Tasked with a network project and need help!
I have been tasked with a project to allow external vendors to access our private network and to whitelist the IP addresses they can access by security group. I already have a Juniper firewall in place that uses LDAP to our DC for authentication, but I need to get more granular on what they can access. For example, Vendor A needs access to specific IP addresses on a 10.90.0.0 network, but Vendor B also needs access to a few IP addresses on the same subnet. The end devices do not support RADIUS/TACACS+, and basically the only login has full admin rights. Is anyone using a content filter device that could do this? I would prefer centralized management over using 802.1X on each router, because I have over 1000 remote sites and would like to control access from the entry point.
“The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
Comments
jibbajabba: Am I missing something, or doesn't Juniper support ACLs?
It's a firewall after all, so you should be able to allow certain IPs to access certain IPs, shouldn't you?
TechGuy215: Why not use an IPsec VPN?
You can define the interesting traffic, so only IP address A can get to IP address B and bring up the tunnel.
Also, I would assume that if you're looking to get even more granular, as jibbajabba stated, you can set up ACLs with IP addresses and specific ports allowed.
Hondabuff: It is an SSL VPN, and once you authenticate to our website, it installs a client on your machine. I was hoping for ("dreaming" of) a web page in IIS where I can put the IP address and name of the site that you can choose à la carte. So Vendor A would have their IPs presented to them, and Vendor B would have their IP range to choose from. Windows Secure Application Manager is the client that gets installed on your PC and sets up the VPN tunnel.

Heero: IPsec tunnel, define the interesting traffic. Throw up some firewall rules if needed. I mean, it's not that complex.
ccnxjr: Are you just looking at the web interface?
I know you can specify IP address filtering under the "firewall" section of the hierarchy and have it perform actions based on source-address to destination-address rules.
After defining a rule set, you'll then have to apply it to an interface.
http://www.juniper.net/us/en/training/jnbooks/day-one/fundamentals-series/configuring-junos-policies/
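The per-vendor, per-host allow list described in the original post, written out as a Junos security policy. This is an added example, not configuration from any poster in this thread: the zone names (vpn, remote-sites), the vendor client addresses (assumed to be fixed per-vendor addresses handed out by the VPN), the site device addresses inside 10.90.0.0/24, and the application names are all assumptions chosen to illustrate the layout. It uses stateful security policies rather than an interface firewall filter, because a policy can match on the connecting vendor's source address and still let the return traffic back without a second rule.

```junos
security {
    address-book {
        global {
            /* Assumed: each vendor's VPN client lands on its own fixed address */
            address vendor-a-client 172.16.50.10/32;
            address vendor-b-client 172.16.50.20/32;
            /* Assumed site devices; all three sit in the same 10.90.0.0/24 subnet */
            address site-router-11 10.90.0.11/32;
            address site-router-12 10.90.0.12/32;
            address site-router-21 10.90.0.21/32;
            /* Vendor A may reach two hosts, Vendor B only one, on the same subnet */
            address-set vendor-a-targets {
                address site-router-11;
                address site-router-12;
            }
            address-set vendor-b-targets {
                address site-router-21;
            }
        }
    }
    policies {
        from-zone vpn to-zone remote-sites {
            /* Vendor A: only its hosts, only the management protocols it needs */
            policy vendor-a-mgmt {
                match {
                    source-address vendor-a-client;
                    destination-address vendor-a-targets;
                    application [ junos-ssh junos-https ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            policy vendor-b-mgmt {
                match {
                    source-address vendor-b-client;
                    destination-address vendor-b-targets;
                    application [ junos-ssh junos-https ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            /* Explicit final deny so nothing else from the vendor zone slips through */
            policy deny-all-vendors {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
```

Two caveats follow from the thread itself. The policy only works if each vendor's sessions arrive from a source address that belongs to that vendor and nobody else; if all vendors draw from one shared VPN address pool, the firewall cannot tell them apart and the split has to be made on the VPN appliance, which is what the later replies about SonicWALL and Juniper SA resource policies describe. And since the site devices only have a single full-admin login, the policy bounds which boxes a vendor can reach, not what they can do once logged in, so the session-init and session-close logging is the only per-vendor audit trail you get.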
PurpleIT: If I am reading you correctly, I THINK I am doing what you want:
I have a SonicWALL SSL VPN. Users authenticate against AD and it assigns access to resources based on their group memberships within AD.
I set up resources such as "Server A" and then allow Group1, Group2 and Group5 access to that resource. Group1 may have access to other resources that may or may not overlap with the others. Resources can be file shares, IPs, subnets, etc.
For each resource they have access to you can place icons on the web page so they can just click on whatever they need.
Is this what you are looking for? Are you looking for a replacement for the Juniper or something downstream?
There are also firewall rules which can limit it to RDP or other protocols and services.

Hondabuff: PurpleIT, that's exactly what I'm looking for. We are using a Juniper SSL VPN to a web page, and right now, after they authenticate, the vendor types in an IP address and signs into the local admin account on the equipment. It seems very limited in what it can do. Which SonicWALL appliance do you have?

PurpleIT: It's the Aventail EX6000.
I was able to get a 30-day trial, but that was before Dell bought them out.
kohr-ah: Hondabuff, perchance are you using a Juniper SAS device? If so, that is how we let vendors into our work: we set up a profile and specify specifics for certain vendors (like ip/32), and others get to use the whole /24.
If you do let me know I can help.