MultiCloud Classroom notes 05/Jan/2025

AWS Networking

Bastion Host and Jump Box

Bastion hosts and jump boxes serve as critical components in network security, particularly for managing access to private networks from untrusted environments. Here’s a detailed explanation of both concepts:

Bastion Host

A bastion host is a dedicated server designed to withstand attacks and provide secure access to a private network from an untrusted one, such as the Internet. It is strategically positioned at the network’s perimeter, typically outside a firewall or within a demilitarized zone (DMZ) [1][5]. This setup ensures that the internal network remains shielded while offering a controlled entry point for remote access.

Key Features of Bastion Hosts

  • Hardened Security: Bastion hosts are configured with minimal services to reduce vulnerabilities. They often run only essential applications, such as SSH (Secure Shell) or RDP (Remote Desktop Protocol), and are fortified against common cyber threats [3][5].
  • Access Control: Access to a bastion host is tightly controlled, often requiring multi-factor authentication (MFA). This ensures that only authorized users can connect [5].
  • Logging and Monitoring: All activities on the bastion host are logged, allowing security teams to monitor for suspicious behavior and respond to potential threats promptly [4][5].

Use Cases

Bastion hosts are commonly used for:
– Remote administration of servers.
– Secure access to cloud infrastructure.
– Providing remote support.
– Managing secure connections to internal systems from remote locations [3][4].

Jump Box

The term jump box is often used interchangeably with bastion host, though it can imply a slightly different focus. A jump box also serves as an intermediary between an external network and a private network, facilitating secure connections.

Key Characteristics of Jump Boxes

  • Proxy Functionality: A jump box acts as a proxy server, allowing clients to connect securely to other instances within a private subnet. It effectively bridges the gap between public and private networks [6].
  • Enhanced Security: Like bastion hosts, jump boxes are typically hardened and configured to minimize attack surfaces. They serve as the only point of entry into more sensitive areas of the network [2][6].

Use Cases

Jump boxes are particularly useful in scenarios where:
– Direct access to internal resources from the Internet is not permitted.
– Secure SSH connections are required without exposing internal systems directly.

Conclusion

Both bastion hosts and jump boxes play essential roles in enhancing network security by controlling access and minimizing exposure to threats. They act as gatekeepers, ensuring that only authorized users can reach sensitive resources while maintaining robust monitoring and logging capabilities for security oversight.

Citations:
[1] https://en.wikipedia.org/wiki/Bastion_host
[2] https://nordlayer.com/blog/bastion-host/
[3] https://www.pomerium.com/glossary/bastion-host
[4] https://www.goodaccess.com/blog/what-is-a-bastion-host
[5] https://maddevs.io/glossary/bastion-host/
[6] https://www.geeksforgeeks.org/what-is-aws-bastion-host/

Enabling internet access to private subnets

  • To enable internet access for a private subnet, create a NAT Gateway in a public subnet with a public IP address (an Elastic IP).
  • Configure the private subnet's route table to forward traffic for 0.0.0.0/0 to the NAT Gateway.
  • A NAT Gateway is a chargeable resource.
  • For the creation steps, watch the classroom recording.
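The route lookup and the one-way nature of the NAT Gateway, as an added Python model (this is not AWS code and not from the classroom recording). The route tables, the 10.0.0.0/16 VPC range, the TEST-NET addresses and the `igw-PLACEHOLDER` / `nat-PLACEHOLDER` targets are all constructed for the example; the point it shows is that the 0.0.0.0/0 route sends only non-VPC traffic to the NAT Gateway (longest prefix wins), and that the gateway delivers a packet arriving at its Elastic IP only when a private instance opened that flow first.

```python
from ipaddress import ip_address, ip_network

# Constructed route tables modelled on the notes above (targets are placeholders, not real AWS ids).
PUBLIC_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-PLACEHOLDER"}
PRIVATE_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-PLACEHOLDER"}


def lookup(route_table, dst_ip):
    """Return the target of the most specific matching route (longest prefix wins), or None."""
    best = None
    for cidr, target in route_table.items():
        net = ip_network(cidr)
        if ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


class NatGateway:
    """Minimal stateful NAT: each outbound flow gets a port on the Elastic IP; an inbound
    packet is delivered only if it matches a flow that a private instance opened first."""

    def __init__(self, elastic_ip):
        self.elastic_ip = elastic_ip
        self.flows = {}      # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.reverse = {}    # (public port, remote_ip, remote_port) -> (src_ip, src_port)
        self.next_port = 1024

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outbound flow; returns the (public IP, public port) the Internet sees."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.flows:
            self.flows[key] = self.next_port
            self.reverse[(self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        return (self.elastic_ip, self.flows[key])

    def inbound(self, remote_ip, remote_port, public_port):
        """Private (ip, port) for a packet arriving at the Elastic IP, or None if unsolicited."""
        return self.reverse.get((public_port, remote_ip, remote_port))


def demo():
    """Trace one outbound DNS flow from the private subnet and one unsolicited inbound attempt."""
    nat = NatGateway("192.0.2.10")      # constructed Elastic IP (TEST-NET-1)
    app_ip = "10.0.2.15"                # constructed instance in the private subnet
    result = {
        "app->8.8.8.8 route": lookup(PRIVATE_RT, "8.8.8.8"),
        "app->10.0.1.5 route": lookup(PRIVATE_RT, "10.0.1.5"),
        "web->8.8.8.8 route": lookup(PUBLIC_RT, "8.8.8.8"),
    }
    seen_by_internet = nat.outbound(app_ip, 40000, "8.8.8.8", 53)
    result["internet sees"] = seen_by_internet
    result["reply delivered to"] = nat.inbound("8.8.8.8", 53, seen_by_internet[1])
    # A connection attempt to port 22 on the Elastic IP has no matching flow, so it is dropped.
    result["unsolicited ssh"] = nat.inbound("198.51.100.7", 4444, 22)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `unsolicited ssh` entry is the reason a NAT Gateway gives a private subnet internet access without making it reachable: without a state entry created from the inside, there is nothing to translate the inbound packet to.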

Azure Networking

  • A virtual network in Azure by default gets inbound and outbound connectivity to the internet.
  • A virtual machine with a public IP address can be accessed from the internet; a VM without a public IP address cannot.

Creating a virtual network

  • Create a network with two subnets (refer to the classroom video for screenshots)
  • Create a VM with a public IP in the Web subnet
  • Create a VM without a public IP in the App subnet

Filtering network traffic

  • When we run resources in the network, we restrict network access and open only what is necessary.
  • To filter network traffic at this level, we can use:
    • direction:
      • incoming/ingress
      • outgoing/egress
    • ip address:
      • source ip for incoming/ingress
      • destination ip for outgoing/egress
    • protocol:
      • tcp
      • udp
      • icmp
    • port: every system has ports from 0 to 65535 (refer to the list of well-known ports)

AWS

  • AWS has two components for filtering network traffic:
    • Network ACL (NACL)
    • Security Group
  • A NACL acts at the subnet level, whereas a security group acts at the network interface level.
  • Both NACLs and security groups have incoming and outgoing rules.
  • Every VPC comes with a default NACL that has a rule allowing all incoming and all outgoing traffic; by default this NACL is associated with all subnets.

Security Group

  • A security group has only allow rules.
  • Anything not explicitly allowed by a rule is denied (implicit deny).
  • While writing rules we can use:
    • ip address
    • port
    • protocol
  • Lab stuff (watch the classroom recording):
    • enabling icmp
  • We can attach multiple security groups to one network interface.

Network ACL

  • Works at the subnet level
  • A NACL has both allow and deny rules
  • So, to make this work, every rule has a priority
  • We have two types of rules:
    • incoming rules
    • outgoing rules
  • In AWS every rule has a number; the lower the number, the higher the priority
  • Ensure there are numbers left for future use:
    • Never start at 1
    • If you have multiple rules, leave some numbers between them
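The security-group and NACL semantics in the two sections above, applied to the bastion/jump-box layout from the start of the notes, as an added Python model (this is not AWS code and not the lab from the recording). Everything in it is constructed: the 10.0.0.0/16 VPC, the TEST-NET ranges used as "admin office" and "Internet" addresses, and the rule sets. It only models packet filtering, not routing, and it treats the NACL rules as stateless and the security-group rules as stateful, which is why the public NACL needs an explicit rule for return traffic and the security groups do not.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    protocol: str          # "tcp", "udp", "icmp" or "all"
    port_from: int         # port range; ignored for icmp/all
    port_to: int
    source: str            # CIDR, or "sg:<name>" to reference another security group
    action: str = "allow"  # NACL rules may be "deny"; security-group rules are always "allow"
    number: int = 0        # NACL rule number: lower number = higher priority


@dataclass
class Packet:
    src_ip: str
    protocol: str
    dst_port: int = 0
    src_sgs: tuple = ()    # security groups attached to the sender's network interface


def rule_matches(rule, pkt):
    if rule.protocol not in ("all", pkt.protocol):
        return False
    if rule.protocol in ("tcp", "udp") and not rule.port_from <= pkt.dst_port <= rule.port_to:
        return False
    if rule.source.startswith("sg:"):
        return rule.source[3:] in pkt.src_sgs
    return ip_address(pkt.src_ip) in ip_network(rule.source)


def security_groups_allow(groups, pkt):
    """Security-group semantics: allow-only, all attached groups are unioned, no match = deny."""
    return any(rule_matches(r, pkt) for group in groups for r in group)


def nacl_allows(rules, pkt):
    """NACL semantics: rules evaluated in ascending number, first match decides, then implicit deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if rule_matches(r, pkt):
            return r.action == "allow"
    return False


def reachable(nacl_rules, groups, pkt):
    """An inbound packet must pass the subnet NACL and then the interface's security groups."""
    return nacl_allows(nacl_rules, pkt) and security_groups_allow(groups, pkt)


# Constructed topology: bastion in the public subnet, app server in the private subnet.
VPC_CIDR = "10.0.0.0/16"
ADMIN_CIDR = "203.0.113.0/24"              # constructed office egress range (TEST-NET-3)
BLOCKED_ADMIN_HOST = "203.0.113.66/32"     # constructed: one host in ADMIN_CIDR we want denied

PUBLIC_NACL = [
    Rule("tcp", 22, 22, BLOCKED_ADMIN_HOST, "deny", 50),   # needs a lower number than the allow below
    Rule("tcp", 22, 22, ADMIN_CIDR, "allow", 100),
    Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 200),   # NACLs are stateless: admit return traffic
]
PRIVATE_NACL = [Rule("all", 0, 0, VPC_CIDR, "allow", 100)]  # nothing from outside the VPC

BASTION_SG = [Rule("tcp", 22, 22, ADMIN_CIDR)]
APP_SG = [Rule("tcp", 22, 22, "sg:bastion"),   # SSH only via the jump box
          Rule("icmp", 0, 0, VPC_CIDR)]        # the "enabling icmp" lab: ping from inside the VPC


def check_paths():
    """Evaluate the access paths the notes describe; True means the packet is admitted."""
    via_bastion = ("bastion",)
    return {
        "admin->bastion:22": reachable(PUBLIC_NACL, [BASTION_SG], Packet("203.0.113.10", "tcp", 22)),
        "blocked-host->bastion:22": reachable(PUBLIC_NACL, [BASTION_SG], Packet("203.0.113.66", "tcp", 22)),
        "internet->bastion:22": reachable(PUBLIC_NACL, [BASTION_SG], Packet("198.51.100.7", "tcp", 22)),
        "internet->app:22": reachable(PRIVATE_NACL, [APP_SG], Packet("198.51.100.7", "tcp", 22)),
        "bastion->app:22": reachable(PRIVATE_NACL, [APP_SG], Packet("10.0.1.10", "tcp", 22, via_bastion)),
        "bastion->app:80": reachable(PRIVATE_NACL, [APP_SG], Packet("10.0.1.10", "tcp", 80, via_bastion)),
        "vpc->app:icmp": reachable(PRIVATE_NACL, [APP_SG], Packet("10.0.1.10", "icmp")),
    }


def deny_shadowed_by_lower_number():
    """Same deny rule, but numbered 150 (after the allow at 100): the allow wins and the deny never fires."""
    misordered = [Rule("tcp", 22, 22, BLOCKED_ADMIN_HOST, "deny", 150),
                  Rule("tcp", 22, 22, ADMIN_CIDR, "allow", 100)]
    return nacl_allows(misordered, Packet("203.0.113.66", "tcp", 22))


if __name__ == "__main__":
    for path, allowed in check_paths().items():
        print(f"{path}: {'allowed' if allowed else 'denied'}")
    print("misordered deny still blocks the host:", not deny_shadowed_by_lower_number())
```

Two things worth noticing when running it: `internet->app:22` is denied even though the app security group has an SSH rule, because that rule's source is the bastion's security group rather than an IP range; and `deny_shadowed_by_lower_number()` returns True, which is the "lower number, higher priority" point from the NACL section in action.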

Azure

  • Azure has the Network Security Group (NSG), which can be applied both at the network interface level and at the subnet level.
  • An NSG has both allow and deny rules, and every rule has a priority
  • We have two types of rules:
    • incoming rules
    • outgoing rules
  • Every rule has a number; the lower the number, the higher the priority
  • Ensure there are numbers left for future use:
    • Never start at 100
    • If you have multiple rules, leave some numbers between them
  • Refer to the official docs
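The numbering advice given for both AWS NACLs and Azure NSGs above ("never start at the lowest number, leave gaps"), as an added Python check that is not part of the notes or of either vendor's tooling. The two valid ranges come from the AWS and Azure documentation (NACL rule numbers 1 to 32766, custom NSG priorities 100 to 4096); the `min_gap` and `step` defaults are this example's own choice.

```python
# Valid ranges for rule numbers / priorities (from the AWS and Azure documentation).
NACL_RULE_RANGE = (1, 32766)       # AWS network ACL rule numbers
NSG_PRIORITY_RANGE = (100, 4096)   # Azure NSG custom-rule priorities


def numbering_issues(numbers, valid_range, min_gap=10):
    """Return a list of problems with a set of rule numbers; an empty list means the numbers
    are in range, have no duplicates, do not start at the lowest allowed value, and leave
    at least `min_gap` unused numbers between neighbours so rules can be inserted later."""
    lo, hi = valid_range
    issues = []
    for n in numbers:
        if not lo <= n <= hi:
            issues.append(f"{n} is outside the valid range {lo}-{hi}")
    ordered = sorted(n for n in numbers if lo <= n <= hi)
    if ordered and ordered[0] == lo:
        issues.append(f"first rule uses {lo}, the lowest allowed number; nothing can go before it")
    for a, b in zip(ordered, ordered[1:]):
        if a == b:
            issues.append(f"duplicate number {a}")
        elif b - a < min_gap:
            issues.append(f"rules {a} and {b} leave only {b - a - 1} free numbers between them")
    return issues


def suggest_next(numbers, valid_range, step=100):
    """Suggest the next number to append after the existing ones, keeping a fixed spacing,
    or None when the range is exhausted."""
    lo, hi = valid_range
    candidate = max(numbers) + step if numbers else lo + step
    return candidate if candidate <= hi else None


if __name__ == "__main__":
    # Constructed rule sets: one well spaced, one that breaks every piece of advice.
    for label, nums, rng in [("nacl-good", [100, 200, 300], NACL_RULE_RANGE),
                             ("nacl-bad", [1, 2, 3], NACL_RULE_RANGE),
                             ("nsg-starts-at-100", [100, 200], NSG_PRIORITY_RANGE),
                             ("nsg-out-of-range", [200, 5000], NSG_PRIORITY_RANGE)]:
        print(label, numbering_issues(nums, rng) or "ok", "next:", suggest_next(nums, rng))
```

Running the check before adding a rule is a cheap way to avoid the situation the notes warn about, where the only free numbers sit after a rule that must stay last.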

By continuous learner