[Info-vax] Securing IP based management consoles/ports
Arne Vajhøj
arne at vajhoej.dk
Sat Nov 7 22:27:56 EST 2009
JF Mezei wrote:
> OK, this isn't strictly VMS based but folks in c.o.v. would have
> valuable experience for this.
>
> My new server has a management interface on one of the 2 ethernet ports,
> shared with the OS, but with its own IP address separate from that of
> the OS. It has the power to turn the machine on and off (in other words,
> the ultimate in power).
>
> What steps should be taken to secure this port? It can't be in a
> separate VLAN since it is shared with the ethernet used by the OS.
>
> But it could be in a separate subnet. (but that is just security by
> obscurity).
>
> From a firewall point of view should I program the internet-facing
> router to block any traffic to that IP address on the LAN?
>
> And would there be a way to allow secure remote access to the console
> (say if I am away from the office and need to power off and power on the
> machine from the internet).

Block all unwanted access in firewalls and routers.

See if the management interface can be configured for:
- only allowing access from specific LAN addresses
- only allowing access with a specific client certificate

Arne