Every organization that keeps data in the cloud or in a data center needs a secure way to reach that data and the infrastructure behind it. Secure Shell (SSH) and Remote Desktop Protocol (RDP) are the standard protocols for administering Linux and Windows machines remotely. The problem arises when these management ports are exposed to the public internet: every reachable SSH or RDP listener is scanned continuously and becomes a target for credential brute-forcing, credential stuffing and exploitation of any flaw in the service itself. To limit that exposure, a dedicated server is placed in front of the private network: the bastion host, also known as a jump box.
In this post, we will discuss what a bastion host is, how it works, and how it is used on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
What is a Bastion Host?
A bastion host or jump box is a server deliberately exposed to a public network and hardened so that it can withstand attack; it is the single, watched entry point through which administrators reach everything behind it. Marcus J. Ranum, a security researcher, described the concept of the bastion host in 1990 and called such hosts crucial to network security. Because the bastion is the one machine an outsider can reach, it is where hardening, logging and regular auditing are concentrated, and it acts as the guard in front of the systems that hold the data that matters.
Put another way, a bastion host is a bridge between users on the outside and the private network on the inside, used to tighten access to resources, instances, gateways and so on. Once a user has authenticated to the bastion, the bastion relays that user's SSH or RDP session to instances in the private subnets, which themselves never need to accept connections from the internet.
There are several ways to reach instances inside a virtual private cloud (VPC), with or without assigning them external IP addresses. A bastion host is the approach that lets you open SSH connections to instances that have no external IP address at all. Its role is to give users on an outside network, such as the internet, access to the private network while keeping that network's attack surface down to one hardened host.
Running bastion hosts has clear benefits, but there are disadvantages too. The hosts add operational load: they must be kept running, monitored and patched promptly, and a large user base may need several of them, which raises hosting costs. The bastion is also a single, high-value target: an authentication bypass or remote code execution flaw in the SSH daemon it exposes (OpenSSH on most Linux bastions) hands an attacker a foothold inside every network the bastion fronts, which is why prompt patching and the hardening steps below matter so much.
Benefits of a Bastion Host (Jump Box)
- Makes security compliance easier: all administrative access flows through one audited choke point.
- Reduces the impact of attacks: private instances are not reachable from the internet, so they cannot be scanned or brute-forced directly.
- Contains network-access threats: an intrusion has to pass through a hardened, logged host before it reaches the private network.
- Saves time on ad-hoc connection requests: one standard path replaces per-instance firewall exceptions.
- Is simple to use and adds a layer of protection to the private network.
How Does a Bastion Host Work?
A bastion host sits between the intranet and the Internet. It is part of the perimeter defense: it lives in a public subnet at the edge of the internal firewall and shields the instances behind it from direct attack. Also known as a jump box, it is widely used in cloud environments, where it lets clients reach remote servers by relaying their sessions much as a proxy server does.
The bastion host is the single point of entry through which users reach instances in a private network. The instances in your virtual private cloud carry only internal IP addresses; the bastion host carries both an internal and an external one. To reach an internal instance that has no external IP and no inbound firewall rule from the internet, you connect in two steps:
Log in to the bastion host first, then open a second SSH session from the bastion to the private instance. With OpenSSH's ProxyJump option (ssh -J) the two hops are performed by a single command, and the private key for the inner host never has to leave your workstation.
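The two-hop connection described above, written as an OpenSSH client configuration. This is an added example, not configuration from the original post: the bastion address (198.51.100.10), the private subnet pattern (10.0.2.*), the user name and the key paths are assumptions. It puts the ProxyJump form beside the older agent-forwarding form and includes a small audit function that rejects a config relying on agent forwarding.

```shell
#!/bin/sh
# Added example: render an OpenSSH client config that reaches private-subnet
# hosts through a bastion with ProxyJump. Hostnames, addresses, user names and
# key paths are assumptions for illustration.

# write_bastion_ssh_config <out-file> <bastion-public-ip> <private-host-glob>
# Every host matching the glob is reached by jumping through the "bastion"
# alias. ProxyJump opens a TCP channel through the bastion; the private key and
# the agent socket stay on the workstation and are never exposed to the bastion.
write_bastion_ssh_config() {
  out=$1; bastion_ip=$2; private_glob=$3
  cat > "$out" <<EOF
# Entry point: the only host with a public address.
Host bastion
    HostName $bastion_ip
    User ec2-user
    IdentityFile ~/.ssh/bastion_key
    ForwardAgent no

# Everything in the private subnet is reached via the bastion.
Host $private_glob
    User ec2-user
    IdentityFile ~/.ssh/private_host_key
    ProxyJump bastion
    ForwardAgent no
EOF
}

# Weaker alternative kept for comparison: agent forwarding. It works, but a
# root-level attacker on the bastion can use the forwarded agent socket to
# authenticate as you to any host that trusts your key while the session is open.
write_agent_forwarding_config() {
  out=$1; bastion_ip=$2
  cat > "$out" <<EOF
Host bastion
    HostName $bastion_ip
    User ec2-user
    IdentityFile ~/.ssh/bastion_key
    ForwardAgent yes
EOF
}

# audit_ssh_config <file>: return 0 if the config has no agent forwarding and
# at least one ProxyJump directive, 1 otherwise.
audit_ssh_config() {
  f=$1
  if grep -Eiq '^[[:space:]]*ForwardAgent[[:space:]]+yes' "$f"; then
    echo "WEAK: $f enables agent forwarding" >&2; return 1
  fi
  if ! grep -Eiq '^[[:space:]]*ProxyJump[[:space:]]+' "$f"; then
    echo "WEAK: $f has no ProxyJump; private hosts need two manual hops" >&2; return 1
  fi
  echo "OK: $f uses ProxyJump without agent forwarding"
}

# Usage (assumed addresses):
#   write_bastion_ssh_config ~/.ssh/config 198.51.100.10 '10.0.2.*'
#   ssh -G -F ~/.ssh/config 10.0.2.15 | grep -i proxyjump   # show the resolved setting
#   ssh 10.0.2.15                                           # one command, two hops
# Equivalent one-off form: ssh -J ec2-user@198.51.100.10 ec2-user@10.0.2.15
```

The `ssh -G` line prints the configuration OpenSSH would actually apply for that destination, which is the quickest way to confirm that a private host really is being routed through the bastion before you rely on it.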
Bastion Host Best Practices
1. Disable Network Services
Every network service that the bastion does not strictly need is disabled, leaving only the management service it exists to expose (SSH, and RDP where Windows hosts are involved). For example, the bastion should carry no shared or password-based user accounts: if an outsider obtains a set of login details, that account becomes a path into the intranet, so restrict logins to named administrators using key-based authentication. Similarly, Network File System (NFS) exports and other file services must not run on the bastion, so that someone who breaks into it cannot read the intranet's files from there. File servers belong inside the intranet firewall, reached through the bastion; then even if the bastion is compromised, the resources it fronts are not compromised or lost with it.
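A concrete check for this practice, written for OpenSSH: the sshd_config settings a stripped-down bastion should carry, with an audit function that compares a live file against them. This is an added example, not from the original post or any vendor; the group name bastion-admins and the timeout values are assumptions. Note that the bastion cannot simply switch TCP forwarding off, because ProxyJump works by asking the bastion to open a channel to the private host; it is restricted to local forwarding instead.

```shell
#!/bin/sh
# Added example: audit a bastion's sshd_config against the settings a
# stripped-down jump host should have. Values and file paths are assumptions.

# Keyword + required value. ProxyJump needs *local* TCP forwarding on the
# bastion (the client asks the bastion for a channel to the private host), so
# forwarding is restricted rather than disabled outright.
REQUIRED_SSHD_SETTINGS='
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
AllowAgentForwarding no
PermitTunnel no
AllowTcpForwarding local
MaxAuthTries 3
LogLevel VERBOSE
'

write_hardened_sshd_config() {
  cat > "$1" <<'EOF'
# Hardened bastion sshd_config (added example, assumed values)
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowGroups bastion-admins
X11Forwarding no
AllowAgentForwarding no
PermitTunnel no
AllowTcpForwarding local
MaxAuthTries 3
MaxSessions 4
LoginGraceTime 20
ClientAliveInterval 300
ClientAliveCountMax 2
LogLevel VERBOSE
EOF
}

# A distribution-default style file, kept for comparison.
write_weak_sshd_config() {
  cat > "$1" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
AllowAgentForwarding yes
MaxAuthTries 6
EOF
}

# setting_value <file> <keyword>: effective value of <keyword>, lower-cased.
# sshd honours the FIRST occurrence of a keyword, comments are skipped, and
# reading stops at the first Match block (conditional settings are out of scope).
# Empty output means the keyword is absent and the sshd default applies.
setting_value() {
  awk -v key="$2" '
    /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }
    tolower($1) == tolower(key) && !seen { v = $2; seen = 1 }
    END { print tolower(v) }' "$1"
}

# audit_sshd_config <file>: one line per finding (WEAK or MISSING).
audit_sshd_config() {
  f=$1
  if ! grep -Eiq '^[[:space:]]*Allow(Users|Groups)[[:space:]]' "$f"; then
    echo "MISSING  AllowUsers/AllowGroups (any local account may log in)"
  fi
  echo "$REQUIRED_SSHD_SETTINGS" | while read -r key want; do
    [ -n "$key" ] || continue
    have=$(setting_value "$f" "$key")
    want_lc=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
    if [ -z "$have" ]; then
      echo "MISSING  $key (want $want, sshd default applies)"
    elif [ "$have" != "$want_lc" ]; then
      echo "WEAK     $key $have (want $want)"
    fi
  done
}

# count_findings <file>: number of findings; 0 means the file passes.
count_findings() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

# Usage on a real bastion: audit_sshd_config /etc/ssh/sshd_config
```

After editing the real file, run `sshd -t` to validate the syntax before restarting the daemon, and keep an existing session open while you test a new login so a mistake in AllowGroups cannot lock you out.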
2. Enable Server logging
The bastion logs all activity, and a copy of the log is kept elsewhere. Logging exists so that administrators learn promptly when an outsider attacks the intranet; the off-host copy exists so that the record survives even if the attacker tampers with or destroys the log on the bastion itself. The classic way to keep that copy safe is to connect the bastion to a dedicated log host over a one-way channel such as a serial line; in cloud deployments the equivalent is forwarding logs to a central collector that the bastion can write to but cannot modify. Either way, an administrator (or intruder) on the bastion must not be able to alter the copy.
3. Enable Server Monitoring
Automated monitors watch the bastion's system logs as they are written. They complement the periodic auditing software: instead of discovering an incident after the fact, they alert as suspicious activity happens. A typical rule: more than three failed login attempts from one source, and the system raises an alert about the suspicious attempt.
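The "more than three failed attempts" rule as detection logic over sshd log lines. This is an added example, not part of the original post; the log lines are constructed for it and use documentation addresses (203.0.113.5, 198.51.100.7, 192.0.2.9). Failures are counted per source address across connections, because sshd's own MaxAuthTries only limits attempts within a single connection.

```shell
#!/bin/sh
# Added example: flag source addresses with more than N failed SSH logins in
# a bastion's auth log. The log below is constructed for the example.

SAMPLE_AUTH_LOG='Mar  3 10:01:02 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:04 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:07 bastion sshd[2103]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar  3 10:01:09 bastion sshd[2105]: Failed publickey for ops from 203.0.113.5 port 51041 ssh2
Mar  3 10:02:11 bastion sshd[2110]: Failed password for ops from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:40 bastion sshd[2112]: Accepted publickey for ops from 198.51.100.7 port 40023 ssh2
Mar  3 10:03:00 bastion sshd[2115]: Invalid user test from 192.0.2.9 port 33001
Mar  3 10:03:02 bastion sshd[2115]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2'

# brute_force_sources <threshold>: read auth log lines on stdin, print
# "<count> <ip>" for every source with more than <threshold> failed
# password or public-key attempts, highest count first. "Accepted" and
# "Invalid user" lines are not counted; the failure line that follows an
# invalid user is, so a username-guessing sweep still registers.
brute_force_sources() {
  awk -v max="$1" '
    /sshd\[[0-9]+\]: Failed (password|publickey) for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
    }
    END { for (ip in fails) if (fails[ip] > max) printf "%d %s\n", fails[ip], ip }
  ' | sort -rn
}

# alert_if_brute_force <threshold>: wrapper for a cron job or log-forwarder hook.
# Returns 1 (and writes an alert to stderr) when any source exceeds the threshold.
alert_if_brute_force() {
  hits=$(brute_force_sources "$1")
  [ -z "$hits" ] && return 0
  printf 'ALERT: sources exceeding %s failed SSH logins on %s:\n%s\n' \
    "$1" "$(hostname)" "$hits" >&2
  return 1
}

# Usage with the constructed sample, then with a real journal (assumed unit name):
#   printf '%s\n' "$SAMPLE_AUTH_LOG" | alert_if_brute_force 3
#   journalctl -u ssh --since -5min --no-pager | alert_if_brute_force 3
```

On a real bastion the alert should go somewhere the bastion itself cannot suppress (the central log collector or an on-call pager), and the offending source can be blocked at the security group or firewall in front of the host rather than on the host alone.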
4. Isolate Multiple Bastion Hosts, Each Dedicated to the Part of the Network It Needs to Reach
Depending on the user base, there may be more than one bastion host inside the perimeter: a larger user base calls for more bastion servers. Each server should offer only one or two Internet-facing services to the intranet and run nothing else. A host set up this way is sometimes called a victim (or sacrificial) machine: because it holds nothing of value and only proxies or filters a single service, it can be lost without much damage. If you need an additional service, give it its own victim machine rather than adding it to an existing bastion; then a break-in on one server does not compromise or affect the other bastion hosts.
5. Implement a Filtering Router
- For additional protection, place a filtering router between the bastion host and the intranet. The filtering router inspects traffic and drops unauthorized connections moving between the Internet and the intranet, so that even a compromised bastion can reach only the internal addresses and ports it is explicitly allowed to.
- The bastion host does not serve requests itself. If a user requests a web page or transfers an e-mail, the bastion does not answer from local data; it connects to the appropriate intranet server and passes the request on. The intranet server replies to the bastion, which forwards the response to the original sender.
6. Enable Auditing
Some bastion hosts run audit programs to detect attacks and tampering. One common method is to check whether any software on the bastion has been altered by an unauthorized person, using what is often called a checksum program. The program records a cryptographic hash of every executable and configuration file (not merely its size, which an attacker can trivially preserve while replacing the contents), recomputes the hashes regularly, and raises an alert as soon as a file no longer matches its baseline.
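A minimal version of that checksum program, as an added example rather than any tool mentioned in the post. It baselines every file under the watched paths with SHA-256, then reports changed, missing and newly added files; the watched paths and baseline location are assumptions, and the baseline must be stored where an intruder on the bastion cannot rewrite it.

```shell
#!/bin/sh
# Added example: file-integrity baseline for a bastion. Hashes files with
# SHA-256 (file size alone is trivial to preserve), stores a baseline, and
# later reports CHANGED, MISSING and new files. Paths are assumptions.
# Limitation: paths containing whitespace are not handled.

if command -v sha256sum >/dev/null 2>&1; then HASH=sha256sum; else HASH="shasum -a 256"; fi

# build_baseline <baseline-file> <path>...: one "hash  path" line per regular
# file, sorted by path. Keep the result off the bastion or on read-only media.
build_baseline() {
  out=$1; shift
  find "$@" -type f -exec $HASH {} + | sort -k2 > "$out"
}

# verify_baseline <baseline-file>: print a CHANGED or MISSING line per drifted
# file; return 1 on any drift, 0 when every recorded file still matches.
verify_baseline() {
  baseline=$1; drift=0
  while read -r want path; do
    [ -n "$path" ] || continue
    if [ ! -f "$path" ]; then
      echo "MISSING  $path"; drift=1; continue
    fi
    have=$($HASH "$path" | awk '{print $1}')
    [ "$have" = "$want" ] || { echo "CHANGED  $path"; drift=1; }
  done < "$baseline"
  return $drift
}

# new_files <baseline-file> <path>...: files present now but not in the
# baseline (a dropped tool or backdoor shows up here).
new_files() {
  baseline=$1; shift
  known=$(mktemp)
  awk '{print $2}' "$baseline" | sort > "$known"
  find "$@" -type f | sort | comm -23 - "$known"
  rm -f "$known"
}

# Usage (assumed locations; run the verify step from cron and ship its output
# to the central log collector):
#   build_baseline /mnt/readonly/bastion.sha256 /usr/bin /usr/sbin /etc/ssh
#   verify_baseline /mnt/readonly/bastion.sha256 && echo "no drift"
#   new_files /mnt/readonly/bastion.sha256 /usr/bin /usr/sbin /etc/ssh
```

Legitimate patching changes hashes too, so the baseline has to be rebuilt as part of the patch procedure; an alert that coincides with no planned change is the signal worth paging on.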
Bastion Host in AWS
Deploying a bastion host on AWS is straightforward if you already have AWS infrastructure in place. You need a VPC with both a public and a private subnet, which gives your users their own isolated virtual network, and an internet gateway attached to the VPC so that the bastion in the public subnet can receive traffic from outside and relay it into the private network.
- Sign in to your AWS account and launch an EC2 instance in the public subnet; this instance is the bastion.
- Apply OS hardening as required (see the best practices above).
- Create a security group for the bastion that allows inbound SSH (port 22) or RDP (port 3389) only from your administrators' source addresses, never from 0.0.0.0/0.
- Adjust the security groups of the private instances so that inbound SSH or RDP is accepted only from the bastion's security group. Referencing the group rather than the bastion's IP address keeps the rule valid when the bastion is replaced.
- For Linux, connect through the bastion with SSH ProxyJump (or SSH agent forwarding); for Windows, use a Remote Desktop Gateway in place of the bastion. Either way, private keys stay on the administrator's workstation.
- Deploy a bastion host in every Availability Zone you are going to use.
Restrict inbound and outbound traffic at the protocol and port level so that the bastion accepts only SSH or RDP and can open only the onward connections it needs. AWS's guidance is to use SSH agent forwarding or ProxyJump for Linux and RD Gateway for Windows, so that no private keys ever have to be stored on the bastion host.
Remember that if the single Availability Zone hosting your only bastion fails, you lose access to the private instances in every AZ, which is why a bastion per AZ is recommended.
Bastion Host in Azure
Azure Bastion is a managed service that provides secure remote access to your virtual machines from the Azure portal. It offers Remote Desktop Protocol (RDP) and Secure Shell (SSH) connectivity to the VMs in a virtual network directly from the portal, and because you connect through Azure Bastion, the VMs themselves no longer need a public IP address.
With Azure Bastion, the RDP and SSH ports of your virtual machines are never exposed to the outside world. A user signs in to the Azure portal from an HTML5-capable browser, selects a virtual machine, and opens an RDP or SSH session in the browser with a single click.
It is a fully managed platform: you do not have to build, patch or scale the jump host yourself, and you no longer have to adjust Network Security Groups (NSGs) every time you want to connect to a VM. Because the VMs' management ports are not reachable from the internet, they cannot be port-scanned from outside, and Microsoft rather than you is responsible for keeping the Bastion service itself patched against newly discovered vulnerabilities.
Bastion Host in GCP
An SSH bastion host is one of the best options for a Google Cloud VPC: it is a single instance that accepts SSH from users and is the only host they connect to directly, which gives you a single point of defense and of audit. From the bastion you can reach VMs that have no external IP address, including instances on peered VPC networks. The pattern is commonly used to manage database instances that must be reachable only by your own applications. Access is a two-step login: first to the bastion, then from it to the private VM. No private key is stored on the bastion; instead of copying your key there, use SSH agent forwarding or, better, ProxyJump, so that the key stays on your workstation. The gcloud command-line tool (gcloud compute ssh) can generate and distribute SSH keys for your instances, so install and configure it for key management.
A bastion host or jump box is a small server with a large effect: it gives you full session logging, a place to audit, and a single hardened point through which data and infrastructure are accessed, where threats can be detected before they reach anything valuable. Review the platforms above, AWS, Azure and GCP, to see how a bastion host fits each of them.
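The network rules that make the bastion the only path to SSH on private instances, for both the AWS steps above and this GCP section. This is an added example and is not AWS's or Google's own script: the security group IDs, CIDR ranges, network name and network tags are assumptions. The functions invoke the real aws and gcloud command lines; setting AWS=echo or GCLOUD=echo prints the commands instead of running them, which is how the example can be checked without cloud credentials.

```shell
#!/bin/sh
# Added example: security-group and firewall rules for a bastion in AWS and
# GCP. IDs, CIDRs, network and tag names are assumptions. Set AWS=echo or
# GCLOUD=echo to print the commands instead of executing them.
AWS=${AWS:-aws}
GCLOUD=${GCLOUD:-gcloud}

# aws_restrict_ssh <bastion-sg-id> <private-sg-id> <admin-cidr>
#   bastion group : port 22 only from the admin network, never 0.0.0.0/0
#   private group : 22 and 3389 only from members of the bastion group; a group
#                   reference survives bastion replacement and a new public IP
aws_restrict_ssh() {
  bastion_sg=$1; private_sg=$2; admin_cidr=$3
  $AWS ec2 authorize-security-group-ingress --group-id "$bastion_sg" \
      --protocol tcp --port 22 --cidr "$admin_cidr"
  $AWS ec2 authorize-security-group-ingress --group-id "$private_sg" \
      --protocol tcp --port 22 --source-group "$bastion_sg"
  $AWS ec2 authorize-security-group-ingress --group-id "$private_sg" \
      --protocol tcp --port 3389 --source-group "$bastion_sg"
}

# aws_find_exposed <region>: security groups that still allow 22 or 3389 from
# anywhere (IPv4), i.e. the condition the bastion is supposed to remove.
aws_find_exposed() {
  $AWS ec2 describe-security-groups --region "$1" --output text --query \
    "SecurityGroups[?IpPermissions[?(FromPort<=\`22\` && ToPort>=\`22\` || FromPort<=\`3389\` && ToPort>=\`3389\`) && contains(IpRanges[].CidrIp, '0.0.0.0/0')]].[GroupId,GroupName]"
}

# gcp_restrict_ssh <network> <admin-cidr>: the same shape with VPC firewall
# rules. Bastion VMs carry the network tag "bastion", private VMs "private";
# the private rule has a source tag and no source range, so no public address
# can match it.
gcp_restrict_ssh() {
  net=$1; admin_cidr=$2
  $GCLOUD compute firewall-rules create bastion-ssh-from-admin \
      --network "$net" --direction INGRESS --allow tcp:22 \
      --source-ranges "$admin_cidr" --target-tags bastion
  $GCLOUD compute firewall-rules create private-ssh-from-bastion \
      --network "$net" --direction INGRESS --allow tcp:22 \
      --source-tags bastion --target-tags private
}

# Usage (assumed identifiers):
#   AWS=echo aws_restrict_ssh sg-0bastion sg-0private 203.0.113.0/24   # preview
#   aws_restrict_ssh sg-0bastion sg-0private 203.0.113.0/24            # apply
#   aws_find_exposed us-east-1
#   gcp_restrict_ssh prod-vpc 203.0.113.0/24
```

Run the audit function after every change and periodically afterwards: a security group that someone widened to 0.0.0.0/0 "just for a minute" is the most common way a bastion design quietly stops being one.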