Re: How to Protect Campus Sensitive Servers

[schilling <schilling2006 () GMAIL COM>]

We do use ASA, please email you config example related to the group
mapping and routes/ACL assignment, and I might have more question for
you after reading the example snippet.

Thanks,

Shiling

On Thu, Feb 4, 2010 at 11:33 AM, Di Fabio, Andrea <adifabio () nsu edu> wrote:
> Here at NSU we have one VPN group called NSU.  When a user authenticates
> against our CISCO ASA, the RADIUS AD Group attributes is used to dynamically
> map the user to the appropriate VPN group.  So basically, the client is
> configured with one group, but the ASA knows many different groups that are
> dynamically mapped based on radius attributes.  Once dynamically mapped to a
> VPN group, the user gets specific routed and ACL to access that group
> services.
>
> If you are using CISCO, I can shoot you our specific config if that helps.
>
> Andrea Di Fabio
> Information Security Officer
> High Performance Computing Technology Coordinator
> Norfolk State University
> Office of Information Technology
> Marie V. McDemmond Center for Applied Research, Rm 401F
> 555 Park Avenue, Suite 401
> Norfolk, Virginia 23504
> 757-823-2896 Office
> 757-823-2128 Fax
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of schilling
> Sent: Thursday, February 04, 2010 9:01 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] How to Protect Campus Sensitive Servers
>
> Hi All,
>
> Our university are trying to protect some sensitive servers like database,
> financial, admission etc. The rising request of these server access is from
> people who use laptops. In order to give people the access, we create a VPN
> group for this special interest group and give access to only certain people
> who need the access, then put the VPN address pool range in the iptables/ipf
> of corresponding servers.  Now people is complaining that too many VPN
> groups and it's hard to remember which one to use, meanwhile, each small
> server group is trying to ask for a VPN group. It looks like we might have
> one VPN group for each server.
>
> We propose a one central Information Technology Services(ITS) VPN profile
> which could have access to all the resources, all employee in ITS will have
> access to this VPN group.  Then In all the servers, host based user/group
> authentication/authorization will decide whether a user can login or what to
> do.
>
> We thought about the per user/group ACL from VPN servers, but not sure about
> the management nightmare to maintain the per user/group ACL.
>
> I would like to know what alternatives we have for this kind of situation.
>
> Thanks.
>
> Shiling Ding
> 850-645-6810
> Information Technology Services
> Florida State University