Educause Security Discussion mailing list archives

Re: How to Protect Campus Sensitive Servers


From: "Julian Y. Koh" <kohster () NORTHWESTERN EDU>
Date: Thu, 4 Feb 2010 08:46:04 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We use an SSL VPN product for things like system administration of servers,
sensitive data, and vendor/consultant access.  The point of course is not
that it's SSL VPN per se, but we just classify users by group and assign
specific pools of IPs to each group.  If multiple groups need access to the
same server, then we just allow both pools of IPs.  After all, assuming
there's proper logging of VPN access and server activity, we can trace back
any bad activity to a specific user rather easily.

The users then don't have to remember which group to log in as a member of,
since that's all handled automatically when they log into the SSL VPN.  The
system is smart enough to know that when a user is a member of multiple
groups, he/she gets a merged set of resources that he/she can access.  This
does raise some complications in terms of which actual IP address is used
from the client perspective, but this is only an issue in a few cases and
can usually be dealt with by opening up the conflicting resources to an
extra IP pool.


-----BEGIN PGP SIGNATURE-----
Version: 9.9.1.287

wj8DBQFLat2qDlQHnMkeAWMRApnXAKC6sjKn8O6xYHVcdyFFO1JSb5uEKwCg4ey/
saLiJ3dCBCO5GimbpdXpe24=
=lPcG
-----END PGP SIGNATURE-----

--
Julian Y. Koh                         <mailto:kohster () northwestern edu>
Manager, Network Transport                         <phone:847-467-5780>
Telecommunications and Network Services         Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
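The scheme the post describes (one address pool per VPN group, servers opened to the union of the pools that need them, and VPN plus server logs used to trace activity back to a person) can be modelled in a few lines. The following is an added example, not code from the original message or from any real deployment; the group names, pools, server names and log entries are all constructed for illustration. It also covers the point the post relies on for attribution: because a pool address is handed out to whoever connects next, tracing needs the timestamp as well as the IP.

```python
"""Group -> IP-pool access model and log-based attribution.

Added example; not part of the original message. All groups, pools,
servers and session records below are constructed for illustration.
"""
import ipaddress
from datetime import datetime

# Constructed: each VPN group is assigned its own address pool.
GROUP_POOLS = {
    "sysadmins": ipaddress.ip_network("10.10.1.0/24"),
    "hr-data":   ipaddress.ip_network("10.10.2.0/24"),
    "vendors":   ipaddress.ip_network("10.10.3.0/24"),
}

# Constructed: groups that need each server; a server needed by several
# groups is simply opened to all of their pools.
SERVER_ACCESS = {
    "db-hr.example.edu":   ["sysadmins", "hr-data"],
    "erp-app.example.edu": ["sysadmins", "vendors"],
}


def allow_rules(server):
    """Source pools permitted to reach a server, one ACL entry per pool."""
    return [str(GROUP_POOLS[g]) for g in SERVER_ACCESS[server]]


def render_acl(server):
    """Human-readable allow list for a server (generic syntax, not a specific firewall)."""
    return [f"permit {pool} -> {server}" for pool in allow_rules(server)]


def merged_resources(user_groups):
    """Servers a member of several groups may reach: the union across groups."""
    wanted = set(user_groups)
    return sorted(s for s, groups in SERVER_ACCESS.items() if wanted & set(groups))


def is_permitted(src_ip, server):
    """Would a connection from src_ip be allowed to the server by the pool-based rules?"""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in GROUP_POOLS[g] for g in SERVER_ACCESS[server])


# Constructed VPN session log: (user, group, assigned address, start, end).
# Note that 10.10.1.17 is reused by two different users on the same day.
VPN_SESSIONS = [
    ("alice", "sysadmins", "10.10.1.17", "2010-02-04T08:00:00", "2010-02-04T09:30:00"),
    ("bob",   "hr-data",   "10.10.2.5",  "2010-02-04T08:10:00", "2010-02-04T08:40:00"),
    ("carol", "sysadmins", "10.10.1.17", "2010-02-04T10:00:00", "2010-02-04T11:00:00"),
]


def attribute(src_ip, when):
    """Map a server-side event (source address + timestamp) to the VPN user
    who held that address at that moment. Returns (user, group) or None when
    no session covers the time, which is the case to investigate, not ignore."""
    t = datetime.fromisoformat(when)
    for user, group, ip, start, end in VPN_SESSIONS:
        if ip == src_ip and datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end):
            return user, group
    return None


if __name__ == "__main__":
    for server in SERVER_ACCESS:
        print("\n".join(render_acl(server)))
    print(merged_resources(["hr-data", "vendors"]))
    print(attribute("10.10.1.17", "2010-02-04T10:30:00"))
```

Because `attribute` keys on the time window as well as the address, the VPN concentrator and the servers need synchronised clocks and session logs retained for at least as long as the server logs; without both, a reused pool address points at the wrong person.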
