[ILUG] Remote access to multiple networks with authentication


garreth at arrow.webworld.ie
Thu Nov 4 13:36:34 GMT 2004


>I'm not sure how I would manage this, so any input would be appreciated.

Not entirely clear about your environment, but here's what we do.

We have a hardened SSH gateway that permits access though our firewall
from a number of ISPs. Our administrators are issued with private SSH keys
that allow access to this gateway. The administrators then create SSH
tunnels to the gateway through which they can break out to the various
boxes they support. The boxes themselves determine who is allowed login.
If you wanted to control access to different networks you could deploy
different SSH Gateways ie users who need access to UNIX only get a key for
the UNIX gateway, which only has access to the UNIX network.

We see a lot of port scanning on the SSH gateway, but as long as you keep
everything up to date and only allow key-based logins, you should be OK.
OpenSSL and OpenSSH are constantly being probed for vulnerabilities (no
more than MS or Cisco) but the support community is on the ball and
very capable. We also re-issue keys on a regular basis.

We like this solution, because it's secure, lite, flexible and very free
(ie no Cisco, Radius etc).

rgds

Garreth
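As an added example (not code from this thread), a small Python audit of an sshd_config against the gateway setup Garreth describes: key-only logins, a group restriction so only one role can reach a given gateway, and tunnels that can only break out to the hosts that role supports. The sample configs are constructed, and the `Match` / `PermitOpen` directives assume a current OpenSSH (4.4 or later), not the 2004-era one the thread was written against.

```python
import re

# Directives the post relies on: only key-based logins on the gateway.
REQUIRED = {"PasswordAuthentication": "no", "PubkeyAuthentication": "yes",
            "PermitRootLogin": "no"}
# Constructed sample configs (not from the post): before and after hardening.
WEAK_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# only the UNIX role gets onto this gateway
AllowGroups unix-admins
Match Group unix-admins
    PermitOpen unixhost1.example:22 unixhost2.example:22
"""

def parse_sshd_config(text):
    """Split sshd_config text into (global settings, [(match criteria, settings)])."""
    glob, blocks, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, val = re.match(r"([^\s=]+)\s*=?\s*(.*)", line).groups()
        key = key.lower()
        if key == "match":                     # everything below belongs to this block
            cur = {}
            blocks.append((val, cur))
            continue
        (glob if cur is None else cur).setdefault(key, val)  # like sshd: first value wins
    return glob, blocks

def audit_gateway(text):
    """Return findings where the config departs from the described gateway setup."""
    glob, blocks = parse_sshd_config(text)
    findings = []
    for key, want in REQUIRED.items():
        got = glob.get(key.lower())
        if got is None:
            findings.append(f"{key} not set explicitly (set it to '{want}')")
        elif got.lower() != want:
            findings.append(f"{key} is '{got}', expected '{want}'")
    if "allowgroups" not in glob and "allowusers" not in glob:
        findings.append("no AllowGroups/AllowUsers: any account can reach the gateway")
    # Each role's Match block should confine its tunnels to the network it supports.
    for criteria, settings in blocks:
        if "permitopen" not in settings:
            findings.append(f"Match {criteria}: no PermitOpen, tunnels can reach anywhere")
    return findings
```

Run `audit_gateway(open("/etc/ssh/sshd_config").read())` on a gateway to get the list of departures; an empty list means it matches the setup above.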


> Hi all
>
> I am trying to come up with a solution for remote access to multiple
> networks. We have multiple admins (UNIX, Windows, DBAs, etc.) that need
> access to some customer machines we have in a hosting site. None of
> these customers have internet access from their networks, but they all
> have access to our network that is shared across all customers. This
> network is used for backups and monitoring of their servers. This
> network is connected to the outside world, and we want to be able to
> connect in through this connection, and from there connect to each
> customer for remote admin use. This is the easy (-ish) part where we
> will probably set up a VPN solution or something like that. The problem
> is that we need to authenticate users, and depending on their role
> (UNIX, Windows, etc.) give them access to only the networks they need.
> I'm not sure how I would manage this, so any input would be appreciated.
>
> Here is a diagram of what we have/are trying to do:
>
>
>
>
>
>             ------  -------   ----------
> --Internet--| FW |--| New |---| Switch |
>             ------  -------   ----------
>                                   |
>                                   |
>                                   |    ------      ----------
>                                   |----| FW |------| Cust A |
>                                   |    ------      ----------
>                                   |
>                                   |    ------      ----------
>                                   |----| FW |------| Cust B |
>                                   |    ------      ----------
>                                   |
>                                   |    ------      ----------
>                                   |----| FW |------| Cust N |
>                                   |    ------      ----------
>                                   |
>                                   |
>                                   |
>     ----------      ------        |
>     | Shared |------| FW |--------|
>     ----------      ------
>
>
> New = The new server I would be installing.
>
> All firewalls are Cisco PIX ones.
>
> I haven't really looked into what way we can/should be doing this, so I
> thought I'd ask here first. I don't have much Cisco experience so I don't
> know how they would tie in with this solution. Any solution we go ahead
> with would have to be very secure. None of these customers want dedicated
> internet access due to security, and we don't want to expose their
> setup.
>
> Without having looked at this much yet, I was thinking about an initial
> VPN setup either on the first Cisco FW (apparently it does some sort of
> VPN), and then at least a second authentication on the New server.
> Perhaps a Radius server?
>
> If anyone has ever done anything similar, or has any great ideas to
> share I would really like to hear them. Comments welcomed too :-)
>
> A pint goes out to the best suggestions....
>
>
> --
>
> Best Regards,
> Tor Bendiksen
> --
> Irish Linux Users' Group
> http://www.linux.ie/mailman/listinfo/ilug/
>
>



