Monday, January 11, 2021

Microsegmentation and Overall Segmentation Options?

Hi All. Maybe it would be easier to talk solution if I talk problem first:

We run Cisco HA ASA internet security stacks at our edges. On those firewalls we have the typical SSL VPN setup for our employees, but additionally we have 50 or so unique users we create manually using dynamic access policies to assign network ACLs to them. The reason for that is employees have full access but these 'special users' do not and need specific access locked down. They keep pouring in and we're gonna have another 100 we'll need to set up soon.

The problem is that constantly creating special setups on all our firewalls and modifying the network ACLs associated with them is not sustainable every time they need something or leave the company. What are my options for limiting access to internal and external resources beyond layer 3 and 4 in a centralized location? We have ISE but I'm not about to pass out dACLs to everyone. Yeah it's centralized, but it's still a ton of dACLs we can't sustain.

There are some cloud-based items we have a solution for, but most of what they access is internal and homegrown. From what I've seen Cisco Secure Workload, formerly Tetration, may be an option but I feel like almost all of the documentation surrounding it is sales talk. Not to mention that requirements for running it are hefty af. Hardware or virtual. Not really digging the SaaS option.

Can anyone recommend what they do to lock down access at the application level? Hell, even at the layer 3-4 level? Need something that can scale and has plenty of documentation and maturity rather than a bunch of powerpoint slides.

Thanks!
