Linux Lab Project: Building a Linux Jump Box
-
@scottalanmiller I noted that this example used the 1406 Minimal ISO. As we determined yesterday. this means the firewall is not running. Well unless installing
fail2bankicksfirewalldas a prereq. -
Does this thread in 2017 require any updates?
-
@FATeknollogee said in Linux Lab Project: Building a Linux Jump Box:
Does this thread in 2017 require any updates?
No. CentOS has not updated.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
No. CentOS has not updated.
My question was more about the "Jump Box" & whether is an updated/better way to do this in 2017 (since any of the popular *nix o/s's can be used)
-
@FATeknollogee said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
No. CentOS has not updated.
My question was more about the "Jump Box" & whether is an updated/better way to do this in 2017 (since any of the popular *nix o/s's can be used)
Well State Systems are the "new" way to replace Jump Boxes. But that's a big leap (excuse the pun).
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Well State Systems are the "new" way to replace Jump Boxes. But that's a big leap (excuse the pun).
Have you done this on your systems?
-
@FATeknollogee said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Well State Systems are the "new" way to replace Jump Boxes. But that's a big leap (excuse the pun).
Have you done this on your systems?
Of course
-
@scottalanmiller This might deserve a new thread, but what type of system resources are taken by a typical agent? (specifically, a saltstack minion)
-
@fuznutz04 said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller This might deserve a new thread, but what type of system resources are taken by a typical agent? (specifically, a saltstack minion)
A few, it's not none. But that's Salt. It's heavy on the agent side and is always connected and has to manage the message bus. If you move to something like Ansible you can get that down to not just approaching zero, but to actual zero (when not applying state) because there doesn't have to be an agent. Salt will do agentless as well, but it defeats much of the benefits. If you want that, I'd go Ansible.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
d is always connected and has to manage the message bus. If you move to something like Ansible you can get that down to not just ap
I usually have enough overhead for additional things like this. Just wanted to make sure that it's not a "crazy" amount of memory/CPU usage.
-
@fuznutz04 said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
d is always connected and has to manage the message bus. If you move to something like Ansible you can get that down to not just ap
I usually have enough overhead for additional things like this. Just wanted to make sure that it's not a "crazy" amount of memory/CPU usage.
Not crazy, but uses more than top.
-
@scottalanmiller Good to know. Thanks.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
@fuznutz04 said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
d is always connected and has to manage the message bus. If you move to something like Ansible you can get that down to not just ap
I usually have enough overhead for additional things like this. Just wanted to make sure that it's not a "crazy" amount of memory/CPU usage.
Not crazy, but uses more than top.
Would that be more than top but less than glances?
-
So, help me understand the use-case scenarios where a jump box is more beneficial than VPN to the environment. I've read other threads on this forum dating back to 2015 about building and using a jump box but I never truly understood why one would prefer this over VPN. The assumption at this point is that I'm missing some critical element that would explain why this over VPN.
What are the scenarios where one would chose this setup?
-
@NashBrydges said in Linux Lab Project: Building a Linux Jump Box:
So, help me understand the use-case scenarios where a jump box is more beneficial than VPN to the environment. I've read other threads on this forum dating back to 2015 about building and using a jump box but I never truly understood why one would prefer this over VPN. The assumption at this point is that I'm missing some critical element that would explain why this over VPN.
What are the scenarios where one would chose this setup?
We use a Jump box for a number of reasons....
On PBX systems we can access the back in faster than using the GUI. And for some tasks it's really the only way. You update the kernel via SSH.
So in our case, @scottalanmiller has set up the security ring for the systems, I connect one box and jump to the others with little else. it's faster, more secure and easier to manage
Also, you can run the command (shutdown or other) ON the jump box and not sign into the other system.... saving steps
-
@gjacobse said in Linux Lab Project: Building a Linux Jump Box:
@NashBrydges said in Linux Lab Project: Building a Linux Jump Box:
So, help me understand the use-case scenarios where a jump box is more beneficial than VPN to the environment. I've read other threads on this forum dating back to 2015 about building and using a jump box but I never truly understood why one would prefer this over VPN. The assumption at this point is that I'm missing some critical element that would explain why this over VPN.
What are the scenarios where one would chose this setup?
We use a Jump box for a number of reasons....
On PBX systems we can access the back in faster than using the GUI. And for some tasks it's really the only way. You update the kernel via SSH.
So in our case, @scottalanmiller has set up the security ring for the systems, I connect one box and jump to the others with little else. it's faster, more secure and easier to manage
Also, you can run the command (shutdown or other) ON the jump box and not sign into the other system.... saving steps
Hmmmm, so is the use-case then to have 1 single very secured entry point and then not require sign-on for other systems? While that may make it easier to traverse the security layers, this would essentially remove one of those layers (the second system sign-on). Am I misunderstanding this?
-
@NashBrydges said in Linux Lab Project: Building a Linux Jump Box:
So, help me understand the use-case scenarios where a jump box is more beneficial than VPN to the environment.
VPNs expose systems to both direct attack as well as to an open range of attacks. A jump box need only expose a single protocol either way. A VPN is inherently only useful if LAN security is in place, the point of the jump box is to eliminate that need for that.
Of course a jump box has risks, nothing is riskless. But the degree of risk is very different. For example, there is no extent malware through through jump boxes today, but essentially all are a threat through VPNs.
-
@NashBrydges said in Linux Lab Project: Building a Linux Jump Box:
I've read other threads on this forum dating back to 2015 about building and using a jump box but I never truly understood why one would prefer this over VPN. The assumption at this point is that I'm missing some critical element that would explain why this over VPN.
Flip it around... if a jump box gives you access to what you need, and a VPN gives you that access plus a lot of access that you don't need, that's a larger attack surface. Unless the VPN is bringing benefits additional to the jump system, that alone is a negative.
What's the benefit to the VPN approach?
-
@NashBrydges said in Linux Lab Project: Building a Linux Jump Box:
Hmmmm, so is the use-case then to have 1 single very secured entry point and then not require sign-on for other systems? While that may make it easier to traverse the security layers, this would essentially remove one of those layers (the second system sign-on). Am I misunderstanding this?
Correct, that's one option. Or you could use it in additional to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access to protocols like SSH or RDP to have to originate from a single source. That source can then be heavily locked down, monitored and controlled.
In this way, your exposure protocols can be much more limited and your ability to control access is much greater. You can shut off access to a single person, or even everyone, in a split second. You can audit every connection attempt that could have made it. You can see all actions in a central location.
-
So a Jump system can be about smoothing access to make it faster. Or it can be amount making access more secure. Or both.
It is, in many ways, about eliminating the free for all of access that is common with a VPN where you traditionally have many peers all able to access each other making access difficult to track and control.
Which is why large shops traditionally use a jump box even on a LAN. So even if you had a VPN, you might still have the jump box.
