
Tuesday, 13 November 2018

Harden your Bastion or Move away !!


The bastion host topology is well suited to relatively simple networks (e.g. those that don't offer any public Internet services). The key factor to keep in mind is that it offers only a single boundary. Once someone manages to penetrate that boundary, they have gained unrestricted (at least from a perimeter-protection perspective) access to the protected network.

Two questions to those who are using a bastion in their environment:
  1. Is it protected from attackers?
  2. When it is compromised, will the integrity of the internal network still be protected?
"Anyone with a Screwdriver Can Break In"
The bastion model does have following downsides:
  1. Bastion must be managed and patched.
  2. It accrues cost while it is running.
  3. Each security group that allows bastion access requires an ingress rule, normally port 22 for SSH or port 3389 for RDP.
  4. Private RSA keys for the bastion host and application hosts need to be managed, protected, and rotated.
  5. SSH activity isn’t natively logged.
"System logs are invaluable tools for detecting and terminating attacks"
Harden your Bastion - Ensure you haven't left a hole:
  1. Enforce two-factor authentication.
  2. Implement Fail2ban to block automated SSH brute-force attempts once your bastion IPs have been discovered by attackers.
  3. Disable all non-required services.
Establish a Bastion Baseline:
  1. Monitor processor utilization to learn the normal system load.
  2. Analyse system logs to understand how the system runs normally, and enable in-depth logging.
  3. Run network vulnerability scanners such as Nessus, Nmap and SATAN.
  4. Ensure your operating system is frequently updated with the latest patches, service packs and software upgrades.
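To make the Fail2ban and log-analysis points concrete, here is an added example (not from the post) that applies fail2ban's maxretry logic to constructed sshd auth.log lines: it counts failed password attempts per source address and reports the sources that reach the threshold. The sample log lines and the default threshold of 5 are assumptions, and fail2ban's findtime window is not modelled.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth.log format (not taken from the post).
SAMPLE_AUTH_LOG = """\
Nov 13 10:01:02 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Nov 13 10:01:05 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51023 ssh2
Nov 13 10:01:09 bastion sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Nov 13 10:01:12 bastion sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51031 ssh2
Nov 13 10:01:20 bastion sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51040 ssh2
Nov 13 10:02:31 bastion sshd[2110]: Accepted publickey for ops from 198.51.100.4 port 40110 ssh2: ED25519 SHA256:abc
Nov 13 10:03:44 bastion sshd[2112]: Failed password for ops from 198.51.100.4 port 40111 ssh2
"""

# Matches sshd's "Failed password" line for both known and invalid users.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_ip(log_text):
    """Return (attempts per source IP, sorted usernames tried per source IP)."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return dict(counts), {ip: sorted(u) for ip, u in users.items()}


def sources_to_ban(log_text, maxretry=5):
    """Source IPs at or above fail2ban's maxretry threshold, most attempts first.
    (fail2ban's findtime window is assumed to cover the whole sample.)"""
    counts, _ = failed_logins_by_ip(log_text)
    ranked = sorted(counts.items(), key=lambda kv: -kv[1])
    return [ip for ip, n in ranked if n >= maxretry]


if __name__ == "__main__":
    counts, users = failed_logins_by_ip(SAMPLE_AUTH_LOG)
    for ip in sources_to_ban(SAMPLE_AUTH_LOG):
        print(f"ban {ip}: {counts[ip]} failures, users tried {users[ip]}")
```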
The Solution:
Move away from Bastion!!
If your bastion is not hardened, or you have not yet established the recommended baselines, jump out of the jump host and prefer one of the following natively secured topologies:
    1. Replace the bastion host with Amazon EC2 Systems Manager
    2. Use an OpenVPN server



Monday, 3 September 2018

AWS vs Azure - Battle of the Clouds

Preface:


Microsoft's Azure and Amazon's AWS cloud platforms are the top choices when it comes to enterprise-level IaaS.

Both platforms offer largely similar basic capabilities around flexible computing, storage, and networking. They also share the common elements of a public cloud, such as self-service, instant provisioning, auto scaling, security, compliance, and identity management features.

Enterprise Public Cloud Adoption:


AWS continues to lead in public cloud adoption but Azure continues to grow quickly, reducing AWS’s lead, especially among enterprises.

Overall Azure adoption grew from 34 to 45 percent of respondents, while AWS grew from 57 to 64 percent of respondents.

Among enterprises, Azure did even better: Azure adoption increased significantly from 43 percent to 58 percent, while AWS adoption in this group increased from 59 percent to 68 percent.



PROS & CONS:

AWS CONS:
  • Incompatible and Weak Hybrid Strategy: AWS is less open to private clouds, forcing companies to forego their own cloud infrastructure. This makes it an unpopular storage option for sensitive industries such as banking and healthcare.
  • Large and Complex Scale of Offerings: AWS has a vast range of products to offer its users. However, navigating through these products and choosing what suits one's requirements is tiresome work.

Azure PROS:
  • Open to Hybrid Cloud Systems: Azure offers substantial support for hybrid cloud applications and helps companies protect client information that may be sensitive in nature.
  • Ease of Transition: Most organizations use Microsoft to run their on-premises systems, so these organizations will find the transition to the cloud easier.

AWS PROS:
  • Data is Easily Available: AWS has several availability zones, so users can choose to store data closer to them and save money.
  • High Transfer Stability: Minimal data is lost during server and storage transfer (Snowmobile, Snowball, Direct Connect).

Azure CONS:
  • Low Quality Support: Azure services are laden with glitches. To fix these bugs, users have to spend additional money.
  • Restrictive Platform: Less flexibility with regard to non-Windows platforms when compared to AWS.

AWS is clearly on higher ground, but does Azure stand a chance? Here it is:

AWS Vs Azure: The Bottom Line
Azure and AWS both have global footprints and continue to compete in terms of their cloud feature sets:
  • AWS tends to lead in terms of the variety of its infrastructure as a service (IaaS) offerings
  • Azure has a strong platform as a service (PaaS) portfolio.

Azure Vs AWS: Features
All features offered on Azure have a corresponding or similar feature on AWS. It is difficult to come up with an exhaustive feature list, and you might find it interesting that some Azure services have no AWS equivalent.
  • Azure includes the Azure Visual Studio Online, Azure Site Recovery, Azure Event Hubs, and Azure Scheduler.
  • The Disaster Recovery Planning service in Azure is more efficient than AWS Disaster Recovery.
  • Hybrid clouds are easier with Azure, partly because Microsoft has foreseen the need for hybrid clouds early on.
  • Amazon realizes that it needs to strengthen its offerings to support hybrid clouds; it is still catching up, with more investments earmarked for hybrid clouds.

Highlights - Azure :

  • Azure has the advantage of deploying Windows client apps through its RemoteApp service, which AWS lacks.
  • For Windows-centric development or hosting, Azure offers slightly better options: Visual Studio, .NET and Windows programming languages such as VB and Visual C++ are all fully supported and well integrated.
  • Azure's service endpoints and firewalls are available for Azure Storage at no additional billing to its customers. Service endpoints provide a direct connection from a network to an Azure service, such as storage, securing the data for the customer.
  • Overpaying: AWS offers a plethora of EC2 virtual machine types under several billing approaches, and these configurations are not customizable.

According to the recent Q1 FY 2018 earnings report, Microsoft's revenue from Azure grew over 90% this year, doubling the growth rate of AWS.
Conclusion:  Rise or Fall?



What will come next??


In 2015, no one thought Azure could catch up; but they’ve proven the naysayers wrong. The cloud wars are unpredictable and exciting. Who would you count on - AWS or Azure? Will Azure overtake AWS? Will Google Cloud be the underdog that will disrupt the cloud domain? Only time will tell. 

"But one thing is certain - cloud is here to stay"










Tuesday, 21 August 2018

Zero Touch-Up in Operations - AIOps






AIOps, or Algorithmic IT Operations, is a solution that uses smart algorithms (powered by AI and ML) in which machines solve known IT issues and intelligently automate repetitive and mundane jobs. —Gartner

AIOps platforms encompass the IT disciplines of Performance Management, Service Management, Automation, and Process Improvement, along with technologies such as monitoring, service desk, capacity management, cloud computing, SaaS, mobility, IoT and more.





See-Analyze-Automate — Approach

Visibility— Monitoring systems observe everything currently going on in the environment, while predictive analytics systems use past trends to forecast what is going to happen; they can predict when a negative trend or an incident is about to occur.

Prediction— Once the system has this ability, it can alert the operations team and automatically assign an appropriate pre-automated solution to resolve the issue. As a result, issues are identified and addressed before they occur.

Automation— Of course, if there are no automated solutions in place, the operations team can automate the process using RPA (Robotic Process Automation) tools, so that the next time the same incident happens it is resolved automatically.

This process runs as a continuous cycle; repeated over a period of time, it yields a handful of operational benefits in the following areas:
  • Reduced MTTD and Faster MTTR
  • Greater Visibility
  • Real-Time Analysis
  • Data-Driven Recommendations
--The Future--

AIOps is a rapidly developing area. Current AIOps systems struggle to understand the relationships between applications, infrastructure, and other datasets. Looking ahead, applying AI to IT operations should make IT issues easier to identify, predict, prevent, and even fix.

Wednesday, 1 April 2015

Spacewalk Installation on Centos


Introduction:
Spacewalk is an open-source configuration and patch management tool sponsored by Red Hat. It is the alternative to Red Hat Network Satellite Server for CentOS / Fedora / Scientific Linux.

Features of Spacewalk:
  • Manage an inventory of servers (hardware and software information)
  • Install and update software on servers
  • Manage and deploy configuration files to your systems
  • Monitor your systems / servers

Step: 1 Setup Spacewalk Repo:

 #  rpm -Uvh http://yum.spacewalkproject.org/1.9/RHEL/6/x86_64/spacewalk-repo-1.9-1.el6.noarch.rpm

Step: 2 Setup Additional Repositories

Spacewalk on CentOS requires additional dependencies from JPackage.

# vim /etc/yum.repos.d/jpackage-generic.repo
Then paste the following repository definition and save the file:
[jpackage-generic]
name=JPackage generic
#baseurl=http://mirrors.dotsrc.org/pub/jpackage/5.0/generic/free/
mirrorlist=http://www.jpackage.org/mirrorlist.php?dist=generic&type=free&release=5.0
enabled=1
gpgcheck=1
gpgkey=http://www.jpackage.org/jpackage.asc

Enable EPEL Repository:
Spacewalk requires a Java Virtual Machine with version 1.6.0 or greater

# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
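As an added check (not part of the original walkthrough), the script below audits yum .repo definitions for the signing properties the installation relies on: it flags enabled repositories with gpgcheck off, with no gpgkey, or with a key fetched over plain http, which should be fingerprint-checked before it is trusted (as is done for the CentOS key later in this post). The sample file reuses the jpackage stanza above plus a constructed, deliberately weak stanza; treating a missing gpgcheck as off is a conservative assumption, since yum would otherwise inherit the default from its main config.

```python
import configparser

# Constructed sample .repo content: the first stanza mirrors the jpackage
# definition from the walkthrough; the second is a deliberately weak stanza
# added only for contrast.
SAMPLE_REPO = """\
[jpackage-generic]
name=JPackage generic
mirrorlist=http://www.jpackage.org/mirrorlist.php?dist=generic&type=free&release=5.0
enabled=1
gpgcheck=1
gpgkey=http://www.jpackage.org/jpackage.asc

[vendor-tools]
name=Vendor tools (weak example)
baseurl=http://example.invalid/tools/
enabled=1
gpgcheck=0
"""


def audit_repo_text(text):
    """Return {repo_id: [findings]} for enabled repositories whose packages
    would not be signature-verified, or whose signing key is fetched insecurely."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1") != "1":
            continue  # disabled repos cannot install anything
        problems = []
        # Conservative assumption: a missing gpgcheck is treated as off.
        if sec.get("gpgcheck", "0") != "1":
            problems.append("gpgcheck is not 1: unsigned packages would be installed")
        gpgkey = sec.get("gpgkey")
        if gpgkey is None:
            problems.append("no gpgkey: yum has no signing key to verify against")
        elif gpgkey.startswith("http://"):
            problems.append("gpgkey fetched over plain http: verify its fingerprint "
                            "(gpg --fingerprint) before importing it")
        if problems:
            findings[repo] = problems
    return findings


if __name__ == "__main__":
    for repo, problems in audit_repo_text(SAMPLE_REPO).items():
        print(repo)
        for p in problems:
            print("  -", p)
```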

Step: 3 Spacewalk Database Server Installation:

Spacewalk uses a database to store its primary data; it supports PostgreSQL.

# yum install spacewalk-setup-embedded-postgresql
# yum install spacewalk-postgresql

Create a file under /root called 'answers' with the contents below:

# vi /root/answers

admin-email = root@localhost
ssl-set-org = Nextstep4it
ssl-set-org-unit = IT
ssl-set-city = Delhi
ssl-set-state = Delhi
ssl-set-country = IN
ssl-password = Ppts@123
ssl-set-email = root@localhost
ssl-config-sslvhost = Y
db-backend=postgresql
db-name=spacewalkdb
db-user=spacewalk
db-password=Ppts@123
db-host=localhost
db-port=5432
enable-tftp=Y

Now install Spacewalk with the answer file (replace the sample passwords above with strong values of your own first):

# spacewalk-setup --disconnected --answer-file=/root/answers

(After spacewalk-setup is complete, application is ready to use)

Step: 4 Access Spacewalk using the URL below and set up the administrative account:


Spacewalk URL: https://10.10.1.01

After setting up the administrative account, we can log in to the Spacewalk admin GUI:


After completing the account setup, you will be redirected to the main window, which gives a detailed overview of everything related to Spacewalk.


Setting Software Channels:

Step: 1
Set a base channel; this channel will contain all base packages for a system. The first base channel we set will be the one for CentOS 6.0, the version of CentOS used for the Spacewalk server. Follow these steps once logged in:

  1. Click on Channels
  2. Click on Manage Software Channels
  3. Click on Manage Repositories
  4. Click on Create New Repository


Step: 2 GPG Key import

The Spacewalk server will not deploy packages from any repository for which it does not have the GPG public key used to sign the packages. These keys are placed in the root of the repository version that you will use. First download the keys and import them into GPG to obtain the key ID and fingerprint needed when setting up the channel; they must also be imported with rpm on the Spacewalk server. For the base CentOS repository, download the key so it can be imported with GPG to get the key information:

# mkdir repo_keys
# cd repo_keys
# curl -O http://mirror.facebook.net/centos/6/os/i386/RPM-GPG-KEY-CentOS-6

Create one channel per set of repositories so it is easier to manage the key. Import the downloaded key into GPG to read its ID and fingerprint, then trust it with rpm:

# gpg --import RPM-GPG-KEY-CentOS-6
# gpg --list-keys --fingerprint C105B9DE
# rpm --import http://mirror.facebook.net/centos/6/os/i386/RPM-GPG-KEY-CentOS-6


Creating Repositories:
We will create 2 Repositories for CentOS 6.X the first one will be the base repository and second is the Updates.
  1. Repository Label – PPTS-CentOS6-i386-Base
  2. Repository URL - http://mirror.facebook.net/centos/6/os/i386/
  3. Then click on Create Repository
For the updates repository enter:

Let's create a repository for VMware Tools for vSphere 5.1:

  1. Repository Label - VMware-Tools-ESX-5.1-RHL6
  2. Repository URL - http://packages.vmware.com/tools/esx/5.1/rhel6/x86_64/index.html
  3. Then click on Create Repository

Creating Channels:
We will create a new channel that will use both repositories:
  1. Click on Channels
  2. Click on Manage Software Channels
  3. Click on Create New Channel

Enter the Following Mandatory Parameters:

Channel Name –
Channel Label –
Parent Channel – 
Parent Channel Architecture – 
Yum Repository Checksum Type – 
Channel Summary -

as shown in the screenshot below.

Under Channel Access Control Select:

  • All users within your organization may subscribe to this channel.
  • This channel is public and may be accessed by any of the trusted organizations trusted by this organization.
Click Create channel
 


Goto
Channels –> Manage Software Channels –> Select the created channel –> Repository –> Select the previously created repository –> Update repository

(Here you can link the repository to the channel based on architecture).

Once updated, click on Sync and then click on Sync Now to start package synchronization from the upstream server


Once the package synchronization is completed, you can list the synchronized packages by going to

Channels –> Manage Software Channels –> Select your channel –> Packages –> List / Remove






Goto

Systems –> Activation Keys –> Create New Key

(Here you create activation keys for client subscription; on this page you need to select the base channel (the newly created channel). Whenever a client uses this key, the client machine is automatically subscribed to that channel. Create multiple keys if you need to use multiple channels.)

Note: Better to leave the key blank for automatic generation.


You can get the activation key by going to Systems –> Activation Keys.

 
 

Client software Installation:

To connect a system to Spacewalk, the appropriate client software must be installed on that system:

#  yum install -y rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin rhncfg rhncfg-actions rhncfg-client

Now Register Linux Server with Spacewalk

# rhnreg_ks --force --serverUrl=http://10.10.20.101/XMLRPC --activationkey=1-6f0183f8cb1815adeebe38f4ffd445d6
# rhn-actions-control --enable-all

Above commands will register your Linux server with Spacewalk, just replace activation key according to your setup.

Now log in to the Spacewalk admin panel, click on Systems, then click on the registered server name; as we can see, updates are available.

 
 

Schedule to install all the updates:

Select all the packages and click on Upgrade Packages.
When you click on 'Upgrade Packages', it will ask you to schedule the upgrade.