Linux Lab Project: Building a Linux Jump Box
-
@NashBrydges said in Linux Lab Project: Building a Linux Jump Box:
So, help me understand the use-case scenarios where a jump box is more beneficial than VPN to the environment.
VPNs expose systems to both direct attack as well as to an open range of attacks. A jump box need only expose a single protocol either way. A VPN is inherently only useful if LAN security is in place, the point of the jump box is to eliminate that need for that.
Of course a jump box has risks, nothing is riskless. But the degree of risk is very different. For example, there is no extent malware through through jump boxes today, but essentially all are a threat through VPNs.
-
@NashBrydges said in Linux Lab Project: Building a Linux Jump Box:
I've read other threads on this forum dating back to 2015 about building and using a jump box but I never truly understood why one would prefer this over VPN. The assumption at this point is that I'm missing some critical element that would explain why this over VPN.
Flip it around... if a jump box gives you access to what you need, and a VPN gives you that access plus a lot of access that you don't need, that's a larger attack surface. Unless the VPN is bringing benefits additional to the jump system, that alone is a negative.
What's the benefit to the VPN approach?
-
@NashBrydges said in Linux Lab Project: Building a Linux Jump Box:
Hmmmm, so is the use-case then to have 1 single very secured entry point and then not require sign-on for other systems? While that may make it easier to traverse the security layers, this would essentially remove one of those layers (the second system sign-on). Am I misunderstanding this?
Correct, that's one option. Or you could use it in additional to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access to protocols like SSH or RDP to have to originate from a single source. That source can then be heavily locked down, monitored and controlled.
In this way, your exposure protocols can be much more limited and your ability to control access is much greater. You can shut off access to a single person, or even everyone, in a split second. You can audit every connection attempt that could have made it. You can see all actions in a central location.
-
So a Jump system can be about smoothing access to make it faster. Or it can be amount making access more secure. Or both.
It is, in many ways, about eliminating the free for all of access that is common with a VPN where you traditionally have many peers all able to access each other making access difficult to track and control.
Which is why large shops traditionally use a jump box even on a LAN. So even if you had a VPN, you might still have the jump box.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
So a Jump system can be about smoothing access to make it faster. Or it can be amount making access more secure. Or both.
It is, in many ways, about eliminating the free for all of access that is common with a VPN where you traditionally have many peers all able to access each other making access difficult to track and control.
Which is why large shops traditionally use a jump box even on a LAN. So even if you had a VPN, you might still have the jump box.
I had started typing out an entirely different response with scenarios comparing VPN and jump box and wasn't until the end that I saw where the jump box approach may be much simpler. It avoids having to manipulate multiple systems to provide a similar level of control (if I understood this correctly) over accessibility. Manage a single jump box instead of VPN, firewall, entity/authentication management...etc.
-
@NashBrydges said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
So a Jump system can be about smoothing access to make it faster. Or it can be amount making access more secure. Or both.
It is, in many ways, about eliminating the free for all of access that is common with a VPN where you traditionally have many peers all able to access each other making access difficult to track and control.
Which is why large shops traditionally use a jump box even on a LAN. So even if you had a VPN, you might still have the jump box.
I had started typing out an entirely different response with scenarios comparing VPN and jump box and wasn't until the end that I saw where the jump box approach may be much simpler. It avoids having to manipulate multiple systems to provide a similar level of control (if I understood this correctly) over accessibility. Manage a single jump box instead of VPN, firewall, entity/authentication management...etc.
Correct. Now of course you can do some work with a VPN to make it kind of mimic a jump box. But it would be more work and still doesn't gap quite as well. VPNs have the advantage of allowing a direct connection. But that is part of what we are trying to avoid in many cases.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
@NashBrydges said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
So a Jump system can be about smoothing access to make it faster. Or it can be amount making access more secure. Or both.
It is, in many ways, about eliminating the free for all of access that is common with a VPN where you traditionally have many peers all able to access each other making access difficult to track and control.
Which is why large shops traditionally use a jump box even on a LAN. So even if you had a VPN, you might still have the jump box.
I had started typing out an entirely different response with scenarios comparing VPN and jump box and wasn't until the end that I saw where the jump box approach may be much simpler. It avoids having to manipulate multiple systems to provide a similar level of control (if I understood this correctly) over accessibility. Manage a single jump box instead of VPN, firewall, entity/authentication management...etc.
Correct. Now of course you can do some work with a VPN to make it kind of mimic a jump box. But it would be more work and still doesn't gap quite as well. VPNs have the advantage of allowing a direct connection. But that is part of what we are trying to avoid in many cases.
Right. Thanks for taking the time to walk me through this.
-
Think of a Jump box much like a man trap in a building. Does it keep all threats out? Of course not. But a man trap revolving door never allows the inside and outside air pressures to be directly exposed. A VPN opens the floodgates between two networks allowing things just looking for a route to flood across. It grows the LAN.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Think of a Jump box much like a man trap in a building. Does it keep all threats out? Of course not. But a man trap revolving door never allows the inside and outside air pressures to be directly exposed. A VPN opens the floodgates between two networks allowing things just looking for a route to flood across. It grows the LAN.
Any drawbacks of jump box over VPN?
-
@NerdyDad said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Think of a Jump box much like a man trap in a building. Does it keep all threats out? Of course not. But a man trap revolving door never allows the inside and outside air pressures to be directly exposed. A VPN opens the floodgates between two networks allowing things just looking for a route to flood across. It grows the LAN.
Any drawbacks of jump box over VPN?
Depends, if you WANT full access for other things, then yes. Like a VPN let's you map drives directly to your desktop. Those are things I normally seek to avoid. But, you can't deny that it is handy. A VPN is basically "less security", by moving you back to the LAN-based network security model. It's like the dark side, it's faster and easier, but ultimately it consumes you.
VPNs are fast and easy, no need to really secure things. And then ransomware pwns you.
-
VPNs are handy because you can do things like map a drive or run VoIP over them. But you can do all of those things in other ways too, if needed.
-
With a JumpBox instead of a VPN, you would still be able to administer systems remotely, as if you were in front of the console. But, you would not be able to download files or stream media with a jump box. Am I understanding this correctly?
-
@NerdyDad said in Linux Lab Project: Building a Linux Jump Box:
With a JumpBox instead of a VPN, you would still be able to administer systems remotely, as if you were in front of the console. But, you would not be able to download files or stream media with a jump box. Am I understanding this correctly?
That's correct. And that's an important part of the gapping.
-
Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.
-
I understand that theory is that you setup all your security on the jumpbox and don't worry as much about the other systems... but doesn't a jumpbox provide a single target for penetration? Can't someone who gains access to the jumpbox access every other system that user has access too? I understand that your using keys, and not passwords...
-
@aaronstuder said in Linux Lab Project: Building a Linux Jump Box:
I understand that theory is that you setup all your security on the jumpbox and don't worry as much about the other systems... but doesn't a jumpbox provide a single target for penetration? Can't someone who gains access to the jumpbox access every other system that user has access too? I understand that your using keys, and not passwords...
The general theory should not be Jump security instead of others. It should be in addition to.
-
@aaronstuder said in Linux Lab Project: Building a Linux Jump Box:
I understand that your using keys, and not passwords...
You can use both. Of course if you use the Jump box solely to easy access and not to enhance it, you carry the risk of the Jump box being compromised. But you can mitigate this by increasing the security of the Jump box, adding security between the Jump box and the other hosts or both.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.
As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re up config files. So if I cannot transfer files with SCP, how does this help me?
-
@JaredBusch said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.
As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re up config files. So if I cannot transfer files with SCP, how does this help me?
You can use SCP, SCP is just an extension of the SSH protocol. The Jump box would be an SSH proxy. So you can do that trivially. Is it the recommend way to do this? Not normally, no. Do a lot of us do it because it is easy, yes. But ideally you want your file server to not be the jump box. You can easily make a non-jump file server for that task in another VM.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
@JaredBusch said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.
As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re up config files. So if I cannot transfer files with SCP, how does this help me?
You can use SCP, SCP is just an extension of the SSH protocol. The Jump box would be an SSH proxy. So you can do that trivially. Is it the recommend way to do this? Not normally, no. Do a lot of us do it because it is easy, yes. But ideally you want your file server to not be the jump box. You can easily make a non-jump file server for that task in another VM.
Who said anything about a file server? Each PBX is a unique system with nothing tying them together except me managing them.
Korora Desktop in Chicago -> Jump box -> Vultr node 1 (PBX A )
Korora Desktop in Chicago -> Jump box -> Vultr node 2 (PBX B )
Korora Desktop in Chicago -> Jump box -> Internal Node 1 (PBX C )
