  • Cloud Village
  • 2020-08-15
  • 278
21 Jump Server: Going Bastionless in the Cloud - Colin Estep (DEF CON Cloud Village)

Slides: https://www.slideshare.net/cestep/def...
Related Blog: https://www.netskope.com/blog/leaving...

Speaker: Colin Estep is currently a threat researcher at Netskope focused on AWS and GCP. Colin was previously the CSO at Sift Security (acquired by Netskope), where he helped move the product towards breach detection for IaaS. He was a senior engineer on the security teams at Netflix and Apple before joining Sift. He was also an FBI agent specializing in cybercrime, where he spent a fair amount of time coordinating with other countries to locate and arrest malware authors and botnet operators.

Twitter: /colinestep

Abstract: If you are a customer of AWS, Azure, or GCP, you may have deployed your own bastion hosts to provide RDP or SSH access to your virtual machines. While bastions help to protect your infrastructure, there are challenges that come along with them, such as managing the identities, obtaining logs, and preventing SSH multiplexing attacks.

In this talk, we will briefly review bastion hosts and some of their shortcomings, as well as the SSH multiplexing attack. The SSH multiplexing attack uses a feature of SSH to pivot from a compromised laptop to your bastion hosts. From there, the attacker could use this feature to compromise other users and gain access to your virtual machines hosted in the cloud.

Finally, we’ll show you services that provide access to your virtual machines in all three major cloud providers that eliminate the need for bastion hosts. Some providers have more than one alternative. However, this presentation will not present all of the alternatives. It is focused on the services that generally take the following approach:

  • Users authenticate to the access service with their Identity and Access Management (IAM) credentials for the cloud provider.
  • Once authenticated, the cloud service creates an encrypted tunnel with port forwarding, which runs SSH or RDP for the user.

The benefits of this approach include:

  • Public IP addresses are not required in order to access the virtual machines.
  • It eliminates the possibility of compromising an entire organization with SSH multiplexing attacks.
  • In some cases, disabling a user’s IAM credentials also removes SSH or RDP access.
  • Cloud audit logs will capture metadata for RDP or SSH sessions, and in some cases, full session logs are easy to collect through the provider’s service.

We’ll cover Session Manager in AWS, OS Login and Identity-Aware Proxy (IAP) in GCP, and the Bastion Service in Azure. You’ll see how the services work, how they help with identity management, and where to find the SSH sessions in logs.

If you are migrating to any of these platforms, this could save you from having to go through the pain of deploying your own solutions!


--

Cloud Village is an open space to meet folks interested in offensive and defensive aspects of cloud security. The village is home to various activities like talks, workshops, CTFs and discussions targeted around cloud services.

If you are a professional who is looking to gain knowledge on securely maintaining the cloud stack and loves to be around like-minded security folks who share a similar zeal for the community, Cloud Village is the perfect place for you.

Website: https://cloud-village.org/
Twitter: /cloudvillage_dc
