jump server vs push server

Posted on 2016-09-11
Last Modified: 2016-11-27
I had this question after viewing Jump servers for remote access across very large enterprise.

I have an update to our requirements for a jump server.  They want a jump server for the enterprise for maintenance only.  They want the ability to ssh to internal devices (behind the firewall) and to ping (icmp) so that they can check the health of devices behind the firewall.  The firewall would only allow ping and ssh from the jump servers.  So two basic questions:

1.  Is it viable to create a ping "jump server"?  I haven't seen any in practice and don't know if it is commonly done.  How is it done?

For the file transfers and reports, etc. they are proposing to "push" the updates out as opposed to pulling the data from remote requests.  This would be better as far as traversing the firewall.

2.  Looking for tips on how to create a "push" reporting (file transfer) application.  Any experience out there?

Network Detail:  This enterprise network has several branch offices behind firewalls.  The ssh and ping come from hq and maintenance centers into the branch offices.  The outgoing reports go from branch office to other branches and to hq.
Question by:Ted James

Author Comment

by:Ted James
ID: 41795139
I seem to be neglected; maybe take it one question at a time... First question:

How do I use the "jump server" approach to ICMP?  There are several maintenance personnel that use ping to monitor the health of the network, including being able to ping through the perimeter firewall to internal boxes at various branch offices.
We want to limit the scope of "ping" through the firewall.  So instead of allowing "ping" from a large number of IP addresses throughout the enterprise, we want to allow "ping" only from a limited number.  Only a limited number of IPs would be allowed to ping through the firewall.  This is what I mean by a "jump server" approach.

How can this be done?  It doesn't seem reasonable to have remote maintenance log into a real jump server just to do ping.  Is there another way to do this?
LVL 27

Assisted Solution

by:serialband
serialband earned 225 total points
ID: 41795224
A "jump server" would just be a server you use as a starting point to access all other servers.  The simplest way to ping the internal servers would be to ssh to that server and run ping from there.  There shouldn't be anything special on that server except that it's the only one exposed on the internet.  The other thing you could do is to tunnel ICMP with a standard ssh tunnel, and you can ping internal servers directly from your system.  You should probably change the default port to reduce script-kiddie attacks and keep your logs smaller and easier/faster to parse.

Why wouldn't you just use site-to-site VPNs?  Once set up, they should be easier to manage.  Each office would have its own subnet, just for easier human management.
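One way to get the "ping-only jump server" Ted asks about without handing maintenance staff an interactive shell on the jump host is an SSH forced command: each maintenance key in the jump account's authorized_keys is pinned to a wrapper that only permits ping (and, if wanted, ssh) to an allowlist of branch devices. The script below is an added example, not code from the thread or from either answerer. The branch addresses, the script path /usr/local/bin/jump-shell and the ping -W timeout (Linux iputils syntax) are assumptions; the firewall rule itself (ICMP and TCP/22 only from the jump host) is outside this script.

```shell
#!/bin/sh
# jump-shell: forced-command wrapper for a maintenance-only jump host.
# Added example. Assumed deployment: each maintenance key in the jump
# account's ~/.ssh/authorized_keys is prefixed with
#   command="/usr/local/bin/jump-shell",no-port-forwarding,no-agent-forwarding,no-X11-forwarding
# so a user connecting with that key can only run what this script permits.
# Whatever the user typed after "ssh jump" arrives in $SSH_ORIGINAL_COMMAND.

# Branch devices reachable from the jump host (constructed sample inventory;
# in production read this from a root-owned file, not from the script).
ALLOWED_HOSTS="10.10.1.1 10.10.2.1 branch03-fw.example.internal"

host_allowed() {
    for h in $ALLOWED_HOSTS; do
        [ "$h" = "$1" ] && return 0
    done
    return 1
}

# Validate an SSH_ORIGINAL_COMMAND string. On success print the exact command
# to execute and return 0; return 1 for anything outside the allowlist.
jump_check() {
    cmd=$1
    # Character allowlist first: no quotes, redirections, separators or globs,
    # so nothing the user typed can ever be interpreted by a shell.
    printf '%s' "$cmd" | grep -Eq '^[A-Za-z0-9._ -]+$' || return 1
    set -- $cmd
    case "$1" in
        ping)
            # Accept "ping HOST" or "ping -c N HOST" only; cap the count so a
            # forgotten session cannot flood a branch link.
            case "$#" in
                2) host=$2; count=3 ;;
                4) [ "$2" = "-c" ] || return 1
                   printf '%s' "$3" | grep -Eq '^[1-9][0-9]?$' || return 1   # 1..99
                   host=$4; count=$3 ;;
                *) return 1 ;;
            esac
            host_allowed "$host" || return 1
            printf '%s\n' "ping -c $count -W 2 $host"
            ;;
        ssh)
            # Plain "ssh HOST": no user-supplied options, no forwardings.
            [ "$#" -eq 2 ] || return 1
            host_allowed "$2" || return 1
            printf '%s\n' "ssh -o ClearAllForwardings=yes $2"
            ;;
        *) return 1 ;;
    esac
}

# Entry point when sshd invokes this script as the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if run=$(jump_check "$SSH_ORIGINAL_COMMAND"); then
        exec $run
    fi
    echo "jump-shell: command not permitted: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

With this in place a maintenance user runs `ssh jump ping 10.10.1.1` (or `ssh -t jump ssh 10.10.1.1` for an interactive hop) and never gets a shell on the jump host; every attempt, permitted or not, is also visible in the jump host's auth log. Keep the inventory file and the wrapper owned by root and not writable by the jump account, or the allowlist is only decorative.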
LVL 76

Accepted Solution

by:arnold
arnold earned 275 total points
ID: 41835800
A push server to update configs and files is possible, but you've not defined what you need, so it is hard to make a suggestion.

What does the environment consist of?
i.e., a push server is often used in the absence of centrally managed credentials, or without a database-driven backend,
to push updates to systems that, let's say, are part of a web server farm, so that all servers have the same web server config, presuming that the data each accesses is on an NFS share.
If data needs to be copied to each system, rsync is likely the .....
Puppet is a good tool to push config changes ..

Jump servers are often set up on the outside with two-factor authentication to provide admins a more secure, more hack-proof mechanism to connect into the network and do what is needed without having to drive in.

Depending on what you want to ping, it is possible to limit the jump server to those functions.

As far as logging, what are you using to transfer the files? If using rsync, it has a logging option......
Author Comment

by:Ted James
ID: 41865531
I have been out of commission for a while. Sorry.

The file transfer they are using is FTP.  Instead of many outside hosts from many branches throughout the enterprise nationwide coming thru the firewall to access the files in these local servers, the aim was to have these files "pushed" out instead.  From a security standpoint, that would be preferred.  Scheduled automatically if possible.
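Putting arnold's rsync suggestion together with what Ted describes (reports currently pulled over FTP by many branches, to be replaced by a scheduled push from HQ), the following is an added example of a push job, not code from the thread. It assumes the HQ push server holds a dedicated key at /etc/push/id_ed25519 that each branch accepts for a single account, that logs go under /var/log/push, and the branch names, addresses and /srv/reports destination are constructed sample data. On the branch side the same key should be restricted in authorized_keys (for example with rsync's rrsync helper) so the push key can only write that one directory.

```shell
#!/bin/sh
# push-reports: push a report directory from HQ to every branch over
# rsync/ssh. Added example; inventory, key path and log path are assumptions.

# Constructed inventory: one "name host destdir" entry per line. The third
# line is deliberately malformed to show that it is skipped, not executed.
BRANCHES='branch01 10.10.1.20 /srv/reports
branch02 10.10.2.20 /srv/reports
badhost  10.10.3.20;rm /srv/reports'

PUSH_KEY=${PUSH_KEY:-/etc/push/id_ed25519}
LOG_DIR=${LOG_DIR:-/var/log/push}

# Hosts may only contain DNS/IP characters and may not start with "-", so a
# corrupted inventory line can never turn into an ssh or rsync option.
valid_host() {
    case "$1" in
        ''|-*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]+$'
}

# Build the rsync command line for one branch. It is printed rather than run
# so it can be inspected (dry runs, tests) before anything touches the network.
rsync_cmd() {
    name=$1 host=$2 dest=$3 src=$4
    valid_host "$host" || return 1
    case "$dest" in /*) ;; *) return 1 ;; esac   # destination must be absolute
    printf '%s\n' "rsync -az --delete --timeout=120 --log-file=$LOG_DIR/$name.log -e 'ssh -i $PUSH_KEY -o BatchMode=yes -o StrictHostKeyChecking=yes' $src/ $host:$dest/"
}

# Execute one built command. Kept separate so a scheduler or test can swap it.
run_cmd() {
    sh -c "$1"
}

# Push $1 to every branch in the inventory. Sets PUSH_DONE and PUSH_SKIPPED
# and always returns 0; per-branch failures are reported, not fatal, so one
# unreachable office does not stop the others.
push_all() {
    src=$1
    PUSH_DONE=0
    PUSH_SKIPPED=0
    while read -r name host dest; do
        case "$name" in ''|\#*) continue ;; esac
        if cmd=$(rsync_cmd "$name" "$host" "$dest" "$src"); then
            if run_cmd "$cmd"; then
                PUSH_DONE=$((PUSH_DONE + 1))
            else
                echo "push: $name ($host) failed, see $LOG_DIR/$name.log" >&2
            fi
        else
            echo "push: skipping malformed inventory entry for $name" >&2
            PUSH_SKIPPED=$((PUSH_SKIPPED + 1))
        fi
    done <<EOF
$BRANCHES
EOF
    return 0
}

# Scheduled use (assumed crontab line on the HQ push server):
#   0 6 * * * PUSH_SRC=/var/reports/out /usr/local/sbin/push-reports
if [ -n "${PUSH_SRC:-}" ]; then
    push_all "$PUSH_SRC"
    echo "push: $PUSH_DONE branches updated, $PUSH_SKIPPED skipped"
fi
```

Because the connection is always initiated from HQ, the branch firewalls only need to accept TCP/22 from the push server's address, and the FTP listener at each branch can be closed. rsync's --log-file gives the per-branch transfer log arnold mentions; --delete keeps the branch copy identical to the HQ source, so drop it if branches are allowed to keep files HQ has removed.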
LVL 76

Expert Comment

by:arnold
ID: 41865538
What access options do you have from the central location into the branches?

Author Closing Comment

by:Ted James
ID: 41903590
Thank you!