
dormando | 4 years ago

It's not really realistic, you're right. For my own goals it's "defense in depth" - just because I can't think of a scenario now doesn't mean it's impossible to do. Access also makes it easier to accidentally configure it in a way that is in fact easy to blow up.

From a practical standpoint, I just don't want any not-me traffic hitting the management interface for any reason (intentional or not), as I assume they're poorly written and can easily be crashed or even bricked. I've locked myself out of very expensive enterprise switches in past lives by ssh'ing to them too many times.

So if, i.e., someone can poke my management VLAN by sending an ICMP packet with a spoofed return address and my RPI doesn't filter that right because I did something wrong... I'm happier if that can't tickle the management interface at all.
