[144083] in North American Network Operators' Group
Access and Session Control System?
daemon@ATHENA.MIT.EDU (Jones, Barry)
Thu Sep 1 16:31:31 2011
From: "Jones, Barry" <BEJones@semprautilities.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Thu, 1 Sep 2011 13:30:41 -0700
In-Reply-To: <CAB+pCuF6BNsKXbiAEXPqMXucqTJ0hfTLbDrqWBLkoY3z8+FH0g@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Hello all.

I am looking at a variety of systems/methods to provide (vendor, employee) access into my DMZs. I want to reduce the FW rule sets and connections to as minimal as possible. And I want the accessing party to only get to the destination I define (like a FW rule).

When I refer to access, I'm referring to the ability of a vendor or employee to perform maintenance tasks on a server(s). The server(s) will be running apps for doing different tasks - such as Shavlik, etc. (patching, reports, logging, etc.), so I am envisioning allowing an outside vendor/employee (from the internet or corp. net) to RDP or SSH to a given Windows or Unix-based machine, then perform their application work from that jumping-off point - kind of like a terminal server; but I'd like to control and audit the sessions as well.

Overall, I can allow a host/port through the FW to a single host, but I wanted to be able to do the session management and endpoint controls. FWs are ok, but you know as well as I that I now deal with lots of rule sets. And I need to also authenticate the user.

We are a couple of smaller facilities (150 hosts each) and I need to be able to control and audit the sessions when requested. I have considered doing a MeetingPlace server, then providing escorted access for them, or doing just the FW and a "jump" host - but need the endpoint and session solution, or just using VPN - but don't want to install a host on the vendor machines. I also have looked at a product called EDMZ - wondered if anyone had experience with it?

And did I say I wanted to keep it as simple as possible? :-) It's been a few years since I've done hands-on networking work, so excuse the long-winded letter. Feel free to email me directly too.

Sincerely
Barry Jones
CISSP, GSNA
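One way to build the "FW plus jump host" variant sketched in the post, added here as an example and not code from the original message or from any product it mentions: an OpenSSH ForceCommand wrapper that records each vendor session with script(1), together with the sshd_config Match block that limits the vendor's port forwarding to the single destination the admin defines. The group name (vendors), the destination hostname and ports, the log directory and the install path are assumptions; it also assumes a Linux jump host with util-linux script(1) and logger(1).

```shell
#!/bin/sh
# vendor-session: ForceCommand wrapper for a vendor jump host (added
# example, not from the original post). Assumed sshd_config drop-in that
# pairs with it; group name, destination host/ports and path are
# placeholders:
#
#   Match Group vendors
#       ForceCommand /usr/local/sbin/vendor-session
#       AllowTcpForwarding yes
#       PermitOpen appsrv01.dmz.example:3389 appsrv01.dmz.example:22
#       AllowAgentForwarding no
#       X11Forwarding no
#       PermitTunnel no
#       LogLevel VERBOSE
#
# PermitOpen is the "only the destination I define" piece: the vendor can
# run "ssh -L 3389:appsrv01.dmz.example:3389 jump" and RDP through the
# tunnel, but a forward to any other host:port is refused by sshd and
# shows up in the auth log.

LOGDIR="${VENDOR_SESSION_LOGDIR:-/var/log/vendor-sessions}"

# Per-session log name from user, SSH_CONNECTION and a timestamp.
# $1 = user, $2 = SSH_CONNECTION ("client_ip client_port server_ip server_port"),
# $3 = epoch seconds. Characters outside a safe set are replaced so an odd
# username cannot turn into path components.
session_log_name() {
    _user=$(printf '%s' "$1" | tr -c 'A-Za-z0-9_.-' '_')
    _peer=$(printf '%s' "${2%% *}" | tr -c '0-9A-Fa-f:.' '_')
    printf '%s/%s_%s_%s.log' "$LOGDIR" "${_user:-unknown}" "${_peer:-nopeer}" "$3"
}

# Under ForceCommand, whatever the client asked for is in
# SSH_ORIGINAL_COMMAND; empty means an interactive shell. Anything else is
# refused so a vendor cannot run commands non-interactively and bypass the
# recording (a forwarding-only "ssh -N" never reaches this wrapper).
allow_request() {
    [ -z "$1" ]
}

main() {
    if ! allow_request "${SSH_ORIGINAL_COMMAND:-}"; then
        printf 'vendor-session: only interactive logins are permitted here\n' >&2
        logger -p auth.warning -t vendor-session \
            "refused command user=$(id -un) from=${SSH_CONNECTION%% *} cmd=${SSH_ORIGINAL_COMMAND}"
        exit 1
    fi
    umask 077
    mkdir -p "$LOGDIR"
    log=$(session_log_name "$(id -un)" "${SSH_CONNECTION:-}" "$(date +%s)")
    logger -p auth.info -t vendor-session \
        "session start user=$(id -un) from=${SSH_CONNECTION%% *} log=$log"
    # util-linux script(1): -q quiet, -f flush after every write so the
    # recording can be followed while the session is live.
    exec script -q -f "$log"
}

# Start a session only when invoked under the installed name; sourcing the
# file (for tests) just defines the functions.
case "$0" in */vendor-session) main ;; esac
```

Install it as root, mode 0755, at the path named in ForceCommand, create the log directory, and run `sshd -t` before reloading. Two caveats a practitioner would want: the typescript is written by the vendor's own account, so it is an audit trail, not a tamper-proof one (ship it off-box with syslog or a periodic copy), and script(1) only captures the terminal; an RDP session carried inside the tunnel is not recorded, only the sshd VERBOSE log line for the forward.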