LISTSERV mailing list manager LISTSERV 15.5
NORDNOG Archives
Subject: Re: Beer + Wlan
From: Måns Nilsson <[log in to unmask]>
Reply-To: Network management discussion for Nordic region <[log in to unmask]>
Date: Wed, 20 Mar 2002 14:29:28 +0100
Content-Type: text/plain
Parts/Attachments: text/plain (35 lines)


--On Wednesday, March 20, 2002 12:40:10 +0100 John Angelmo
<[log in to unmask]> wrote:

> WLAN is as much of a security issue as a regular LAN; bad management is
> the big problem.
> The easiest way to implement WLAN at a NOC for service personnel is to
> simply put a VPN box behind the AP. You get an IP from the DHCP server, but
> to access ANYTHING you need to authenticate yourself through the VPN.

Or "Do not telnet to the core routers from the WLAN directly without data
channel encryption, bounce on a management box." That plus clever
directives about system security and other practices goes a long way
towards securing the management system.

In a greater picture, this certainly mirrors some of the "separation of
control channel from the production channel" discussions on NANOG lately.
My personal view is that "data is data", whether control or production --
the big crucial strength of IP is that a "telnet packet"[0] looks the same
as a "HTTP packet" to a network element. We should not "give in" to the
"telco practices" of a separate management network, at least not when it
would conserve our bad habits, or tie our hands. While there might be valid
reasons for OOB access (coping with outages in the production network, or
doing "saw-off-the-branch" config changes), I would argue that all control
protocols (as in telnet or SNMP) should be made robust enough to survive an
open WLAN -- or they should not be used. That is the proper fix, not a
band-aid like a VPN or limited access to management resources.

This of course is somewhat utopian. But still, it is what we should strive
for.
--
Måns Nilsson            Systems Specialist
+46 70 681 7204         KTHNOC
                        MN1334-RIPE

[0]     As in "An IP packet with TELNET data in it"
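The two directives above ("no cleartext control protocols from the WLAN" and "bounce on a management box rather than hitting the core routers directly") are the kind of rule a NOC can actually audit against flow records. The script below is an added example, not code from the original post or from KTHNOC; the WLAN subnet, core-router addresses, management-box address, the simple "ts src sport dst dport proto" record format and the sample records are all constructed assumptions for the demonstration.

```python
"""Audit flow records from the NOC WLAN for management traffic that breaks
the rules in the post: cleartext control protocols (telnet, SNMP v1/v2c,
HTTP) from the WLAN, and sessions that go straight to a core router instead
of bouncing on the management box.  All addresses below are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed network layout (constructed for this example).
WLAN_NET = ipaddress.ip_network("10.99.0.0/24")           # open WLAN at the NOC
CORE_ROUTERS = {ipaddress.ip_address("192.0.2.1"),
                ipaddress.ip_address("192.0.2.2")}         # core router loopbacks
MGMT_BOX = ipaddress.ip_address("10.10.0.5")              # the "management box"

# Control protocols that put credentials or config on the wire in the clear.
# A flow record cannot tell SNMPv3 from v1/v2c, so all SNMP from the WLAN is flagged.
CLEARTEXT_MGMT = {("tcp", 23): "telnet", ("udp", 161): "snmp", ("tcp", 80): "http"}


@dataclass(frozen=True)
class Flow:
    ts: float
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one 'ts src sport dst dport proto' record; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    ts, src, sport, dst, dport, proto = line.split()
    return Flow(float(ts), ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport), proto.lower())


def check_flow(flow: Flow) -> List[str]:
    """Return the rule violations for one flow (empty list means compliant)."""
    findings: List[str] = []
    if flow.src not in WLAN_NET:
        return findings            # only traffic originating on the WLAN is in scope
    name = CLEARTEXT_MGMT.get((flow.proto, flow.dport))
    if name:
        findings.append(f"cleartext:{name}")   # would not survive an open WLAN
    if flow.dst in CORE_ROUTERS:
        findings.append("direct-core")         # should have bounced on MGMT_BOX
    return findings


def audit(lines) -> List[Tuple[str, str, int, str]]:
    """Run check_flow over a log and return (src, dst, dport, finding) tuples."""
    results = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        for kind in check_flow(flow):
            results.append((str(flow.src), str(flow.dst), flow.dport, kind))
    return results


# Constructed sample records: timestamp, src, sport, dst, dport, proto.
SAMPLE_LOG = """\
# ts           src        sport  dst           dport proto
1016630000.1   10.99.0.7  51234  192.0.2.1     23    tcp
1016630001.2   10.99.0.7  51235  10.10.0.5     22    tcp
1016630002.3   10.99.0.8  40001  192.0.2.2     161   udp
1016630003.4   10.99.0.8  40002  192.0.2.2     22    tcp
1016630004.5   10.10.0.5  33000  192.0.2.1     22    tcp
1016630005.6   10.99.0.9  40003  198.51.100.20 80    tcp
"""

if __name__ == "__main__":
    for src, dst, dport, kind in audit(SAMPLE_LOG.splitlines()):
        print(f"{src} -> {dst}:{dport}  {kind}")
```

Only the SSH session from the WLAN to the management box and the management box's own SSH to a core router pass cleanly; direct SSH from the WLAN to a core router is encrypted but still reported, because the directive is to bounce, and that is where an ACL on the routers' vty lines (permit only MGMT_BOX) would enforce it.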
