Linux Lab Project: Building a Linux Jump Box
-
@NashBrydges said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
So a Jump system can be about smoothing access to make it faster. Or it can be amount making access more secure. Or both.
It is, in many ways, about eliminating the free for all of access that is common with a VPN where you traditionally have many peers all able to access each other making access difficult to track and control.
Which is why large shops traditionally use a jump box even on a LAN. So even if you had a VPN, you might still have the jump box.
I had started typing out an entirely different response with scenarios comparing VPN and jump box and wasn't until the end that I saw where the jump box approach may be much simpler. It avoids having to manipulate multiple systems to provide a similar level of control (if I understood this correctly) over accessibility. Manage a single jump box instead of VPN, firewall, entity/authentication management...etc.
Correct. Now of course you can do some work with a VPN to make it kind of mimic a jump box. But it would be more work and still doesn't gap quite as well. VPNs have the advantage of allowing a direct connection. But that is part of what we are trying to avoid in many cases.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
@NashBrydges said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
So a Jump system can be about smoothing access to make it faster. Or it can be amount making access more secure. Or both.
It is, in many ways, about eliminating the free for all of access that is common with a VPN where you traditionally have many peers all able to access each other making access difficult to track and control.
Which is why large shops traditionally use a jump box even on a LAN. So even if you had a VPN, you might still have the jump box.
I had started typing out an entirely different response with scenarios comparing VPN and jump box and wasn't until the end that I saw where the jump box approach may be much simpler. It avoids having to manipulate multiple systems to provide a similar level of control (if I understood this correctly) over accessibility. Manage a single jump box instead of VPN, firewall, entity/authentication management...etc.
Correct. Now of course you can do some work with a VPN to make it kind of mimic a jump box. But it would be more work and still doesn't gap quite as well. VPNs have the advantage of allowing a direct connection. But that is part of what we are trying to avoid in many cases.
Right. Thanks for taking the time to walk me through this.
-
Think of a Jump box much like a man trap in a building. Does it keep all threats out? Of course not. But a man trap revolving door never allows the inside and outside air pressures to be directly exposed. A VPN opens the floodgates between two networks allowing things just looking for a route to flood across. It grows the LAN.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Think of a Jump box much like a man trap in a building. Does it keep all threats out? Of course not. But a man trap revolving door never allows the inside and outside air pressures to be directly exposed. A VPN opens the floodgates between two networks allowing things just looking for a route to flood across. It grows the LAN.
Any drawbacks of jump box over VPN?
-
@NerdyDad said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Think of a Jump box much like a man trap in a building. Does it keep all threats out? Of course not. But a man trap revolving door never allows the inside and outside air pressures to be directly exposed. A VPN opens the floodgates between two networks allowing things just looking for a route to flood across. It grows the LAN.
Any drawbacks of jump box over VPN?
Depends, if you WANT full access for other things, then yes. Like a VPN let's you map drives directly to your desktop. Those are things I normally seek to avoid. But, you can't deny that it is handy. A VPN is basically "less security", by moving you back to the LAN-based network security model. It's like the dark side, it's faster and easier, but ultimately it consumes you.
VPNs are fast and easy, no need to really secure things. And then ransomware pwns you.
-
VPNs are handy because you can do things like map a drive or run VoIP over them. But you can do all of those things in other ways too, if needed.
-
With a JumpBox instead of a VPN, you would still be able to administer systems remotely, as if you were in front of the console. But, you would not be able to download files or stream media with a jump box. Am I understanding this correctly?
-
@NerdyDad said in Linux Lab Project: Building a Linux Jump Box:
With a JumpBox instead of a VPN, you would still be able to administer systems remotely, as if you were in front of the console. But, you would not be able to download files or stream media with a jump box. Am I understanding this correctly?
That's correct. And that's an important part of the gapping.
-
Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.
-
I understand that theory is that you setup all your security on the jumpbox and don't worry as much about the other systems... but doesn't a jumpbox provide a single target for penetration? Can't someone who gains access to the jumpbox access every other system that user has access too? I understand that your using keys, and not passwords...
-
@aaronstuder said in Linux Lab Project: Building a Linux Jump Box:
I understand that theory is that you setup all your security on the jumpbox and don't worry as much about the other systems... but doesn't a jumpbox provide a single target for penetration? Can't someone who gains access to the jumpbox access every other system that user has access too? I understand that your using keys, and not passwords...
The general theory should not be Jump security instead of others. It should be in addition to.
-
@aaronstuder said in Linux Lab Project: Building a Linux Jump Box:
I understand that your using keys, and not passwords...
You can use both. Of course if you use the Jump box solely to easy access and not to enhance it, you carry the risk of the Jump box being compromised. But you can mitigate this by increasing the security of the Jump box, adding security between the Jump box and the other hosts or both.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.
As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re up config files. So if I cannot transfer files with SCP, how does this help me?
-
@JaredBusch said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.
As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re up config files. So if I cannot transfer files with SCP, how does this help me?
You can use SCP, SCP is just an extension of the SSH protocol. The Jump box would be an SSH proxy. So you can do that trivially. Is it the recommend way to do this? Not normally, no. Do a lot of us do it because it is easy, yes. But ideally you want your file server to not be the jump box. You can easily make a non-jump file server for that task in another VM.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
@JaredBusch said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.
As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re up config files. So if I cannot transfer files with SCP, how does this help me?
You can use SCP, SCP is just an extension of the SSH protocol. The Jump box would be an SSH proxy. So you can do that trivially. Is it the recommend way to do this? Not normally, no. Do a lot of us do it because it is easy, yes. But ideally you want your file server to not be the jump box. You can easily make a non-jump file server for that task in another VM.
Who said anything about a file server? Each PBX is a unique system with nothing tying them together except me managing them.
Korora Desktop in Chicago -> Jump box -> Vultr node 1 (PBX A )
Korora Desktop in Chicago -> Jump box -> Vultr node 2 (PBX B )
Korora Desktop in Chicago -> Jump box -> Internal Node 1 (PBX C ) -
@JaredBusch said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
@JaredBusch said in Linux Lab Project: Building a Linux Jump Box:
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Ideally, as an admin, you would not want to hear audio from a server, or copy a file from your desktop to a server.
As an admin, I upload new firmware to the /tftpboot folder all the time. Or I want to download, mass update, and re up config files. So if I cannot transfer files with SCP, how does this help me?
You can use SCP, SCP is just an extension of the SSH protocol. The Jump box would be an SSH proxy. So you can do that trivially. Is it the recommend way to do this? Not normally, no. Do a lot of us do it because it is easy, yes. But ideally you want your file server to not be the jump box. You can easily make a non-jump file server for that task in another VM.
Who said anything about a file server? Each PBX is a unique system with nothing tying them together except me managing them.
Korora Desktop in Chicago -> Jump box -> Vultr node 1 (PBX A )
Korora Desktop in Chicago -> Jump box -> Vultr node 2 (PBX B )
Korora Desktop in Chicago -> Jump box -> Internal Node 1 (PBX C )Oh, I misunderstood. You are uploading to the TFTP folder of the individual servers, not a central one on your jump box that you are using the jump box to push out. TFTP is a file server, but you have many of them that your jump is sending to, not one that they all pull from.
-
How would a jump box used when access a Windows environment? Would I need to setup a jump box with a desktop environment like xfce or windows manager like i3. And then use something like Remmina to remote into a Windows Admin box to manage Servers and such.
-
@black3dynamite said in Linux Lab Project: Building a Linux Jump Box:
How would a jump box used when access a Windows environment? Would I need to setup a jump box with a desktop environment like xfce or windows manager like i3. And then use something like Remmina to remote into a Windows Admin box to manage Servers and such.
You could setup SSH tunneling and just do secure RDP sessions over SSH. No desktop environment required on your jumpbox.
http://www.linuxjournal.com/content/ssh-tunneling-poor-techies-vpn
-
@RamblingBiped said in Linux Lab Project: Building a Linux Jump Box:
@black3dynamite said in Linux Lab Project: Building a Linux Jump Box:
How would a jump box used when access a Windows environment? Would I need to setup a jump box with a desktop environment like xfce or windows manager like i3. And then use something like Remmina to remote into a Windows Admin box to manage Servers and such.
You could setup SSH tunneling and just do secure RDP sessions over SSH. No desktop environment required on your jumpbox.
Thanks. That setup is a lot straight forward and less of a headache to manage.
-
@scottalanmiller said in Linux Lab Project: Building a Linux Jump Box:
Correct, that's one option. Or you could use it in additional to the other security layers for even more security. By having the jump box layer of security you can, for example, restrict all remote access to protocols like SSH or RDP to have to originate from a single source.
Would the jumpbox also be a single point of failure though?
