[144084] in North American Network Operators' Group
Re: Access and Session Control System?
daemon@ATHENA.MIT.EDU (Rafael Rodriguez)
Thu Sep 1 17:46:58 2011
In-Reply-To: <E36EB8E60B5EB244AAFCFEF0AF0A116D02FC90C57B@MS-EX7MB-P03.corp.se.sempra.com>
From: Rafael Rodriguez <packetjockey@gmail.com>
Date: Thu, 1 Sep 2011 17:45:55 -0400
To: "Jones, Barry" <BEJones@semprautilities.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I recommend you look into the Juniper SSL VPN products (SA Series). Very powerful boxes, intuitive admin interface (web driven) and are perfect for the "Vendor Access" type of applications.
Sent from my iPhone
On Sep 1, 2011, at 16:30, "Jones, Barry" <BEJones@semprautilities.com> wrote:
>
> Hello all.
> I am looking at a variety of systems/methods to provide (vendor, employee) access into my dmz's. I want to reduce the FW rule sets and connections to as minimal as possible. And I want the accessing party to only get to the destination I define (like a fw rule).
>
> When I refer to access, I'm referring to the ability of a vendor or employee to perform maintenance tasks on a server(s). The server(s) will be running apps for doing different tasks - such as Shavlik, etc., (patching, reports, logging, etc.), so I am envisioning allowing an outside vendor/employee (from the internet or corp. net) to RDP or SSH to a given Windows or Unix based machine, then perform their application work from that jumping off point - kind of like a terminal server; but I'd like to control and audit the sessions as well.
>
> Overall, I can allow a host/port through the FW to a single host, but I wanted to be able to do the session management and endpoint controls. FW's are ok, but you know as well as I that I now deal with lots of rule sets. And I need to also authenticate the user.
>
> We are a couple smaller facilities (150 hosts each) and I need to be able to control and audit the sessions when requested. I have considered doing a meetingplace server, then providing escorted access for them, or doing just the FW and a "jump" host - but need the endpoint and session solution, or just using VPN - but don't want to install a host on the vendor machines. I also have looked at a product called EDMZ - wondered if anyone had experience with it?
>
> And did I say I wanted to keep it as simple as possible? :-) It's been a few years since I've done hands-on networking work, so excuse the long-winded letter. Feel free to email me directly too.
>
> Sincerely
> Barry Jones
> CISSP, GSNA
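For the "FW and a jump host" option Barry mentions, the two things he asks for (the accessing party only reaches the destination I define, and sessions are auditable) can be expressed directly in OpenSSH server policy. The following sshd_config fragment is an added example for this thread, not configuration from any poster or from the Juniper or EDMZ products named above. The group names `vendors` and `employees`, the DMZ target `10.0.5.20`, and the recording directory `/var/log/jump-sessions` are constructed placeholders; `AllowTcpForwarding local` needs an OpenSSH newer than this 2011 thread (older servers take only yes/no), and `script -f` assumes the util-linux version of `script`.

```sshd_config
# /etc/ssh/sshd_config on the DMZ jump host.
# Added example; group names, the 10.0.5.20 target and the log path are placeholders.

# Global settings. These must come before any Match block, because a Match
# block extends to the next Match keyword or the end of the file.
PermitRootLogin no
PasswordAuthentication no      # keys only; tie keyboard-interactive to PAM/RADIUS if the directory must be consulted
LogLevel VERBOSE               # records the key fingerprint used for every login in the auth log
ClientAliveInterval 300        # drop idle or abandoned sessions after 2 x 300 s
ClientAliveCountMax 2
X11Forwarding no
AllowAgentForwarding no
PermitTunnel no
GatewayPorts no

# Vendor accounts: no shell on the jump host, and the only thing the SSH
# connection may carry is a local forward to the one destination we define.
# The firewall then needs a single rule: jump host -> 10.0.5.20.
Match Group vendors
    AllowTcpForwarding local                 # -L only; no remote (-R) listeners on the jump host
    PermitOpen 10.0.5.20:3389 10.0.5.20:22   # RDP or SSH to that host and nothing else; other requests are refused and logged
    PermitTTY no
    ForceCommand /bin/false                  # any request for a shell or command exits immediately

# Employee accounts: an interactive session on the jump host itself, with the
# whole terminal session recorded. sshd hands ForceCommand to the login shell
# with -c, so $USER and $(date) are expanded at login time.
Match Group employees
    AllowTcpForwarding no
    PermitTTY yes
    ForceCommand /usr/bin/script -q -f /var/log/jump-sessions/$USER.$(date +%s).typescript
```

A vendor then connects with `ssh -N -L 3389:10.0.5.20:3389 vendor@jump` and points their RDP client at `localhost:3389`; because of `-N` no shell is ever requested, and any attempt to forward to a different host is denied by `PermitOpen` and shows up in the jump host's auth log. For the employee block, the recording directory has to be writable by the recorded users, and since each user owns their own typescript file the recordings should be shipped off the box (rsync, syslog file forwarding) promptly rather than relied on in place. Validate the file with `sshd -t` before restarting the daemon, and test the `Match` blocks with `sshd -T -C user=somevendor` to print the effective settings for a given account.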