With compliance becoming an ever-increasing priority and hybrid infrastructures becoming the norm, many traditional IT practices must evolve or die. One widely used practice that hasn’t kept up with evolving compliance requirements in increasingly hybrid environments is the jump server, often called the jump box.
The original theory behind jump boxes made a lot of sense. Set up a jump box as a bastion host inside your environment that everybody logs into, and from there you can “jump” to any of the other boxes or servers. The jump box would be a heavily fortified gatekeeper, ensuring that only the correct users could pass it. Audit controls would be placed on the jump box to track all user activity. For those that wanted to level up, multi-factor authentication could be installed at the jump box to make it harder for an attacker to leverage stolen credentials.
The audit and compliance worlds gravitated heavily towards jump boxes because they were a central control point that offered security and simplicity to traditional infrastructure environments. They were easy to audit and architecturally gave auditors a “choke point” to focus in on and check compliance. In fact, many of the most stringent compliance standards, such as PCI, encouraged the use of jump boxes through their vision of network segmentation to limit or reduce the size of the environment to be audited.
For an enterprise with an internal or outsourced data center, a jump server would be reasonably effective. With control over the network, the physical hardware, and the facility, a jump box is a natural way to control access. However, when you look at the growing popularity of hybrid ecosystems, where organizations mix in the cloud, third party contractors, and many third party services/connections, a jump box starts to become harder to implement and significantly less effective. And, in the increasingly popular world of DevOps, having a one-off solution that generally needs to be manually controlled and updated is heading in the opposite direction of consistency and automation.
Let’s take a look at some of the key limitations of a jump box:
A jump box becomes a significant target for intruders, and with the level of sophistication they have access to today, it is highly likely that a jump box – even one that is rigorously secured – will be compromised. Once that happens, the attacker has the keys to the kingdom.
With traffic routing controls already reasonably complicated in a cloud, a jump box adds further complexity to cloud infrastructure. Every new server that you spin up, manually or dynamically, needs to follow strict guidelines to ensure that there isn’t a back door into the network that bypasses the jump box.
One access policy
Generally, due to complexity, a jump box creates one access policy for all administrators, giving them full access to all of the servers behind the jump box. With more third-party contractors in use at organizations and specialization of servers, this one-size-fits-all access policy can become a significant risk factor.
Growing adoption of the DevOps model creates IT pros who are focused on what’s fast, agile, and automated. A jump box is none of these – in fact, just the opposite. By design, it is meant to have personnel go there, be validated, and then go do their jobs. It’s a hierarchical vantage point in a networked world.
Keeping with the theme of DevOps, a jump box also becomes a choke point as increasing numbers of users require more performance from that system. Since a jump box is effectively a lone server anyway, the scalability of that system will be through trial and error rather than through systematic measurement and response.
With a jump box, a new level of indirection is added, which complicates forensics in the event of a breach and, depending upon the setup, may make it difficult or impossible to figure out which user did what on the machines reached through the jump box.
Jump boxes made a lot of sense in a different era with a different type of infrastructure, but today with the cloud, elastic systems, and a completely different type of architecture, it is hardly worth the effort to make a jump box the core access solution for your critical infrastructure–in fact, it may be downright dangerous.
In today’s world, each server is an atomic unit with a clear purpose and mission. Cloud servers are spun up in scale through automated systems based on load or demand. These servers could be at any number of providers, in any number of regions and in any number of different flavors. Providing user access to these servers–often numbering in the hundreds or thousands–via a jump box just doesn’t make sense any longer.
Forward-thinking organizations are giving only the appropriate users access to the servers that they need to accomplish their jobs. Access management can be automated through cloud-based user management services, common directory offerings, or even in simpler ways via configuration automation tools that push settings to servers. Admins don’t need to worry about setting routes to servers through the jump box or managing an additional network setup.
With very little additional effort, each server’s access can be tightly managed to allow only the appropriate users while still capturing compliance and audit information. This is a critical point, because a jump box’s primary value was traditionally that it served as a central location for audit and compliance data. In fact, some auditors and compliance officers are realizing that jump boxes may not be the best way to secure infrastructures and meet regulations. SaaS-based user management services provide this audit and compliance data for all of the servers and users they manage, whether the servers are in a single cloud or spread across multiple clouds. Two other key limitations of jump boxes – performance and scalability – are rendered moot because each interaction is direct rather than routed through the jump box. Users log in directly to each server and do their jobs. There is no middleman to slow them down.
Another alternative to the jump box is creating an LDAP or Active Directory (AD) infrastructure. These systems have been designed to manage user access and control, but they do so through a centralized directory, not a centralized choke point. LDAP is a natural path for organizations hosted in the cloud that run a great deal of Linux. For organizations focused on compliance or managing an on-premises Windows infrastructure, AD can be an option. Both LDAP and AD can provide detailed logging for auditors, and both effectively avoid many of the key limitations of a jump server, offering better scalability, reduced overhead, and variable access policies.
Many organizations are also turning to configuration automation tools such as Chef, Puppet, or Ansible as a way of pushing user access controls to their servers. This is especially powerful for cloud deployments where admins can take advantage of auto-scaling techniques. While this approach doesn’t necessarily increase security or provide auditing control, it does ease management. In most cases, this approach will have a harder time meeting compliance requirements, but it will reduce administrative work and solve the network choke point issue.
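As an added illustration of what a configuration-automation run pushes to a single server to give only the right users access to it (this is constructed example code, not the post’s or any vendor’s own tooling), the POSIX shell below renders a per-role sshd drop-in and a reviewable plan of local group changes. The role names, group names, users and the drop-in path `/etc/ssh/sshd_config.d/zz-access.conf` are all assumptions for the example.

```shell
#!/bin/sh
# Constructed example: per-server SSH access policy as a config-management
# tool would push it. Roles, groups and users below are invented.

# Role -> Unix groups allowed to log in. "sre" is allowed everywhere; each
# role adds its own admins and, where appropriate, its own contractor group.
allowed_groups_for() {
    case "$1" in
        web) echo "sre web-admins web-contractors" ;;
        db)  echo "sre db-admins" ;;              # no contractors on databases
        ci)  echo "sre ci-admins ci-contractors" ;;
        *)   echo "sre" ;;                        # unknown role: operators only
    esac
}

# Write an sshd drop-in enforcing the policy. LogLevel VERBOSE makes sshd log
# the key fingerprint of every login, which lets an auditor attribute a
# session to one person with no jump box in between. Name the file so it
# sorts last (zz-) because the Match block applies to whatever follows it.
render_sshd_dropin() {
    role=$1; out=$2
    {
        echo "# Managed by configuration automation; manual edits are overwritten"
        echo "AllowGroups $(allowed_groups_for "$role")"
        echo "LogLevel VERBOSE"
        echo "PasswordAuthentication no"
        echo "Match Group *-contractors"
        echo "    AllowTcpForwarding no"
        echo "    PermitTunnel no"
        echo "    X11Forwarding no"
    } > "$out"
}

# Turn the directory's view of membership (lines of user:group,group) into the
# local group changes this server needs, as a plan to review rather than
# commands already applied. Groups not allowed on this role are skipped.
plan_group_changes() {
    role=$1; allowed=" $(allowed_groups_for "$role") "
    while IFS=: read -r user groups; do
        for g in $(echo "$groups" | tr ',' ' '); do
            case "$allowed" in
                *" $g "*) echo "usermod -a -G $g $user" ;;
            esac
        done
    done
}
```

The automation should run `sshd -t` on the host before reloading sshd so a bad drop-in never locks everyone out.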
To complete the security picture, and truly replace a jump box, you still need a VPN in front of your protected network resources. Without it, you turn one exposed bastion host into many exposed bastion hosts, increasing your attack surface. The benefit here is that a VPN, integrated into your firewall, provides another layer of protection on top of your already secured hosts, and it gives users a much better experience because they have their full toolsets available for use in the protected environment. The VPN must be configured to allow only remote SSH or remote desktop connections through it. Otherwise, a compromised VPN client host would have unfettered access to your protected network resources.
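To make the last point concrete, here is a constructed example (not from the post or any vendor) of the forwarding policy a VPN gateway can enforce so that VPN clients reach protected hosts only on SSH (22/tcp) and RDP (3389/tcp), with everything else logged and dropped. The interface name `wg0`, the subnets, and the `nft` invocation are assumptions; the shell function renders an nftables ruleset so it can be reviewed and checked before loading.

```shell
#!/bin/sh
# Constructed example: nftables forward policy for a VPN gateway in front of
# the protected network. Interface and subnets are invented placeholders.

VPN_IF=${VPN_IF:-wg0}                     # interface VPN clients arrive on
VPN_NET=${VPN_NET:-10.8.0.0/24}           # addresses handed to VPN clients
PROTECTED_NET=${PROTECTED_NET:-10.20.0.0/16}

# Print the ruleset. Default policy is drop, so a compromised VPN client
# gets SSH and RDP to protected hosts and nothing else. Each accepted new
# admin session is logged, which gives auditors a per-user connection trail.
render_vpn_forward_policy() {
    cat <<EOF
table inet vpn_gateway {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Only management protocols from VPN clients into the protected network.
        iifname "$VPN_IF" ip saddr $VPN_NET ip daddr $PROTECTED_NET tcp dport { 22, 3389 } ct state new log prefix "vpn-admin: " accept
        # Anything else from the VPN is evidence of misuse; keep a record.
        iifname "$VPN_IF" log prefix "vpn-denied: " drop
    }
}
EOF
}

# Syntax-check the rendered ruleset without loading it (nft -c). Skipped
# silently when nft is not installed, so rendering can be tested anywhere.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        render_vpn_forward_policy | nft -c -f -
    fi
}
```

Load it with `render_vpn_forward_policy | nft -f -` only after `check_ruleset` passes and the `vpn-denied:` log prefix is wired into your log collection.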
Rick Dakin, CEO of Coalfire Systems, a leading compliance and audit firm, has commented in numerous presentations for industry executives that, “Remote access with administrative privileges is a routine issue with both compliance assessments as well as the cause for many breaches. It is surprising that so little attention has been paid to this increasingly significant risk. Based upon the findings from the Edward Snowden investigation, remote administrative access is now a front burner issue. We are seeing a huge push to solve this problem and some very forward thinking solution providers, like JumpCloud, who are now offering an easy and inexpensive path to a real solution.”
If you are using a jump box today, seriously think through whether it is still the right architecture for you. With far less complex alternatives that have increased performance and better security, the jump box may be like your landline desk phone!