Here's a subject that I'm only obliquely exposed to at work, that seems to be in major discussion in light of recent events (i.e. the Bloomberg Businessweek Supermicro story).
I'm in the slow process of redoing my home lab, mostly downsizing/consolidating to fewer systems. Currently I manage each system by accessing it directly, as my homelab is partially located in my home office. I'll be moving almost everything to my garage, so it'd be a pain to run back and forth between home office and garage. I'll also be picking up more IPMI-enabled systems as time goes on to replace my current hardware.
The high level view of my current setup is everything goes through a pfSense router, split between WAN, LAN, WiFi, GUEST, OPT4. OPT4 is currently not being utilized. WiFi clients must VPN into LAN to access LAN resources. I also use OpenVPN for my laptop/mobile to access LAN when I'm road warrioring.
Here are some questions for network security gurus:
- What are the best practices for isolating the management network (IPMI) from my other networks?
- Is it enough to place the management network on a separate VLAN, or on the physical OPT4 network, with all outbound traffic from the management network blocked?
- Is it necessary to have a completely different router for the management network? I'd also need to be able to VPN into the management network occasionally from separate physical locations.
- What are the best practices for local management? A VM existing on a system residing on LAN/WiFi that's VPN'd into OPT4, or a physical system (e.g. NUC/laptop or something similar) connected directly to the management network?
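One way to express the isolation model these questions sketch, as an added example that is not from the original post: a pf(4) rule set for a dedicated IPMI network on OPT4 with a default deny, no outbound from the BMCs, and only authenticated OpenVPN clients allowed to reach the management services. pfSense generates its own pf rules from the GUI, so this shows the policy, not pfSense's exact output; interface names, subnets, the VPN client pool and the NTP server address are assumptions.

```pf
# Added example (not from the original post). Interfaces, subnets and the
# VPN client pool below are assumed values for illustration.
lan_if   = "igb1"
wifi_if  = "igb2"
mgmt_if  = "igb4"          # OPT4, carrying only IPMI/BMC ports
vpn_if   = "tun0"          # OpenVPN server interface (assumed name)

lan_net  = "192.168.1.0/24"  # assumed LAN
mgmt_net = "10.99.0.0/24"    # assumed IPMI network on OPT4
vpn_net  = "10.8.0.0/24"     # assumed OpenVPN client pool
ntp_srv  = "10.99.0.1"       # assumed NTP server reachable from BMCs

# Only the management services actually needed: HTTPS web UI and RMCP+ for
# ipmitool (UDP 623). Vendor KVM/virtual-media ports would be added here.
mgmt_ports = "{ 443, 623 }"

# Default deny in both directions, logged, so any BMC that tries to talk to
# something it shouldn't (phone-home, update check) shows up in the logs.
block log all

# Optional: BMCs may reach one local NTP server so log timestamps are sane.
# Must come before the block below because of "quick".
pass in quick on $mgmt_if inet proto udp from $mgmt_net to $ntp_srv port ntp keep state

# The management network may not initiate anything else: no Internet, no
# LAN, no reaching the firewall's own services.
block drop in quick on $mgmt_if from $mgmt_net to any

# Authenticated VPN clients (and only they) may reach IPMI on the listed
# ports. Traffic enters on the VPN interface and leaves on OPT4, so it is
# passed on both, which keeps the policy correct regardless of state-policy.
pass in  quick on $vpn_if  inet proto { tcp, udp } \
    from $vpn_net to $mgmt_net port $mgmt_ports keep state
pass out quick on $mgmt_if inet proto { tcp, udp } \
    from $vpn_net to $mgmt_net port $mgmt_ports keep state

# LAN and WiFi are not granted any path to $mgmt_net: the default deny above
# already refuses them, so a compromised workstation cannot browse straight
# to a BMC login page. Normal LAN/WiFi egress rules would follow here.
```

The same intent applies whether OPT4 is a physical port or an 802.1Q VLAN on a shared trunk; the difference is only which interface name the rules bind to, and with a VLAN the switch configuration becomes part of the trust boundary as well.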