Dome9 provides functionality that enables you to fully protect your cloud servers by default. To gain access to a server, the admin requests a secure access lease, which by default provides access for 1 hour, for a specific server and protocol, connecting from a specific IP. Dome9 Central notifies the Dome9 Agent on your cloud server that there is a new policy to enforce (e.g., Allow SSH from IP address 18.104.22.168). The Agent then opens the designated port, enabling the identified user to gain access and carry out his tasks. After the lease expires (default is 1 hour), Dome9 Central notifies the Dome9 Agent to close the cloud server port.
For more see: http://dome9.com/