Solved

jump server vs push server

Posted on 2016-09-11
6
196 Views
1 Endorsement
Last Modified: 2016-11-27
I had this question after viewing Jump servers for remote access across very large enterprise.

I have an update to our requirements for a jump server.  They want a jump server for the enterprise for maintenance only.  They want the ability to ssh to internal devices (behind the firewall) and to ping (icmp) so that they can check the health of devices behind the firewall.  The firewall would only allow ping and ssh from the jump servers.  So two basic questions:

1.  Is it viable to create a ping "jump server"?  I haven't seen any in practice and don't know if it is commonly done.  How is it done?

For the file transfers and reports, etc. they are proposing to "push" the updates out as opposed to pulling the data from remote requests.  This would be better as far as traversing the firewall.

2.  Looking for tips on how to create a "push" reporting (file transfer) application.  Any experience out there?

Network Detail:  This enterprise network has several branch offices behind firewalls.  The ssh and ping come from hq and maintenance centers into the branch offices.  The outgoing reports go from branch office to other branches and to hq.
1
Comment
Question by:Ted James
6 Comments
 

Author Comment

by:Ted James
ID: 41795139
I seem to be neglected, maybe take it one question at a time...First question:

How do I use the "jump server" approach to ICMP?  There are several maintenance personnel that use ping to monitor the health of the network, including being able to ping thru the perimeter firewall to internal boxes at various branch offices.
We want to limit the scope of "ping" thru the firewall.  So instead of allowing "ping" from a large amount of IP addresses throughout the enterprise, we want to allow "ping" only from a limited amount.  Only limited amount of IPs allowed to ping thru the firewall.  This is what I mean by a "jump server" approach.

How can this be done?  It doesn't seem reasonable to have remote maintenance log into a real jump server just to do ping.  Another way to do this?
0
 
LVL 30

Assisted Solution

by:serialband
serialband earned 225 total points
ID: 41795224
A "jump server" would just be a server you use as a starting point to access all other servers.  The simplest way to ping the internal servers would be to ssh to that server and run ping from there.  There shouldn't be anything special on that server except that it's the only one exposed on the internet.  The other thing you could do is to tunnel ICMP with a standard ssh tunnel and you can ping internal servers directly from your system.  You should probably change the default port to reduce script kiddie attacks and keep your logs smaller and easier/faster to parse.

Why wouldn't you just use Site-Site VPNs?  Once set up, they should be easier to manage.  Each office would have its own subnet, just for easier human management.
0
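One way to do the "ping only" jump host the thread describes without giving maintenance staff a full shell: give their key a forced command in authorized_keys that accepts nothing but `ping <branch-address>`. This is an added example, not code from either poster; the install path, key, branch ranges and syslog tag are placeholders.

```shell
#!/bin/sh
# Forced-command wrapper for the jump host (hypothetical example, not from the thread).
# Install as /usr/local/bin/ping-only and reference it from the maintenance key's
# authorized_keys entry (key material is a placeholder):
#   command="/usr/local/bin/ping-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... maint@hq
# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND; only
# "ping <branch-address>" against a known branch range is run, anything else is refused and logged.
set -f   # no pathname expansion on untrusted input

# Branch ranges the firewall allows the jump host to ping (constructed sample values).
ALLOWED_PREFIXES="10.20. 10.21. 10.22."

# is_ipv4 ADDR: 0 if ADDR is a plain dotted quad (no metacharacters, each octet 0-255)
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# is_allowed ADDR: 0 if ADDR is a valid address inside one of the branch ranges
is_allowed() {
    is_ipv4 "$1" || return 1
    for p in $ALLOWED_PREFIXES; do
        case "$1" in "$p"*) return 0 ;; esac
    done
    return 1
}

# parse_request CMD: print the target when CMD is exactly "ping <allowed-address>", else fail
parse_request() {
    set -- $1
    [ $# -eq 2 ] && [ "$1" = ping ] && is_allowed "$2" || return 1
    printf '%s\n' "$2"
}

# Entry point when sshd runs this as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    src=${SSH_CLIENT%% *}
    if target=$(parse_request "$SSH_ORIGINAL_COMMAND"); then
        logger -t ping-only "ping $target requested from $src"
        exec ping -c 4 "$target"
    fi
    logger -t ping-only "refused from $src: $SSH_ORIGINAL_COMMAND"
    echo "only 'ping <branch-address>' is permitted here" >&2
    exit 1
fi
```

A maintenance user then runs `ssh maint@jumphost ping 10.20.1.5` from their workstation; the firewall rule stays scoped to the jump host's address and every request, allowed or refused, lands in syslog.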
 
LVL 78

Accepted Solution

by:arnold
arnold earned 275 total points
ID: 41835800
A push server to update configs, files is possible, you've not defined what you need so it is hard to suggest.

What does the environment consist of?
i.e. a push server is often used in the absence of centrally managed credentials, or without a database-driven backend,
to push updates to systems that let's say are part of a web server farm, to update all servers to have the same web server config presuming that the data each accesses is from an NFS share.
IF data needs to be copied to each system, rsync is likely the .....
puppet is a good tool to push config changes ..

Jump servers are often set up on the outside with two-factor authentication to provide admins a more secure/more hack-proof mechanism to connect into the network to do what is needed without the need to drive in.

Depending on what you want to ping, it is possible to limit the jump server to those functionalities.

As far as logs, what are you using to transfer the files? If using rsync it has a logging option......
0
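The "push" reporting job the asker wants, built on the rsync-over-ssh approach this answer points at, as an added example (not code from the thread): the branch runs it from cron, sends new reports outbound to HQ, and keeps a transfer log, so the firewall needs one outbound ssh rule per branch instead of inbound FTP from many hosts. Paths, host name and key location are placeholders.

```shell
#!/bin/sh
# Branch-side report push (hypothetical example, not from the thread). Run from cron at the
# branch; rsync sends reports modified since the last run to HQ over ssh and logs each file.
# On the HQ side, restrict the key's authorized_keys entry to rsync (e.g. rsync's rrsync helper).
set -eu

REPORT_DIR=${REPORT_DIR:-/var/reports/outgoing}   # where the branch writes reports (placeholder)
STATE_DIR=${STATE_DIR:-/var/lib/report-push}      # last-run marker, pending list and log
HQ_TARGET=${HQ_TARGET:-reports@hq.example.net:/srv/reports/branch01/}
SSH_KEY=${SSH_KEY:-/etc/report-push/id_ed25519}   # key usable only for this push job

# select_reports DIR MARKER: list *.csv/*.txt reports in DIR modified since MARKER
# (all of them when no marker exists yet), one relative name per line, sorted.
select_reports() {
    marker=$2
    if [ -f "$marker" ]; then newer="-newer $marker"; else newer=""; fi
    ( cd "$1" && find . -maxdepth 1 -type f \( -name '*.csv' -o -name '*.txt' \) $newer ) \
        | sed 's#^\./##' | sort
}

# push_reports: rsync the selected files to HQ, log the transfer, then advance the marker.
push_reports() {
    mkdir -p "$STATE_DIR"
    list=$STATE_DIR/pending.txt
    select_reports "$REPORT_DIR" "$STATE_DIR/last-run" > "$list"
    if [ ! -s "$list" ]; then
        echo "$(date '+%Y/%m/%d %H:%M:%S') no new reports" >> "$STATE_DIR/push.log"
        return 0
    fi
    # Stamp the new marker before transferring so files written meanwhile go out next run.
    touch "$STATE_DIR/last-run.new"
    rsync -a --files-from="$list" --log-file="$STATE_DIR/push.log" \
        -e "ssh -i $SSH_KEY -o BatchMode=yes" "$REPORT_DIR/" "$HQ_TARGET"
    mv "$STATE_DIR/last-run.new" "$STATE_DIR/last-run"
}

# crontab entry on the branch server (constructed): push every night at 02:15
#   15 2 * * * /usr/local/bin/report-push run >> /var/lib/report-push/cron.log 2>&1
if [ "${1:-}" = run ]; then push_reports; fi
```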
 

Author Comment

by:Ted James
ID: 41865531
I have been out of commission for a while. Sorry.

The file transfer they are using is FTP.  Instead of many outside hosts from many branches throughout the enterprise nationwide coming thru the firewall to access the files in these local servers, the aim was to have these files "pushed" out instead.  From a security standpoint, that would be preferred.  Scheduled automatically if possible.
0
 
LVL 78

Expert Comment

by:arnold
ID: 41865538
What access options do you have from the central location into the branches?
0
 

Author Closing Comment

by:Ted James
ID: 41903590
Thank you!
0
