Monday, January 14, 2019

Meraki Authentication/Security Project

I have this idea; let me know if anyone else has heard of it before. I know there would need to be failovers for network outages, and redundancies all over the place.

Client & Admin VLAN 2: By default on the security appliance, no VLAN 2 client can RDP to either our servers or our domain controllers. When an admin needs to log in to a server, he goes to a local HTTPS web server that asks for his password to extend his permissions. The admin enters the password, and the server uses the Meraki API to move the client to a less restricted group. Then, when the admin needs RDP to a DC, he visits the page again, and this time he has to perform 2FA.

This kind of tier-based security would make networks far more secure without needing a million VLANs and matching SSIDs. Yes, I am aware this then brings up the issue of MAC spoofing, but that could be countered with client SSL keys (certificates) checked by a background API, or some other form of device-based auth.
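To make the tiers concrete, here is an added example (my own code, not part of the original post or anything from Meraki) of the step-up broker that web server would run. It assumes three group policies on the appliance (baseline with no RDP, member-server RDP, and DC RDP) and abstracts the Meraki API call that moves a client between them behind a hypothetical `apply_policy(mac, tier)` callback, so the logic runs offline. A password alone buys the server tier, password plus a TOTP code buys the DC tier, elevations expire, and each elevation is bound to a client-certificate fingerprint so that a spoofed MAC without the certificate falls back to the baseline policy.

```python
"""Tiered step-up authentication broker (added example, not the post's code)."""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Tiers, least to most privileged. Assumed mapping to three Meraki group
# policies: baseline (no RDP), member-server RDP, domain-controller RDP.
TIER_DEFAULT, TIER_SERVER, TIER_DC = 0, 1, 2

ELEVATION_TTL = 15 * 60  # seconds an elevation lasts before dropping back


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1, the scheme authenticator apps use."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time counter."""
    return hotp(secret, int(for_time) // step)


def verify_totp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Accept the current code or one step either side to absorb clock drift."""
    counter = int(now) // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def enroll(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus TOTP seed."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def verify_password(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


@dataclass
class StepUpBroker:
    users: Dict[str, dict]
    # Hypothetical wrapper around the Meraki Dashboard API: (client MAC, tier) -> None
    apply_policy: Callable[[str, int], None]
    sessions: Dict[str, dict] = field(default_factory=dict)  # client MAC -> elevation

    def current_tier(self, mac: str, cert_fp: str, now: Optional[float] = None) -> int:
        """Effective tier; expired or certificate-mismatched elevations are revoked."""
        now = time.time() if now is None else now
        s = self.sessions.get(mac)
        if s is None:
            return TIER_DEFAULT
        if now >= s["expires"] or not hmac.compare_digest(s["cert_fp"], cert_fp):
            self.revoke(mac)
            return TIER_DEFAULT
        return s["tier"]

    def revoke(self, mac: str) -> None:
        """Drop the client back to the baseline group policy."""
        if mac in self.sessions:
            del self.sessions[mac]
            self.apply_policy(mac, TIER_DEFAULT)

    def request_tier(self, mac: str, cert_fp: str, username: str, password: str,
                     wanted: int, totp_code: Optional[str] = None,
                     now: Optional[float] = None) -> int:
        """Step-up: password buys TIER_SERVER; password plus TOTP buys TIER_DC."""
        now = time.time() if now is None else now
        if wanted not in (TIER_SERVER, TIER_DC):
            raise ValueError("unknown tier")
        user = self.users.get(username)
        if user is None or not verify_password(user, password):
            return self.current_tier(mac, cert_fp, now)  # denied, tier unchanged
        if wanted == TIER_DC and not (
                totp_code and verify_totp(user["totp_secret"], totp_code, now)):
            return self.current_tier(mac, cert_fp, now)  # second factor missing/wrong
        self.sessions[mac] = {"user": username, "tier": wanted, "cert_fp": cert_fp,
                              "expires": now + ELEVATION_TTL}
        self.apply_policy(mac, wanted)
        return wanted
```

In practice `apply_policy` would be the one place that talks to the Meraki API, and a timer would call `current_tier` (or `revoke`) for each elevated client so that expiry actually pushes the client back to the baseline policy rather than only being noticed on the next visit to the page.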
