
Give a Hacker Access to Your Database (And Sleep Well)

Phantom Hub isolation + BiFrost Pass. 2 devices. 2 days. Zero risk.

February 2026

Your production database needs maintenance. The best DBA available is a freelance contractor — brilliant, but also a known hacker. You need him on the database server. You absolutely cannot give him access to anything else on your network. With Ghost Networks, this is a 2-minute setup.

The Problem

Traditional VPNs give contractors access to the entire network. Firewall rules are complex, error-prone, and often left open after the job is done. You need surgical access: one server, two devices, limited time.

Traditional VPN: contractor sees everything
Firewall rules: complex, fragile, forgotten
Manual revocation: someone has to remember
No visibility into what was accessed

Step 1: Create an Isolated Phantom Hub

Create a new Phantom Hub that contains only the database server. Nothing else from your network is visible inside this hub.

# Create an isolated hub for the DB server
ghost-cli hubs create --name "db-maintenance"
# Add only the database server to this hub
ghost-cli hubs add-device --hub <hub-id> \
--device <db-server-device-id>

The DB server is now in its own bubble. Even if the contractor scans the network, he sees nothing but the database.


Step 2: Generate a BiFrost Pass

Create a BiFrost Pass scoped to this hub. Allow 2 devices (the contractor's laptop and phone) with a 2-day expiration.

# Generate a BiFrost Pass
ghost-cli bifrost create --hub <hub-id> \
--max-devices 2 --expires 2d

That's it. A QR code or link. 2 devices max. 48 hours. Auto-expires.


Step 3: Contractor Scans & Connects

Send the BiFrost link or QR code to the contractor. He opens Ghost Networks on his phone or laptop, scans the code, and selects which devices to connect.

1. Contractor opens Ghost Networks app
2. Scans the BiFrost QR code
3. Selects his devices (laptop + phone)

Connected — sees only the DB server

Step 4: Work. Done. Gone.

The contractor does his work on the database. After 2 days, the BiFrost Pass expires automatically. No manual revocation needed.

Day 0: BiFrost Pass shared. Contractor connects.
Day 1-2: Contractor works on the database. Only sees the DB server.
Day 2 (48h): BiFrost Pass expires. Access revoked. Zero leftovers.

What the Contractor Sees vs. What Exists

Contractor's view

db-server-01
172.16.0.10 — PostgreSQL
...nothing else

Only the database server. Cannot ping, scan, or discover any other device on your network. The rest of your infrastructure is invisible.

Your actual network

web-server-01, web-server-02
api-gateway, auth-service
file-server, backup-nas
47 workstations, 12 IoT devices
admin-panel, monitoring, CI/CD

Dozens of servers, workstations, IoT devices, internal services. None of them are reachable from the contractor's Phantom Hub.
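
The isolation described above can be checked before the pass goes to the contractor. The script below is an added example, not Ghost Networks tooling or code from this post: run it from a test device that joined the hub through a BiFrost Pass. Host names and the DB address are taken from the two lists above; every port other than PostgreSQL's default 5432 is an assumption.

```python
import socket
import sys

# Constructed target list. Names and the DB address come from the two lists
# above; every port except PostgreSQL's default 5432 is an assumption.
# Use real internal IPs in practice: a name that fails to resolve inside the
# hub proves nothing about whether the address behind it is reachable.
DB = ("172.16.0.10", 5432)
OUT_OF_SCOPE = [("web-server-01", 443), ("api-gateway", 443),
                ("file-server", 445), ("backup-nas", 445), ("admin-panel", 443)]


def probe(host, port, timeout=2.0):
    """One TCP connect attempt: 'open', 'refused', 'unresolved' or 'silent'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"  # something answered with a RST: a packet path exists
    except socket.gaierror:
        return "unresolved"
    except OSError:  # timeout, no route to host, network unreachable
        return "silent"


def evaluate(pass_active, probe_fn=probe):
    """Return (host, port, state, verdict) rows for the DB and out-of-scope hosts."""
    rows = []
    for host, port in [DB] + OUT_OF_SCOPE:
        state = probe_fn(host, port)
        if (host, port) == DB and pass_active:
            verdict = "ok" if state == "open" else "FAIL"
        elif state == "silent":
            verdict = "ok"
        elif state == "unresolved":
            verdict = "inconclusive"  # retry this target by IP address
        else:
            verdict = "FAIL"  # 'open' or 'refused': something answered for it
        rows.append((host, port, state, verdict))
    return rows


if __name__ == "__main__":
    # Run once while the pass is valid, then again with "expired" after 48h,
    # when the DB server must have gone silent too.
    rows = evaluate(pass_active="expired" not in sys.argv[1:])
    for host, port, state, verdict in rows:
        print(f"{verdict:13}{host}:{port} -> {state}")
    sys.exit(0 if all(r[3] == "ok" for r in rows) else 1)
```

A "refused" result counts as a failure because a reset coming back means traffic for that address left the hub, even though the port itself is closed.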

Why This Works

Network-level isolation: not firewall rules, but actual cryptographic separation
Time-limited by design: access expires automatically, no one needs to remember
Device-limited: only 2 specific devices can connect, not "anyone with the password"
Zero trust: no VPN client config, no shared credentials, no leftover access
Full visibility: you know exactly who connected, when, and to what

Other Scenarios

🔍 External auditor: Give read-only access to financial servers for 1 week

🛠 Vendor support: Let a vendor debug their appliance without seeing your network

🕷 Pen test team: Scope the engagement to specific servers only

👤 Temporary employee: Day-1 access to their department, auto-revoke on last day