Tasked with a network project and need help!

I have been tasked with a project to allow external vendors to access our private network and to white list IP address that they can access by security groups. I already have the Juniper firewall in place that uses LDAP to our DC for authentication but I need to get more granular on what they can access. For example, Vendor A needs access to specific IP addresses on a 10.90.0.0 network but Vendor B also needs access to a few IP addresses on the same subnet. The end devices do not support Radius/Tacacs and basically the only login has full admin rights. Anyone using a content filter device that could do this? I would prefer centralized management over using dot1x on each router because I have over 1000 remote sites and would like to control access from the entry point.

Find more posts tagged with

Comments

jibbajabba

Am I missing something or doesn't Juniper support ACLs ???

It's a firewall after all so you should be able to allow certain IPs to access certain IPs, shouldn't you ?!?

confused_dot_com

TechGuy215

Why not use an IPSEC VPN?

You can define the interesting traffic, so only IP address A can get to IP Address B and bring up the tunnel.

Also, I would assume if you're looking to get even more granular as jibbajabba stated you can setup ACLs with IP Addresses and Specific Ports allowed.

Hondabuff

It is a SSL VPN and once you authenticate to our website, it installs a client on your machine. I was hoping for "dreaming" of a web page IIS that I can put the IP address and Name of site that you can choose a la carte. So vendor A would have their IP's presented to them and Vendor B would have their IP range to choose from. Windows Secure Application manager is the client that gets installed on your pc and sets up the vpn tunnel.

Heero

IPSec tunnel, define the interesting traffic. Throw up some firewall rules if needed. I mean, it's not that complex.

Hondabuff

Heero wrote: »

IPSec tunnel, define the interesting traffic. Throw up some firewall rules if needed. I mean, it's not that complex.

Its not as simple as setting an ACL and define the interesting traffic. Both Vendor A/B need access to the same subnet but can not access each others nodes on the same subnet. The company that we purchased never thought they would grow as big as they did before we bought them. Big mess. I have 6 different vendors equipment on the same subnets and we are trying to restrict who can access what. I would need +1000 ACL's to get as granular as I need. I have worked with a Barracuda firewall before where I could define security groups, add users to the security group, add IP address that I want to allow to the white list and then deny all. I think the Juniper firewall only does URL filtering and wont do it by IP address.

ccnxjr

Are you just looking at the web-interface?

I know you can specify IP Addresses filtering under the "firewall" section hierarchy and have it perform actions based on source-address to destination-address rules.
After defining a rule set you'll then have to apply it to an interface.

http://www.juniper.net/us/en/training/jnbooks/day-one/fundamentals-series/configuring-junos-policies/

PurpleIT

If I am reading you correctly I THINK I am doing what you want:

I have a SonicWALL SSL VPN. Users authenticate against AD and it assigns access to resources based on their group memberships within AD.

I set up resources such as "Server A" and then allow Group1, Group2 and Group5 access to that resource. Group1 may have access to other resources that may or may not overlap with the others. Resources can be file shares, IPs, subnets, etc.

For each resource they have access to you can place icons on the web page so they can just click on whatever they need.

Is this what you are looking for? Are you looking for a replacement for the Juniper or something downstream?

There are also firewall rules which can limit it to RDP or other protocols and services.

Hondabuff

PurpleIT, that's exactly what Im looking for. We are using a Juniper SSL VPN to a web page and right now after they authenticate, the vendor types in a IP address and they sign into the local admin account on the equipment. It seems very limited on what it can do. Which Sonicwall appliance do you have?

PurpleIT

It's the Aventail EX6000.

I was able to get a 30 day trial, but that was before Dell bought them out.

kohr-ah

Hondabuff perchance are you using Juniper SAS device? If so that is how we let vendors into our work and we setup a profile and specify specifics for certain vendors (like ip/32) and others get to use the whole /24.

If you do let me know I can help.