[secops] Initial problem statement

Bart Kus me at bartk.us
Mon Feb 20 12:02:47 PST 2023


Wireguard is also a recent popular option.  Someone also suggested 
ZeroTier.  SO many choices.

--Bart

On 2/20/2023 11:33 AM, Doug Kingston wrote:
> There claims to be an OpenVPN client for Android available from the 
> Play Store.
> https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en_US&gl=US 
>
> I have not tried this but can check it out to confirm viability and 
> process.
>
> There also appears to be iOS support.
>
> -Doug-
>
> On Mon, Feb 20, 2023 at 9:52 AM Bart Kus <me at bartk.us> wrote:
>
>     For lack of any other guidance, this sounds good to me. I'm
>     definitely not a security professional though, so it could be
>     awful.  No idea how it'll work with phones in the field yet.
>
>     I think we should tag both the public + mgmt networks, since an
>     untagged network can always have tags inserted by users and gain
>     access to the mgmt VLAN?
>
>     I propose we use 10.44.0.0/16 for the mgmt
>     space, with a VLAN number of 1044.  Each site can take a /24 from
>     that /16.
>
>     For sectors that carry public untagged, that must also for some
>     reason carry mgmt, maybe they can macsec?  I dunno if we can do
>     that on RouterOS.
>
>     Also no idea how the VRF and any route leaking are gonna work. 
>     They've been problematic on VyOS, and always tricky on RouterOS,
>     but maybe that's just me holding them wrong.
>
>     This may also be a good time to flip the cell sites to mostly
>     bridge modems?  Our R1 CPUs aren't very strong though, so that may
>     be a blocker.
>
>     I'm about to install a switch at SnoDEM that should definitely not
>     be on the Internet, so I guess the mgmt VLAN will start there.
>
>     --Bart
>
>     On 2/15/2023 11:33 PM, Doug Kingston wrote:
>>     I am guessing that we will want some form of overlay admin
>>     network potentially using VLANS and VPN access of some form?
>>     I have been working recently to get OpenVPN up and running with
>>     various client platforms to Mikrotik routers with some success.
>>
>>     -Doug-
>>
>>     On Sun, Feb 12, 2023 at 4:03 PM Bart Kus <me at bartk.us> wrote:
>>
>>         Hello,
>>
>>         I'd like to kick off discussion about HamWAN security with a
>>         relatively high level problem statement.
>>
>>         We need to limit access to our control infrastructure (routers,
>>         switches, modems, hypervisors, iLOs, etc) while still allowing
>>         easy, reliable access for amateur administrators to control that
>>         infrastructure.  We also need to support the case of a person on
>>         a tower with a cell phone being able to easily log in to a modem
>>         to get real-time signal readings for dish alignment.
>>
>>         The current network is mostly a single flat OSPF routing domain.
>>         We have a couple peering points, and some IPsec tunnels.  Our
>>         routers are mostly RouterOS flavor, which supports a pretty wide
>>         set of capabilities.  We may want to look at switching the edge
>>         routers to VyOS though.
>>
>>         What general high level design would be useful in keeping access
>>         easy, while moving the control points out of public reach?
>>
>>         --Bart
>>
>>         _______________________________________________
>>         SecOps mailing list
>>         SecOps at hamwan.org
>>         http://mail01.fmt.hamwan.net/mailman/listinfo/secops
>>
>
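Added example (not part of this thread, and not HamWAN's actual configuration): one way to express the proposal above on a RouterOS device with bridge VLAN filtering. Both the public VLAN and the 1044 mgmt VLAN are carried tagged on the backhaul trunk, a customer-facing access port accepts only untagged frames so a user cannot inject a 1044 tag to reach the mgmt VLAN, and the router's own management services answer only to addresses in 10.44.0.0/16 arriving on the mgmt interface. The port names (ether1 trunk, ether2 access), the public VLAN ID 100 and the site's 10.44.1.0/24 allocation are assumptions made for the example.

```routeros
# Added example, not the thread's or HamWAN's configuration.
# Assumptions: ether1 = backhaul trunk, ether2 = customer access port,
# public VLAN = 100 (hypothetical), this site's mgmt /24 = 10.44.1.0/24.

/interface bridge
add name=bridge1 vlan-filtering=no comment="filtering is switched on last"

/interface bridge port
# Trunk: accept only tagged frames; VIDs not in the bridge VLAN table are dropped.
add bridge=bridge1 interface=ether1 frame-types=only-vlan-tagged ingress-filtering=yes
# Access port: untagged frames land in public VLAN 100. A frame a user tags
# with 1044 is dropped at ingress instead of reaching the mgmt VLAN.
add bridge=bridge1 interface=ether2 pvid=100 frame-types=only-untagged-or-priority-tagged ingress-filtering=yes

/interface bridge vlan
# Public VLAN: tagged on the trunk, untagged on the access port.
add bridge=bridge1 vlan-ids=100 tagged=ether1 untagged=ether2
# Mgmt VLAN: tagged on the trunk and on the bridge CPU port only; never on ether2.
add bridge=bridge1 vlan-ids=1044 tagged=bridge1,ether1

# The router's own mgmt address, taken from this site's /24.
/interface vlan
add name=vlan1044-mgmt interface=bridge1 vlan-id=1044
/ip address
add address=10.44.1.1/24 interface=vlan1044-mgmt comment="site mgmt"

# Management services reachable only from mgmt space, on the mgmt interface.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=vlan1044-mgmt src-address=10.44.0.0/16 action=accept comment="mgmt VLAN"
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291,8728,8729 action=drop comment="no mgmt from elsewhere"

# Belt and braces: bind the services themselves to the mgmt range and
# disable the ones nobody should be using.
/ip service
set ssh address=10.44.0.0/16
set winbox address=10.44.0.0/16
set www-ssl address=10.44.0.0/16
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# Only now turn on filtering, once the mgmt path exists.
/interface bridge
set bridge1 vlan-filtering=yes
```

Enabling vlan-filtering is deliberately the last step: on a remote site, turning it on before the 1044 path and the mgmt address exist locks you out of the device. Applying the change from a terminal in Safe Mode (Ctrl-X) lets RouterOS roll it back if the session drops. The firewall rules only cover the router itself; switches, modems and iLOs on the mgmt VLAN still need their own address restrictions or a firewall at the VLAN's routed edge.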