I'm a systems admin for a small business, and I'm feeling a bit overwhelmed with my workload, especially since my background isn't in computers. We've been required to implement MFA for all network devices with administrative access due to security insurance. Previously, we outsourced this task for a Barracuda Backup appliance that unfortunately doesn't support native MFA or act as a RADIUS client. Our chosen consultant managed to secure it behind a Cisco Meraki switch (which requires MFA) but since that license expired and we opted not to renew due to costs, I need a new solution. I'm considering using a jump host (a repurposed server) for access to the backup appliance, which would only be reachable via this jump host that has DUO installed. This server would also allow the appliance to connect to the Barracuda cloud for replication. What would be the best approach to ensure I meet the MFA requirement?
4 Answers
In our setup, our firewall denies access to devices that don’t support MFA. For those that can’t, we use an SSH tunnel through a Rocky Linux server with Google Authenticator. This means password access is turned off, and only users with encrypted SSH keys can connect. They authenticate using TOTP codes from their app after that. Here's a good resource for the implementation: [Google Authenticator PAM](https://github.com/google/google-authenticator-libpam/).
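An added example (not code from this thread or from the google-authenticator-libpam project) that audits a jump host for the pattern this answer describes: SSH keys plus a PAM-injected TOTP prompt, with password logins disabled. It reads the output of `sudo sshd -T` (one lowercase keyword and value per line) from a file and reports which of the four settings are wrong. The drop-in path `/etc/ssh/sshd_config.d/50-mfa.conf` is an assumption; the keyword names are the ones `sshd -T` prints, and the PAM line is the one the libpam README installs.

```shell
#!/bin/sh
# Audit an OpenSSH server for "public key AND keyboard-interactive (TOTP), no passwords".
# Usage: sudo sshd -T > /tmp/effective.conf && ./mfa-audit.sh /tmp/effective.conf

# Print the value of one keyword from an `sshd -T` dump (first match; empty if absent).
sshd_value() {
    awk -v k="$2" 'tolower($1) == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Exit 0 when the dump shows PAM on, password logins off, keyboard-interactive on,
# and AuthenticationMethods chaining publickey with keyboard-interactive.
# Every failed check is reported on stderr; exit 1 if any failed.
check_mfa_sshd() {
    cfg="$1"
    fails=0

    if [ "$(sshd_value "$cfg" usepam)" != "yes" ]; then
        echo "FAIL: UsePAM must be yes (PAM is what adds the TOTP prompt)" >&2
        fails=$((fails + 1))
    fi

    if [ "$(sshd_value "$cfg" passwordauthentication)" != "no" ]; then
        echo "FAIL: PasswordAuthentication must be no" >&2
        fails=$((fails + 1))
    fi

    # OpenSSH 8.7+ prints kbdinteractiveauthentication; older releases print
    # challengeresponseauthentication. Whichever is present must be yes.
    ki=$(sshd_value "$cfg" kbdinteractiveauthentication)
    [ -n "$ki" ] || ki=$(sshd_value "$cfg" challengeresponseauthentication)
    if [ "$ki" != "yes" ]; then
        echo "FAIL: KbdInteractiveAuthentication (or ChallengeResponseAuthentication) must be yes" >&2
        fails=$((fails + 1))
    fi

    # sshd -T prints method lists space-separated; at least one list must require
    # both factors. "any" or a lone method means a key (or a code) alone is enough.
    am_ok=1
    for entry in $(sshd_value "$cfg" authenticationmethods); do
        case "$entry" in
            *publickey*keyboard-interactive*|*keyboard-interactive*publickey*) am_ok=0 ;;
        esac
    done
    if [ "$am_ok" -ne 0 ]; then
        echo "FAIL: AuthenticationMethods must require publickey,keyboard-interactive" >&2
        fails=$((fails + 1))
    fi

    [ "$fails" -eq 0 ]
}

# Print a drop-in that satisfies the checks above (path is an assumption).
print_mfa_sshd_dropin() {
    cat <<'EOF'
# /etc/ssh/sshd_config.d/50-mfa.conf
UsePAM yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
# And in /etc/pam.d/sshd, ahead of the distribution's password stack:
# auth required pam_google_authenticator.so
EOF
}

# Run the audit when a dump file is given on the command line.
if [ -n "$1" ]; then
    check_mfa_sshd "$1" && echo "OK: key + TOTP enforced, passwords disabled"
fi
```

Run `sudo sshd -T` on the Rocky host after editing, not `cat sshd_config`, because `-T` shows the effective values after all includes and Match blocks; a stray `AuthenticationMethods any` in a later drop-in silently undoes the chain.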
Setting up a PAW or jump box is a smart move! Just restrict access to the Barracuda appliance so it's only reachable via the jump box, and enforce MFA for connections to that box. It'll help keep everything secure without complicating your setup too much.
If you're accessing the device via HTTP/S, consider using a reverse proxy or a Web Application Firewall (WAF) to enforce MFA. It shouldn't take too long to set up and can be very effective.
A good rule of thumb is if you can't add MFA directly to a device, just create a barrier around it with MFA. This is essentially what you had planned with the jump host, which sounds like a solid approach. Just make sure your jump host is secure and easily manageable.
That sounds great! Can you elaborate on how I would set up a reverse proxy with our Sonicwall NSA 2650? I'm eager to understand the specifics.