1. Architectural Overview
Mirket PAM is designed as a centralized privileged access control point.
Core principles:
Users must not access target systems directly
All privileged access must be performed through Mirket PAM
Direct RDP and SSH access must be restricted at the network level
2. High-Level Architecture
User → HTTPS (443) → Mirket PAM → RDP / SSH → Target Servers
Flow:
Users access the PAM web interface via HTTPS.
Authentication and authorization are enforced.
PAM initiates the RDP or SSH connection to the target system.
Sessions are proxied and recorded through PAM.
Users access PAM only via HTTPS (TCP 443).
A valid TLS certificate must be configured.
Multi-Factor Authentication (MFA) should be enforced.
PAM should be deployed in a secure network segment or DMZ.
4. Blocking Direct Access
Firewall-Level Restrictions
The following controls must be implemented:
Direct RDP (TCP 3389) access from user networks to Windows servers must be blocked.
Direct SSH (TCP 22) access from user networks to Linux servers must be blocked.
Only the Mirket PAM server IP address should be allowed to access:
5. Lateral Movement Prevention
To prevent lateral movement between servers:
Windows Servers
Windows Firewall should be configured so that:
RDP (3389) inbound connections are allowed only from the Mirket PAM IP address
All other RDP sources must be blocked
Linux Servers
Linux firewall (iptables / ufw) should be configured so that:
SSH (22) access is allowed only from the Mirket PAM IP address
All other SSH connections must be denied
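The Linux half of the rule above, as an added example that is not part of Mirket's documentation or product: a POSIX shell script that prints the iptables or ufw commands restricting SSH to the PAM address, and audits an `iptables -S INPUT` dump for any tcp/22 ACCEPT whose source is not the PAM IP or that lacks a catch-all drop. The PAM address 10.10.1.5/32 and both sample dumps are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Mirket's own tooling. PAM_IP is a placeholder address; SSH is assumed on tcp/22.
PAM_IP="${PAM_IP:-10.10.1.5/32}"

# Print (do not apply) the host firewall commands that allow SSH only from the PAM address.
# $1 = PAM IP in CIDR form, $2 = "iptables" or "ufw".
ssh_rules_for() {
  case "$2" in
    iptables)
      printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$1"
      printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n' ;;
    ufw)
      printf 'ufw allow from %s to any port 22 proto tcp\n' "$1"
      printf 'ufw deny 22/tcp\n' ;;
    *) return 2 ;;
  esac
}

# Audit a dump of `iptables -S INPUT`: every ACCEPT for tcp/22 must name the PAM IP as its
# source, and tcp/22 needs a catch-all DROP/REJECT unless the chain policy is already DROP.
# Prints each violation; exit status 0 means the host complies. $1 = PAM IP, $2 = dump text.
audit_ssh_rules() {
  printf '%s\n' "$2" | awk -v pam="$1" '
    BEGIN { bad = 0; drop = 0; policy = "" }
    /^-P INPUT / { policy = $3 }
    /--dport 22( |$)/ && /-j (DROP|REJECT)/ { drop = 1 }
    /--dport 22( |$)/ && /-j ACCEPT/ {
      src = "0.0.0.0/0"   # iptables -S omits -s when the source is "anywhere"
      for (i = 1; i <= NF; i++) if ($i == "-s") src = $(i + 1)
      if (src != pam) { print "VIOLATION: SSH accepted from " src ": " $0; bad = 1 }
    }
    END {
      if (!drop && policy != "DROP") { print "VIOLATION: no catch-all DROP for tcp/22 and INPUT policy is " policy; bad = 1 }
      exit bad
    }'
}

# Constructed sample dumps (not taken from a real host).
WEAK_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 3306 -j ACCEPT'
HARDENED_RULES='-P INPUT DROP
-A INPUT -s 10.10.1.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP'

ssh_rules_for "$PAM_IP" iptables
audit_ssh_rules "$PAM_IP" "$WEAK_RULES" || echo "weak ruleset rejected (expected)"
audit_ssh_rules "$PAM_IP" "$HARDENED_RULES" && echo "hardened ruleset compliant"
```

Rule order matters: the PAM allow must sit before the catch-all drop, and any earlier broad ACCEPT for tcp/22 already in the chain would take precedence over both, which is exactly what the audit flags.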
6. Network Segmentation
Recommended segmentation:
PAM Network (Control Zone)
Server Network (Privileged Zone)
There must be no direct connectivity from user networks to target servers.
Mirket PAM acts as the controlled access bridge between users and privileged systems.
7. Additional Security Recommendations
Enforce MFA for all privileged users.
Enable session recording for RDP and SSH sessions.
Use credential vaulting and password injection (users should not see raw credentials).
Implement Role-Based Access Control (RBAC).
Regularly patch and harden the PAM server.
Restrict exposed ports to the minimum required.
8. Security Model Summary