tacJUMP


Description
The proliferation of networks is accompanied by a small revolution at work: the workplace no longer depends on the location of the server. The quality of a workplace at home improves tremendously with access to company resources, and there is no need to do without these new opportunities on business trips either.
Participants from different companies can use the network to work on the same project without leaving their familiar workplace. For example, a web designer can update her customer's site even if the web server is operated in a third-party data centre.
If there is an incident, emergency staff can intervene day and night.
However, all these new opportunities, if implemented carelessly, also open the door to misuse by unwanted visitors. Unlike the service a web server provides (delivery of web content), administrative access poses an incomparably greater threat to the integrity of the server.

Customer Benefit
The jumpstation is, to a degree, an interactive firewall. Individuals wanting to work on a server in a protected network first have to log in to the jumpstation, which then grants them access to the server.
As the only path from the public area to the protected area, the jumpstation is hardened especially carefully, as befits a publicly visible server. Without the jumpstation, these security measures would have to be applied to every single server in the protected network that is reachable for remote maintenance. The jumpstation therefore reduces those servers' security requirements to a reasonable level.

Scope of Services
tacJUMP is terreActive's jumpstation with the following features:

  • Login via SSH: tacJUMP allows only SSH for remote access. Passwords and data are encrypted for transmission.
  • Source address per visitor: the jumpstation knows from which source IP it may expect a given visitor and denies access if the visitor comes from an unusual location.
  • Time window per visitor: tacJUMP permits the specification of time windows per user. Any access attempts outside of these time windows are prevented.
  • Secure environment: after a successful login to the jumpstation, the visitor lands in a command interpreter designed specifically for the jumpstation. It protects the jumpstation from its visitors, and the visitors from one another, against prying eyes and attacks.
  • Privilege management: from the jumpstation, the visitor can log on to servers within the protected network. However, the jumpstation permits access only to a clearly defined set of servers, specified per user.
  • File transfer control: visitors to the jumpstation can be given the following file transfer privileges: 1) permission to upload files to the jumpstation; 2) permission to download files from the jumpstation; 3) permission to upload files to the secure server; 4) permission to download files from the secure server. File transfer always takes place via the jumpstation and therefore requires two steps. The available options are scp and rsync via SSH.
  • Tunnelling of TCP protocols via SSH: the SSH connection to the jumpstation can carry tunnelled TCP protocols such as pcAnywhere or SQL. The visitor logs on to the jumpstation and then reaches a server in the secure network through the SSH tunnel, for example with pcAnywhere. Once again, access is permitted only to the explicitly authorised servers.
  • GUI for configuration: visitor management, including password management functions, is provided via the web-based Jump GUI.
  • Operator cockpit: the jumpstation operator can see at any time what is going on: 1) active visitors on the jumpstation 2) login and logout times 3) files copied 4) servers accessed in the secure network 5) tunnelled protocols. Furthermore, sessions can be terminated immediately from the operator cockpit.
  • Optional strong authentication with ACE/Server and SecurID: in the basic version, visitors sign on to the jumpstation with username and password. SecurID one-time-password tokens are available as a stronger alternative for access control.
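The per-visitor controls listed above (expected source address, time window, per-user server list, authorised tunnel targets) amount to a policy that is evaluated once at login to the jumpstation and again on every onward connection. The Python block below is an added example of such an evaluation; it is not tacJUMP's code, the page does not describe tacJUMP's policy format, and the user names, networks, hosts and time windows are constructed for illustration. It goes one step beyond the page in handling time windows that cross midnight, which a per-visitor time window needs for night-time emergency staff.

```python
"""Per-visitor access policy of the kind a jumpstation enforces on every
login and on every onward connection into the protected network.

Added illustration, not tacJUMP code: the policy format, user names,
networks, hosts and time windows below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Tuple, Union

WEEKDAYS = frozenset(range(0, 5))    # Monday..Friday (datetime.weekday())
EVERY_DAY = frozenset(range(0, 7))


@dataclass(frozen=True)
class Window:
    """Permitted time window on the given weekdays.

    A window may cross midnight (e.g. 22:00-06:00 for on-call staff): the
    part before midnight belongs to a listed weekday, the part after
    midnight to the night following that weekday.
    """
    weekdays: FrozenSet[int]
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        t = when.time()
        if self.start <= self.end:                       # same-day window
            return when.weekday() in self.weekdays and self.start <= t < self.end
        if t >= self.start:                              # evening part
            return when.weekday() in self.weekdays
        previous_day = (when.weekday() - 1) % 7          # early-morning part
        return t < self.end and previous_day in self.weekdays


@dataclass(frozen=True)
class Visitor:
    sources: Tuple[str, ...]              # networks the visitor may come from
    windows: Tuple[Window, ...]           # when the visitor may log in
    targets: Dict[str, Tuple[int, ...]]   # host -> ports reachable from the jump


# Constructed sample policy (made-up users, addresses and hosts).
POLICY: Dict[str, Visitor] = {
    # Web designer: office hours, from her agency's network, one web server.
    "webdesign": Visitor(
        sources=("203.0.113.0/24",),
        windows=(Window(WEEKDAYS, time(8, 0), time(18, 0)),),
        targets={"www.example.internal": (22,)},
    ),
    # On-call engineer: every night, from one fixed home address, SSH to two
    # servers plus the database port for a tunnelled SQL client.
    "oncall": Visitor(
        sources=("198.51.100.7/32",),
        windows=(Window(EVERY_DAY, time(22, 0), time(6, 0)),),
        targets={"db1.example.internal": (22, 5432),
                 "app1.example.internal": (22,)},
    ),
    # Helpdesk contractor: Friday night only (22:00 Friday to 06:00 Saturday).
    "fridaynight": Visitor(
        sources=("192.0.2.0/24",),
        windows=(Window(frozenset({4}), time(22, 0), time(6, 0)),),
        targets={"app1.example.internal": (22,)},
    ),
}


def check_login(policy: Dict[str, Visitor], user: str, src_ip: str,
                when: Union[datetime, str]) -> Tuple[bool, str]:
    """Decide whether a login to the jumpstation itself is allowed.

    `when` is a datetime or an ISO 8601 string such as "2024-03-05T02:00".
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    visitor = policy.get(user)
    if visitor is None:
        return False, "unknown user"
    try:
        addr = ip_address(src_ip)
    except ValueError:
        return False, "malformed source address"
    if not any(addr in ip_network(net) for net in visitor.sources):
        return False, "unexpected source address"
    if not any(w.contains(when) for w in visitor.windows):
        return False, "outside time window"
    return True, "ok"


def check_target(policy: Dict[str, Visitor], user: str, host: str,
                 port: int) -> Tuple[bool, str]:
    """Decide whether an onward SSH login or TCP tunnel to host:port is allowed.

    Host and port must both be listed: an authorised SSH target does not
    implicitly permit tunnelling other services on the same machine.
    """
    visitor = policy.get(user)
    if visitor is None:
        return False, "unknown user"
    ports = visitor.targets.get(host)
    if ports is None:
        return False, "host not authorised"
    if port not in ports:
        return False, "port not authorised"
    return True, "ok"


if __name__ == "__main__":
    print(check_login(POLICY, "oncall", "198.51.100.7", "2024-03-05T02:00"))
    print(check_target(POLICY, "oncall", "db1.example.internal", 5432))
    print(check_login(POLICY, "webdesign", "203.0.113.45", "2024-03-05T02:00"))
```

On an OpenSSH-based jump host the same controls map onto `Match Address` blocks in sshd_config, `from=` and `permitopen=` options in authorized_keys (or `PermitOpen` in sshd_config) for the tunnel targets, and a PAM module such as pam_time for the time windows; on the client side, `ssh -J jumpstation target` performs the two-hop login in one command.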

tacJUMPOUT
tacJUMPOUT is an add-on to tacJUMP, designed especially with the requirements of helpdesks and data centres in mind. After signing on via tacJUMPOUT, the visitor sees a graphical interface listing all computers in the secure network that he or she may access. Selecting a computer opens a new window with an interactive command interpreter on the target machine. tacJUMPOUT can be used for:

  • UNIX machines
  • Routers and switches with telnet access
  • Terminal concentrators with telnet access
  • Windows machines (with OpenSSH for Windows)

The passwords required for these target logins are stored in the configuration file of tacJUMPOUT; with the add-on tacPWS, they can instead be managed and stored on a separate, third server. Note that the telnet hops to routers, switches and terminal concentrators carry credentials and session data in clear text, so that last hop relies on the protected network itself being trustworthy.