How to Protect Campus Sensitive Servers

[schilling <schilling2006 () GMAIL COM>]

Hi All,

Our university are trying to protect some sensitive servers like
database, financial, admission etc. The rising request of these server
access is from people who use laptops. In order to give people the
access, we create a VPN group for this special interest group and give
access to only certain people who need the access, then put the VPN
address pool range in the iptables/ipf of corresponding servers.  Now
people is complaining that too many VPN groups and it's hard to
remember which one to use, meanwhile, each small server group is
trying to ask for a VPN group. It looks like we might have one VPN
group for each server.

We propose a one central Information Technology Services(ITS) VPN
profile which could have access to all the resources, all employee in
ITS will have access to this VPN group.  Then In all the servers, host
based user/group authentication/authorization will decide whether a
user can login or what to do.

We thought about the per user/group ACL from VPN servers, but not sure
about the management nightmare to maintain the per user/group ACL.

I would like to know what alternatives we have for this kind of situation.

Thanks.

Shiling Ding
850-645-6810
Information Technology Services
Florida State University