[secops] Initial problem statement

[Bart Kus]

Hello,

I'd like to kick off discussion about HamWAN security with a relatively 
high level problem statement.

We need to limit access to our control infrastructure (routers, 
switches, modems, hypervisors, iLOs, etc) while still allowing easy 
reliable access for amateur administrators to control that 
infrastructure.  We also need to support the case of a person on a tower 
with a cell phone being able to easily login it to a modem to get 
real-time signal readings for dish alignment.

The current network is mostly a single flat OSPF routing domain.  We 
have a couple peering points, and some IPsec tunnels.  Our routers are 
mostly RouterOS flavor, which supports a pretty wide set of 
capabilities.  We may want to look at switching the edge routers to VyOS 
though.

What general high level design would be useful in keeping access easy, 
while moving the control points out of public reach?

--Bart