The Bastion Server That Isn't There ... Joshua Kite

•Télécharger en tant que PPTX, PDF•

0 j'aime•954 vues

The standard approach to setting up a bastion server (or jump box) has enough weaknesses already. Managing secure access to your VPC's for hundreds of users and hundreds of servers increases these exponentially. I found the available solutions lacking. Here I briefly cover the issues and present a working production solution immutably deploying ssh bastion access as a stateless service on AWS, managed entirely with Terraform - no build chain, no registries, no secrets management and instantaneous access. The result is a bastion server that isn't there, until the moment a user calls for it and then it can be their special snowflake, just for them, briefly, until it's gone.

Technologie

The Bastion Server That Isn’t
There
- Providing scalable secure access as a
stateless service with Terraform on AWS
Joshua Kite

About me:
Joshua Kite -
See my website for links, contact, etc:
www.joshuakite.co.uk
Site Reliability Engineer @ DAZN ‘The Netflix of sport’

A Word of thanks
I would like to thank the people who have helped to make this idea a reality and
supported this presentation:
Mike Bristow, Senior Engineer at NeuLion
Piotr Jaromin, Software Engineer; Marco Crivellaro System Architect;
Rick Burgess SRE Manager; Simon Coutts Head of Development at DAZN

What is the problem
that we are solving?

New Bastion server
New Bastion server is like:

<PIcture> ‘no face’ before and after
Old Bastion server is like:

So what solutions are
already out there?

Gravitational Teleport
http://gravitational.com/teleport

Aker
https://github.com/aker-gateway/Aker

Third party IAM solutions
Some install as a standalone binary, e.g.
https://keymaker.readthedocs.io/en/latest/ (Python)
Some are intended as a script to install a dedicate
server on EC2, e.g. https://github.com/widdix/aws-ec2-
ssh (Python; Bash)

“Take CVS as an example of what not to do; if
in doubt, make the exact opposite decision.”
- Linus on the Git design philosophy

So what do we aim
for (apart from the
above)?

That’s great for
RDS But my
services are on
ECS, not EC2!

So what does this look like to my user?
To reach bastion:
ssh-add ~/.ssh/billybob.rsa
ssh billybob@yourbastionservice.com
To reach ecs host:
ssh -J billybob@yourbastionservice.com billybob@yourecshost

What does the code look like?
You can use the community module directly or review on Github
● registry.terraform.io/modules/joshuamkite/ssh-bastion-service/aws
● github.com:joshuamkite/terraform-aws-ssh-bastion-service.git

Code Features
● What it doesn’t do is almost as important as what it does do.

reflections
Since the bastion service host is not running anything interesting besides the
dockerised service it doesn’t really matter if our users can see metadata and we
aren’t overly worried about a guest escape
Unlike a traditional bastion server our users are protected from ssh socket
stealing identity impersonation
Ssh host key is a conscious choice
Pull requests are welcome!

Thanks!
Questions?
Joshua Kite
www.joshuakite.co.uk

Contenu connexe

Plus de Michael Man

Chris Rutter: Avoiding The Security Brick

Michael Man

Extract: DevSecOps - London Gathering (March 2019)

Michael Man

Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...

Michael Man

Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...

Michael Man

Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...

Michael Man

Rolling slides to kick of the event. *** Description of the main talk *** Threat Modelling can be a laborious and time-consuming exercise, which is not a happy marriage with CI and DevOps methodologies. In this talk, I shall outline my Rapid Threat Model Prototyping paradigm, which I have successfully been using both at Visa and Photobox. My method enables automation and inclusion into fast-moving development cycles and is well-suited for today's IT environments.

August 2018: DevSecOps - London Gathering

Michael Man

DevSecOps - London Gathering : June 2018

Michael Man

Information Security departments often view containers as challenging to manage (code moves too fast for risk analysis, thousands of containers with limited visibility or control). Government organizations such as NIST have come out with guidelines for Application Container Security, while serverless technologies such as Azure Container Instances or AWS Fargate create additional challenges regarding how security risks are managed.

Continuous Security: From tins to containers - now what!

Michael Man

The mechanics behind how attackers exploit simple programming mistakes ...

Michael Man

Secret Management Journey - In the beginning there was a file and it contained all the passwords in the plain text, but then someone stole all the passwords, so we don't do that anymore. In this talk I will explore how secret management has evolved over the years, what is the common path to maturity, what good looks like and why "Just use HashiCorp Vault" is a good heuristic. Explore with me the perils of storing secrets in Jenkins, how ansible-vault leads to disasters and where does CyberArk Conjur sit in all of this.

Secret Management Journey - Here Be Dragons aka Secret Dragons

Michael Man

DevSecOps March 2018 - Extract

Michael Man

DevSecOps The Evolution of DevOps

Michael Man

Dynaminet -DevSecOps

Michael Man

DevSecOps: Test Automation

Michael Man

Project management experience security in agile 1309

Michael Man

Plus de Michael Man (15)

Chris Rutter: Avoiding The Security Brick

Extract: DevSecOps - London Gathering (March 2019)

Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...

Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...

Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...

August 2018: DevSecOps - London Gathering

DevSecOps - London Gathering : June 2018

Continuous Security: From tins to containers - now what!

The mechanics behind how attackers exploit simple programming mistakes ...

Secret Management Journey - Here Be Dragons aka Secret Dragons

DevSecOps March 2018 - Extract

DevSecOps The Evolution of DevOps

Dynaminet -DevSecOps

DevSecOps: Test Automation

Project management experience security in agile 1309

Dernier

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Histor y of HAM Radio presentation slide

vu2urc

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Handwritten Text Recognition for manuscripts and early printed texts

Maria Levchenko

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Enterprise Knowledge’s Urmi Majumder, Principal Data Architecture Consultant, and Fernando Aguilar Islas, Senior Data Science Consultant, presented "Driving Behavioral Change for Information Management through Data-Driven Green Strategy" on March 27, 2024 at Enterprise Data World (EDW) in Orlando, Florida. In this presentation, Urmi and Fernando discussed a case study describing how the information management division in a large supply chain organization drove user behavior change through awareness of the carbon footprint of their duplicated and near-duplicated content, identified via advanced data analytics. Check out their presentation to gain valuable perspectives on utilizing data-driven strategies to influence positive behavioral shifts and support sustainability initiatives within your organization. In this session, participants gained answers to the following questions: - What is a Green Information Management (IM) Strategy, and why should you have one? - How can Artificial Intelligence (AI) and Machine Learning (ML) support your Green IM Strategy through content deduplication? - How can an organization use insights into their data to influence employee behavior for IM? - How can you reap additional benefits from content reduction that go beyond Green IM?

Driving Behavioral Change for Information Management through Data-Driven Gree...

Enterprise Knowledge

GenCyber Cyber Security Day Presentation

Michael W. Hawkins

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

Advantages of Hiring UIUX Design Service Providers for Your Business

Pixlogix Infotech

Dernier (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors

🐬 The future of MySQL is Postgres 🐘

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Artificial Intelligence: Facts and Myths

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Histor y of HAM Radio presentation slide

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

AWS Community Day CPH - Three problems of Terraform

Boost PC performance: How more available memory can improve productivity

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Handwritten Text Recognition for manuscripts and early printed texts

Apidays New York 2024 - The value of a flexible API Management solution for O...

Driving Behavioral Change for Information Management through Data-Driven Gree...

GenCyber Cyber Security Day Presentation

A Year of the Servo Reboot: Where Are We Now?

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

A Domino Admins Adventures (Engage 2024)

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Advantages of Hiring UIUX Design Service Providers for Your Business

The Bastion Server That Isn't There ... Joshua Kite

1. The Bastion Server That Isn’t There - Providing scalable secure access as a stateless service with Terraform on AWS Joshua Kite

2. About me: Joshua Kite - See my website for links, contact, etc: www.joshuakite.co.uk Site Reliability Engineer @ DAZN ‘The Netflix of sport’

3. A Word of thanks I would like to thank the people who have helped to make this idea a reality and supported this presentation: Mike Bristow, Senior Engineer at NeuLion Piotr Jaromin, Software Engineer; Marco Crivellaro System Architect; Rick Burgess SRE Manager; Simon Coutts Head of Development at DAZN

4. What is the problem that we are solving?

5. New Bastion server New Bastion server is like:

6. <PIcture> ‘no face’ before and after Old Bastion server is like:

7. So what solutions are already out there?

8. Bastions on steroids

9. Gravitational Teleport http://gravitational.com/teleport

10. Aker https://github.com/aker-gateway/Aker

11. Pritunl Zero https://zero.pritunl.com/

12. Third party IAM solutions Some install as a standalone binary, e.g. https://keymaker.readthedocs.io/en/latest/ (Python) Some are intended as a script to install a dedicate server on EC2, e.g. https://github.com/widdix/aws-ec2- ssh (Python; Bash)

13.

14. What are our limitations?

15. “Take CVS as an example of what not to do; if in doubt, make the exact opposite decision.” - Linus on the Git design philosophy

16. Ikebana (生け花, "living flowers")

17.

18.

19.

20.

21.

22.

23. So what do we aim for (apart from the above)?

24. So what is our solution?

25. But how do we control our instances?

26. But what are users logging in with?

27. Deployment

28.

29. That’s great for RDS But my services are on ECS, not EC2!

30. But I use AWS organisations!

31. So what does this look like to my user? To reach bastion: ssh-add ~/.ssh/billybob.rsa ssh billybob@yourbastionservice.com To reach ecs host: ssh -J billybob@yourbastionservice.com billybob@yourecshost

32.

33.

34.

35. Version history

36. What does the code look like? You can use the community module directly or review on Github ● registry.terraform.io/modules/joshuamkite/ssh-bastion-service/aws ● github.com:joshuamkite/terraform-aws-ssh-bastion-service.git

37. Code Features ● What it doesn’t do is almost as important as what it does do.

38. Demo

39. reflections Since the bastion service host is not running anything interesting besides the dockerised service it doesn’t really matter if our users can see metadata and we aren’t overly worried about a guest escape Unlike a traditional bastion server our users are protected from ssh socket stealing identity impersonation Ssh host key is a conscious choice Pull requests are welcome!

40. Yes DAZN is hiring!

41. Thanks! Questions? Joshua Kite www.joshuakite.co.uk

The Bastion Server That Isn't There ... Joshua Kite

Recommandé

Recommandé

Contenu connexe

Plus de Michael Man

Plus de Michael Man (15)

Dernier

Dernier (20)

The Bastion Server That Isn't There ... Joshua Kite