Hello,
I work in a secure, paranoid environment. SolarWinds will be fired up shortly.
There are security concerns regarding where to place the SW servers in the network since they'll be able to communicate with virtually every device, particularly Internet edge routers, firewalls, and switches.
Have you placed your SW installation inside your trusted network, in a DMZ, etc.?
What security compromises are made by sending NetFlow data and Syslog from an edge router via its management port? Specifically, if a router is compromised on its outside interface, can the management port be used as a portal into the network (bearing in mind basic hardening is performed)?
Is a network management VLAN sufficient for segmenting management data from other VLAN traffic? Are there any real advantages to building out a separate management infrastructure (switch connected to management interfaces of all network gear), when it will still connect back to the core switch anyway?
Is there a governing body (like CIS) that issues best practices for securely implementing an NMS?
Thank you