  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 229

jump server vs push server

I had this question after viewing Jump servers for remote access across very large enterprise.

I have an update to our requirements for a jump server.  They want a jump server for the enterprise for maintenance only.  They want the ability to ssh to internal devices (behind the firewall) and to ping (icmp) so that they can check the health of devices behind the firewall.  The firewall would only allow ping and ssh from the jump servers.  So two basic questions:

1.  Is it viable to create a ping "jump server"?  I haven't seen any in practice and don't know if it is commonly done.  How is it done?

For the file transfers and reports, etc. they are proposing to "push" the updates out as opposed to pulling the data from remote requests.  This would be better as far as traversing the firewall.

2.  Looking for tips on how to create a "push" reporting (file transfer) application.  Any experience out there?

Network Detail:  This enterprise network has several branch offices behind firewalls.  The ssh and ping come from hq and maintenance centers into the branch offices.  The outgoing reports go from branch office to other branches and to hq.
Asked by Ted James
2 Solutions
 
Ted James (Author) commented:
I seem to be neglected, maybe take it one question at a time... First question:

How do I use the "jump server" approach to ICMP?  There are several maintenance personnel that use ping to monitor the health of the network, including being able to ping thru the perimeter firewall to internal boxes at various branch offices.
We want to limit the scope of "ping" thru the firewall.  So instead of allowing "ping" from a large amount of IP addresses throughout the enterprise, we want to allow "ping" only from a limited amount.  Only limited amount of IPs allowed to ping thru the firewall.  This is what I mean by a "jump server" approach.

How can this be done?  It doesn't seem reasonable to have remote maintenance log into a real jump server just to do ping.  Another way to do this?
 
serialband commented:
A "jump server" would just be a server you use as a starting point to access all other servers.  The simplest way to ping the internal servers would be to ssh to that server and run ping from there.  There shouldn't be anything special on that server except that it's the only one exposed on the internet.  The other thing you could do is to tunnel ICMP with a standard ssh tunnel and you can ping internal servers directly from your system.  You should probably change the default port to reduce script kiddie attacks and keep your logs smaller and easier/faster to parse.

Why wouldn't you just use Site-Site VPNs?  Once set up, they should be easier to manage.  Each office would have its own subnet, just for easier human management.
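A concrete version of serialband's suggestion, as an added example rather than anything posted in the thread: a small script that lives on the jump server, pings an inventory of branch devices on staff's behalf, and prints a reachability report. Maintenance staff ssh to the jump server (or cron runs the script), so the perimeter firewall only ever sees ICMP from the jump server's address. The inventory addresses are constructed, and the `ping -c/-W` flags assume Linux iputils.

```python
#!/usr/bin/env python3
"""Reachability report run from the jump server, so only the jump
server needs ICMP permitted through the branch firewalls."""
import ipaddress
import subprocess
from typing import Callable, Dict, List

# Constructed sample inventory (hypothetical branch device addresses).
BRANCH_DEVICES: Dict[str, List[str]] = {
    "branch-east": ["10.10.1.1", "10.10.1.2"],
    "branch-west": ["10.20.1.1"],
}


def ping_once(host: str, timeout_s: int = 1) -> bool:
    """Send one ICMP echo request via the system ping binary (Linux
    iputils flags assumed). True when a reply arrived (exit status 0)."""
    ipaddress.ip_address(host)  # only literal IPs from the inventory, never free text
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False,
    )
    return result.returncode == 0


def check_branches(inventory: Dict[str, List[str]],
                   pinger: Callable[[str], bool] = ping_once) -> Dict[str, Dict[str, bool]]:
    """Ping every device in the inventory; returns {branch: {host: reachable}}.
    The pinger is injectable so the logic can be exercised without network access."""
    return {branch: {h: pinger(h) for h in hosts} for branch, hosts in inventory.items()}


def summarize(results: Dict[str, Dict[str, bool]]) -> Dict[str, int]:
    """Number of unreachable devices per branch (0 means the branch is healthy)."""
    return {b: sum(1 for ok in r.values() if not ok) for b, r in results.items()}


def render_report(results: Dict[str, Dict[str, bool]]) -> str:
    """Tab-separated branch/host/state lines, sorted for stable diffing between runs."""
    lines = []
    for branch, hosts in sorted(results.items()):
        for host, ok in sorted(hosts.items()):
            lines.append(f"{branch}\t{host}\t{'UP' if ok else 'DOWN'}")
    return "\n".join(lines)


if __name__ == "__main__":
    res = check_branches(BRANCH_DEVICES)
    print(render_report(res))
    print("unreachable per branch:", summarize(res))
```

Because the ICMP source is now a single host, the branch firewall rule reduces to "icmp echo from <jump server IP>" plus the existing ssh rule.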
 
arnold commented:
A push server to update configs and files is possible, but you've not defined what you need, so it is hard to make a suggestion.

What does the environment consist of?
i.e. a push server is often used in the absence of centrally managed credentials, or without a database-driven backend, to push updates to systems that, let's say, are part of a web server farm, to update all servers to have the same web server config, presuming that the data each accesses is from an NFS share.
If data needs to be copied to each system, rsync is likely the .....
Puppet is a good tool to push config changes ..

Jump servers are often set up on the outside with two-factor authentication to provide admins a more secure/more hack-proof mechanism to connect into the network to do what is needed without the need to drive in.

Depending on what you want to ping, then it is possible to limit the jump server to those functionalities.

As far as logging goes, what are you using to transfer the files? If using rsync, it has a logging option......

 
Ted James (Author) commented:
I have been out of commission for a while. Sorry.

The file transfer they are using is FTP.  Instead of many outside hosts from many branches throughout the enterprise nationwide coming thru the firewall to access the files in these local servers, the aim was to have these files "pushed" out instead.  From a security standpoint, that would be preferred.  Scheduled automatically if possible.
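Following on from arnold's rsync suggestion and the FTP detail above, an added example (not code from the thread) of what a scheduled "push" job at a branch server could look like: rsync over ssh from cron, so HQ never opens an inbound FTP path and the only firewall hole is outbound ssh from the branch to the HQ collector. The collector hostname, paths and key file are hypothetical placeholders.

```python
#!/usr/bin/env python3
"""Scheduled push of branch report files to an HQ collector over
rsync+ssh, replacing inbound FTP pulls through the branch firewall."""
import logging
import subprocess
from typing import Dict, List

# Hypothetical collectors; a push to any host not listed here is refused,
# so a mistyped or tampered cron line cannot send reports elsewhere.
ALLOWED_COLLECTORS: Dict[str, str] = {"reports.hq.example": "/srv/reports"}


def build_push_command(src_dir: str, collector: str, branch: str,
                       key_file: str, log_file: str) -> List[str]:
    """Assemble the rsync-over-ssh command for one unattended push.

    BatchMode=yes makes ssh fail instead of prompting if the key is not
    accepted, so a cron job never hangs; StrictHostKeyChecking=yes refuses
    an unknown or changed collector host key. The trailing '/' on the
    source copies the directory contents rather than the directory itself.
    """
    if collector not in ALLOWED_COLLECTORS:
        raise ValueError(f"refusing to push to unlisted host {collector}")
    dest = f"{collector}:{ALLOWED_COLLECTORS[collector]}/{branch}/"
    ssh = f"ssh -i {key_file} -o BatchMode=yes -o StrictHostKeyChecking=yes"
    return ["rsync", "-az", "--log-file=" + log_file, "-e", ssh,
            src_dir.rstrip("/") + "/", dest]


def push_reports(src_dir: str, collector: str, branch: str,
                 key_file: str, log_file: str) -> bool:
    """Run the push; True on success. rsync writes per-file detail to log_file."""
    cmd = build_push_command(src_dir, collector, branch, key_file, log_file)
    logging.info("pushing %s -> %s", src_dir, cmd[-1])
    rc = subprocess.run(cmd, check=False).returncode
    if rc != 0:
        logging.error("rsync exited %d; see %s", rc, log_file)
    return rc == 0


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    push_reports("/var/reports", "reports.hq.example", "branch-east",
                 "/etc/push/id_ed25519", "/var/log/report-push.log")
```

On the HQ side the pushing key can be pinned in authorized_keys to a single rsync command and source address, so a compromised branch server can only write into its own report directory.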
 
arnold commented:
What access options do you have from the central location into the branches?
 
Ted James (Author) commented:
Thank you!
