Educause Security Discussion mailing list archives

Re: How to Protect Campus Sensitive Servers


From: Christian Héroux <Christian.Heroux () ETSMTL CA>
Date: Mon, 8 Feb 2010 12:05:20 -0500

Hello!

We just upgraded our Cisco VPN 3000 to an ASA and we tried to simplify the design for the same reasons you mentioned.

There is a function in the ASA called DAP that we used, which can keep your base groups clean.

We have defined a few base groups (employees, research, student, contractor) and we attach a basic permit ACL to each
base group for normal applications. If other servers need to be reached over the VPN, a specific DAP (ACL) is created in the
VPN and is linked to an AD group. DAPs are cumulative, so the permit ACLs are added together. Any user that needs access to that
server will need to be in the LDAP group created. The help desk can do that.

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

The trade-off is to define how broad your base group ACL is so you don't have to add too many DAPs later. We created
specific DAPs for HR, Accounting and sysadmin servers.

We try to reflect the permissions the user has when he is inside the university on the wired network. I realised we
tried to do more security on the VPN than what is done on the wired network.

Christian Héroux
IT Analyst
Université du Québec ETS
Montréal Qc
Canada

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of schilling
Sent: 4 February 2010 09:01
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] How to Protect Campus Sensitive Servers

Hi All,

Our university is trying to protect some sensitive servers like
database, financial, admission, etc. The rising requests for access to
these servers are from people who use laptops. In order to give people
access, we create a VPN group for this special interest group, give
access to only certain people who need it, then put the VPN
address pool range in the iptables/ipf of the corresponding servers. Now
people are complaining that there are too many VPN groups and it's hard to
remember which one to use; meanwhile, each small server group is
asking for a VPN group. It looks like we might have one VPN
group for each server.

We propose one central Information Technology Services (ITS) VPN
profile which could have access to all the resources; all employees in
ITS will have access to this VPN group. Then, on all the servers, host-
based user/group authentication/authorization will decide whether a
user can log in and what they can do.

We thought about per-user/group ACLs on the VPN servers, but we are not sure
about the management nightmare of maintaining per-user/group ACLs.

I would like to know what alternatives we have for this kind of situation.

Thanks.

Shiling Ding
850-645-6810
Information Technology Services
Florida State University
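The following is an added example, not code from either post above or from Cisco: a small Python model of the cumulative "base group ACL plus per-server DAP keyed to an AD group" design Christian describes, alongside the host-side iptables form Shiling's original post uses (VPN pool range allowed only to the server's own ports). Every group name, network, address and port is constructed for illustration; the ASA `access-list ... extended permit` rendering is my own illustrative output, not generated by or checked against an ASA.

```python
# Added example (not from the thread): a model of the cumulative
# base-group + DAP ACL design, plus the host-side iptables rendering
# from the original post. All group names, networks and ports below
# are constructed for illustration.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp" or "udp"
    dst_net: str    # destination network in CIDR notation
    dst_port: int


# Base-group ACLs: the broad "normal application" permits every member of
# the base group receives. How wide these are is the trade-off in the thread.
BASE_ACL = {
    "employees":  [Rule("tcp", "10.10.0.0/16", 443), Rule("tcp", "10.10.0.0/16", 80)],
    "research":   [Rule("tcp", "10.20.0.0/16", 22), Rule("tcp", "10.20.0.0/16", 443)],
    "student":    [Rule("tcp", "10.30.0.0/24", 443)],
    "contractor": [Rule("tcp", "10.40.0.0/24", 3389)],
}

# Server-specific DAPs, each keyed by the AD/LDAP group the help desk
# populates. They are additive: a user gets the union of every matching
# DAP plus the base-group ACL (hypothetical group names).
DAP_BY_AD_GROUP = {
    "vpn-hr-servers":         [Rule("tcp", "10.10.50.10/32", 1433)],
    "vpn-accounting-servers": [Rule("tcp", "10.10.60.0/28", 1521)],
    "vpn-sysadmin":           [Rule("tcp", "10.10.0.0/16", 22)],
}


def effective_acl(base_group: str, ad_groups) -> list:
    """Union of the base-group ACL and every DAP whose AD group the user is in."""
    rules = list(BASE_ACL.get(base_group, []))
    for group in sorted(ad_groups):
        rules.extend(DAP_BY_AD_GROUP.get(group, []))
    return rules


def is_permitted(base_group: str, ad_groups, proto: str, dst_ip: str, dst_port: int) -> bool:
    """Evaluate one connection as a permit-only ACL with an implicit deny at the end."""
    addr = ipaddress.ip_address(dst_ip)
    return any(
        r.proto == proto and r.dst_port == dst_port
        and addr in ipaddress.ip_network(r.dst_net)
        for r in effective_acl(base_group, ad_groups)
    )


def asa_acl_lines(name: str, rules) -> list:
    """Render rules as ASA extended ACL entries (illustrative rendering, not ASA output)."""
    lines = []
    for r in rules:
        net = ipaddress.ip_network(r.dst_net)
        dst = (f"host {net.network_address}" if net.prefixlen == 32
               else f"{net.network_address} {net.netmask}")
        lines.append(f"access-list {name} extended permit {r.proto} any {dst} eq {r.dst_port}")
    return lines


def iptables_lines(vpn_pool: str, server_ip: str, rules) -> list:
    """Host-side form from the original post: the VPN pool may reach only the
    ports this server serves; everything else from the pool is dropped."""
    server = ipaddress.ip_address(server_ip)
    lines = []
    for r in rules:
        if server in ipaddress.ip_network(r.dst_net):
            lines.append(f"iptables -A INPUT -p {r.proto} -s {vpn_pool} --dport {r.dst_port} -j ACCEPT")
    lines.append(f"iptables -A INPUT -s {vpn_pool} -j DROP")
    return lines


if __name__ == "__main__":
    # An employee without the HR DAP cannot reach the HR database port;
    # adding the AD group (help-desk task) grants it without touching the base ACL.
    print(is_permitted("employees", set(), "tcp", "10.10.50.10", 1433))
    print(is_permitted("employees", {"vpn-hr-servers"}, "tcp", "10.10.50.10", 1433))
    for line in asa_acl_lines("DAP-HR", DAP_BY_AD_GROUP["vpn-hr-servers"]):
        print(line)
    for line in iptables_lines("10.250.0.0/24", "10.10.50.10",
                               effective_acl("employees", {"vpn-hr-servers"})):
        print(line)
```

The point the model makes concrete is the one both posts circle: the base ACL decides how many DAPs you will need later, and with the DAP approach the per-server decision becomes "is the user in the AD group", which the help desk can manage, rather than a new VPN group or a new per-server iptables rule set. The host-side rules still belong on the server as the second layer Shiling describes.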
