
Team,


Good morning, and Happy Friday!


I had a meeting with my server admins and network engineers. I was told they must access hundreds of servers through RDP, as well as network gear such as routers, switches, and administration consoles. In addition, smaller /24 subnets may be created. To make administration of NPA easier, I was going to add a /16 or /8 subnet range to my NPA configuration that includes all the above devices. I wanted to know if anyone has had any issues or limitations with NPA using large subnets. The extensive subnet ranges will only be used for two groups. All other teams will have one-to-one NPA configuration.


Thanks again for your time and input.

If I understand you correctly, then you’ll create something like:

App definitions:

  • RDP-SSH-APP 10.0.0.0/16 ports 22, 3389
  • Business-APP1 10.0.0.1/32 ports XX

Policies: 

  • RDP-SSH-APP group Admins action Allow
  • Business-APP1 group BusApp1 action Allow

The key here, in my experience, is not to have overlapping host+port definitions in the App definitions, so XX=22 or XX=3389 above might cause issues in policy processing in NPA.

From a ZTNA perspective you can argue that building a 10.0.0.0/8 policy is hardly ZTNA, even if ports are locked down to administration tools, but I would expect it to work. We have played with /16 definitions without any issues.
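The overlap rule in the reply above is easy to check mechanically before pushing a configuration. The script below is an added example for this thread, not part of the original post and not Netskope's own tooling: it models each private app as a name, a list of CIDRs and a set of ports, and reports every pair whose address ranges intersect and that also share a port. The sample definitions are constructed from the ones discussed above (with XX set to 22 for one business app to show the conflict); protocol (TCP vs UDP) is deliberately ignored, which is an assumption made for simplicity.

```python
"""Flag host+port overlaps between NPA-style private app definitions.

Added example, not from the thread and not Netskope's own tooling. An app
definition is modelled as a name, a tuple of CIDRs and a set of ports; two
definitions conflict when any of their address ranges intersect AND they
share at least one port. Protocol (TCP vs UDP) is ignored here, which is an
assumption made for simplicity.
"""
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class AppDef:
    name: str
    cidrs: tuple          # tuple of ipaddress.ip_network objects
    ports: frozenset      # integer ports


def parse_ports(spec: str) -> frozenset:
    """Expand '22,3389,8000-8002' into a frozenset of ints, validating range."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (1 <= lo_i <= hi_i <= 65535):
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return frozenset(ports)


def make_app(name: str, cidrs: str, ports: str) -> AppDef:
    """Build an AppDef from comma-separated CIDRs and a port spec."""
    nets = tuple(ipaddress.ip_network(c.strip(), strict=False)
                 for c in cidrs.split(",") if c.strip())
    return AppDef(name, nets, parse_ports(ports))


def find_overlaps(apps):
    """Return [(app_a, app_b, shared_ports)] for every conflicting pair."""
    conflicts = []
    for a, b in combinations(apps, 2):
        shared = a.ports & b.ports
        if not shared:
            continue  # distinct ports: the same host in two apps is fine
        # ip_network.overlaps() is true when either network contains the other
        if any(na.overlaps(nb) for na in a.cidrs for nb in b.cidrs):
            conflicts.append((a.name, b.name, sorted(shared)))
    return conflicts


def sample_apps():
    """Constructed sample mirroring the definitions discussed above."""
    return [
        make_app("RDP-SSH-APP", "10.0.0.0/16", "22,3389"),
        make_app("Business-APP1", "10.0.0.1/32", "22"),      # XX=22: conflicts
        make_app("Business-APP2", "10.0.0.1/32", "443"),     # distinct port: OK
        make_app("Business-APP3", "192.168.1.10/32", "22"),  # outside range: OK
    ]


if __name__ == "__main__":
    for a, b, ports in find_overlaps(sample_apps()):
        print(f"CONFLICT: {a} and {b} overlap on port(s) {ports}")
```

Running it on the constructed sample flags only RDP-SSH-APP against Business-APP1 on port 22; a business app on a different port, or on a host outside the /16, passes. Feed it an exported list of your real app definitions before you widen a range to /16 or /8.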


Thanks for the reply. You are correct. The employees who support our infrastructure need access to the entire subnet for troubleshooting and building hundreds of servers and network devices.

I planned to create the below configuration.

APP1

RDP-SSH-APP 10.0.0.0/8 - Admins action allowed - This will cover all server and network admins. I have 10 admins that will have access to this private app. 

Ports - 22,3389 and any other ports that are needed. 


APP2

Business-APP (This will be configured separately) 

This will be done as true ZTNA. The apps will be entered individually with IPs and hostnames. 

Your thoughts?



As long as you don't have overlaps in TCP/UDP ports between RDP-SSH-APP and the Business-APPs, I suspect it will work.

From a policy perspective, it seems a bit lazy of your Admins to just ask for 10.0.0.0/8 access.
IMHO, this too should be narrowed down to the server and network administration subnets.
This could be done with a script using API calls or a small Terraform file that maintains this, and if you build them as multiple apps and tag them all, you can apply a bulk policy such that no policy updates are required when you add/delete segments from that list.
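To make the "narrow it down and maintain it by script" suggestion concrete, here is an added example (not from the thread, and not Netskope's API or Terraform provider) of the planning half of such a script: it collapses a list of administration subnets into the smallest set of CIDRs, turns each into a tagged app definition so one tag-based policy covers them all, and diffs the desired set against what already exists so only changed segments would be created or deleted. The dict shape used for an app definition, the tag name and the port list are assumptions for the example; the subnet lists are constructed.

```python
"""Plan and reconcile narrowed admin-subnet app definitions.

Added example, not from the thread and not Netskope's API or Terraform
provider. It (1) collapses a list of server/network administration subnets
into the smallest set of CIDRs, (2) turns each into a tagged app definition
so a single tag-based policy covers them, and (3) diffs the desired set
against what already exists, so only the changed segments are created or
deleted. The dict shape for an app definition is an assumption made here.
"""
import ipaddress

ADMIN_PORTS = "22,3389"        # assumption: the admin protocols in use
ADMIN_TAG = "admin-segments"   # hypothetical tag referenced by the bulk policy


def collapse_subnets(cidrs, within="10.0.0.0/8"):
    """Collapse adjacent/overlapping subnets; reject anything outside `within`."""
    scope = ipaddress.ip_network(within)
    nets = []
    for c in cidrs:
        n = ipaddress.ip_network(c, strict=False)
        if not n.subnet_of(scope):
            raise ValueError(f"{n} is outside {scope}")
        nets.append(n)
    # collapse_addresses merges 10.10.0.0/24 + 10.10.1.0/24 into 10.10.0.0/23
    # and drops a /25 that sits inside an already-listed /24
    return list(ipaddress.collapse_addresses(nets))


def coverage_fraction(nets, within="10.0.0.0/8"):
    """Share of the `within` range the collapsed list actually exposes."""
    scope = ipaddress.ip_network(within)
    return sum(n.num_addresses for n in nets) / scope.num_addresses


def plan_admin_apps(cidrs, tag=ADMIN_TAG, ports=ADMIN_PORTS):
    """One app definition per collapsed CIDR, all carrying the same tag."""
    return [
        {"name": f"ADM-{n.network_address}-{n.prefixlen}",
         "host": str(n), "ports": ports, "tags": [tag]}
        for n in collapse_subnets(cidrs)
    ]


def reconcile(existing, desired):
    """Return (to_create, to_delete) keyed by host; unchanged apps are untouched."""
    have = {a["host"]: a for a in existing}
    want = {a["host"]: a for a in desired}
    to_create = [want[h] for h in sorted(set(want) - set(have))]
    to_delete = [have[h] for h in sorted(set(have) - set(want))]
    return to_create, to_delete


# Constructed sample inputs for the demonstration
ADMIN_SUBNETS = ["10.10.0.0/24", "10.10.1.0/24", "10.20.5.0/24", "10.20.5.128/25"]
EXISTING_APPS = plan_admin_apps(["10.10.0.0/23", "10.30.0.0/24"])  # pretend current state

if __name__ == "__main__":
    nets = collapse_subnets(ADMIN_SUBNETS)
    print("collapsed:", [str(n) for n in nets])
    print(f"exposes {coverage_fraction(nets):.6%} of 10.0.0.0/8")
    create, delete = reconcile(EXISTING_APPS, plan_admin_apps(ADMIN_SUBNETS))
    print("create:", [a["host"] for a in create])
    print("delete:", [a["host"] for a in delete])
```

The create/delete lists are what the API or Terraform step would act on; the policy itself never changes because it references the tag rather than individual apps. Keeping the subnet list in version control and running the plan in CI gives you a reviewable record of every segment the admins are granted.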


Thanks for the update; excellent point.

I will verify if the subnets are divided between servers and network administration. I think the same team members access both. This is due to having backup personnel. 
