Ted James

asked on

Jump servers for remote access across very large enterprise

I need to stand up jump servers in our data center to provide a single access point for maintenance personnel to authenticate and log in to servers and network gear throughout a large enterprise that spans over 200 offices around the west coast.
Preferably a Linux box, and looking for what works best from your experience.
- which flavor of Linux is best
- multifactor authentication
- tools to lock down the server
- tools for anti-malware, anti-spyware to protect the server, etc.
- recommendations for the originating box logging into the jump box
- jump server as a virtual machine vs. a metal chassis
- any other considerations

Previously the access to all these machines was like the wild wild west, with credentialed personnel logging in from everywhere - a bad idea for many reasons.
Need to do this pretty quickly. Any help for a jump start is appreciated.
arnold

Often a Red Hat-based distribution is preferred, as the installed version is maintained through major/minor versions with security/critical-issue patching.
Preference otherwise. Do you need something other than ssh/tunneling?

Do you currently have a multi-factor fob key?
Ted James

ASKER

ssh, yes, for access to the network gear at each site. For servers they are downloading data, so probably ftp or sftp if the remote servers (some are very old!) support it. Other than that I want to keep it simple - no other use than a jump server.

I'm looking into a multi-factor key, don't have it defined. How is that set up?

Any other option for a second authentication besides a fob key?
It usually gets added to the pam.d handling that authenticates/authorizes access.
The default behavior for username/password is to authenticate/authorize in one step.
Have used fobs to access dual-factor protected systems.

Presumably you are looking to implement something not already present in your environment.
I believe there are open source alternatives where one can use an app on their smartphone as an alternative to key fobs. But I have not looked at it or its implementation.
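As an added example (not code from arnold or Ted James), here is what the "added to pam.d" approach looks like in practice: an sshd_config and PAM fragment for a Linux jump host that requires an SSH key AND a phone-app TOTP code, written to a staging directory rather than /etc, with a small audit function that distinguishes it from a password-only config. It assumes the pam_google_authenticator module is installed (package name and the rest of the distribution's PAM stack vary); the group name jumpusers and the staging path are hypothetical.

```shell
#!/bin/sh
# Added example, not from this thread: sshd and PAM fragments for a Linux jump
# host that requires an SSH key AND a phone-app TOTP code as the second factor.
# Assumes pam_google_authenticator is installed (package name varies by distro).
# Files go to a staging directory, not /etc, so they can be reviewed first.
STAGE="${STAGE:-$(mktemp -d)}"

write_mfa_configs() {
    mkdir -p "$STAGE/ssh" "$STAGE/pam.d"
    cat > "$STAGE/ssh/sshd_config" <<'EOF'
# Both factors are mandatory: key first, then the PAM challenge (TOTP code).
AuthenticationMethods publickey,keyboard-interactive
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
PermitRootLogin no
UsePAM yes
# Only the maintenance group may log in; sftp stays available for data pulls.
AllowGroups jumpusers
Subsystem sftp internal-sftp
EOF
    cat > "$STAGE/pam.d/sshd" <<'EOF'
# TOTP prompt; no "nullok", so users who have not enrolled cannot log in.
# The distribution's default password stack is left out on purpose: the
# first factor is the SSH key, not a password.
auth required pam_google_authenticator.so
EOF
}

# Weak "before" config for comparison: password only, no second factor.
write_weak_config() {
    mkdir -p "$STAGE/weak"
    printf 'PasswordAuthentication yes\nUsePAM yes\n' > "$STAGE/weak/sshd_config"
}

# Audit: exit 0 only if the given sshd_config enforces key + PAM challenge.
check_mfa() {
    f="$1"
    grep -Eq '^AuthenticationMethods[[:space:]]+publickey,keyboard-interactive' "$f" || return 1
    grep -Eq '^KbdInteractiveAuthentication[[:space:]]+yes' "$f" || return 1
    grep -Eq '^PasswordAuthentication[[:space:]]+no' "$f" || return 1
    grep -Eq '^UsePAM[[:space:]]+yes' "$f" || return 1
}
```

Each user enrolls once by running the module's google-authenticator command to generate their secret and QR code; keep an existing root session open while testing the new login path so a PAM misconfiguration does not lock you out.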
Only other thing I would need on the server is to be able to push code upgrades (e.g. Cisco IOS upgrades/patches) up to the networking gear.
Check what tools are available; usually, would you not need to be logged onto the device, with the device having FTP/TFTP access to the repository, which usually will not be the jump server?

Usually, you need a separate internal "jump server" that has access to the infrastructure.
Currently they are accessing (from wherever) one of the switches in the infrastructure of a given site and then jumping from there internally. I don't mind if they do that for their touch to the other network gear (other switches and routers and firewalls). But not from just anywhere in any of the other sites. All must come through the external jump server first. Is that OK, is that what you mean?

Not sure how to handle the ftp/tftp access. You're right, the jump server would not be the ftp repository also. So how to handle that?
ASKER CERTIFIED SOLUTION
arnold

Thanks! Good start for me. I'll check back again once I get in the middle of this.