Access and Session Control System?

John Peach john-nanog at johnpeach.com
Fri Sep 2 12:21:44 UTC 2011


On Thu, 1 Sep 2011 17:45:55 -0400
Rafael Rodriguez <packetjockey at gmail.com> wrote:

> I recommend you look into the Juniper SSL VPN products (SA Series). Very powerful boxes, intuitive admin interface (web driven), and perfect for the "Vendor Access" type of applications.

They work fine (mostly), but your definition of intuitive obviously does
not coincide with mine.

> 
> On Sep 1, 2011, at 16:30, "Jones, Barry" <BEJones at semprautilities.com> wrote:
> 
> > 
> > Hello all.
> > I am looking at a variety of systems/methods to provide (vendor, employee) access into my DMZs. I want to reduce the FW rule sets and connections to a minimum. And I want the accessing party to only get to the destination I define (like a FW rule).
> > 
> > When I refer to access, I'm referring to the ability of a vendor or employee to perform maintenance tasks on a server(s). The server(s) will be running apps for doing different tasks, such as Shavlik, etc. (patching, reports, logging, etc.), so I am envisioning allowing an outside vendor/employee (from the internet or corp. net) to RDP or SSH to a given Windows or Unix based machine, then perform their application work from that jumping-off point - kind of like a terminal server; but I'd like to control and audit the sessions as well.
> > 
> > Overall, I can allow a host/port through the FW to a single host, but I wanted to be able to do the session management and endpoint controls. FWs are OK, but you know as well as I that I now deal with lots of rule sets. And I need to also authenticate the user.
> > 
> > We are a couple of smaller facilities (150 hosts each) and I need to be able to control and audit the sessions when requested. I have considered doing a meetingplace server, then providing escorted access for them, or doing just the FW and a "jump" host - but need the endpoint and session solution, or just using VPN - but don't want to install a host on the vendor machines. I also have looked at a product called EDMZ - wondered if anyone had experience with it?
> > 
> > And did I say I wanted to keep it as simple as possible? :-) It's been a few years since I've done hands-on networking work, so excuse the long-winded letter. Feel free to email me directly too.
> > 
> > Sincerely
> > Barry Jones
> > CISSP, GSNA
-- 
john