Symantec Privileged Access Management

  • 1.  CA PAM- Connect to external endpoints

    Posted Dec 21, 2017 02:38 AM

    Hello Team,

     

    We have a PAM appliance in our internal network, so PAM is able to connect to all the internal servers.

     

    Now, if we want to connect to the servers which are behind the firewall (internet-facing or in the DMZ), how can we use the same PAM appliance to connect to those endpoints?

     

    I have checked the link below; however, is that what is required in my case?

    Is it possible to add additional NIC cards to a virtual CA PAM appliance? 

     

    How can we implement PAM to connect to external endpoints through internal network? 

     

    Thanks,

    Nikunj



  • 2.  Re: CA PAM- Connect to external endpoints

    Broadcom Employee
    Posted Dec 21, 2017 09:59 AM

    Hi Nikunj, I am not sure what you are looking for. In general, whether your PAM server is able to connect to devices outside your internal network or not depends on your network configuration and firewall settings, not on what you configure in PAM. What PAM provides is configuration of additional routes, where you can specify the gateway that should be used for connections to a range of destination IPs, and also which interface should be used for the communication to these IPs if you have multiple network interfaces configured. Additional routes can be configured under Configuration > Network > Additional Routes.



  • 3.  Re: CA PAM- Connect to external endpoints

    Posted Dec 21, 2017 10:21 AM

    Thanks for the reply. 

     

    Actually, what I want is to connect to the endpoints (which are not in the internal network) through PAM (which is in the internal network). So can configuring the NIC help?

     

    Suppose our PAM appliance is in the internal network (.net domain) and we want to access endpoints which are in the DMZ/external network (.biz domain). Now there is no direct connectivity from the .net domain to the .biz domain.

     

    So, how do we connect to the .biz servers from PAM?

     

    Hope this makes sense. 



  • 4.  Re: CA PAM- Connect to external endpoints

    Broadcom Employee
    Posted Dec 21, 2017 10:33 AM

    Hi, This is a question that your network team has to answer.



  • 5.  Re: CA PAM- Connect to external endpoints

    Posted Dec 21, 2017 10:07 AM

    You may need to open a support case to get assistance in configuring your appliance(s) from multiple networks (NICs).

     

    Kirk



  • 6.  Re: CA PAM- Connect to external endpoints
    Best Answer

    Posted Dec 21, 2017 01:53 PM

    You have two options. 

    1. Open the respective ports from PAM to the end device, i.e. RDP/SSH/HTTPS etc., and the proxy ports for password management; the exact port numbers can be found on the docops site.

     

    2. PAM has 8 physical ports or interfaces on physical appliances; you can connect these ports to the network where your devices are residing, for example the DMZ. The same logic applies to the virtual appliance.

     

    Hope this helps. 



  • 7.  Re: CA PAM- Connect to external endpoints

    Posted Dec 22, 2017 03:36 AM

    Thanks for this. I have some more queries:

     

    1. Open the respective ports from PAM to the end device, i.e. RDP/SSH/HTTPS etc., and the proxy ports for password management; the exact port numbers can be found on the docops site.

    [Nikunj]: This doesn't seem to be a feasible solution, as, suppose we have 500 servers in the DMZ, we would have to configure the firewall each time. Also, if a new server is introduced in the external network, the firewall settings need to be changed each time for each new server. This will only increase the overhead, although it can be considered as a last option.

     

    2. PAM has 8 physical ports or interfaces on physical appliances; you can connect these ports to the network where your devices are residing, for example the DMZ. The same logic applies to the virtual appliance.

    [Nikunj]: This looks interesting. So, my query is: if I configure the network address of the .biz domain (which is external and behind the firewall), will this not need any firewall settings? Will PAM be able to connect directly to the external servers? How will PAM know from which port to connect? I am confused; I am not getting this logically, how this can be implemented. I request you to please explain this point in detail.

     

    Thanks in advance. 



  • 8.  Re: CA PAM- Connect to external endpoints

    Broadcom Employee
    Posted Dec 22, 2017 09:58 AM

    1. Firewall rules don't need to be so strict that you would need a new one for every device in your DMZ. A single blanket firewall rule that says to "allow all traffic from the PAM appliance(s) into the DMZ" would be adequate. If you add a device to the DMZ, then it would inherit that rule.

     

    2. Connecting PAM (or any other device) to multiple networks is called multi-homing. Essentially, PAM will have a valid interface and IP address on more than one separate network (those networks don't even have to be able to connect to each other). Using a route defined in PAM you can tell it which IP addresses to access via the second (third, fourth, ...) interface. All other traffic will follow the default route (likely out your internal network). Please talk to your network team for a better understanding of this; they should be able to explain it in more detail, both generally and as it relates to your network.

     

    If your PAM appliance is multi-homed, then the traffic may not need to traverse any firewalls when it leaves PAM: it goes out one interface for internal devices and another for external, and both of those interfaces are connected to their respective networks. This adds a bit of risk, as PAM now becomes a potential ingress point for attackers who compromise a server in your DMZ, allowing them to bypass the firewall and gain access to your network (the whole point of a DMZ is to prevent ingress in the event of a compromised public-facing server). Of course, the likelihood of PAM getting compromised in such a way is very slim; I would argue that your firewall is less secure, but multi-homing PAM into your DMZ does increase your attack surface.
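The two mechanisms discussed in this thread (a blanket CIDR-scoped firewall rule from PAM into the DMZ, and static routes on a multi-homed appliance choosing an egress interface per destination range) can be modelled in a few lines. The following is an added example written for this page; it is not code from the thread, from Broadcom, or from the PAM product, and it does not talk to an appliance. All addresses, interface names (eth0/eth1), gateways and rule entries are constructed for illustration; the route selection uses standard longest-prefix matching, which is how any IP stack picks between a default route and a more specific additional route.

```python
"""Model of multi-homed egress routing and a CIDR-scoped firewall rule.

Added example for this forum thread (not PAM product code). Every address,
interface name and rule below is constructed; the logic is generic IP
routing (longest-prefix match) and first-match firewall evaluation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    interface: str
    gateway: Optional[ipaddress.IPv4Address]  # None = directly connected


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "allow" or "deny"


def build_routes(entries: Iterable[Tuple[str, str, Optional[str]]]) -> List[Route]:
    """Turn (cidr, interface, gateway-or-None) tuples into Route objects."""
    return [
        Route(
            ipaddress.ip_network(cidr, strict=False),
            iface,
            ipaddress.ip_address(gw) if gw else None,
        )
        for cidr, iface, gw in entries
    ]


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific route containing dst wins.

    A 0.0.0.0/0 entry is the default route and only wins when nothing more
    specific matches, which is exactly how an 'additional route' for a DMZ
    range steers that range out a second interface while everything else
    keeps using the default (internal) path.
    """
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in routes:
        if ip in r.destination and (
            best is None or r.destination.prefixlen > best.destination.prefixlen
        ):
            best = r
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins; implicit deny when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return "deny"


# --- constructed topology ---------------------------------------------------
PAM_INTERNAL_IP = "10.10.5.20"   # eth0, internal (.net) network
PAM_DMZ_IP = "192.0.2.20"        # eth1, DMZ (.biz) network, if multi-homed

ROUTES = build_routes([
    ("0.0.0.0/0", "eth0", "10.10.5.1"),          # default: internal gateway
    ("192.0.2.0/24", "eth1", None),               # DMZ segment directly on eth1
    ("198.51.100.0/24", "eth1", "192.0.2.1"),     # second DMZ segment via DMZ router
])

# Option 1 from the thread: one blanket rule from PAM into the whole DMZ range.
BLANKET_RULES = [Rule(ipaddress.ip_network(PAM_INTERNAL_IP + "/32"),
                      ipaddress.ip_network("192.0.2.0/24"), "allow")]

# The per-host alternative the poster was worried about: one rule per server.
PER_HOST_RULES = [Rule(ipaddress.ip_network(PAM_INTERNAL_IP + "/32"),
                       ipaddress.ip_network(h + "/32"), "allow")
                  for h in ("192.0.2.10", "192.0.2.11")]


def egress_for(dst: str) -> Tuple[str, Optional[str]]:
    """Return (interface, gateway-as-string-or-None) the appliance would use."""
    r = lookup(ROUTES, dst)
    return r.interface, (str(r.gateway) if r.gateway else None)


if __name__ == "__main__":
    new_dmz_host = "192.0.2.77"   # a server added to the DMZ after the rules were written
    print("internal 10.10.7.3  ->", egress_for("10.10.7.3"))
    print("DMZ", new_dmz_host, "->", egress_for(new_dmz_host))
    print("blanket rule :", evaluate(BLANKET_RULES, PAM_INTERNAL_IP, new_dmz_host))
    print("per-host rule:", evaluate(PER_HOST_RULES, PAM_INTERNAL_IP, new_dmz_host))
```

Running it shows the two points the replies above make: with a single /24-scoped rule the new host 192.0.2.77 is allowed without touching the firewall, whereas the per-host rule set denies it until someone adds a rule; and with the additional routes in place, 192.0.2.77 leaves on eth1 with no gateway (directly connected) while 10.10.7.3 still takes the default route on eth0. Note that `evaluate()` models the perimeter firewall only: traffic leaving a multi-homed appliance on eth1 never reaches that firewall, which is precisely the attack-surface trade-off the last reply describes.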