[secops] Initial problem statement

Doug Kingston dpk at randomnotes.org
Mon Feb 20 11:33:25 PST 2023 

There claims to be an OpenVPN client for Android available from the
Play Store.
https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en_US&gl=US

I have not tried this but can check it out to confirm viability and process.

There also appears to be iOS support.

-Doug-

On Mon, Feb 20, 2023 at 9:52 AM Bart Kus <me at bartk.us> wrote:

> For lack of any other guidance, this sounds good to me.  I'm definitely
> not a security professional though, so it could be awful.  No idea how
> it'll work with phones in the field yet.
>
> I think we should tag both the public + mgmt networks, since an untagged
> network can always have tags inserted by users and gain access to the mgmt
> VLAN?
>
> I propose we use 10.44.0.0/16 for the mgmt space, with a VLAN number of
> 1044.  Each site can take a /24 from that /16.
>
> For sectors that carry public untagged, that must also for some reason
> carry mgmt, maybe they can macsec?  I dunno if we can do that on RouterOS.
>
> Also no idea how the VRF and any route leaking are gonna work.  They've
> been problematic on VyOS, and always tricky on RouterOS, but maybe that's
> just me holding them wrong.
>
> This may also be a good time to flip the cell sites to mostly bridge
> modems?  Our R1 CPUs aren't very strong though, so that may be a blocker.
>
> I'm about to install a switch at SnoDEM that should definitely not be on
> the Internet, so I guess the mgmt VLAN will start there.
>
> --Bart
>
> On 2/15/2023 11:33 PM, Doug Kingston wrote:
>
> I am guessing that we will want some form of overlay admin network
> potentially using VLANS and VPN access of some form?
> I have been working recently to get OpenVPN up and running with various
> client platforms to Mikrotik routers with some success.
>
> -Doug-
>
> On Sun, Feb 12, 2023 at 4:03 PM Bart Kus <me at bartk.us> wrote:
>
>> Hello,
>>
>> I'd like to kick off discussion about HamWAN security with a relatively
>> high level problem statement.
>>
>> We need to limit access to our control infrastructure (routers,
>> switches, modems, hypervisors, iLOs, etc) while still allowing easy
>> reliable access for amateur administrators to control that
>> infrastructure.  We also need to support the case of a person on a tower
>> with a cell phone being able to easily login it to a modem to get
>> real-time signal readings for dish alignment.
>>
>> The current network is mostly a single flat OSPF routing domain.  We
>> have a couple peering points, and some IPsec tunnels.  Our routers are
>> mostly RouterOS flavor, which supports a pretty wide set of
>> capabilities.  We may want to look at switching the edge routers to VyOS
>> though.
>>
>> What general high level design would be useful in keeping access easy,
>> while moving the control points out of public reach?
>>
>> --Bart
>>
>> _______________________________________________
>> SecOps mailing list
>> SecOps at hamwan.org
>> http://mail01.fmt.hamwan.net/mailman/listinfo/secops
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail01.fmt.hamwan.net/pipermail/secops/attachments/20230220/d54891c6/attachment.html>

More information about the SecOps mailing list