[144406] in North American Network Operators' Group


Re: Access and Session Control System?

daemon@ATHENA.MIT.EDU (Eugeniu Patrascu)
Sun Sep 11 07:17:19 2011

In-Reply-To: <20110902082144.06a49f7a@bart>
Date: Sun, 11 Sep 2011 14:16:22 +0300
From: Eugeniu Patrascu <eugen@imacandi.net>
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

If you also want to control where they go from the jump box, you might
want to look at http://www.xceedium.com/en/index.php as they claim to
add rules to what a remotely logged in user can do.

Juniper SA is very nice and gets intuitive after you familiarize
yourself with its workflow, which is a pain if you're new to the box.

On Fri, Sep 2, 2011 at 15:21, John Peach <john-nanog@johnpeach.com> wrote:
> On Thu, 1 Sep 2011 17:45:55 -0400
> Rafael Rodriguez <packetjockey@gmail.com> wrote:
>
>> I recommend you look into the Juniper SSL VPN products (SA Series). Very
>> powerful boxes, intuitive admin interface (web driven) and are perfect for
>> the "Vendor Access" type of applications.
>
> They work fine (mostly), but your definition of intuitive obviously does
> not coincide with mine.
>
>> Sent from my iPhone
>>
>> On Sep 1, 2011, at 16:30, "Jones, Barry" <BEJones@semprautilities.com> wrote:
>>
>> > Hello all.
>> > I am looking at a variety of systems/methods to provide (vendor, employee)
>> > access into my DMZs. I want to reduce the FW rule sets and connections
>> > to as minimal as possible. And I want the accessing party to only get to
>> > the destination I define (like a FW rule).
>> >
>> > When I refer to access, I'm referring to the ability of a vendor or
>> > employee to perform maintenance tasks on a server(s). The server(s) will
>> > be running apps for doing different tasks - such as Shavlik, etc.
>> > (patching, reports, logging, etc.), so I am envisioning allowing an
>> > outside vendor/employee (from the internet or corp. net) to RDP or SSH
>> > to given Windows or Unix based machines, then perform their application
>> > work from that jumping-off point - kind of like a terminal server; but
>> > I'd like to control and audit the sessions as well.
>> >
>> > Overall, I can allow a host/port through the FW to a single host, but I
>> > wanted to be able to do the session management and endpoint controls.
>> > FWs are OK, but you know as well as I that I now deal with lots of rule
>> > sets. And I need to also authenticate the user.
>> >
>> > We are a couple of smaller facilities (150 hosts each) and I need to be
>> > able to control and audit the sessions when requested. I have considered
>> > doing a MeetingPlace server, then providing escorted access for them, or
>> > doing just the FW and a "jump" host - but need the endpoint and session
>> > solution, or just using VPN - but don't want to install a host on the
>> > vendor machines. I also have looked at a product called EDMZ - wondered
>> > if anyone had experience with it?
>> >
>> > And did I say I wanted to keep it as simple as possible? :-) It's been
>> > a few years since I've done hands-on networking work, so excuse the
>> > long-winded letter. Feel free to email me directly too.
>> >
>> > Sincerely
>> > Barry Jones
>> > CISSP, GSNA
>
> --
> john
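The restriction the thread is after (vendor lands on a jump host and can only reach the one destination the admin defines, with the session logged) can be expressed on an OpenSSH jump host without a commercial appliance. The fragment below is an added example, not configuration from anyone in the thread; it assumes OpenSSH as the jump host, a local group named `vendors`, and a constructed target address `10.10.20.15` (RDP on 3389, SSH on 22).

```sshd_config
# /etc/ssh/sshd_config on the jump host (added example; names and addresses are assumptions)

# VERBOSE records the key fingerprint used at login and each forwarded
# connection ("direct-tcpip" requests), which is the audit trail Barry asked for.
LogLevel VERBOSE

# Settings that apply only to members of the "vendors" group (assumed name).
Match Group vendors
    # Vendor accounts authenticate with a registered public key only.
    PasswordAuthentication no
    AuthenticationMethods publickey

    # The jump host is a relay, not a workstation: no shell, no terminal,
    # no X11, no agent, no layer-3 tunnel.
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no

    # Allow only client-side (-L / ProxyJump) forwarding, and only to the
    # destination the admin defines; this is the "like a FW rule" part.
    # 10.10.20.15 is a constructed example address.
    AllowTcpForwarding local
    GatewayPorts no
    PermitOpen 10.10.20.15:3389 10.10.20.15:22

    # Drop idle sessions after 3 x 5 minutes without a client response.
    ClientAliveInterval 300
    ClientAliveCountMax 3
```

A vendor then connects with `ssh -N -L 3389:10.10.20.15:3389 vendor@jump` (or `ssh -J jump@... target` for SSH) and any attempt to forward elsewhere is refused by `PermitOpen` and written to the sshd log; check the file with `sshd -t` after editing.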

