Educause Security Discussion mailing list archives
Re: How to Protect Campus Sensitive Servers
From: schilling <schilling2006 () GMAIL COM>
Date: Thu, 4 Feb 2010 12:09:38 -0500
We do use ASA, please email you config example related to the group mapping and routes/ACL assignment, and I might have more question for you after reading the example snippet. Thanks, Shiling On Thu, Feb 4, 2010 at 11:33 AM, Di Fabio, Andrea <adifabio () nsu edu> wrote:
Here at NSU we have one VPN group called NSU. When a user authenticates against our CISCO ASA, the RADIUS AD Group attributes is used to dynamically map the user to the appropriate VPN group. So basically, the client is configured with one group, but the ASA knows many different groups that are dynamically mapped based on radius attributes. Once dynamically mapped to a VPN group, the user gets specific routed and ACL to access that group services. If you are using CISCO, I can shoot you our specific config if that helps. Andrea Di Fabio Information Security Officer High Performance Computing Technology Coordinator Norfolk State University Office of Information Technology Marie V. McDemmond Center for Applied Research, Rm 401F 555 Park Avenue, Suite 401 Norfolk, Virginia 23504 757-823-2896 Office 757-823-2128 Fax -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of schilling Sent: Thursday, February 04, 2010 9:01 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] How to Protect Campus Sensitive Servers Hi All, Our university are trying to protect some sensitive servers like database, financial, admission etc. The rising request of these server access is from people who use laptops. In order to give people the access, we create a VPN group for this special interest group and give access to only certain people who need the access, then put the VPN address pool range in the iptables/ipf of corresponding servers. Now people is complaining that too many VPN groups and it's hard to remember which one to use, meanwhile, each small server group is trying to ask for a VPN group. It looks like we might have one VPN group for each server. We propose a one central Information Technology Services(ITS) VPN profile which could have access to all the resources, all employee in ITS will have access to this VPN group. Then In all the servers, host based user/group authentication/authorization will decide whether a user can login or what to do. We thought about the per user/group ACL from VPN servers, but not sure about the management nightmare to maintain the per user/group ACL. I would like to know what alternatives we have for this kind of situation. Thanks. Shiling Ding 850-645-6810 Information Technology Services Florida State University
Current thread:
- How to Protect Campus Sensitive Servers schilling (Feb 04)
- <Possible follow-ups>
- Re: How to Protect Campus Sensitive Servers Pete Hickey (Feb 04)
- Re: How to Protect Campus Sensitive Servers Sam Stelfox (Feb 04)
- Re: How to Protect Campus Sensitive Servers Sarazen, Daniel (Feb 04)
- Re: How to Protect Campus Sensitive Servers Julian Y. Koh (Feb 04)
- Re: How to Protect Campus Sensitive Servers Valdis Kletnieks (Feb 04)
- Re: How to Protect Campus Sensitive Servers Di Fabio, Andrea (Feb 04)
- Re: How to Protect Campus Sensitive Servers schilling (Feb 04)
- Re: How to Protect Campus Sensitive Servers schilling (Feb 04)
- Re: How to Protect Campus Sensitive Servers Julian Y. Koh (Feb 04)
- Re: How to Protect Campus Sensitive Servers Richard Hopkins (Feb 05)
- Re: How to Protect Campus Sensitive Servers Christian Hroux (Feb 08)