nanog mailing list archives
Re: Access and Session Control System?
From: Rafael Rodriguez <packetjockey () gmail com>
Date: Thu, 1 Sep 2011 17:45:55 -0400
I recommend you look into the Juniper SSL VPN products (SA Series). Very powerful boxes, intuitive admin interface (web driven), and perfect for the "vendor access" type of application.

Sent from my iPhone

On Sep 1, 2011, at 16:30, "Jones, Barry" <BEJones () semprautilities com> wrote:
Hello all. I am looking at a variety of systems/methods to provide (vendor, employee) access into my DMZs. I want to reduce the FW rule sets and connections to a minimum, and I want the accessing party to only get to the destination I define (like a FW rule).

When I refer to access, I'm referring to the ability of a vendor or employee to perform maintenance tasks on a server(s). The server(s) will be running apps for doing different tasks, such as Shavlik, etc. (patching, reports, logging, etc.), so I am envisioning allowing an outside vendor/employee (from the internet or corp. net) to RDP or SSH to given Windows or Unix-based machines, then perform their application work from that jumping-off point, kind of like a terminal server; but I'd like to control and audit the sessions as well.

Overall, I can allow a host/port through the FW to a single host, but I wanted to be able to do the session management and endpoint controls. FWs are ok, but you know as well as I that I now deal with lots of rule sets. And I need to also authenticate the user. We are a couple of smaller facilities (150 hosts each) and I need to be able to control and audit the sessions when requested.

I have considered doing a MeetingPlace server, then providing escorted access for them, or doing just the FW and a "jump" host, but need the endpoint and session solution; or just using VPN, but I don't want to install a host on the vendor machines. I also have looked at a product called EDMZ; wondered if anyone had experience with it? And did I say I wanted to keep it as simple as possible? :-)

It's been a few years since I've done hands-on networking work, so excuse the long-winded letter. Feel free to email me directly too.

Sincerely
Barry Jones CISSP, GSNA
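The "FW plus a jump host" option Barry describes can be taken a good way with stock OpenSSH alone, as an added example that is not part of this thread and not Juniper or EDMZ code: each vendor key on the jump host is allowed to tunnel to exactly one destination host:port, gets no shell or TTY, and the firewall only needs one rule from the jump host to each managed server. It assumes OpenSSH 7.2 or newer on the jump host (the `restrict` authorized_keys option post-dates this 2011 thread); the host names, addresses, vendor names and key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, not vendor code): an SSH jump host where each
# vendor key may reach exactly one host:port through an SSH tunnel and nothing else,
# enforced by OpenSSH authorized_keys options plus a Match block in sshd_config.
# All host names, addresses, vendor names and key strings below are constructed.

# vendor_entry COMMENT DEST_HOST DEST_PORT PUBKEY
# Emit one authorized_keys line. 'restrict' disables pty, agent/X11 forwarding and
# ~/.ssh/rc; 'port-forwarding' re-enables TCP forwarding only; 'permitopen' pins it
# to the single destination; 'command' makes any shell request exit immediately.
vendor_entry() {
  printf 'restrict,port-forwarding,permitopen="%s:%s",command="/bin/false" %s %s\n' \
    "$2" "$3" "$4" "$1"
}

# key_allows AUTHKEYS_FILE COMMENT DEST_HOST DEST_PORT
# Audit helper: succeed only if the entry tagged COMMENT may forward to HOST:PORT.
# Mirrors sshd's permitopen check, which needs the destination listed literally.
key_allows() {
  grep -- " $2\$" "$1" | grep -q -F "permitopen=\"$3:$4\""
}

# destinations AUTHKEYS_FILE
# Print "comment host:port" for every pinned entry, for a quick access review.
destinations() {
  sed -n 's/.*permitopen="\([^"]*\)".*[[:space:]]\([^[:space:]]*\)$/\2 \1/p' "$1"
}

# sshd_config fragment for the vendor group: key auth only, forwarding only, no TTY,
# verbose logging so key fingerprints and denied forward attempts reach the auth log.
jump_sshd_config() {
  cat <<'EOF'
Match Group vendors
    PasswordAuthentication no
    AllowTcpForwarding yes
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
    LogLevel VERBOSE
EOF
}

# Demo with constructed data: two vendors, two destinations, one allowed and one denied check.
demo() {
  f=$(mktemp)
  vendor_entry acme-patching 10.0.1.5 3389 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY1' >> "$f"
  vendor_entry initech-logging 10.0.1.9 22 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY2' >> "$f"
  destinations "$f"
  if key_allows "$f" acme-patching 10.0.1.5 3389; then echo "acme-patching -> 10.0.1.5:3389 allowed"; fi
  if ! key_allows "$f" acme-patching 10.0.1.9 22; then echo "acme-patching -> 10.0.1.9:22 denied"; fi
  rm -f "$f"
}
```

The vendor runs `ssh -N -L 3389:10.0.1.5:3389 acme@jump` with a standard SSH client and points RDP at localhost:3389; no agent is installed on the vendor machine, the user is authenticated by key, and an attempt to reach any other address is refused by sshd and logged. What this does not give is recording of what happens inside the RDP or SSH session on the target, which is the part the commercial products in this thread add on top.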
Current thread:
- Access and Session Control System? Jones, Barry (Sep 01)
- Re: Access and Session Control System? Rafael Rodriguez (Sep 01)
- Re: Access and Session Control System? John Peach (Sep 05)
- Re: Access and Session Control System? Eugeniu Patrascu (Sep 11)