traffic is handled and I use firewall rules at those routers to prevent the tunnels from having access into the network. I have public IPs available at the edge routers, and all internal hardware has some slice of 10.0.0.0/8. I don't have firewall rules on most of the routers as they are all protected by the edge.

I'd like to move away from this model and have IP blocks at each AP site that route over my OSPF/MPLS system. I can get them to route, but I am wondering if there is an easy way to block routes or limit OSPF distribution to prevent access to my hardware (other than running several firewall rules on every router). I am running many RB750, RB750UP, and RB750P routers and would like to keep firewall rules to a minimum if possible.

Thanks - Chris
Re: [AFMUG] Securing Management Network?
We just run a basic input rule, it's a drop rule with a NOT management address list. Did realize yesterday it needed to have NOT established and related, NTP was not updating.

On Tue, Sep 1, 2015 at 3:46 PM, Christopher Gray wrote:
> I'm re-thinking my network arrangement and would like to know how others
> secure or separate their management network.
>
> My current setup is all Mikrotik running OSPF/MPLS/VPLS with VPLS tunnels
> from the APs back to my edge routers, where customer traffic is handled and
> I use firewall rules at those routers to prevent the tunnels from having
> access into the network. I have public IPs available at the edge routers,
> and all internal hardware has some slice of 10.0.0.0/8. I don't have
> firewall rules on most of the routers as they are all protected by the edge.
>
> I'd like to move away from this model and have IP blocks at each AP site
> that route over my OSPF/MPLS system. I can get them to route, but I am
> wondering if there is an easy way to block routes or limit OSPF
> distribution to prevent access to my hardware (other than running several
> firewall rules on every router). I am running many RB750, RB750UP, and
> RB750P routers and would like to keep firewall rules to a minimum if
> possible.
>
> Thanks - Chris

--
If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
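The input rule described in the message above, modelled in Python as an added example (not code from the thread or from any poster's router). It shows why replies to the router's own NTP queries were dropped until the rule excluded established and related traffic. The management prefix, the packet addresses and all function names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: the prefix that the management address list would hold.
MGMT_LIST = [ip_network("10.255.0.0/24")]

@dataclass
class Packet:
    src: str    # source address of a packet arriving on the router's input chain
    proto: str
    sport: int
    state: str  # connection-tracking state: new, established or related

def in_mgmt(src):
    return any(ip_address(src) in net for net in MGMT_LIST)

def original_rule(pkt):
    """One input rule: drop when the source is NOT in the management list."""
    return "drop" if not in_mgmt(pkt.src) else "accept"

def corrected_rule(pkt):
    """Same drop rule, matching only when state is NOT established/related."""
    if not in_mgmt(pkt.src) and pkt.state not in ("established", "related"):
        return "drop"
    return "accept"  # no rule matched, so the chain's default accept applies

# Constructed packets, all addressed to the router itself.
SAMPLES = {
    # Operator connecting from the management subnet.
    "admin_ssh": Packet("10.255.0.10", "tcp", 50522, "new"),
    # Unsolicited connection attempt from a customer address.
    "customer_ssh": Packet("100.64.5.20", "tcp", 41873, "new"),
    # Reply from an NTP server to a query the router sent: established flow.
    "ntp_reply": Packet("192.0.2.123", "udp", 123, "established"),
    # ICMP error tied to one of the router's own outbound flows.
    "icmp_error": Packet("198.51.100.1", "icmp", 0, "related"),
}

def evaluate(rule):
    """Return the verdict of `rule` for every sample packet."""
    return {name: rule(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for rule in (original_rule, corrected_rule):
        print(rule.__name__)
        for name, verdict in evaluate(rule).items():
            print(f"  {name:13s} {verdict}")
```
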
[AFMUG] Securing Management Network?
I'm re-thinking my network arrangement and would like to know how others secure or separate their management network.

My current setup is all Mikrotik running OSPF/MPLS/VPLS with VPLS tunnels from the APs back to my edge routers, where customer traffic is handled and I use firewall rules at those routers to prevent the tunnels from having access into the network. I have public IPs available at the edge routers, and all internal hardware has some slice of 10.0.0.0/8. I don't have firewall rules on most of the routers as they are all protected by the edge.

I'd like to move away from this model and have IP blocks at each AP site that route over my OSPF/MPLS system. I can get them to route, but I am wondering if there is an easy way to block routes or limit OSPF distribution to prevent access to my hardware (other than running several firewall rules on every router). I am running many RB750, RB750UP, and RB750P routers and would like to keep firewall rules to a minimum if possible.

Thanks - Chris