What Is a Bastion Host | Jump Host | Bastion Host Explained

Captions
Are you looking to learn about bastion hosts or jump hosts? If so, this video is for you.

Hi, my name is Michael Gibbs and I'm the founder and CEO of Go Cloud Careers. We're an organization that's dedicated towards building the most high-performance cloud computing careers. Personally, I've been working in technology for over 25 years now, and for the last two decades I've been helping people get their first tech job or get promoted in tech, and I want to help you either get cloud hired or cloud promoted.

Today we're going to talk about the bastion host, and truthfully we created this video as much more of a public service announcement for cloud architects. See, recently we have seen a tremendous number of videos popping up on how to set up a bastion host, but unfortunately a bastion host or jump host may be one of the biggest security mistakes we have seen in decades. A bastion host is an invitation for hackers that basically says "please hack me." So in this video we'll begin by describing what a bastion host is, what it does and how it works, and why people mistakenly use it. We'll then describe how easy it is to hack into a system with a bastion host, and then we will show you the secure alternatives that organizations have used for decades to avoid the pitfalls of a bastion host.

Now, when we make this video we are not referring to a high-security bastion host service such as those offered by Microsoft Azure; that is a pre-made kind of service. We are referring to the dangerous kind of homemade bastion host that you see in AWS certification training videos, or you see hobbyists do when they try to show you how to create back doors into your systems.

So what is a bastion host or a jump host? To begin, a bastion host is simply a computer with two network interfaces. Now, you place the bastion host on the public internet, where it's remotely accessed by anyone that has an internet connection. Now, the bastion host also has a second network interface card that is actually plugged into the private network. So here's what happens: the user accesses this computer on the internet, and they can back door into your network.

So why is this problematic? Well, for one thing, we are placing a computer on the internet, a regular ordinary computer on the internet, and that regular ordinary computer that we place on the internet is used to access our private network; it's the back door that we put in there. So let's think about what happens when you put a system on the internet. If we place a system on the internet and it is not protected, because we just put it out on the internet, we're basically saying "please hack me, please hack me, my doors are open and my house is filled with gold."

So how do we normally protect systems on the internet? There's two things. One is we only put special-purpose systems on the internet, which we'll talk about in a minute, but also we never place systems that are unprotected. We place our systems behind firewalls at minimum, intrusion detection and intrusion prevention systems at minimum, access control lists at minimum. In reality, if we're going to lock down our systems, we would never place a system on the public internet. We'd make sure that it's in a special environment, and we'll talk more about that later, but it'll be a highly secure environment where we place our systems, not on the public internet. And because the public internet is where the bastion host is placed, there's no protections for the bastion host, so pretty much anybody that wants to on the internet can hack into the bastion host and get into your system.

How easy is this, you may ask? Download Kali Linux or Parrot Linux, play with those tools for about five minutes, and poof, you're in that organization's private network, and you did it like nothing with some freeware hacking tools. That's how easy it is. That's because it's not protected by firewalls, IDS, IPS systems. But there's another factor that makes the bastion host so dangerous: it is a regular computer we're placing on the internet. Regular computers are not hardened security devices; regular computers are open to hacking. That's the second part of the equation: it's a regular computer. I'm going to tell you this right now: very few people have the sophistication to harden an operating system like this to make sure it's not hacked. And truly, to build a truly hardened operating system, we're not talking about one or two people; we're talking about a team of sophisticated security professionals at a company like a Palo Alto or a Fortinet or a Cisco or a Check Point. These teams will spend millions and millions and millions of dollars to lock down the operating systems that they're using, if not billions. So these are very specifically targeted systems we place on the internet. So when we place, you know, network devices on the internet, and we'll talk more about that later, which are often used for remote access, these not only are behind firewalls and IDS and IPS systems, but they're also hardened operating systems. So we're not talking about anything that's in the same league as the bastion host for remote accessing your system.

Now, how do we manage our systems simply and securely? We're going to give you two ways that you can do it. Now, the two ways to manage your systems are the same ways that organizations have been managing their systems securely for decades.

Let's start with the simplest and most elegant way. If you have your premises and you're connected to your cloud provider or multiple cloud providers, you have either a direct connection or a VPN connection to the cloud provider; that's your WAN. So you've got a data center and a direct connection; through that direct connection you can administer your systems. Now, why is this so special? Your users are behind the firewall. We have the ability to limit which subnets and which IP addresses are even allowed to reach your systems. We can set up QoS on the WAN link, and that way, if we were being infected with a worm or a virus, we could de-prioritize that traffic or rate limit or drop it. So when it's over our WAN, we're coming from a secure environment connecting to another secure environment, and we've got control over what goes there, so we can protect our systems with firewalls, IDS, IPS systems, network access controls, security groups and everything long before we even get to our system.

But what if you didn't have a direct connection or you didn't have a VPN? Then how would you manage your systems like a pro? But you still would not be using any kind of a jump or bastion host, because it's too risky for the reasons we talked about. Here's how you do it. First thing you want to do is this: you place a firewall, a next-generation firewall, at the perimeter of your network. Now, when you place the firewall, you're going to create a demilitarized zone, and we're going to do this in the following manner. The first thing we're going to do is we're going to create a subnet, and in this subnet we're going to place a VPN concentrator. Now, a VPN concentrator is a special security device developed by security providers such as Cisco or Check Point or Fortinet or Palo Alto, and it's designed to do one thing: allow VPN connections in via IPsec. So what we will do is we will create this special subnet, it's called a demilitarized zone, and we will allow IPsec-only traffic, only IPsec traffic, into this demilitarized zone; from the firewall, or access control list, etc., we will only allow IPsec. Why are we using the access control lists? Just in case the firewall fails, as extra layers of security. And then we're going to put our security-hardened device that's rock solid, that will only listen on the IPsec protocols and is hardened and locked down by a security firm that spent millions and millions of dollars locking the system down.

And then here's what's going to happen. When a user wants to remote access, they're going to request a session from the VPN concentrator. First, the firewall will block all traffic except for IPsec, so we're really protecting that VPN concentrator. Then the ACLs will protect the rest. Then the only thing even allowed into the subnet is IPsec; it's going to hit that VPN concentrator. Because the VPN concentrator uses IPsec, it's going to determine the endpoints, make sure the security algorithms are good, provide data integrity checking and provide non-repudiation, which means the person can't say after the fact they didn't do something they did. So here the user, they initiate that session; as soon as that session, guess what, that VPN concentrator hits the IAM systems, maybe it's a RADIUS server, maybe it's an Active Directory server, and then that VPN server will authenticate the user, and now that user will be placed behind the firewall. Now we can place these remote access users in a subnet and even limit what that subnet can reach. But this is how we do high-security remote access. This is the way we've done it for years. This is the way we strongly recommend you use it.

So don't create a bastion host. Protect your customers, protect your clients, design resilient and secure architectures, manage your systems either via your direct connection, your VPN, or set up a VPN concentrator in the secure way.

Thank you so much for watching this video, and I look forward to seeing you in another video. Our goal here is to help you get cloud hired or cloud promoted. This is Michael Gibbs, and I look forward to seeing you. Take care.

It was so nice having you join us for this video today. Let me tell you about some free services we do for the cloud community. Once per week we actually have a free question and answer session, live on YouTube, where you can come and ask us any questions you want about building your career related to cloud computing or networking. We'll answer them in real time for you, because we want to get you to your goals. Several more times per week we have guests from industry, industry experts that I've known for decades, that are movers and shakers that have changed the world, that can give you information so you can build the best career. I invite them periodically; they are on my show. If there's a chance to do some free training on our channel, we'll do it live, because we want you all to have the best skills for the best career. So please subscribe and hit the bell. I look forward to seeing you and I look forward to assisting you in your technology career. Thank you so much. This is Michael Gibbs from Go Cloud Architects.
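The two ingress designs the video contrasts, written up as an added Python example that is not the video's or Go Cloud Careers' material: a homemade bastion host with SSH open to the whole internet, versus the DMZ design where the perimeter firewall and a subnet ACL each admit only IPsec (IKE, NAT-T, ESP) to the VPN concentrator. The `Rule`/`evaluate`/`ingress` model and all addresses are constructed for illustration; it also shows the "ACL in case the firewall fails" point by pairing a failed-open firewall with the ACL.

```python
# Added example (not from the video): the two ingress policies the transcript
# contrasts, modelled as ordered first-match rules and evaluated on sample flows.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    proto: str                  # "tcp", "udp", "esp" or "any"
    port: Optional[int] = None  # destination port; None matches any port

def evaluate(rules, src, dst, proto, port=None):
    """First matching rule wins; no match means implicit deny (firewall/ACL semantics)."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and r.proto in ("any", proto)
                and r.port in (None, port)):
            return r.action
    return "deny"

def ingress(layers, src, dst, proto, port=None):
    """Defence in depth: every layer (firewall, then ACL) must allow the flow."""
    return "allow" if all(evaluate(l, src, dst, proto, port) == "allow" for l in layers) else "deny"

# Constructed addresses (RFC 5737 documentation ranges).
BASTION, CONCENTRATOR, INTERNET = "203.0.113.10", "198.51.100.5", "0.0.0.0/0"

# Homemade bastion host: SSH from anywhere to a general-purpose box that also
# has a NIC on the private network. Anyone on the internet reaches the login prompt.
BASTION_FIREWALL = [Rule("allow", INTERNET, BASTION + "/32", "tcp", 22)]

# DMZ design from the transcript: the perimeter firewall and the subnet ACL
# each admit only IPsec (IKE udp/500, NAT-T udp/4500, ESP) to the concentrator.
IPSEC_ONLY = [Rule("allow", INTERNET, CONCENTRATOR + "/32", proto, port)
              for proto, port in (("udp", 500), ("udp", 4500), ("esp", None))]
DMZ_FIREWALL, DMZ_ACL = list(IPSEC_ONLY), list(IPSEC_ONLY)
FAILED_OPEN_FIREWALL = [Rule("allow", INTERNET, INTERNET, "any")]  # misconfigured or failed firewall

if __name__ == "__main__":
    attacker = "192.0.2.77"  # constructed internet source
    print(ingress([BASTION_FIREWALL], attacker, BASTION, "tcp", 22))                      # allow
    print(ingress([DMZ_FIREWALL, DMZ_ACL], attacker, CONCENTRATOR, "tcp", 22))             # deny
    print(ingress([DMZ_FIREWALL, DMZ_ACL], attacker, CONCENTRATOR, "udp", 500))            # allow
    print(ingress([FAILED_OPEN_FIREWALL, DMZ_ACL], attacker, CONCENTRATOR, "tcp", 22))     # deny
```

The last line is the transcript's "just in case the firewall fails" argument: with the firewall passing everything, the subnet ACL still drops anything that is not IPsec.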
Info
Channel: Go Cloud Architects
Views: 11,452
Keywords: what is a bastion host, jump host, bastion host explained, vpn vs bastion host, how to use bastion host, cloud security fundamentals, cloud security architect training, cloud architect security training, cloud architect fundamentals, cloud architecture basics, cloud architecture aws, azure bastion host, cloud architect career, cloud architect career development, cloud architect job, cloud architect career training, cloud security training, dmz explained, vpn concentrator
Id: p_xTZwgAhg0
Length: 10min 23sec (623 seconds)
Published: Thu Mar 24 2022