Saturday, April 24, 2021

Removing admin VPN from a segregated admin/service infrastructure

Hi there! First post on the community, so critiques and advice are welcome ;)

Context: A few years ago, I landed in an infrastructure where administration access is physically (switches, FW, routers) and logically (VPN) separated from the service side. That means each server (mail, phone, printers, etc.) has at least 2 interfaces: the admin one and the service one (which holds the default route). Administrators use a specific dial-up VPN with their own admin account to reach servers through the administration interface. Today, I am trying to remove the admin VPN without giving up the concept of segregation between service and administration.

If I remove the VPN, admins will reach servers from the same subnet as regular users. So servers will receive the admin connection request on their administration interface and answer on their service interface. This is the moment where the router says "no way".

Now the question: what could be my options in order to not screw up the routing side while removing the admin VPN? How would you address this situation?

- Dedicated subnet for my admins?
- Bastion ofc, but it's not in the road map yet
- Routing trick on servers?
- Some NAT?

I feel like I am missing some obvious solution but can't see it.

Thanks for your answers, fellows, any tips will be appreciated. I can clarify any points if needed.

Have a nice day
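The "routing trick on servers" option from the post, as an added example that is not part of the original post: source-based policy routing on a dual-homed Linux server. Traffic that arrives on the admin interface is addressed to the admin IP, so a rule keyed on that source address sends the reply back out of the admin interface through its own routing table, while the service interface keeps the main default route. Interface names, addresses, gateway and table number below are assumptions for illustration, and the `apply` mode needs root on the server.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values: eth1 is the admin
# interface, 10.10.0.0/24 the admin subnet, 10.10.0.1 the admin gateway that
# routes towards the user LAN, and table 100 is a free routing table id.
ADMIN_IF="${ADMIN_IF:-eth1}"
ADMIN_IP="${ADMIN_IP:-10.10.0.21}"
ADMIN_NET="${ADMIN_NET:-10.10.0.0/24}"
ADMIN_GW="${ADMIN_GW:-10.10.0.1}"
ADMIN_TABLE="${ADMIN_TABLE:-100}"
RULE_PRIO="${RULE_PRIO:-1000}"

# Emit the ip(8) commands for the policy, one per line.
# Table 100 has its own default route via the admin gateway, and the rule
# selects that table for every packet whose source is the admin IP, i.e. all
# replies to sessions that came in on the admin interface.
pbr_commands() {
    cat <<EOF
ip route replace ${ADMIN_NET} dev ${ADMIN_IF} src ${ADMIN_IP} table ${ADMIN_TABLE}
ip route replace default via ${ADMIN_GW} dev ${ADMIN_IF} table ${ADMIN_TABLE}
ip rule add from ${ADMIN_IP}/32 lookup ${ADMIN_TABLE} priority ${RULE_PRIO}
EOF
}

# Execute the commands (root required). The rule is deleted first so the
# script can be re-run without stacking duplicate rules.
pbr_apply() {
    ip rule del from "${ADMIN_IP}/32" lookup "${ADMIN_TABLE}" priority "${RULE_PRIO}" 2>/dev/null || true
    pbr_commands | while IFS= read -r cmd; do
        echo "+ ${cmd}"
        ${cmd}   # word splitting is intended: each line is one ip(8) call
    done
}

# Show which interface the kernel would use for a reply sent from the admin
# IP to a host on the user LAN; the output should name ${ADMIN_IF}.
pbr_verify() {
    user_host="${1:-192.0.2.10}"   # constructed test address
    ip rule show
    ip route show table "${ADMIN_TABLE}"
    ip route get "${user_host}" from "${ADMIN_IP}"
}

case "${1:-}" in
    apply)  pbr_apply ;;
    verify) pbr_verify "${2:-}" ;;
    *)      pbr_commands ;;      # dry run: print the commands only
esac
```

Run it without arguments to review the generated commands, with `apply` to install them, and with `verify <user-lan-ip>` to confirm that a reply from the admin IP is routed via the admin interface. Once the policy is in place the admin flow is symmetric again, so strict reverse-path filtering (`net.ipv4.conf.all.rp_filter=1`) no longer drops it; the firewall between the user LAN and the admin subnet still decides which user-side source addresses may reach the admin interfaces at all, which is where the admin-only access control moves once the VPN is gone.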
