
CSA

paddyxdoyle
Level 6

Hi,

Can someone tell me if CSA can help in the following?

I need to provide remote access to a third party untrusted company to a system they manage via VPN.

It consists of two Unix servers and two Windows servers and runs a web based app which will be accessed on our internal network.

They also need a PC running some kind of VNC type app so they can access the web front end.

They have requested shell access to the Unix boxes using SSH and I assume this will mean root.

My concern is that once they are logged onto the servers they can potentially attempt to connect to other servers on our LAN.

I'm fully aware of creating DMZs, vaulting etc.; however, I am also fully aware of the work involved in this, as these servers will all need to communicate with each other. As Windows servers are also involved, this could also mean portmapper and potentially opening TCP high ports etc. etc.... basically it's a whole can of worms.

So...

Can CSA help me achieve isolation of these servers to outside connections in any way?

Thanks in advance

Paddy

1 Reply

tsteger1
Level 8

Short answer - Yes

CSA can protect the host it's installed on and can protect other machines from it. You choose what it can do and lock everything else out. However, the servers need to use services and protocols to do their normal jobs and you may be opening the network to whatever those are.

You could protect your other servers by not allowing the managed servers to act as clients to anything. You might also create Dynamic Application classes that lock the servers down when they are being managed. You would have to do some baselining first to determine the minimum that you could run in order for them to function properly.

Lots of possibilities but it all depends on your environment.
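
The baselining step from the reply above, as an added example that is not part of the original thread and is not CSA rule syntax: it sorts observed connections into server-to-server traffic, inbound service traffic, and cases where a managed server acts as a client to another LAN host. The addresses, ports and the `proto client server port` record format are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: the four managed servers (addresses are placeholders).
MANAGED = {ipaddress.ip_address(a) for a in
           ("10.20.0.11", "10.20.0.12", "10.20.0.21", "10.20.0.22")}

# Constructed observations in "proto client_ip server_ip server_port" form,
# as could be collected from each server during a baselining period.
SAMPLE = """\
tcp 10.20.0.11 10.20.0.12 5432
tcp 10.20.0.21 10.20.0.11 8080
tcp 10.1.5.40 10.20.0.21 443
tcp 10.1.5.77 10.20.0.21 443
tcp 10.20.0.22 10.20.0.12 5432
tcp 10.20.0.12 10.1.9.5 22
udp 10.20.0.11 10.1.0.53 53
"""

def parse(text):
    """Yield (proto, client, server, port) for each non-empty, non-comment line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        proto, client, server, port = line.split()
        yield proto, ipaddress.ip_address(client), ipaddress.ip_address(server), int(port)

def baseline(text, managed=MANAGED):
    """Split observed flows into the three groups the policy has to decide on."""
    intra, inbound, outbound = Counter(), Counter(), Counter()
    for proto, client, server, port in parse(text):
        if client in managed and server in managed:
            intra[(proto, str(client), str(server), port)] += 1
        elif server in managed:
            # Collapse client addresses: the web front end is served to the LAN.
            inbound[(proto, str(server), port)] += 1
        elif client in managed:
            # Managed server acting as a client to something else on the LAN.
            outbound[(proto, str(client), str(server), port)] += 1
    return intra, inbound, outbound

if __name__ == "__main__":
    intra, inbound, outbound = baseline(SAMPLE)
    print("allow (server to server):", sorted(intra))
    print("allow (inbound service):", sorted(inbound))
    print("review, then deny by default (managed host as client):", sorted(outbound))
```

Each entry in the third group is a decision point: either it is a dependency the servers need to function, such as name resolution, or it is the kind of onward connection the original question wants blocked.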