[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

jump server vs push server

Posted on 2016-09-11
6
Medium Priority
?
223 Views
1 Endorsement
Last Modified: 2016-11-27
I had this question after viewing Jump servers for remote access across very large enterprise.

I have an update to our requirements for a jump server.  They want a jump server for the enterprise for maintenance only.  They want the ability to ssh to internal devices (behind the firewall) and to ping (icmp) so that they can check the health of devices behind the firewall.  The firewall would only allow ping and ssh from the jump servers.  So two basic questions:

1.  Is it viable to create a ping "jump server"?  I haven't seen any in practice and don't know if it is commonly done.  How is it done?

For the file transfers and reports, etc. they are proposing to "push" the updates out as opposed to pulling the data from remote requests.  This would be better as far as traversing the firewall.

2.  Looking for tips on how to create a "push" reporting (file transfer) application.  Any experience out there?

Network Detail:  This enterprise network has several branch offices behind firewalls.  The ssh and ping come from hq and maintenance centers into the branch offices.  The outgoing reports go from branch office to other branches and to hq.
1
Comment
Question by:Ted James
  • 3
  • 2
6 Comments
 

Author Comment

by:Ted James
ID: 41795139
I seem to be neglected, maybe take it one question at a time...First question:

How do I use the "jump server" approach to ICMP?  There are several maintenance personnel that use ping to monitor the health of the network, including being able to ping thru the perimeter firewall to internal boxes at various branch offices.
We want to limit the scope of "ping" thru the firewall.  So instead of allowing "ping" from a large amount of IP addresses throughout the enterprise, we want to allow "ping" only from a limited amount.  Only limited amount of IPs allowed to ping thru the firewall.  This is what I mean by a "jump server" approach.

How can this be done?  It doesn't seem reasonable to have remote maintenance log into a real jump server just to do ping.  Another way to do this?
0
 
LVL 31

Assisted Solution

by:serialband
serialband earned 900 total points
ID: 41795224
A "jump server" would just be a server you use as a starting point to access all other servers.  The simplest way to ping the internal servers would be to ssh to that server and run ping from there.  There shouldn't be anything special on that server except that it's the only one exposed on the internet.  The other thing you could do is to tunnel ICMP with a standard ssh tunnel and you can ping internal servers directly from your system.  You should probably change the default port to reduce script kiddie attacks and keep your logs smaller and easier/faster to parse.

Why wouldn't you just use Site-Site VPNs?  Once set up, they should be easier to manage.  Each office would have its own subnet, just for easier human management.
0
 
LVL 81

Accepted Solution

by:
arnold earned 1100 total points
ID: 41835800
A push server to update configs, files is possible, you've not defined what you need so it is hard to suggest.

What does the environment consists of.
i.e a push server is often used in the absence of a centrally managed credentials, or without database driven backend
to push updates to systems that lets say are part of a web server farm, to update all servers to have the same web serverconfig presuming that the data each access is from an NFS share.
IF data needs to be copied to each system, rsync is likely the .....
puppet is a good tool to push config changes ..

Jump servers are often setup on the outside with two factor authentication to provide admins a more secure/more hack proof mechanism to connect into the network to do what is needed without the need to drive in.

Depending on what you want to ping, the it is possible to limit the jump server to those functionalities.

As far as log, what are you using to transfer the files, if using rsync it has a loging option......
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

 

Author Comment

by:Ted James
ID: 41865531
I have been out of commission for a while. Sorry.

The file transfer they are using is FTP.  Instead of many outside hosts from many branches throughout the enterprise nationwide coming thru the firewall to access the files in these local servers, the aim was to have these files "pushed" out instead.  From a security standpoint, that would be preferred.  Scheduled automatically if possible.
0
 
LVL 81

Expert Comment

by:arnold
ID: 41865538
What access options fo you have from the central location into the branches?
0
 

Author Closing Comment

by:Ted James
ID: 41903590
Thank you!
0

Featured Post

Free recovery tool for Microsoft Active Directory

Veeam Explorer for Microsoft Active Directory provides fast and reliable object-level recovery for Active Directory from a single-pass, agentless backup or storage snapshot — without the need to restore an entire virtual machine or use third-party tools.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
Phishing emails are a popular malware delivery vehicle for attack.  While there are many ways for an attacker to increase the chances of success for their phishing emails, one of the most effective methods involves spoofing the message to appear to …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

826 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question