Hi all
I am trying to come up with a solution for remote access to multiple
networks. We have multiple admins (UNIX, Windows, DBAs, etc.) that need
access to some customer machines we have in a hosting site. None of
these customers have internet access from their networks, but they all
have access to our network that is shared across all customers. This
network is used for backups and monitoring of their servers. This
network is connected to the outside world, and we want to be able to
connect in through this connection, and from there connect to each
customer for remote admin use. This is the easy (-ish) part where we
will probably set up a VPN solution or something like that. The problem
is that we need to authenticate users and, depending on their role
(UNIX, Windows, etc.), give them access to only the networks they need.
I'm not sure how I would manage this, so any input would be appreciated.
Here is a diagram of what we have/are trying to do:
            ------  -------   ----------
--Internet--| FW |--| New |---| Switch |
            ------  -------   ----------
                                   |
                                   |
                                   |    ------      ----------
                                   |----| FW |------| Cust A |
                                   |    ------      ----------
                                   |
                                   |    ------      ----------
                                   |----| FW |------| Cust B |
                                   |    ------      ----------
                                   |
                                   |    ------      ----------
                                   |----| FW |------| Cust N |
                                   |    ------      ----------
                                   |
                                   |
                                   |
     ----------      ------        |
     | Shared |------| FW |--------|
     ----------      ------
New = The new server I would be installing.
All firewalls are Cisco PIX ones.
I haven't really looked into what way we can/should be doing this, so I
thought I'd ask here first. I don't have much Cisco experience so I don't
know how they would tie in with this solution. Any solution we go ahead
with would have to be very secure. None of these customers want dedicated
internet access due to security, and we don't want to expose their
setup.
Without having looked at this much yet, I was thinking about an initial
VPN setup either on the first Cisco FW (apparently it does some sort of
VPN), and then at least a second authentication on the New server.
Perhaps a RADIUS server?
If anyone has ever done anything similar, or has any great ideas to
share I would really like to hear them. Comments welcomed too :-)
A pint goes out to the best suggestions....
--
Best Regards,
Tor Bendiksen
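One way to express the role-to-network restriction the post asks about (the "second authentication on the New server" step), as an added example that is not part of the original message; the roles, usernames, ports and 10.x address ranges are constructed for illustration:

```python
# Added example (not from the original post): a deny-by-default role-to-network
# authorization check of the kind the "New" hop server could enforce after the
# VPN login. Roles, customer networks, ports and usernames are constructed.
import ipaddress
from typing import Dict, List

# Constructed: each customer network behind its own PIX, plus the shared one.
CUSTOMER_NETWORKS: Dict[str, ipaddress.IPv4Network] = {
    "cust_a": ipaddress.ip_network("10.1.0.0/24"),
    "cust_b": ipaddress.ip_network("10.2.0.0/24"),
    "shared": ipaddress.ip_network("10.100.0.0/24"),
}

# Constructed: which networks and ports each admin role may reach.
# Least privilege: a role gets only the networks its job needs.
ROLE_POLICY: Dict[str, Dict[str, List[int]]] = {
    "unix":    {"cust_a": [22], "cust_b": [22], "shared": [22]},
    "windows": {"cust_a": [3389], "shared": [3389]},
    "dba":     {"cust_b": [1521]},
}

# Constructed: the role each authenticated user was assigned (this is the kind
# of attribute a RADIUS server could hand back). Unlisted users get nothing.
USER_ROLES: Dict[str, str] = {"alice": "unix", "bob": "windows", "carol": "dba"}


def is_allowed(user: str, dst_ip: str, dst_port: int) -> bool:
    """Return True only if the user's role permits dst_ip:dst_port.

    Deny by default: an unknown user, an unknown role, an unparsable or
    out-of-scope address, or a port not on the role's list all fail.
    """
    role = USER_ROLES.get(user)
    if role is None or role not in ROLE_POLICY:
        return False
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False
    for name, net in CUSTOMER_NETWORKS.items():
        if addr in net:
            return dst_port in ROLE_POLICY[role].get(name, [])
    return False  # address is outside every known customer network


def audit_line(user: str, dst_ip: str, dst_port: int) -> str:
    """One log line per decision, so access through the hop stays traceable."""
    verdict = "ALLOW" if is_allowed(user, dst_ip, dst_port) else "DENY"
    return f"{verdict} user={user} role={USER_ROLES.get(user, '-')} dst={dst_ip}:{dst_port}"
```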