[secops] Initial problem statement

Bart Kus me at bartk.us
Mon Feb 20 09:52:28 PST 2023 

For lack of any other guidance, this sounds good to me.  I'm definitely 
not a security professional though, so it could be awful.  No idea how 
it'll work with phones in the field yet.

I think we should tag both the public + mgmt networks, since an untagged 
network can always have tags inserted by users and gain access to the 
mgmt VLAN?

I propose we use 10.44.0.0/16 for the mgmt space, with a VLAN number of 
1044.  Each site can take a /24 from that /16.

For sectors that carry public untagged, that must also for some reason 
carry mgmt, maybe they can macsec?  I dunno if we can do that on RouterOS.

Also no idea how the VRF and any route leaking are gonna work. They've 
been problematic on VyOS, and always tricky on RouterOS, but maybe 
that's just me holding them wrong.

This may also be a good time to flip the cell sites to mostly bridge 
modems?  Our R1 CPUs aren't very strong though, so that may be a blocker.

I'm about to install a switch at SnoDEM that should definitely not be on 
the Internet, so I guess the mgmt VLAN will start there.

--Bart

On 2/15/2023 11:33 PM, Doug Kingston wrote:
> I am guessing that we will want some form of overlay admin network 
> potentially using VLANS and VPN access of some form?
> I have been working recently to get OpenVPN up and running with 
> various client platforms to Mikrotik routers with some success.
>
> -Doug-
>
> On Sun, Feb 12, 2023 at 4:03 PM Bart Kus <me at bartk.us> wrote:
>
>     Hello,
>
>     I'd like to kick off discussion about HamWAN security with a
>     relatively
>     high level problem statement.
>
>     We need to limit access to our control infrastructure (routers,
>     switches, modems, hypervisors, iLOs, etc) while still allowing easy
>     reliable access for amateur administrators to control that
>     infrastructure.  We also need to support the case of a person on a
>     tower
>     with a cell phone being able to easily login it to a modem to get
>     real-time signal readings for dish alignment.
>
>     The current network is mostly a single flat OSPF routing domain.  We
>     have a couple peering points, and some IPsec tunnels.  Our routers
>     are
>     mostly RouterOS flavor, which supports a pretty wide set of
>     capabilities.  We may want to look at switching the edge routers
>     to VyOS
>     though.
>
>     What general high level design would be useful in keeping access
>     easy,
>     while moving the control points out of public reach?
>
>     --Bart
>
>     _______________________________________________
>     SecOps mailing list
>     SecOps at hamwan.org
>     http://mail01.fmt.hamwan.net/mailman/listinfo/secops
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail01.fmt.hamwan.net/pipermail/secops/attachments/20230220/2079bfa7/attachment.html>

More information about the SecOps mailing list