Educause Security Discussion mailing list archives
Re: How to Protect Campus Sensitive Servers
From: Christian Hroux <Christian.Heroux () ETSMTL CA>
Date: Mon, 8 Feb 2010 12:05:20 -0500
Hello! We just upgraded our Cisco vpn 3000 to ASA and we tried to simplify the desing for the same reasons you mentioned. There is a function in ASA called DAP that we used that can keep your base group clean. We have defined few base groups (employees, research, student, contractor) and we joins a basic permit ACL link to each base group for normal application. If other servers need to be reached by VPN a specific DAP (ACL) is created in the VPN and is linked to an AD group. DAP are cumulative so permission ACL are added. Any user that need access to that server will need to be in the LDAP group created. Help desk can do that http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml The trade off is to defined how broad is your base group ACL so you don`t have to add too many DAP later. We created specific DAP for HR, Accounting, sysadmin servers. We try to reflex the permission the user has when he is inside the university with the cable network. I realised we tried to do more security on the VPN than what is done in the cable network. Christian Héroux Analyste de l'informatique Université du Québec ETS Montréal Qc Canada -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of schilling Sent: 4 février 2010 09:01 To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] How to Protect Campus Sensitive Servers Hi All, Our university are trying to protect some sensitive servers like database, financial, admission etc. The rising request of these server access is from people who use laptops. In order to give people the access, we create a VPN group for this special interest group and give access to only certain people who need the access, then put the VPN address pool range in the iptables/ipf of corresponding servers. Now people is complaining that too many VPN groups and it's hard to remember which one to use, meanwhile, each small server group is trying to ask for a VPN group. It looks like we might have one VPN group for each server. We propose a one central Information Technology Services(ITS) VPN profile which could have access to all the resources, all employee in ITS will have access to this VPN group. Then In all the servers, host based user/group authentication/authorization will decide whether a user can login or what to do. We thought about the per user/group ACL from VPN servers, but not sure about the management nightmare to maintain the per user/group ACL. I would like to know what alternatives we have for this kind of situation. Thanks. Shiling Ding 850-645-6810 Information Technology Services Florida State University
Current thread:
- Re: How to Protect Campus Sensitive Servers, (continued)
- Re: How to Protect Campus Sensitive Servers Pete Hickey (Feb 04)
- Re: How to Protect Campus Sensitive Servers Sam Stelfox (Feb 04)
- Re: How to Protect Campus Sensitive Servers Sarazen, Daniel (Feb 04)
- Re: How to Protect Campus Sensitive Servers Julian Y. Koh (Feb 04)
- Re: How to Protect Campus Sensitive Servers Valdis Kletnieks (Feb 04)
- Re: How to Protect Campus Sensitive Servers Di Fabio, Andrea (Feb 04)
- Re: How to Protect Campus Sensitive Servers schilling (Feb 04)
- Re: How to Protect Campus Sensitive Servers schilling (Feb 04)
- Re: How to Protect Campus Sensitive Servers Julian Y. Koh (Feb 04)
- Re: How to Protect Campus Sensitive Servers Richard Hopkins (Feb 05)
- Re: How to Protect Campus Sensitive Servers Christian Hroux (Feb 08)