This is called Single Packet Authorization with Firewall Knock Operator (FWKNOP). To accomplish this, you alter packet filter rules to permit traffic only from a specific IP address (yours), once you have been authenticated via strong (mutually verified) signatures. At the network level, an ideal bastion host would be inaccessible (invisible) from an unsecured network unless you are authenticated and authorized to connect. The topic of systems hardening is complex and has many layers. Since the bastion host is key to infrastructure security, it must be hardened. Hardening The Bastion Host With Single Packet Authorization (SPA) This invisibility is a super power any organization needs, if it’s going to be serious about security. In the case of being a VPN-like endpoint, Single Packet Authorization can render your bastion host (mostly) invisible to the Internet. Or, depending on your company’s security standards, it might be accessible directly from the Internet, and logically function as a VPN-like endpoint itself. In a traditional datacenter-based architecture, or AWS VPC, your bastion hosts might be inside your firewall perimeter and accessible with a two-factor VPN. Your network-layer security architecture should allow access to administrative services, such as SSH, backend admin web-based user interfaces, and network infrastructure (firewalls, load balancers, switches, et cetera), from only hardened bastion hosts. Amazon Web Services VPC is a hybrid of the two, in that compute resources can be on isolated networks, but network-layer security is still distributed via Security Groups. Or a cloud-based infrastructure where all hosts are, in some way, attached directly to the Internet: distributed network-layer security. I call this consolidated network-layer security. There are two common infrastructure deployment patterns: first, a traditional firewall-based infrastructure, complete with isolated networks and a DMZ. Windows bastion hosts will not be discussed. For the purpose of this post, however, I will only be writing in the context of operating a Linux/Unix platform. The principles of using bastion hosts apply to Linux/Unix and Windows-based platforms. On the last point about AWS Regions: I will touch on some powerful capabilities of bastion hosts, AWS Security Groups, and cross AWS account-access that we use here at Panda Strike. It is the most commonly used term for the system’s function: a server, which has undergone security hardening steps, that is the operational and administrative control point for systems and hosts in a datacenter (or AWS Region). In this post I will simply use the term bastion host. A bastion-host, in this context, is actually more properly, but more obscurely, called a jump server. Panda Strike Let's Chat Team Blog Bastion Hostsīastion host(s) are a useful and important component of a system management infrastructure.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |