On 16.08.2013 12:46, Jay Ashworth wrote:
----- Original Message -----
From: "Brandon Martin" <lists.na...@monmotha.net>
As to why people wouldn't put them behind dedicated firewalls,
imagine
something like a single-server colo scenario. Most such providers
don't
offer any form of lights-out management aside from maybe remote
reboot
(power-cycle) nor do they offer any form of protected/secondary
network
to their customers. So, if you want to save yourself from a trip,
you
chuck the thing raw on a public IP and hope you configured it right.
Well, *I* would firewall eth1 from eth0 and cross-over eth1 to the
ILO jack;
let the box be the firewall. Sure, it's still as breakable as the
box
proper, but security-by-obscurity isn't *bad*, it's just *not good
enough*.
That's great until you muck up your firewall config or the kernel hangs
etc. and you're up for a trip to the data centre.
