Access and Session Control System?

Bruce Pinsky bep at whack.org
Fri Sep 2 00:29:38 CDT 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jones, Barry wrote:
> 
> Hello all. I am looking at a variety of systems/methods to provide
> (vendor, employee) access into my dmz's. I want to reduce the FW rule
> sets and connections to as minimal as possible. And I want the accessing
> party to only get to the destination I define (like a fw rule).
> 
> When I refer to access, I'm referring to the ability of a vendor or
> employee to perform maintenance tasks on a server(s). The server(s) will
> be running apps for doing different tasks - such as Shavlik, etc..,
> (patching, reports, logging, etc..), so I am envisioning allowing an
> outside vendor/employee (from the internet or corp. net) to RDP or SSH
> to a given Windows or Unix based machines, then perform their
> application work from that jumping off point - kind of like a terminal
> server; but I'd like to control and audit the sessions as well.
> 
> Overall, I can allow a host/port through the FW to a single host, but I
> wanted to be able to do the session management and endpoint controls.
> FW's are ok, but you know as well as I that I now deal with lots of
> rules sets. And I need to also authenticate the user.
> 
> We are a couple smaller facilities (150 hosts each) and I need to be
> able to control and audit the sessions when requested. I have considered
> doing a meetingplace server, then providing escorted access for them, or
> doing just the FW and a "jump" host - but need the endpoint and session
> solution, or just using VPN - but don't want to install a host on the
> vendor machines. I also have looked at a product called EDMZ - wondered
> if anyone had experience with it?
> 
> And did I say I wanted to keep it as simple as possible? :-) It's been a
> few years since I've done hands-on networking work, so excuse the
> long-winded letter. Feel free to email me directly too.
> 

The Cisco ASA firewall/VPN appliance with SSLVPN can provide the kind of
control you are asking for.  You can customize for different connection
profiles that are based individuals and/or groups that specify where they
can connect to and what types of connection protocols can be used.

- -- 
=========
bep

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5gacEACgkQE1XcgMgrtybBWgCgyh9YPD8eNMN1f/UknmL1kHoa
jUYAoNcCKqjxwo3QOv/0nSmp1aF+UPn/
=RtBT
-----END PGP SIGNATURE-----




More information about the NANOG mailing list