
Tuesday, 13 November 2018

Harden your Bastion or Move away !!


The bastion host topology is well suited to relatively simple networks (e.g. those that do not offer any public Internet services). The key factor to keep in mind is that it offers only a single boundary. Once someone manages to penetrate that boundary, they have gained unrestricted (at least from a perimeter-protection perspective) access to the protected network.

Two questions for those who use a bastion in their environment:
Is it protected from attackers?
When it is compromised, will the integrity of the internal network still be protected?
"Anyone with a Screwdriver Can Break In"
The bastion model has the following downsides:
  1. The bastion must be managed and patched.
  2. It accrues cost while it is running.
  3. Each of your security groups that allows bastion access requires a security group ingress rule, normally port 22 for SSH or port 3389 for RDP.
  4. Private RSA keys for the bastion host and application hosts need to be managed, protected, and rotated.
  5. SSH activity isn't natively logged.
"System logs are invaluable tools for detecting and terminating attacks"
Harden your Bastion - Ensure you haven't left a hole:
  1. Enforce two-factor authentication.
  2. Implement Fail2ban - throttle automated SSH attempts once your bastion's IP addresses are known to attackers.
  3. Disable all non-required services.
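As an added example (not code from the original post), a POSIX shell audit that checks an OpenSSH sshd_config for the settings the three points above translate into: two-factor authentication via public key plus a PAM-driven keyboard-interactive factor, no password or direct root logins, and verbose logging so SSH activity is actually recorded. The option names are real sshd_config keywords; the sample configs are constructed.

```shell
#!/bin/sh
# Audit an sshd_config against the hardening points above: key + PAM second
# factor (2FA), no password-only or root logins, and verbose logging so SSH
# activity is actually recorded. Constructed example, not the post's code.

# sshd_get FILE KEY -> effective value, lower-cased. sshd uses the first match,
# keys are case-insensitive, comments are ignored. Match blocks are not
# interpreted, so this reads global settings only.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# has_method LIST NAME -> true if NAME (optionally with a ":suffix" such as
# keyboard-interactive:pam) is in the comma-separated AuthenticationMethods list.
has_method() {
    case ",$1," in *",$2,"*|*",$2:"*) return 0 ;; *) return 1 ;; esac
}

# sshd_audit FILE -> prints one FAIL line per missing control; returns 1 if any.
sshd_audit() {
    f=$1; rc=0
    [ "$(sshd_get "$f" PermitRootLogin)" = "no" ] \
        || { echo "FAIL PermitRootLogin should be no"; rc=1; }
    [ "$(sshd_get "$f" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL PasswordAuthentication should be no"; rc=1; }
    [ "$(sshd_get "$f" UsePAM)" = "yes" ] \
        || { echo "FAIL UsePAM should be yes (the second factor runs through PAM)"; rc=1; }
    m=$(sshd_get "$f" AuthenticationMethods)
    { has_method "$m" publickey && has_method "$m" keyboard-interactive; } \
        || { echo "FAIL AuthenticationMethods must require publickey AND keyboard-interactive"; rc=1; }
    [ "$(sshd_get "$f" LogLevel)" = "verbose" ] \
        || { echo "FAIL LogLevel should be VERBOSE (records the key fingerprint used)"; rc=1; }
    return $rc
}

# Constructed samples: a stock-looking config and its hardened counterpart.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
printf '%s\n' '# stock sshd_config' 'PermitRootLogin yes' \
    'PasswordAuthentication yes' 'UsePAM yes' > "$WEAK_CFG"
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' 'UsePAM yes' \
    'AuthenticationMethods publickey,keyboard-interactive:pam' \
    'LogLevel VERBOSE' > "$HARD_CFG"

sshd_audit "$WEAK_CFG" || echo "weak config: NOT hardened"
sshd_audit "$HARD_CFG" && echo "hardened config: OK"
```

Run it against the real file with `sshd_audit /etc/ssh/sshd_config`; the PAM side of the second factor (e.g. a TOTP module in /etc/pam.d/sshd) still has to be configured separately.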
Establish a Bastion Baseline:
  1. Monitor processor utilization to learn the normal system load.
  2. Analyse system logs to understand how the system behaves normally - enable in-depth logging.
  3. Run network weakness scanners such as Nessus, Nmap and SATAN.
  4. Ensure your operating system is frequently updated with the latest patches, service packs and software upgrades.
The Solution:
Move away from Bastion!!
If your bastion is not hardened or you have not yet established the recommended baseline - jump out of the jump host and prefer one of the following natively secured topologies:
    1. Replace the bastion host with Amazon EC2 Systems Manager.
    2. Use an OpenVPN server.


