nanog mailing list archives

Re: Access and Session Control System?


From: John Peach <john-nanog () johnpeach com>
Date: Fri, 02 Sep 2011 08:21:44 -0400

On Thu, 1 Sep 2011 17:45:55 -0400
Rafael Rodriguez <packetjockey () gmail com> wrote:

I recommend you look into the Juniper SSL VPN products (SA Series). Very powerful boxes, intuitive admin interface (web 
driven) and are perfect for the "Vendor Access" type of applications.

They work fine (mostly), but your definition of intuitive obviously does
not coincide with mine.


Sent from my iPhone

On Sep 1, 2011, at 16:30, "Jones, Barry" <BEJones () semprautilities com> wrote:


Hello all.
I am looking at a variety of systems/methods to provide (vendor, employee) access into my DMZs. I want to reduce 
the FW rule sets and connections to as minimal as possible. And I want the accessing party to only get to the 
destination I define (like a FW rule).

When I refer to access, I'm referring to the ability of a vendor or employee to perform maintenance tasks on a 
server(s). The server(s) will be running apps for doing different tasks, such as Shavlik, etc. (patching, 
reports, logging, etc.), so I am envisioning allowing an outside vendor/employee (from the internet or corp. net) 
to RDP or SSH to a given Windows or Unix-based machine, then perform their application work from that jumping-off 
point, kind of like a terminal server; but I'd like to control and audit the sessions as well.

Overall, I can allow a host/port through the FW to a single host, but I wanted to be able to do the session 
management and endpoint controls. FWs are OK, but you know as well as I that I now deal with lots of rule sets. 
And I need to also authenticate the user.

We are a couple of smaller facilities (150 hosts each) and I need to be able to control and audit the sessions when 
requested. I have considered doing a MeetingPlace server, then providing escorted access for them, or doing just 
the FW and a "jump" host, but need the endpoint and session solution; or just using VPN, but don't want to 
install a host on the vendor machines. I also have looked at a product called EDMZ; wondered if anyone had 
experience with it?

And did I say I wanted to keep it as simple as possible? :-) It's been a few years since I've done hands-on 
networking work, so excuse the long-winded letter. Feel free to email me directly too.

Sincerely
Barry Jones
CISSP, GSNA




-- 
john
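The "FW and a jump host" option Barry mentions can cover two of his three requirements (reach only the destination the admin defines, and an audit record of the session) with nothing but OpenSSH on the jump host. The script below is an added example and is not code from this thread or from any product named in it. It assumes a vendor group in sshd_config pinned to this script with ForceCommand (directives shown in the header comment), a policy file whose one-line-per-grant format is invented here, util-linux `script` for the transcript, and `logger` for the allow/deny events; the paths `/etc/jump/policy` and `/var/log/jump` are placeholders.

```shell
#!/bin/sh
# jump-wrapper: ForceCommand for a vendor SSH jump host (added example).
#
# Assumed sshd_config on the jump host:
#   Match Group vendors
#       ForceCommand /usr/local/bin/jump-wrapper
#       AllowTcpForwarding no        # no ad-hoc port forwards
#       PermitOpen none              # no direct-tcpip channels at all
#       AllowAgentForwarding no
#       X11Forwarding no
#       PermitTTY yes
#
# The vendor connects with:   ssh vendor1@jump 'patchsrv01 22'
# sshd ignores the requested command and runs this wrapper instead, leaving the
# request in SSH_ORIGINAL_COMMAND.  The wrapper allows it only if an exact
# "user host port" line exists in the policy file, then opens the session
# under util-linux `script` so a transcript stays on the jump host.

POLICY_FILE="${POLICY_FILE:-/etc/jump/policy}"   # constructed format: "user host port"
AUDIT_DIR="${AUDIT_DIR:-/var/log/jump}"

# valid_host NAME: hostname or IPv4 literal only; a leading '-' is refused so a
# request can never turn into an ssh(1) option (e.g. -oProxyCommand=...).
valid_host() {
    case $1 in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# valid_port N: decimal 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# allow_target USER HOST PORT: exit 0 only on an exact policy match.
# No wildcards; a missing or unreadable policy file makes awk fail, which denies.
allow_target() {
    awk -v u="$1" -v h="$2" -v p="$3" '
        $1 == u && $2 == h && $3 == p { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$POLICY_FILE"
}

jump_main() {
    user=$(id -un)
    client=${SSH_CONNECTION%% *}          # client IP from sshd
    set -f                                 # no globbing when splitting the request
    set -- ${SSH_ORIGINAL_COMMAND:-}       # expect exactly: HOST PORT
    if [ $# -ne 2 ] || ! valid_host "$1" || ! valid_port "$2"; then
        echo "usage: ssh $user@jump 'HOST PORT'" >&2
        exit 2
    fi
    if ! allow_target "$user" "$1" "$2"; then
        logger -t jump -p auth.warning "DENY user=$user target=$1:$2 from=$client"
        echo "access to $1:$2 is not permitted for $user" >&2
        exit 3
    fi
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    transcript="$AUDIT_DIR/$user-$1-$2-$ts.log"
    logger -t jump -p auth.info "ALLOW user=$user target=$1:$2 from=$client transcript=$transcript"
    # Transcript is written on the jump host, where the vendor has no shell to edit it.
    exec script -q -f "$transcript" -c "ssh -p $2 $user@$1"
}

# Only act as the ForceCommand when installed under that name; sourcing the
# file elsewhere (for tests) just defines the functions.
case ${0##*/} in
    jump-wrapper) jump_main ;;
esac
```

With `AllowTcpForwarding no` and `PermitOpen none` the vendor cannot reach anything except what `allow_target` approves, so the firewall only needs one rule per destination from the jump host rather than one per vendor. The policy file is deny-by-default and matches exactly, which is the behaviour a reviewer should confirm before trusting it; the authentication requirement in the original post is still sshd's job (keys or a PAM module), and the transcript should be shipped off the jump host if it is to survive a compromise of that box.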

