11/19/2023 0 Comments Ssh bastion host nfs![]() Privilege sprawl on jump hosts is a massive problem in organizations of all sizes and industries/sectors. Consider triggering an initial data collection script to run periodically and/or when the XDR solution thinks it has detected something (e.g., list all open TCP connections and the owning process so you can see what is communicating with that device, list all user sessions so you know whose credentials may be compromised, etc.) and store the output separately. Log and audit all connections to and from that system and all DNS queries from that system in the same way. Log and audit all activity on the jump host OS (e.g., configuration changes, new local users, powershell script block logging/transcript logging, etc.) and sync those logs off that system in real time. This is the most commonly overlooked need (most orgs seem to be aware of their privilege sprawl issue) and it has a MASSIVE impact on your ability to quickly begin effective investigation and response efforts in the event of an incident (most orgs do NOT seem to be aware of this and it costs them time and meaningful information during incidents). ![]() Wherever possible, use DevOps-friendly solutions for configuration management (think Ansible and Terraform vice Github Actions :) ) and remember that, if you're responding to an incident, you're going to want to suspend all of your jump boxes, retain any storage and their full memory state, and spin up verifiably clean jump boxes so you have confidence in your connections into the environment. If you need to rely on open source endpoint security solutions like Wazuh make sure they integrate nicely with SIEM, SOAR, and remote management. If you need to met regulatory requirements (HIPAA, CMMC, FISMA, PCI, etc.), consider OpenSCAP or whatever paid solution you use for agent-based vuln scans (avoid less intensive solutions that only run unauthenticated scans or network-based audits, they tend to avoid non-CVE vulns that exist in the configuration). If you need a Windows OS, consider hardening kitty as it offers a locally executable option for both hardening and auditing. Consider the jump host capability as a core component of each system/environment/platform/application it's used to access/manage and assess value and risk with all those business processes/functions in mind even though you're using one jump host for each of those use cases because, inevitably, the same template/container/configuration/script will be reused so any misconfigurations will replicate. I think CyberArk has a solution as well but I haven't explored it much.Ĭritically, harden the OS. For multiple jump hosts (or other applications behind a tunnel) there's app launcher as well. ![]() Run the tunnel service in a dedicated container on the same subnet as the jump host then set up the application to restrict access and render SSH or VNC in browser and point it to the jump host. If you need access for fewer than 50 users and only need to facilitate basic interaction (VNC or SSH), consider using a cloudflare tunnel. There's a pattern from MS for using Apache Guacamole and Azure also offers a bastion host service that supports connection through the browser, this pattern does a decent job of showing the concept of a dedicated bastion subnet pretty well. Separately, avoid RDP/SSH as those protocols are most heavily targeted and more difficult to secure. If anything, the number of options listed should tell you how difficult it can be to get things right.Īvoid a persistent OS for jump hosts if possible, deploy a container on demand from your own container registry with only the applications you need for the specific use case. ![]() This is a super common question, it's disappointing to see so many people in your situation with so little awareness of the options (and I'm sure I'm not even touching on many good options here). TL DR: Kasm, Apache Guacamole, Azure Bastion, and Cloudflare Tunnels are all viable options least functionality/least privilege, OS hardening, require phish-resistant MFA, automated vuln scans, redeployments, and audits frequently.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |