nanog mailing list archives

Access and Session Control System?


From: "Jones, Barry" <BEJones () semprautilities com>
Date: Thu, 1 Sep 2011 13:30:41 -0700

 
Hello all.
I am looking at a variety of systems/methods to provide (vendor, employee) access into my DMZs. I want to reduce the FW rule sets and connections to a minimum. And I want the accessing party to only get to the destination I define (like a FW rule).

When I refer to access, I'm referring to the ability of a vendor or employee to perform maintenance tasks on a server (or servers). The servers will be running apps for doing different tasks, such as Shavlik, etc. (patching, reports, logging, etc.), so I am envisioning allowing an outside vendor/employee (from the internet or corp. net) to RDP or SSH to a given Windows or Unix-based machine, then perform their application work from that jumping-off point, kind of like a terminal server; but I'd like to control and audit the sessions as well.

Overall, I can allow a host/port through the FW to a single host, but I wanted to be able to do the session management and endpoint controls. FWs are OK, but you know as well as I that I now deal with lots of rule sets. And I need to also authenticate the user.

We are a couple of smaller facilities (150 hosts each) and I need to be able to control and audit the sessions when requested. I have considered doing a MeetingPlace server, then providing escorted access for them, or doing just the FW and a "jump" host (but I need the endpoint and session solution), or just using VPN (but I don't want to install a host on the vendor machines). I also have looked at a product called EDMZ; I wondered if anyone had experience with it?

And did I say I wanted to keep it as simple as possible? :-) It's been a few years since I've done hands-on networking work, so excuse the long-winded letter. Feel free to email me directly too.

Sincerely,
Barry Jones
CISSP, GSNA
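One way to build the controlled "jump" host the post describes, as an added example that is not from the original thread (the account names, hostnames and addresses are placeholders): an OpenSSH sshd_config for the bastion that authenticates each party by key, lets a vendor account reach only the one destination you define (the SSH equivalent of a single FW rule) without ever getting a shell, gives employees a shell plus a short allow-list, and logs enough to audit who connected and where.

```sshd_config
# Bastion (jump host) sshd_config, OpenSSH. Placeholder names and addresses.

# Global defaults: authenticate by key only, forward nothing unless a Match
# block below explicitly permits it.
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
PermitRootLogin no
# VERBOSE records the key fingerprint used for every login, so the audit
# trail ties each session to a specific issued key, not just an account.
LogLevel VERBOSE
ClientAliveInterval 300
ClientAliveCountMax 2

# Vendor account: may only open a local forward to the patch server's RDP
# port (placeholder 192.0.2.10:3389). No shell, no TTY; the client connects
# with "ssh -N -L 3389:192.0.2.10:3389 vendor-shavlik@bastion".
Match User vendor-shavlik
    AllowTcpForwarding local
    PermitOpen 192.0.2.10:3389
    PermitTTY no
    ForceCommand /bin/false

# Employee group: interactive shell on the bastion, plus forwards to the
# two maintenance hosts (placeholders). Anything else is refused by sshd.
Match Group dmz-admins
    AllowTcpForwarding local
    PermitOpen 192.0.2.10:3389 192.0.2.20:22
    PermitTTY yes
```

Each new vendor or destination becomes one Match block or one extra PermitOpen entry rather than a firewall change, and the bastion's auth log plus the VERBOSE key fingerprints give you the per-session audit record; pair it with a single FW rule allowing TCP/22 from the outside to the bastion and rules from the bastion to the listed hosts.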
