Educause Security Discussion mailing list archives
Re: How to Protect Campus Sensitive Servers
From: Sam Stelfox <SStelfox () VTC VSC EDU>
Date: Thu, 4 Feb 2010 09:36:00 -0500
That sounds like a pretty big headache... How are your users connecting to the sensitive servers? I think in this case, the small sacrifice in security is justified by the severely reduced workload from both clients and administrators.

It would also be a good time to review the hardening on all of your sensitive servers. Pretend like you have to connect them directly to an unfiltered internet connection and harden them accordingly. Seems like overkill, but in the event one of your users' workstations becomes compromised, this is more or less what your servers will be facing with or without a VPN.

On 02/04/2010 09:00 AM, schilling wrote:
Hi All,

Our university is trying to protect some sensitive servers like database, financial, admission etc. The rising request for access to these servers is from people who use laptops. In order to give people the access, we create a VPN group for this special interest group and give access to only certain people who need the access, then put the VPN address pool range in the iptables/ipf of the corresponding servers.

Now people are complaining that there are too many VPN groups and it's hard to remember which one to use; meanwhile, each small server group is trying to ask for a VPN group. It looks like we might have one VPN group for each server.

We propose one central Information Technology Services (ITS) VPN profile which could have access to all the resources; all employees in ITS will have access to this VPN group. Then in all the servers, host-based user/group authentication/authorization will decide whether a user can log in or what to do.

We thought about the per user/group ACL from VPN servers, but are not sure about the management nightmare of maintaining the per user/group ACL.

I would like to know what alternatives we have for this kind of situation.

Thanks.

Shiling Ding
850-645-6810
Information Technology Services
Florida State University
--
Sam Stelfox
Network Administrator
Vermont Technical College