-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jones, Barry wrote: > > Hello all. I am looking at a variety of systems/methods to provide > (vendor, employee) access into my dmz's. I want to reduce the FW rule > sets and connections to as minimal as possible. And I want the accessing > party to only get to the destination I define (like a fw rule). > > When I refer to access, I'm referring to the ability of a vendor or > employee to perform maintenance tasks on a server(s). The server(s) will > be running apps for doing different tasks - such as Shavlik, etc.., > (patching, reports, logging, etc..), so I am envisioning allowing an > outside vendor/employee (from the internet or corp. net) to RDP or SSH > to a given Windows or Unix based machines, then perform their > application work from that jumping off point - kind of like a terminal > server; but I'd like to control and audit the sessions as well. > > Overall, I can allow a host/port through the FW to a single host, but I > wanted to be able to do the session management and endpoint controls. > FW's are ok, but you know as well as I that I now deal with lots of > rules sets. And I need to also authenticate the user. > > We are a couple smaller facilities (150 hosts each) and I need to be > able to control and audit the sessions when requested. I have considered > doing a meetingplace server, then providing escorted access for them, or > doing just the FW and a "jump" host - but need the endpoint and session > solution, or just using VPN - but don't want to install a host on the > vendor machines. I also have looked at a product called EDMZ - wondered > if anyone had experience with it? > > And did I say I wanted to keep it as simple as possible? :-) It's been a > few years since I've done hands-on networking work, so excuse the > long-winded letter. Feel free to email me directly too. >
The Cisco ASA firewall/VPN appliance with SSLVPN can provide the kind of control you are asking for. You can customize for different connection profiles that are based individuals and/or groups that specify where they can connect to and what types of connection protocols can be used. - -- ========= bep -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk5gacEACgkQE1XcgMgrtybBWgCgyh9YPD8eNMN1f/UknmL1kHoa jUYAoNcCKqjxwo3QOv/0nSmp1aF+UPn/ =RtBT -----END PGP SIGNATURE-----
