by lmm 3839 days ago
I've always regarded networking equipment as outside my security boundary. All it does is forward packets to the right places; an attacker can deny service by shutting that down or sending them to the wrong place, but nothing else. All my connections are encrypted and authenticated at a higher level.

Do you terminate SSL or something on yours? Or have open unauthenticated services running on your internal network? If not, what's the actual threat here?

5 comments

- Plenty of services that can't adequately be secured any other way are often mitigated by restricting access to VPN users coming in over a network device. I appreciate that "just secure the service" is supposed to be the best practice, but when you're talking about things like IPMI interfaces or SCADA devices the alternatives approach zero

- Controlling the networking equipment can open you up to things like sslstrip

"things like IPMI interfaces or SCADA devices the alternatives approach zero"

My strategy with IPMI has been to assign IPMI non-routable, private IP addresses, then block that address space at the interior of the network (which is sort of redundant) and then require folks to SSH onto an interior host and connect to IPMI that way.

I would be very interested in, and receptive to, criticisms of this model ...

The argument there would be that it's very hard to secure all access to a network - anyone compromising any network device, or e.g. physical access to the cable runs in the building, then had access to IPMI.

In a high security situation I'd keep the IPMI network physically segregated, with a small number of machines acting as access to it. Or maybe connect IPMI only within each (locked) rack, and require using something like ansible if you want to perform an operation across more than one rack. Whether the cost/benefit fits for your circumstances is another question of course.

If you consider "ssh jump host" and "vpn" somewhat similar implementations of the same general strategy (forcing users to jump through something secure) we have a similar recommendation.
In my experience, IPMI is generally considered a part of the control plane, and not accessed via the same network as apps/data, but through a separate, more restricted/audited private network.
Lots of enterprises use JunOS to terminate VPNs.
Nit: ScreenOS is the impacted network operating system, not JunOS.
Very few places follow that threat model. The cost of encrypting between the web tier and the db tier (even from a management perspective) is more than most organizations are willing to pay.

Your threat model is also missing the fact that a network can mitm your connections and also silently duplicate sensitive traffic.

Well, no, not if it's SSL across the router. Only if it's terminating there or earlier.
On an individual scale, you're right. But the fact is almost every corporation, non-profit, and government agency is weak inside the perimeter security stack; once you're in, you're in. A backdoor in networking equipment is a pretty serious problem.
What software do you use to achieve end-to-end VPN?