M4IP - Any IP Access
Optional: enable remote access to IP resources over WireGuard
What is an IP resource?
An IP resource is any subnet or IP address plus port(s) combination. For example:
- 10.0.1.0/24 & ports 22,80,443,5600-5609
- 10.0.2.124/32 & ports 80,443
It is recommended that users NOT be given direct IP access to SSH servers and databases. Best practice is to route those connections through their respective proxies, which provides better management, security, monitoring and activity recording.
Overview
Remote access is provided via a WireGuard VPN. WireGuard is a fast VPN that uses modern cryptography; it is faster and simpler than IPsec and considerably more performant than OpenVPN.
Mamori simplifies the WireGuard configuration and integrates it with identity management, 2FA, Access On-Demand and monitoring services.
What triggers a user's multi-factor authentication?
A user's multi-factor authentication is triggered when they access an IP resource, not when they bring up the WireGuard network. The authentication then remains valid until the user has been inactive for the configured period of time.
Steps
To configure remote access via Mamori, follow the steps below.
Prerequisites
Step 1 - Configure Wireguard
Step 2 - Define IP resources
Step 3 - Grant IP resources to users and/or roles
Step 4 - Add user devices
Step 5 - Define on-demand access policies for users and/or roles
Configure Wireguard
The wireguard configuration is broken up into three parts:
- Virtual peer network
- Subnets to publish
- Email template users receive for a new peer
To view and manage the WireGuard configuration
Click Wireguard
Click Settings
Click NETWORK in the dialog
Next, enter the details
| Field | Description |
| --- | --- |
| Public Address | Defaults to your Mamori server IP |
| Port | Defaults to 51871 |
| Private IP Address | Desired server IP in the new peer subnet |
| Private IP Subnet Mask | Defaults to 255.255.255.0 |
| Your DNS Server IP (optional) | Set if you want to access resources by name |
| Maximum Transmission Unit (MTU) | Default 1420. If connectivity issues exist, set a lower value. |
| Intrusion Alert Channels | The alert channel(s) to notify when a device is locked |
| Intrusion Scan Threshold | Default 25. Number of unique IPs and ports a device can scan before being blocked. |
| Auto-enrollment Role(s) | Select PUBLIC to ensure all users have peers automatically added when they log in for the first time |
| Max Number Of User Added Peer(s) | Maximum number of devices a user can self-register |
Click SUBNETS in the dialog
Next, enter the details
| Field | Description |
| --- | --- |
| Exposed Subnets | Comma separated list of local subnets to publish, e.g. 192.168.1.0/24, 10.50.0.0/16 |
| Network Interface | Comma separated list of interfaces, one for each exposed subnet |
Click Generate to generate the network UP script
Click EMAIL in the dialog
Review and edit the email template sent to a user when a new peer is created
Click Save
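The Intrusion Scan Threshold above is the one setting in this dialog that locks devices automatically, so it is worth seeing the rule it implies. The block below is an added example, not Mamori's code: it replays the rule over connection records, counting distinct (destination IP, port) targets per peer and flagging any peer that exceeds the threshold (the page's default of 25). The record format, the device names and the choice of "no time window" are assumptions made for the example.

```python
"""Added example (not Mamori's code): replay the 'Intrusion Scan Threshold'
rule over connection records.  The page says a device is locked once it has
scanned more than the threshold of unique IPs and ports (default 25); this
model counts distinct (destination IP, port) tuples per peer, with no time
window.  The record format below is invented for the example.
"""
import re
from collections import defaultdict

DEFAULT_SCAN_THRESHOLD = 25  # page default

# Invented one-line-per-attempt format: peer=<device> dst=<ip> dport=<port>
RECORD = re.compile(r"peer=(?P<peer>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_records(lines):
    """Yield (peer, dst_ip, dst_port); lines that do not match are skipped."""
    for line in lines:
        m = RECORD.search(line)
        if m:
            yield m["peer"], m["dst"], int(m["dport"])


def distinct_targets(lines):
    """Per peer, the set of distinct (ip, port) targets it has touched."""
    seen = defaultdict(set)
    for peer, dst, dport in parse_records(lines):
        seen[peer].add((dst, dport))
    return seen


def peers_to_lock(lines, threshold=DEFAULT_SCAN_THRESHOLD):
    """Peers whose distinct-target count exceeds the threshold, with the count.

    'can scan N before being blocked' is read as: N distinct targets are
    allowed, the (N+1)th locks the device, hence the strict '>'.
    """
    return {peer: len(t) for peer, t in distinct_targets(lines).items() if len(t) > threshold}


def alert_messages(locked):
    """Text to send to the configured Intrusion Alert Channel for each locked peer."""
    return [f"device {peer} locked: {n} unique ip:port targets exceeds scan threshold"
            for peer, n in sorted(locked.items())]


def build_sample_log():
    """Constructed records: a user re-using 3 endpoints, and a device sweeping port 22 across 30 hosts."""
    lines = []
    for _ in range(10):
        lines += ["peer=alice-laptop dst=10.0.1.10 dport=443",
                  "peer=alice-laptop dst=10.0.1.10 dport=80",
                  "peer=alice-laptop dst=10.0.2.124 dport=443"]
    for host in range(1, 31):
        lines.append(f"peer=mallory-phone dst=10.0.1.{host} dport=22")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for msg in alert_messages(peers_to_lock(log)):
        print(msg)
```

Repeated connections to the same endpoint do not add to the count, so a user cycling between a handful of hosts stays well under the threshold while a port sweep trips it at its 26th distinct target. Because this model keeps no time window, the counts have to be reset (for example per session) or a long-lived device would eventually accumulate enough legitimate targets to be locked.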
Define IP resources
To view and manage IP resources
Click Wireguard
Click IP Resources
Click Add
Next, enter the details
| Field | Description |
| --- | --- |
| Resource Name | Label used to reference the resource in grants |
| IP Address | Host or subnet in CIDR form. Example: 10.0.100.0/24 covers 10.0.100.* |
| Ports | Comma separated ports and ranges. Example: 22,43,80,5000-6000 |
Click ADD
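To make the resource definition above (and the two examples under "What is an IP resource?") concrete, the following added example, which is not Mamori's code, models a resource as a network plus a port set, answers "which resource permits this destination?", and flags resources that grant direct access to SSH or database ports, which the page recommends routing through a proxy instead. The resource names dev_net and dev_web, and the list of ports treated as "should be proxied", are assumptions for the example.

```python
"""Added example (not Mamori's code): model IP resources as the page defines
them, a subnet-or-host plus a port list, and check which resource permits a
destination.  Resource names and the PROXIED_PORTS list are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Ports the page recommends serving via a proxy rather than a direct IP grant:
# SSH plus common database listeners.  The set is chosen here, not taken from the page.
PROXIED_PORTS = {22: "ssh", 1433: "mssql", 1521: "oracle", 3306: "mysql",
                 5432: "postgres", 27017: "mongodb"}


@dataclass(frozen=True)
class IPResource:
    name: str
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    ports: frozenset[int]


def parse_ports(spec: str) -> frozenset[int]:
    """Expand '22,43,80,5000-6000' into the set of ports it denotes."""
    ports: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo_n, hi_n + 1))
    return frozenset(ports)


def make_resource(name: str, address: str, ports: str) -> IPResource:
    """Build a resource; a bare address becomes a /32, '10.0.100.0/24' covers 10.0.100.*."""
    return IPResource(name, ipaddress.ip_network(address, strict=False), parse_ports(ports))


def find_grant(resources, dest_ip: str, dest_port: int) -> str | None:
    """Name of the first resource whose network and port set both cover the destination."""
    ip = ipaddress.ip_address(dest_ip)
    for r in resources:
        if ip.version == r.network.version and ip in r.network and dest_port in r.ports:
            return r.name
    return None


def direct_proxied_ports(resource: IPResource) -> dict[int, str]:
    """Ports in the resource that the page recommends routing via a proxy instead."""
    return {p: svc for p, svc in PROXIED_PORTS.items() if p in resource.ports}


# Constructed resources mirroring the page's two examples (names are assumed).
RESOURCES = [
    make_resource("dev_net", "10.0.1.0/24", "22,80,443,5600-5609"),
    make_resource("dev_web", "10.0.2.124/32", "80,443"),
]

if __name__ == "__main__":
    for ip, port in [("10.0.1.77", 5605), ("10.0.1.77", 5610), ("10.0.2.124", 443), ("10.0.2.125", 443)]:
        print(f"{ip}:{port} -> {find_grant(RESOURCES, ip, port)}")
    for r in RESOURCES:
        if direct_proxied_ports(r):
            print(f"warning: {r.name} grants direct access to {direct_proxied_ports(r)}")
```

Run as a script it shows that 10.0.1.77:5605 falls inside dev_net's 5600-5609 range while 5610 does not, that the /32 resource matches exactly one host, and that dev_net exposes port 22 directly, which is the case the page advises against.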
Grant IP resources to users and/or roles
To grant IP resources to a user or role
Navigate to users or roles
Click Users
Or
Click Roles
Click Edit
Click SSH & SERVER ACCESS
Click IP Resources
Select IP Resources
For on-demand access, grant the IP resources to a role rather than directly to users. The role is then granted to the requesting user by an on-demand policy, and the grant expires as the policy specifies.
Add User Device(s)
To add a device (WireGuard peer) for a user
Click Wireguard
Click Peers
Click Add
Next, enter the details
| Field | Description |
| --- | --- |
| Mamori User | The identity this device will be linked to |
| Device Name | Reference name for the device |
| Advanced Option: Peer Public Key | The device's WireGuard public key |
| Advanced Option: Peer Private IP Address | The device's IP in the WireGuard peer network |
Click Add Peer
After adding the peer, Mamori displays the device configuration.
Click Email Configuration to email the configuration and client setup instructions to the user.
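The device configuration shown at this step is a standard WireGuard client file built from the NETWORK and SUBNETS settings. The block below is an added example, not Mamori's code or its email template: it renders such a file from those settings, keeps AllowedIPs limited to the peer network plus the exposed subnets (a split tunnel, so only published traffic crosses the VPN), and emits a placeholder instead of a private key when the device supplied its own public key via the Peer Public Key option, so the private key never leaves the device. Defaults are taken from the page (port 51871, mask 255.255.255.0, MTU 1420, exposed subnets 192.168.1.0/24, 10.50.0.0/16); the host name vpn.example.net, the peer network 10.100.0.0/24 and the keys are constructed and not real.

```python
"""Added example (not Mamori's code or email template): render the kind of
WireGuard client configuration the peer step hands to a user, from the
NETWORK/SUBNETS settings.  Defaults come from the page; the host name, peer
network and keys are constructed and are not real.
"""
from __future__ import annotations

import base64
import ipaddress
from dataclasses import dataclass


def check_wg_key(key: str) -> str:
    """A WireGuard key is 32 bytes, base64-encoded; reject anything else early."""
    if len(base64.b64decode(key, validate=True)) != 32:
        raise ValueError("WireGuard keys must decode to 32 bytes")
    return key


@dataclass
class NetworkSettings:
    public_address: str                  # 'Public Address'
    server_private_ip: str               # 'Private IP Address' (server's IP in the peer subnet)
    exposed_subnets: str                 # 'Exposed Subnets', comma separated
    subnet_mask: str = "255.255.255.0"   # 'Private IP Subnet Mask' default
    port: int = 51871                    # 'Port' default
    dns: str | None = None               # 'Your DNS Server IP (optional)'
    mtu: int = 1420                      # 'MTU' default

    def peer_network(self):
        return ipaddress.ip_network(f"{self.server_private_ip}/{self.subnet_mask}", strict=False)


def allowed_ips(settings: NetworkSettings) -> list[str]:
    """Split tunnel: route only the peer network and the published subnets via the VPN."""
    published = [str(ipaddress.ip_network(s.strip()))
                 for s in settings.exposed_subnets.split(",") if s.strip()]
    return [str(settings.peer_network())] + published


def render_client_config(settings, peer_private_ip, server_public_key, device_private_key=None):
    """Client-side [Interface]/[Peer] text.  When the key pair was generated on the
    device ('Peer Public Key' option) the server never had the private key, so a
    placeholder is written for the user to fill in on the device."""
    net = settings.peer_network()
    if ipaddress.ip_address(peer_private_ip) not in net:
        raise ValueError(f"{peer_private_ip} is not inside the peer network {net}")
    priv = ("<private key generated on the device>" if device_private_key is None
            else check_wg_key(device_private_key))
    lines = ["[Interface]", f"PrivateKey = {priv}",
             f"Address = {peer_private_ip}/{net.prefixlen}", f"MTU = {settings.mtu}"]
    if settings.dns:
        lines.insert(3, f"DNS = {settings.dns}")
    lines += ["", "[Peer]",
              f"PublicKey = {check_wg_key(server_public_key)}",
              f"Endpoint = {settings.public_address}:{settings.port}",
              f"AllowedIPs = {', '.join(allowed_ips(settings))}",
              "PersistentKeepalive = 25"]
    return "\n".join(lines) + "\n"


def routes_all_traffic(config: str) -> bool:
    """True if the config would tunnel everything (0.0.0.0/0 or ::/0) rather than just the published subnets."""
    for line in config.splitlines():
        if line.startswith("AllowedIPs"):
            nets = {n.strip() for n in line.split("=", 1)[1].split(",")}
            return bool(nets & {"0.0.0.0/0", "::/0"})
    return False


# Constructed inputs: not a real key (base64 of the bytes 0..31), not a real host.
SAMPLE_SERVER_PUB = base64.b64encode(bytes(range(32))).decode()
SAMPLE_SETTINGS = NetworkSettings(public_address="vpn.example.net", server_private_ip="10.100.0.1",
                                  exposed_subnets="192.168.1.0/24, 10.50.0.0/16")

if __name__ == "__main__":
    print(render_client_config(SAMPLE_SETTINGS, "10.100.0.7", SAMPLE_SERVER_PUB))
```

routes_all_traffic is the check to run on any configuration before it is emailed: with AllowedIPs limited as above, a device reaches only the published subnets, whereas 0.0.0.0/0 would push the user's entire traffic through the Mamori server. The example also refuses a peer address outside the peer network, which would otherwise produce a file that WireGuard accepts but that never routes.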
Define on-demand access policies
To create on-demand IP resource policies
Prerequisites
Click Policies
Click Access On Demand
Click Add
Policy Editor
Add a time parameter
Enter the statement below in the policy script
On Demand Policy
```
GRANT YOUR_IPRESOURCE_NAME TO :applicant VALID for :time minutes;
```
Example Policy Grant Statements
- dev_web & dev_ssh are IP Resources
- :applicant is the user making the request
- :time is the custom parameter
```
GRANT dev_web TO :applicant VALID for :time minutes;
GRANT dev_ssh TO :applicant VALID for :time minutes;
```