Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

jump server vs push server

Posted on 2016-09-11
6
Medium Priority
?
218 Views
1 Endorsement
Last Modified: 2016-11-27
I had this question after viewing Jump servers for remote access across very large enterprise.

I have an update to our requirements for a jump server.  They want a jump server for the enterprise for maintenance only.  They want the ability to ssh to internal devices (behind the firewall) and to ping (icmp) so that they can check the health of devices behind the firewall.  The firewall would only allow ping and ssh from the jump servers.  So two basic questions:

1.  Is it viable to create a ping "jump server"?  I haven't seen any in practice and don't know if it is commonly done.  How is it done?

For the file transfers and reports, etc. they are proposing to "push" the updates out as opposed to pulling the data from remote requests.  This would be better as far as traversing the firewall.

2.  Looking for tips on how to create a "push" reporting (file transfer) application.  Any experience out there?

Network Detail:  This enterprise network has several branch offices behind firewalls.  The ssh and ping come from hq and maintenance centers into the branch offices.  The outgoing reports go from branch office to other branches and to hq.
1
Comment
Question by:Ted James
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 

Author Comment

by:Ted James
ID: 41795139
I seem to be neglected, maybe take it one question at a time...First question:

How do I use the "jump server" approach to ICMP?  There are several maintenance personnel that use ping to monitor the health of the network, including being able to ping thru the perimeter firewall to internal boxes at various branch offices.
We want to limit the scope of "ping" thru the firewall.  So instead of allowing "ping" from a large amount of IP addresses throughout the enterprise, we want to allow "ping" only from a limited amount.  Only limited amount of IPs allowed to ping thru the firewall.  This is what I mean by a "jump server" approach.

How can this be done?  It doesn't seem reasonable to have remote maintenance log into a real jump server just to do ping.  Another way to do this?
0
 
LVL 30

Assisted Solution

by:serialband
serialband earned 900 total points
ID: 41795224
A "jump server" would just be a server you use as a starting point to access all other servers.  The simplest way to ping the internal servers would be to ssh to that server and run ping from there.  There shouldn't be anything special on that server except that it's the only one exposed on the internet.  The other thing you could do is to tunnel ICMP with a standard ssh tunnel and you can ping internal servers directly from your system.  You should probably change the default port to reduce script kiddie attacks and keep your logs smaller and easier/faster to parse.

Why wouldn't you just use Site-Site VPNs?  Once set up, they should be easier to manage.  Each office would have its own subnet, just for easier human management.
0
 
LVL 80

Accepted Solution

by:
arnold earned 1100 total points
ID: 41835800
A push server to update configs, files is possible, you've not defined what you need so it is hard to suggest.

What does the environment consists of.
i.e a push server is often used in the absence of a centrally managed credentials, or without database driven backend
to push updates to systems that lets say are part of a web server farm, to update all servers to have the same web serverconfig presuming that the data each access is from an NFS share.
IF data needs to be copied to each system, rsync is likely the .....
puppet is a good tool to push config changes ..

Jump servers are often setup on the outside with two factor authentication to provide admins a more secure/more hack proof mechanism to connect into the network to do what is needed without the need to drive in.

Depending on what you want to ping, the it is possible to limit the jump server to those functionalities.

As far as log, what are you using to transfer the files, if using rsync it has a loging option......
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 

Author Comment

by:Ted James
ID: 41865531
I have been out of commission for a while. Sorry.

The file transfer they are using is FTP.  Instead of many outside hosts from many branches throughout the enterprise nationwide coming thru the firewall to access the files in these local servers, the aim was to have these files "pushed" out instead.  From a security standpoint, that would be preferred.  Scheduled automatically if possible.
0
 
LVL 80

Expert Comment

by:arnold
ID: 41865538
What access options fo you have from the central location into the branches?
0
 

Author Closing Comment

by:Ted James
ID: 41903590
Thank you!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
Ransomware, the malware that locks down its victim’s files until they pay up, has always been a frustrating issue to deal with. However, a recent mobile ransomware will make the issue a little more personal… by sharing the victim’s mobile browsing h…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question