Wednesday, February 19, 2020

jump box


  • A jump box is a system set up with multi-factor authentication (MFA), usually placed in a network DMZ, with very restricted access to the corporate network and no outbound Internet access for any protocol. In other words, the jump box has only one path in, via SSH, and no other protocols are allowed outbound to the Internet or into the corporate network.

Since the jump box resides in the DMZ or another network that can be accessed via the Internet, great care should be taken to ensure its security by applying patches and updates as soon as they are made available. Additionally, the jump box shouldn’t host any protocols except for SSHD. The jump box has a single purpose as an SSH gateway into the corporate network. The only exception is for MFA purposes. Some MFA solutions require Internet access or at least some method of communicating with an authentication service inside the network. Time-based solutions are more secure, but any MFA solution is more secure than simple passwords alone.
No accounts on the jump box system should be accessible without using MFA unless it is a console login. The most secure type of MFA is to require that each user have a physical token such as a hardware token, which is a device that generates random numbers or alphanumeric sequences.
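A quick way to confirm that a jump box's sshd actually enforces the rules above (MFA on every login, no password or root logins, no forwarding channels beyond what a ProxyJump hop needs) is to audit its sshd_config. The following is an added example written for this page, not code from the original post or from OpenSSH; the baseline keywords and the two sample configs are assumptions chosen for the illustration, and only the global section (not Match blocks) is checked.

```python
"""Audit an OpenSSH sshd_config against the jump-box baseline described above.

sshd keeps the FIRST value it reads for each keyword and ignores later
duplicates, so the audit applies the same first-match rule; otherwise it
could report a setting the daemon never uses.  Lines inside Match blocks
are skipped, so only the global section is checked.
"""

# Baseline chosen for this example (not settings quoted from the post):
# keyword (lowercased) -> acceptable values, compared case-insensitively.
BASELINE = {
    # every login needs a public key AND a keyboard-interactive (PAM/MFA) step
    "authenticationmethods": {"publickey,keyboard-interactive"},
    "kbdinteractiveauthentication": {"yes"},  # ChallengeResponseAuthentication on older releases
    "usepam": {"yes"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "permitrootlogin": {"no"},
    # the admin's private key stays on the workstation (ssh -J / ProxyJump),
    # so the jump box never needs an agent socket, X11 or tun channels
    "allowagentforwarding": {"no"},
    "x11forwarding": {"no"},
    "permittunnel": {"no"},
}


def parse_sshd_config(text):
    """Return {keyword: first value} for the global section of an sshd_config."""
    effective = {}
    in_match_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match_block = True      # everything from here to EOF belongs to Match blocks
            continue
        if not in_match_block:
            effective.setdefault(keyword, value)   # first occurrence wins, as in sshd
    return effective


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config meets BASELINE."""
    cfg = parse_sshd_config(text)
    findings = []
    for keyword, acceptable in BASELINE.items():
        value = cfg.get(keyword)
        if value is None:
            findings.append(f"{keyword}: not set, sshd default applies")
        elif value.lower() not in acceptable:
            findings.append(f"{keyword}: is '{value}', expected {sorted(acceptable)}")
    # A gateway needs TCP forwarding for ProxyJump, but the targets must be
    # pinned to the internal SSH servers; sshd's default PermitOpen is 'any'.
    if cfg.get("allowtcpforwarding", "yes").lower() in ("yes", "local") \
            and cfg.get("permitopen", "any").lower() == "any":
        findings.append("permitopen: any, restrict forwarding to internal SSH targets")
    return findings


# Constructed sample configs for the demonstration.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

HARDENED_CONFIG = """\
Port 22
AuthenticationMethods publickey,keyboard-interactive
KbdInteractiveAuthentication yes
UsePAM yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
AllowTcpForwarding yes
PermitOpen 10.0.5.20:22 10.0.5.21:22
# a later duplicate is ignored by sshd, and therefore by this audit
PermitRootLogin yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit_sshd_config(text)
        print(f"{name}: {len(problems)} finding(s)")
        for problem in problems:
            print("  -", problem)
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`; the weak sample yields ten findings and the hardened sample none, including the trailing `PermitRootLogin yes`, which sshd never applies because an earlier line already set the keyword.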
Additional Security

To further secure your jump servers, you should follow these suggestions:

  • Disable or remove unnecessary protocols, daemons, and services.
  • Never store SSH private keys on the jump server.
  • Configure internal hosts with /etc/hosts.allow and /etc/hosts.deny files to control access.
  • Create at least one secondary (backup) jump box in case of failure.
  • Use a restrictive, host-based firewall for all Linux systems.
  • Set up a service such as Fail2Ban to resist brute-force attacks.
  • Install a minimal distribution option.
  • Set up NAT forwarding to your jump box.
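The hosts.allow / hosts.deny item above has a classic failure mode: libwrap consults hosts.allow first, then hosts.deny, and permits any connection that matches neither file, so an internal host with an allow entry for the jump box but no catch-all line in hosts.deny is still reachable from everywhere. The following added example (not from the original post or from the tcp_wrappers project) evaluates that logic on constructed files; the addresses and the supported pattern subset are assumptions made for the illustration.

```python
"""Evaluate TCP Wrappers access control (hosts.allow / hosts.deny) for one
connection, following libwrap's order: hosts.allow is consulted first, then
hosts.deny, and a client matching neither file is ALLOWED.  That default is
the trap: without a catch-all line in hosts.deny the two files block nothing.

Supported subset (chosen for this example): 'daemon_list : client_list'
lines, the ALL wildcard, exact IPv4 addresses and dotted prefixes such as
'10.0.5.'.  EXCEPT clauses, hostnames and net/mask forms are not handled.
"""


def parse_wrapper_file(text):
    """Return [(daemon_set, [client_patterns]), ...] for hosts.allow/hosts.deny text."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):       # blank lines and comment lines are ignored
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                               # malformed line; real libwrap logs an error
        daemons = {d.strip().lower() for d in fields[0].split(",")}
        clients = [c.strip() for c in fields[1].split(",") if c.strip()]
        rules.append((daemons, clients))           # an optional third field (shell command) is ignored
    return rules


def _client_matches(pattern, addr):
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):                      # dotted network prefix, e.g. 10.0.5.
        return addr.startswith(pattern)
    return addr == pattern


def _file_matches(text, daemon, addr):
    return any(
        ("all" in daemons or daemon.lower() in daemons)
        and any(_client_matches(p, addr) for p in clients)
        for daemons, clients in parse_wrapper_file(text)
    )


def tcpwrap_decision(hosts_allow, hosts_deny, daemon, addr):
    """Return 'allow' or 'deny' for a connection to daemon from addr, in libwrap's order."""
    if _file_matches(hosts_allow, daemon, addr):
        return "allow"
    if _file_matches(hosts_deny, daemon, addr):
        return "deny"
    return "allow"   # no match in either file: libwrap permits the connection


# Constructed sample policy for an internal host: accept SSH only from the jump box.
JUMP_BOX_ADDR = "10.0.5.10"                       # constructed address of the jump box
HOSTS_ALLOW = "# the jump box is the only permitted SSH source\nsshd: 10.0.5.10\n"
HOSTS_DENY_CATCH_ALL = "ALL: ALL\n"
HOSTS_DENY_FORGOTTEN = ""                         # hosts.deny was never populated

if __name__ == "__main__":
    for deny, label in ((HOSTS_DENY_CATCH_ALL, "with catch-all"),
                        (HOSTS_DENY_FORGOTTEN, "without catch-all")):
        for src in (JUMP_BOX_ADDR, "10.0.7.44"):
            verdict = tcpwrap_decision(HOSTS_ALLOW, deny, "sshd", src)
            print(f"{label}: sshd from {src} -> {verdict}")
```

With the catch-all present only the jump box reaches sshd; with hosts.deny empty the same hosts.allow file changes nothing. Upstream OpenSSH removed libwrap support in release 6.7, so before relying on these files confirm that your distribution's sshd still links against libwrap (`ldd "$(command -v sshd)" | grep libwrap`), or enforce the same source restriction in the host-based firewall from the list above.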
VMs as Jump Boxes
A quick Internet search for “jump box” yields quite a few results for deploying jump boxes for Amazon Web Service (AWS) environments.
An additional layer of security is to limit the amount of time the jump box is available for use, which is easier when the jump box is a VM that can be powered on only when an administrator needs it.
Summary
A jump box’s sole purpose is to provide an SSH gateway into your internal network for administrators, and it should be made as secure as possible.
http://www.linux-magazine.com/Online/Features/Jump-Box-Security
