Re: Access and Session Control System?

2011-09-11 Thread Eugeniu Patrascu
If you also want to control where they go from the jump box, you might
want to look at http://www.xceedium.com/en/index.php as they claim to
add rules to what a remotely logged in user can do.

Juniper SA is very nice and gets intuitive after you familiarize
yourself with its workflow, which is a pain if you're new to the box.

On Fri, Sep 2, 2011 at 15:21, John Peach  wrote:
> On Thu, 1 Sep 2011 17:45:55 -0400
> Rafael Rodriguez  wrote:
>
>> I recommend you look into the Juniper SSL VPN products (SA Series). Very
>> powerful boxes, intuitive admin interface (web-driven) and perfect for the
>> "Vendor Access" type of application.
>
> They work fine (mostly), but your definition of intuitive obviously does
> not coincide with mine.
>
>>
>> Sent from my iPhone
>>
>> On Sep 1, 2011, at 16:30, "Jones, Barry"  wrote:
>>
>> >
>> > Hello all.
>> > I am looking at a variety of systems/methods to provide (vendor, employee)
>> > access into my DMZs. I want to reduce the FW rule sets and connections to
>> > a minimum. And I want the accessing party to only get to the
>> > destination I define (like a FW rule).
>> >
>> > When I refer to access, I'm referring to the ability of a vendor or
>> > employee to perform maintenance tasks on server(s). The server(s) will
>> > be running apps for doing different tasks, such as Shavlik, etc.
>> > (patching, reports, logging, etc.), so I am envisioning allowing an
>> > outside vendor/employee (from the internet or corp. net) to RDP or SSH to
>> > given Windows or Unix-based machines, then perform their application
>> > work from that jumping-off point, kind of like a terminal server; but I'd
>> > like to control and audit the sessions as well.
>> >
>> > Overall, I can allow a host/port through the FW to a single host, but I
>> > wanted to be able to do the session management and endpoint controls. FWs
>> > are OK, but you know as well as I that I now deal with lots of rule sets.
>> > And I need to also authenticate the user.
>> >
>> > We are a couple of smaller facilities (150 hosts each) and I need to be able
>> > to control and audit the sessions when requested. I have considered doing
>> > a MeetingPlace server, then providing escorted access for them, or doing
>> > just the FW and a "jump" host, but need the endpoint and session
>> > solution, or just using VPN, but don't want to install a host on the
>> > vendor machines. I also have looked at a product called EDMZ; wondered if
>> > anyone had experience with it?
>> >
>> > And did I say I wanted to keep it as simple as possible? :-) It's been a 
>> > few years since I've done hands-on networking work, so excuse the 
>> > long-winded letter. Feel free to email me directly too.
>> >
>> > Sincerely
>> > Barry Jones
>> > CISSP, GSNA
>>
>
>
>
> --
> john
>
>



Re: Access and Session Control System?

2011-09-02 Thread John Peach
On Thu, 1 Sep 2011 17:45:55 -0400
Rafael Rodriguez  wrote:

> I recommend you look into the Juniper SSL VPN products (SA Series). Very
> powerful boxes, intuitive admin interface (web-driven) and perfect for the
> "Vendor Access" type of application.

They work fine (mostly), but your definition of intuitive obviously does
not coincide with mine.

> 
> Sent from my iPhone
> 
> On Sep 1, 2011, at 16:30, "Jones, Barry"  wrote:
> 
> > 
> > Hello all.
> > I am looking at a variety of systems/methods to provide (vendor, employee)
> > access into my DMZs. I want to reduce the FW rule sets and connections to
> > a minimum. And I want the accessing party to only get to the
> > destination I define (like a FW rule).
> >
> > When I refer to access, I'm referring to the ability of a vendor or
> > employee to perform maintenance tasks on server(s). The server(s) will be
> > running apps for doing different tasks, such as Shavlik, etc.
> > (patching, reports, logging, etc.), so I am envisioning allowing an
> > outside vendor/employee (from the internet or corp. net) to RDP or SSH to
> > given Windows or Unix-based machines, then perform their application work
> > from that jumping-off point, kind of like a terminal server; but I'd like
> > to control and audit the sessions as well.
> >
> > Overall, I can allow a host/port through the FW to a single host, but I
> > wanted to be able to do the session management and endpoint controls. FWs
> > are OK, but you know as well as I that I now deal with lots of rule sets.
> > And I need to also authenticate the user.
> >
> > We are a couple of smaller facilities (150 hosts each) and I need to be able
> > to control and audit the sessions when requested. I have considered doing a
> > MeetingPlace server, then providing escorted access for them, or doing just
> > the FW and a "jump" host, but need the endpoint and session solution, or
> > just using VPN, but don't want to install a host on the vendor machines. I
> > also have looked at a product called EDMZ; wondered if anyone had
> > experience with it?
> > 
> > And did I say I wanted to keep it as simple as possible? :-) It's been a 
> > few years since I've done hands-on networking work, so excuse the 
> > long-winded letter. Feel free to email me directly too.
> > 
> > Sincerely
> > Barry Jones
> > CISSP, GSNA
> 



-- 
john



Re: Access and Session Control System?

2011-09-01 Thread Bruce Pinsky
Jones, Barry wrote:
> 
> Hello all. I am looking at a variety of systems/methods to provide
> (vendor, employee) access into my DMZs. I want to reduce the FW rule
> sets and connections to a minimum. And I want the accessing
> party to only get to the destination I define (like a FW rule).
> 
> When I refer to access, I'm referring to the ability of a vendor or
> employee to perform maintenance tasks on server(s). The server(s) will
> be running apps for doing different tasks, such as Shavlik, etc.
> (patching, reports, logging, etc.), so I am envisioning allowing an
> outside vendor/employee (from the internet or corp. net) to RDP or SSH
> to given Windows or Unix-based machines, then perform their
> application work from that jumping-off point, kind of like a terminal
> server; but I'd like to control and audit the sessions as well.
> 
> Overall, I can allow a host/port through the FW to a single host, but I
> wanted to be able to do the session management and endpoint controls.
> FWs are OK, but you know as well as I that I now deal with lots of
> rule sets. And I need to also authenticate the user.
> 
> We are a couple of smaller facilities (150 hosts each) and I need to be
> able to control and audit the sessions when requested. I have considered
> doing a MeetingPlace server, then providing escorted access for them, or
> doing just the FW and a "jump" host, but need the endpoint and session
> solution, or just using VPN, but don't want to install a host on the
> vendor machines. I also have looked at a product called EDMZ; wondered
> if anyone had experience with it?
> 
> And did I say I wanted to keep it as simple as possible? :-) It's been a
> few years since I've done hands-on networking work, so excuse the
> long-winded letter. Feel free to email me directly too.
> 

The Cisco ASA firewall/VPN appliance with SSL VPN can provide the kind of
control you are asking for.  You can customize different connection
profiles, based on individuals and/or groups, that specify where they
can connect to and what types of connection protocols can be used.

-- 
=
bep



Re: Access and Session Control System?

2011-09-01 Thread Rafael Rodriguez
I recommend you look into the Juniper SSL VPN products (SA Series). Very
powerful boxes, intuitive admin interface (web-driven) and perfect for the
"Vendor Access" type of application.

Sent from my iPhone

On Sep 1, 2011, at 16:30, "Jones, Barry"  wrote:

> 
> Hello all.
> I am looking at a variety of systems/methods to provide (vendor, employee)
> access into my DMZs. I want to reduce the FW rule sets and connections to a
> minimum. And I want the accessing party to only get to the
> destination I define (like a FW rule).
> 
> When I refer to access, I'm referring to the ability of a vendor or employee
> to perform maintenance tasks on server(s). The server(s) will be running
> apps for doing different tasks, such as Shavlik, etc. (patching, reports,
> logging, etc.), so I am envisioning allowing an outside vendor/employee
> (from the internet or corp. net) to RDP or SSH to given Windows or
> Unix-based machines, then perform their application work from that
> jumping-off point, kind of like a terminal server; but I'd like to control
> and audit the sessions as well.
> 
> Overall, I can allow a host/port through the FW to a single host, but I
> wanted to be able to do the session management and endpoint controls. FWs
> are OK, but you know as well as I that I now deal with lots of rule sets.
> And I need to also authenticate the user.
> 
> We are a couple of smaller facilities (150 hosts each) and I need to be able to
> control and audit the sessions when requested. I have considered doing a
> MeetingPlace server, then providing escorted access for them, or doing just
> the FW and a "jump" host, but need the endpoint and session solution, or
> just using VPN, but don't want to install a host on the vendor machines. I
> also have looked at a product called EDMZ; wondered if anyone had experience
> with it?
> 
> And did I say I wanted to keep it as simple as possible? :-) It's been a few 
> years since I've done hands-on networking work, so excuse the long-winded 
> letter. Feel free to email me directly too.
> 
> Sincerely
> Barry Jones
> CISSP, GSNA



Access and Session Control System?

2011-09-01 Thread Jones, Barry
 
Hello all.
I am looking at a variety of systems/methods to provide (vendor, employee)
access into my DMZs. I want to reduce the FW rule sets and connections to a
minimum. And I want the accessing party to only get to the
destination I define (like a FW rule).

When I refer to access, I'm referring to the ability of a vendor or employee to
perform maintenance tasks on server(s). The server(s) will be running apps
for doing different tasks, such as Shavlik, etc. (patching, reports,
logging, etc.), so I am envisioning allowing an outside vendor/employee (from
the internet or corp. net) to RDP or SSH to given Windows or Unix-based
machines, then perform their application work from that jumping-off point,
kind of like a terminal server; but I'd like to control and audit the sessions
as well.

Overall, I can allow a host/port through the FW to a single host, but I wanted
to be able to do the session management and endpoint controls. FWs are OK, but
you know as well as I that I now deal with lots of rule sets. And I need to
also authenticate the user.

We are a couple of smaller facilities (150 hosts each) and I need to be able to
control and audit the sessions when requested. I have considered doing a
MeetingPlace server, then providing escorted access for them, or doing just the
FW and a "jump" host, but need the endpoint and session solution, or just
using VPN, but don't want to install a host on the vendor machines. I also
have looked at a product called EDMZ; wondered if anyone had experience with
it?

And did I say I wanted to keep it as simple as possible? :-) It's been a few 
years since I've done hands-on networking work, so excuse the long-winded 
letter. Feel free to email me directly too.

Sincerely
Barry Jones
CISSP, GSNA
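Barry's requirements above (a vendor reaches only the destination the admin defines, is authenticated, and has the session controlled and audited) and Eugeniu's point about controlling where users go from the jump box can also be met on a plain OpenSSH jump host. The following is an added example, not code or configuration from anyone in this thread or from any product named in it: a ForceCommand gate that enforces a per-account allow-list of destinations, refuses anything that is not a well-formed request, writes an audit record for every attempt, records the session, and renders the sshd Match blocks from the same policy table. The hostnames, account names, the /usr/local/bin/jump-gate and /var/log/jump paths and the POLICY table are assumptions, as is util-linux `script` for session recording.

```python
#!/usr/bin/env python3
"""Jump-host gate: the ForceCommand for vendor accounts on an OpenSSH jump host.

Whatever the vendor types arrives in SSH_ORIGINAL_COMMAND, and this script, not the
vendor, decides which DMZ host is reached and writes the audit trail.  The same
policy table renders the sshd Match blocks, so RDP port forwards (which request no
command and so never reach this script) are still limited by sshd's PermitOpen.
"""
import json, os, pwd, re, shlex, sys, time

# Constructed policy: a per-account allow-list of (host, port, protocol), the
# jump-host equivalent of a firewall rule.  Hostnames, accounts and paths are
# assumptions for the example.
POLICY = {
    "acme-vendor": [("patch01.dmz.example", 22, "ssh"),
                    ("patch02.dmz.example", 3389, "rdp")],
    "contoso-vendor": [("logsrv.dmz.example", 22, "ssh")],
}
DEFAULT_PORT = {"ssh": 22, "rdp": 3389}
GATE_PATH = "/usr/local/bin/jump-gate"  # where this script is installed
AUDIT_DIR = "/var/log/jump"             # root-owned; vendors cannot read or write it
REQUEST_RE = re.compile(
    r"^(?P<proto>ssh|rdp)\s+(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)(?::(?P<port>\d{1,5}))?$")


class Denied(Exception):
    """Any request the gate refuses to carry."""


def parse_request(cmd):
    """Accept only 'ssh HOST[:PORT]' or 'rdp HOST[:PORT]'; a free-form command
    would let the vendor run programs on the jump host or pick any destination."""
    m = REQUEST_RE.match(cmd.strip())
    if not m:
        raise Denied("use 'ssh <host>[:port]' or 'rdp <host>[:port]'")
    proto = m.group("proto")
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORT[proto]
    if not 1 <= port <= 65535:
        raise Denied("port out of range")
    return proto, m.group("host").lower(), port


def authorize(user, proto, host, port, policy=POLICY):
    """True only if (host, port, proto) is explicitly listed for this account."""
    return (host, port, proto) in {(h.lower(), p, pr) for h, p, pr in policy.get(user, ())}


def audit_record(user, client_ip, proto, host, port, decision, reason="", now=None):
    """One JSON-serialisable audit line per attempt, denied attempts included."""
    return {"ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)),
            "user": user, "client_ip": client_ip, "proto": proto,
            "dest": f"{host}:{port}", "decision": decision, "reason": reason}


def render_sshd_match(policy, gate=GATE_PATH):
    """sshd_config Match blocks from the same policy: SSH hops go through the gate,
    RDP targets use 'ssh -N -L <lport>:<host>:3389 jump' and are held by PermitOpen."""
    lines = []
    for user in sorted(policy):
        forwards = [f"{h}:{p}" for h, p, pr in policy[user] if pr == "rdp"]
        lines += [f"Match User {user}", f"    ForceCommand {gate}", "    X11Forwarding no"]
        if forwards:
            lines += ["    AllowTcpForwarding local", "    PermitOpen " + " ".join(forwards)]
        else:
            lines.append("    AllowTcpForwarding no")  # no RDP targets: no forwarding at all
    return "\n".join(lines) + "\n"


def log(record):
    """Append to the root-owned audit file before the hop, so denials are kept too."""
    with open(os.path.join(AUDIT_DIR, "audit.jsonl"), "a") as f:
        f.write(json.dumps(record) + "\n")


def main():
    user = pwd.getpwuid(os.getuid()).pw_name  # the account sshd authenticated
    client_ip = (os.environ.get("SSH_CONNECTION", "").split() or ["unknown"])[0]
    proto, host, port = "-", "-", 0
    try:
        proto, host, port = parse_request(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
        if not authorize(user, proto, host, port):
            raise Denied("destination not permitted for this account")
        if proto == "rdp":
            raise Denied(f"for RDP use 'ssh -N -L <lport>:{host}:{port} {user}@jump'")
    except Denied as e:
        log(audit_record(user, client_ip, proto, host, port, "deny", str(e)))
        print(f"denied: {e}", file=sys.stderr)
        return 1
    log(audit_record(user, client_ip, proto, host, port, "allow"))
    # Record the whole interactive session with util-linux `script`, then hop.
    # Assumes the vendor's account name also exists on the destination host.
    hop = " ".join(shlex.quote(a) for a in ["ssh", "-tt", "-p", str(port), f"{user}@{host}"])
    transcript = os.path.join(AUDIT_DIR, f"{user}-{int(time.time())}.typescript")
    os.execvp("script", ["script", "-q", "-f", transcript, "-c", hop])


if __name__ == "__main__":
    sys.exit(main())
```

Install the script at the assumed GATE_PATH, append the output of render_sshd_match(POLICY) to sshd_config and check the effective settings for one account with `sshd -T -C user=acme-vendor` before reloading. A vendor then runs `ssh acme-vendor@jump ssh patch01.dmz.example` for a recorded shell, or `ssh -N -L 3389:patch02.dmz.example:3389 acme-vendor@jump` for RDP, and nothing else is reachable. The firewall only needs to permit the jump host into the DMZ, so the per-vendor rules Barry wants to avoid collapse to that one path, and the audit file answers "who reached what, when" without a separate appliance.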