Educause Security Discussion
mailing list archives
Re: Remote Terminal Services / SharePoint Servers
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 11 Jan 2007 21:15:24 +1300
Bristol, Gary L. wrote:
> Besides the use of SSL VPN devices, which we have a couple flavors
> of, another option that we use is SSH Bastion hosts.
> I have several in place that provide different parts of the user
> community access to the resources they need.
> The Hosts are Linux based and authenticate the users via Kerberos to
> the Microsoft AD domain controllers.
> This provides a very effective means of connecting securely and still
> having the resources on the inside available to the users and isolated
> from common off campus access, i.e. hackers.

We also operate ssh gateway machines (in our case protected by two
factor Auth) and they are used almost exclusively by systems administration
staff and the odd tech-savvy academic. The thought of getting 'ordinary'
users to do this makes me rather nervous because of the support issues.

The big disadvantage that I see is that each service requires
configuration in the ssh client and then the user has to do something
different with each application that they want to use. The big advantage
of a decent VPN is that once the connection is established it is largely
transparent to the user. Everything works just as if they are on campus
-- so long as they have a nice fast DSL connection.

Currently we use Cisco VPN which works OK for the most part. I have the
odd problem with the Mac client which sometimes throws its toys out of
the cot declaring that it "cant initialise VPN system because there are
no internet connections" at which point I give up on it and use SSH.