2020 © Netskope. All rights reserved.
21 Jump Server:
Going Bastionless in the Cloud
DEFCON 28 Cloud Village
Presented By: Colin Estep
Agenda
• Introduction
• Overview of Bastion Hosts
• Problems with Bastion Hosts
• SSH Multiplexing Attack
• Alternative Solutions
  – AWS
  – GCP
  – Azure
About Me
• Formerly Security @ Apple, Netflix
• Startup experience in cloud security software
• Currently Research @ Netskope Threat Labs
Bastion Hosts

What are Bastion Hosts?
Benefits of Bastions
• Limits exposure of servers to the Internet, which reduces the attack surface
• Prevents brute force attacks on SSH for most of the infrastructure
• Centralized access, which makes it a good place for logging and monitoring
Why is this relevant?
Out of our customers who expose compute instances to routable IP addresses:
• AWS: 39% of the instances allow SSH ingress
• GCP: 58% of the instances allow SSH ingress
• Azure: 46% of the instances allow SSH ingress
Problems with Bastions
• Maintain the infrastructure yourself: patching and configuration
• Could become expensive if you need lots of bastion hosts
• Need to manage the access yourself (SSH certificates, MFA, etc.)
• Vulnerable to the SSH Multiplexing Attack
What is SSH Multiplexing?
The ability to reuse one outgoing TCP connection for more than one SSH session.
If configured, your SSH client keeps the connection open as a control socket (a file
on the client's file system), and further sessions can be started through that socket
without any additional authentication, including MFA.

SSH Command:
  ssh -S ~/.ssh/%r@%h:%p server.example.org

Config Snippet:
  Host server
      HostName server.example.org
      ControlPath ~/.ssh/%r@%h:%p
      ControlMaster auto
      ControlPersist 240m
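An added example, not from the talk: a small audit of an OpenSSH client config that rates each Host block by how long an authenticated control socket stays reusable, with the talk's snippet beside a hardened form. The ten-minute threshold, the hardened ControlPath under ~/.ssh/cm and the severity labels are this example's own assumptions.

```python
"""Audit an OpenSSH client config for multiplexing settings that leave an
authenticated control socket reusable without re-authentication."""
import re

# Assumed threshold (not from the talk): a master socket that idles longer
# than this after the user logs out is rated high risk.
MAX_PERSIST_SECONDS = 10 * 60

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ssh_time(value):
    """Parse OpenSSH's time format ('240m', '1h30m', '30', 'yes', 'no').
    Returns seconds; None means 'yes' (persist forever); 0 means 'no'."""
    v = value.strip().lower()
    if v in ("yes", "true"):
        return None
    if v in ("no", "false"):
        return 0
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", v))


def parse_ssh_config(text):
    """Return {host_pattern: {option: value}}. Options before the first Host
    line go under '*'; Match blocks are recorded like Host blocks."""
    blocks = {"*": {}}
    current = blocks["*"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in ("host", "match"):
            current = blocks.setdefault(value, {})
        else:
            current[key] = value
    return blocks


def audit_multiplexing(text):
    """One finding per block that enables ControlMaster: a severity and the
    reason, so a weak block can be compared with its hardened form."""
    blocks = parse_ssh_config(text)
    findings = {}
    for host, opts in blocks.items():
        eff = {**blocks["*"], **opts}  # per-host options override globals
        master = eff.get("controlmaster", "no").lower()
        if master not in ("yes", "auto", "ask", "autoask"):
            continue
        persist = parse_ssh_time(eff.get("controlpersist", "no"))
        if persist is None:
            sev, why = "high", "ControlPersist yes: the socket never expires"
        elif persist > MAX_PERSIST_SECONDS:
            sev, why = "high", f"ControlPersist {persist}s outlives the user's session"
        elif persist > 0:
            sev, why = "medium", f"ControlPersist {persist}s: short reuse window"
        else:
            sev, why = "low", "no ControlPersist: socket closes with the session"
        if master in ("ask", "autoask") and sev == "high":
            sev, why = "medium", why + "; each reuse must be confirmed via ssh-askpass"
        path = eff.get("controlpath", "")
        if path.startswith(("/tmp", "/var/tmp")):
            sev, why = "high", why + "; ControlPath is in a shared directory"
        findings[host] = {"severity": sev, "reason": why, "controlpath": path}
    return findings


# The snippet from the talk: the authenticated socket stays usable for 4 hours.
RISKY_CONFIG = """
Host server
    HostName server.example.org
    ControlPath ~/.ssh/%r@%h:%p
    ControlMaster auto
    ControlPersist 240m
"""

# Hardened form (assumed here, not from the talk): a one-minute idle timeout
# and a socket directory only the user can enter (chmod 0700 ~/.ssh/cm).
HARDENED_CONFIG = """
Host server
    HostName server.example.org
    ControlPath ~/.ssh/cm/%C
    ControlMaster auto
    ControlPersist 1m
"""

if __name__ == "__main__":
    for label, cfg in (("risky", RISKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        for host, f in audit_multiplexing(cfg).items():
            print(f"{label:8} Host {host}: {f['severity']} ({f['reason']})")
```

Point it at a real ~/.ssh/config to see which hosts keep a reusable socket around; a live master can be closed with `ssh -O exit` against that host.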
SSH Multiplexing Attack*
[Diagram: Clients -> Bastion Hosts -> SSH Servers. An attacker who compromises a client reuses its multiplexed SSH session through the bastion; the resulting connections to the servers are labelled "Attacker Sessions".]
*Credit to NCC Group for their blog post!
Alternative Solutions

Common Attributes
• The end user starts the connection over HTTPS
• No need for public IP addresses on any of your compute instances
• No need to expose the network ports to external IP addresses
• Removes the risk of the SSH multiplexing attack from the endpoint
• Sessions are logged by the cloud logging facilities
Services we are going to cover
• AWS: Session Manager from AWS Systems Manager
• GCP: OS Login and Identity-Aware Proxy (IAP)
• Azure: Azure Bastion
AWS Session Manager
• Part of AWS Systems Manager (SSM)
• Relies on the Systems Manager Agent on each instance
• Does not actually use SSH by default
• Can provide full session logs
Access via AWS Session Manager
Default Audit Logs: CloudTrail
SSM will log events around the beginning and ending of sessions. These events
will include a number of interesting things, such as:
• AWS user
• In some cases, whether the user was authenticated with multi-factor authentication (MFA)
• Instance ID
• Requestor's IP address
• Timestamp of the authorization
• Allowed or Denied
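An added example, not from the talk, that pulls those fields out of CloudTrail records for Session Manager and triages them. The sample records are constructed to follow the CloudTrail record layout (userIdentity.sessionContext.attributes.mfaAuthenticated, requestParameters.target, errorCode); the account, instance and session IDs are made up, and the two triage rules (no MFA, denied attempts per instance) are this example's own.

```python
"""Pull Session Manager authorisations out of a CloudTrail export and flag the
ones a defender should look at. Sample records are constructed, not real logs."""
import json
from collections import Counter

SESSION_EVENTS = {"StartSession", "ResumeSession", "TerminateSession"}


def _record(kind, arn, mfa, when, name, ip, target=None, sid=None, error=None):
    """Build one constructed CloudTrail record (sample data only)."""
    rec = {
        "eventVersion": "1.08",
        "userIdentity": {"type": kind, "arn": arn,
                         "sessionContext": {"attributes": {"mfaAuthenticated": mfa}}},
        "eventTime": when, "eventSource": "ssm.amazonaws.com", "eventName": name,
        "sourceIPAddress": ip,
        "requestParameters": {"target": target} if target else {"sessionId": sid},
        "responseElements": None if error else {"sessionId": sid},
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample: an MFA-backed allowed session, a denied attempt by a role
# without MFA, an allowed session without MFA, the termination, and noise.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    _record("IAMUser", "arn:aws:iam::111122223333:user/alice", "true",
            "2020-08-06T17:02:11Z", "StartSession", "203.0.113.10",
            target="i-0123456789abcdef0", sid="alice-0a1b2c3d4e5f6a7b8"),
    _record("AssumedRole", "arn:aws:sts::111122223333:assumed-role/Deploy/ci", "false",
            "2020-08-06T17:05:40Z", "StartSession", "198.51.100.7",
            target="i-0123456789abcdef0", error="AccessDeniedException"),
    _record("IAMUser", "arn:aws:iam::111122223333:user/bob", "false",
            "2020-08-06T17:09:03Z", "StartSession", "203.0.113.22",
            target="i-0fedcba9876543210", sid="bob-1b2c3d4e5f6a7b8c9"),
    _record("IAMUser", "arn:aws:iam::111122223333:user/alice", "true",
            "2020-08-06T17:40:57Z", "TerminateSession", "203.0.113.10",
            sid="alice-0a1b2c3d4e5f6a7b8"),
    {"eventVersion": "1.08", "userIdentity": {"type": "IAMUser"},  # must be ignored
     "eventTime": "2020-08-06T17:41:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10"},
]})


def summarize_sessions(cloudtrail_json):
    """One row per Session Manager event with the fields the slide lists:
    user, MFA, instance, requestor IP, timestamp, allowed or denied."""
    rows = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "ssm.amazonaws.com":
            continue
        if rec.get("eventName") not in SESSION_EVENTS:
            continue
        ident = rec.get("userIdentity") or {}
        attrs = (ident.get("sessionContext") or {}).get("attributes") or {}
        mfa = attrs.get("mfaAuthenticated")  # absent for some identity types
        params = rec.get("requestParameters") or {}
        resp = rec.get("responseElements") or {}  # null on denied calls
        rows.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "user": ident.get("arn") or ident.get("type", "unknown"),
            "mfa": None if mfa is None else mfa == "true",
            "instance": params.get("target"),
            "source_ip": rec.get("sourceIPAddress"),
            "outcome": "denied" if rec.get("errorCode") else "allowed",
            "session_id": resp.get("sessionId") or params.get("sessionId"),
        })
    return rows


def review(rows):
    """Triage: sessions opened without MFA, and denied attempts counted per
    instance so repeated failures against one host stand out."""
    alerts, denied = [], Counter()
    for r in rows:
        if r["event"] != "StartSession":
            continue
        if r["outcome"] == "denied":
            denied[r["instance"]] += 1
            alerts.append(f"{r['time']} DENIED {r['user']} -> {r['instance']} from {r['source_ip']}")
        elif r["mfa"] is not True:
            alerts.append(f"{r['time']} NO-MFA {r['user']} -> {r['instance']} from {r['source_ip']}")
    return alerts, denied


if __name__ == "__main__":
    for line in review(summarize_sessions(SAMPLE_CLOUDTRAIL))[0]:
        print(line)
```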
Full Session Logging
GCP: OS Login and IAP

OS Login and IAP
• No agents to deploy
• Very easy to set up (especially if you use GSuite)
• Pair local user with Google IAM (in addition, LDAP and AD support)
• Logs metadata of sessions for free
• Easy to enable 2FA for SSH
Compute Engine Access: Identity-Aware Proxy and OS Login
[Diagram: the user reaches IAP over an HTTPS TCP tunnel; IAP forwards the SSH traffic to multiple Compute Engine instances in the project's VPC, and OS Login handles the SSH authentication.]
Default Audit Logs: Data Access Logs
When IAP authorizes a new session for a user, we'll see events that contain the following:
• Primary email of the Google identity
• Destination IP address and port (could be an RFC 1918 address)
• Instance ID
• Requestor's IP address
• Timestamp of the authorization
• Allowed or Denied
Logging Agent from GCP
Azure Bastion
• You connect over HTTPS to the Bastion, which connects to the servers via SSH / RDP
• Still need to maintain SSH certificates
• Expose the SSH port to internal traffic, so that the Bastion service can access it
Access with Azure Bastion

Connecting via Bastion

Azure Session Monitoring
Azure Bastion Logs
Azure makes it easy to send the audit logs from the Bastion to any of the following:
• Log Analytics
• A Storage Account
• An Event Hub
However, there is no facility for setting up full session logs.

Azure Bastion Audit Logs
Summary
• Running your own bastion hosts may no longer be necessary
• Be aware of SSH Multiplexing attacks
• Cloud Providers and Vendors provide some great alternatives for management access (SSH / RDP)
• Solutions from cloud providers may help with:
  – Compute Instance Management
  – Identity Management
  – Logging and Monitoring
Thank you!
Blog: Threat Labs
Twitter: @colinestep
LinkedIn: https://www.linkedin.com/in/colinestep/

More Related Content

What's hot

Vault Secrets Via API for the REST of Us
Vault Secrets Via API for the REST of UsVault Secrets Via API for the REST of Us
Vault Secrets Via API for the REST of UsMitchell Pronschinske
 
Nginx Deep Dive Kubernetes Ingress
Nginx Deep Dive Kubernetes IngressNginx Deep Dive Kubernetes Ingress
Nginx Deep Dive Kubernetes IngressKnoldus Inc.
 
Virus Bulletin 2012
Virus Bulletin 2012Virus Bulletin 2012
Virus Bulletin 2012Cloudflare
 
The 3 Models in the NGINX Microservices Reference Architecture
The 3 Models in the NGINX Microservices Reference ArchitectureThe 3 Models in the NGINX Microservices Reference Architecture
The 3 Models in the NGINX Microservices Reference ArchitectureNGINX, Inc.
 
Reduce IT Spend with Software Load Balancing
Reduce IT Spend with Software Load BalancingReduce IT Spend with Software Load Balancing
Reduce IT Spend with Software Load BalancingNGINX, Inc.
 
NGINX Microservices Reference Architecture: What’s in Store for 2019 – EMEA
NGINX Microservices Reference Architecture: What’s in Store for 2019 – EMEANGINX Microservices Reference Architecture: What’s in Store for 2019 – EMEA
NGINX Microservices Reference Architecture: What’s in Store for 2019 – EMEANGINX, Inc.
 
OSMC 2018 | Integrating Check_MK agent into Thruk – Windows monitoring made e...
OSMC 2018 | Integrating Check_MK agent into Thruk – Windows monitoring made e...OSMC 2018 | Integrating Check_MK agent into Thruk – Windows monitoring made e...
OSMC 2018 | Integrating Check_MK agent into Thruk – Windows monitoring made e...NETWAYS
 
Bringing Elliptic Curve Cryptography into the Mainstream
Bringing Elliptic Curve Cryptography into the MainstreamBringing Elliptic Curve Cryptography into the Mainstream
Bringing Elliptic Curve Cryptography into the MainstreamNick Sullivan
 
NGINX ADC: Basics and Best Practices
NGINX ADC: Basics and Best PracticesNGINX ADC: Basics and Best Practices
NGINX ADC: Basics and Best PracticesNGINX, Inc.
 
Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013Cloudflare
 
What's New in NGINX Plus R10?
What's New in NGINX Plus R10?What's New in NGINX Plus R10?
What's New in NGINX Plus R10?NGINX, Inc.
 
Running Secure Server Software on Insecure Hardware Without Parachute
Running Secure Server Software on Insecure Hardware Without ParachuteRunning Secure Server Software on Insecure Hardware Without Parachute
Running Secure Server Software on Insecure Hardware Without ParachuteCloudflare
 
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23Nick Sullivan
 
Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014Cloudflare
 
MRA AMA Part 7: The Circuit Breaker Pattern
MRA AMA Part 7: The Circuit Breaker PatternMRA AMA Part 7: The Circuit Breaker Pattern
MRA AMA Part 7: The Circuit Breaker PatternNGINX, Inc.
 
MRA AMA Part 10: Kubernetes and the Microservices Reference Architecture
MRA AMA Part 10: Kubernetes and the Microservices Reference ArchitectureMRA AMA Part 10: Kubernetes and the Microservices Reference Architecture
MRA AMA Part 10: Kubernetes and the Microservices Reference ArchitectureNGINX, Inc.
 
What's New in Go Crypto - Gotham Go
What's New in Go Crypto - Gotham GoWhat's New in Go Crypto - Gotham Go
What's New in Go Crypto - Gotham GoNick Sullivan
 
What's new in NGINX Plus R9
What's new in NGINX Plus R9What's new in NGINX Plus R9
What's new in NGINX Plus R9NGINX, Inc.
 
NGINX Amplify: Monitoring NGINX with Advanced Filters and Custom Dashboards
NGINX Amplify: Monitoring NGINX with Advanced Filters and Custom DashboardsNGINX Amplify: Monitoring NGINX with Advanced Filters and Custom Dashboards
NGINX Amplify: Monitoring NGINX with Advanced Filters and Custom DashboardsNGINX, Inc.
 
NGINX Plus R20 Webinar EMEA
NGINX Plus R20 Webinar EMEANGINX Plus R20 Webinar EMEA
NGINX Plus R20 Webinar EMEANGINX, Inc.
 

What's hot (20)

Vault Secrets Via API for the REST of Us
Vault Secrets Via API for the REST of UsVault Secrets Via API for the REST of Us
Vault Secrets Via API for the REST of Us
 
Nginx Deep Dive Kubernetes Ingress
Nginx Deep Dive Kubernetes IngressNginx Deep Dive Kubernetes Ingress
Nginx Deep Dive Kubernetes Ingress
 
Virus Bulletin 2012
Virus Bulletin 2012Virus Bulletin 2012
Virus Bulletin 2012
 
The 3 Models in the NGINX Microservices Reference Architecture
The 3 Models in the NGINX Microservices Reference ArchitectureThe 3 Models in the NGINX Microservices Reference Architecture
The 3 Models in the NGINX Microservices Reference Architecture
 
Reduce IT Spend with Software Load Balancing
Reduce IT Spend with Software Load BalancingReduce IT Spend with Software Load Balancing
Reduce IT Spend with Software Load Balancing
 
NGINX Microservices Reference Architecture: What’s in Store for 2019 – EMEA
NGINX Microservices Reference Architecture: What’s in Store for 2019 – EMEANGINX Microservices Reference Architecture: What’s in Store for 2019 – EMEA
NGINX Microservices Reference Architecture: What’s in Store for 2019 – EMEA
 
OSMC 2018 | Integrating Check_MK agent into Thruk – Windows monitoring made e...
OSMC 2018 | Integrating Check_MK agent into Thruk – Windows monitoring made e...OSMC 2018 | Integrating Check_MK agent into Thruk – Windows monitoring made e...
OSMC 2018 | Integrating Check_MK agent into Thruk – Windows monitoring made e...
 
Bringing Elliptic Curve Cryptography into the Mainstream
Bringing Elliptic Curve Cryptography into the MainstreamBringing Elliptic Curve Cryptography into the Mainstream
Bringing Elliptic Curve Cryptography into the Mainstream
 
NGINX ADC: Basics and Best Practices
NGINX ADC: Basics and Best PracticesNGINX ADC: Basics and Best Practices
NGINX ADC: Basics and Best Practices
 
Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013
 
What's New in NGINX Plus R10?
What's New in NGINX Plus R10?What's New in NGINX Plus R10?
What's New in NGINX Plus R10?
 
Running Secure Server Software on Insecure Hardware Without Parachute
Running Secure Server Software on Insecure Hardware Without ParachuteRunning Secure Server Software on Insecure Hardware Without Parachute
Running Secure Server Software on Insecure Hardware Without Parachute
 
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
 
Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014Sullivan handshake proxying-ieee-sp_2014
Sullivan handshake proxying-ieee-sp_2014
 
MRA AMA Part 7: The Circuit Breaker Pattern
MRA AMA Part 7: The Circuit Breaker PatternMRA AMA Part 7: The Circuit Breaker Pattern
MRA AMA Part 7: The Circuit Breaker Pattern
 
MRA AMA Part 10: Kubernetes and the Microservices Reference Architecture
MRA AMA Part 10: Kubernetes and the Microservices Reference ArchitectureMRA AMA Part 10: Kubernetes and the Microservices Reference Architecture
MRA AMA Part 10: Kubernetes and the Microservices Reference Architecture
 
What's New in Go Crypto - Gotham Go
What's New in Go Crypto - Gotham GoWhat's New in Go Crypto - Gotham Go
What's New in Go Crypto - Gotham Go
 
What's new in NGINX Plus R9
What's new in NGINX Plus R9What's new in NGINX Plus R9
What's new in NGINX Plus R9
 
NGINX Amplify: Monitoring NGINX with Advanced Filters and Custom Dashboards
NGINX Amplify: Monitoring NGINX with Advanced Filters and Custom DashboardsNGINX Amplify: Monitoring NGINX with Advanced Filters and Custom Dashboards
NGINX Amplify: Monitoring NGINX with Advanced Filters and Custom Dashboards
 
NGINX Plus R20 Webinar EMEA
NGINX Plus R20 Webinar EMEANGINX Plus R20 Webinar EMEA
NGINX Plus R20 Webinar EMEA
 

Similar to DEFCON 28: 21 Jump Server: Going Bastionless in the Cloud

Altinity Webinar: Introduction to Altinity.Cloud-Platform for Real-Time Data.pdf
Altinity Webinar: Introduction to Altinity.Cloud-Platform for Real-Time Data.pdfAltinity Webinar: Introduction to Altinity.Cloud-Platform for Real-Time Data.pdf
Altinity Webinar: Introduction to Altinity.Cloud-Platform for Real-Time Data.pdfAltinity Ltd
 
Microservices on a budget meetup
Microservices on a budget   meetupMicroservices on a budget   meetup
Microservices on a budget meetupMatthew Reynolds
 
Kubernetes Ingress to Service Mesh (and beyond!)
Kubernetes Ingress to Service Mesh (and beyond!)Kubernetes Ingress to Service Mesh (and beyond!)
Kubernetes Ingress to Service Mesh (and beyond!)Christian Posta
 
Cloud-Native Application Debugging with Envoy and Service Mesh
Cloud-Native Application Debugging with Envoy and Service MeshCloud-Native Application Debugging with Envoy and Service Mesh
Cloud-Native Application Debugging with Envoy and Service MeshChristian Posta
 
Az 104 session 5: Azure networking
Az 104 session 5: Azure networkingAz 104 session 5: Azure networking
Az 104 session 5: Azure networkingAzureEzy1
 
InfluxDB Live Product Training
InfluxDB Live Product TrainingInfluxDB Live Product Training
InfluxDB Live Product TrainingInfluxData
 
Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014Miguel Zuniga
 
Rancher Rodéo France
Rancher Rodéo FranceRancher Rodéo France
Rancher Rodéo FranceSUSE
 
Gray Cover_ The dangers of cloudshells.pdf
Gray Cover_ The dangers of cloudshells.pdfGray Cover_ The dangers of cloudshells.pdf
Gray Cover_ The dangers of cloudshells.pdfColin Estep
 
Winning in the Dark: Defending Serverless Infrastructure
Winning in the Dark: Defending Serverless InfrastructureWinning in the Dark: Defending Serverless Infrastructure
Winning in the Dark: Defending Serverless InfrastructurePuma Security, LLC
 
Proto kubernetes onswitc_hengines_tue100418
Proto kubernetes onswitc_hengines_tue100418Proto kubernetes onswitc_hengines_tue100418
Proto kubernetes onswitc_hengines_tue100418inside-BigData.com
 
Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the Proxy
Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the ProxyCloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the Proxy
Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the ProxyMaki Toshio
 
JDO 2019: What you should be aware of before setting up kubernetes on premise...
JDO 2019: What you should be aware of before setting up kubernetes on premise...JDO 2019: What you should be aware of before setting up kubernetes on premise...
JDO 2019: What you should be aware of before setting up kubernetes on premise...PROIDEA
 
Cisco-Wireless-Guest-v10.pptx
Cisco-Wireless-Guest-v10.pptxCisco-Wireless-Guest-v10.pptx
Cisco-Wireless-Guest-v10.pptxAkashMalkood1
 
Introduction to WebRTC
Introduction to WebRTCIntroduction to WebRTC
Introduction to WebRTCArt Matsak
 
Az 104 session 6 azure networking part2
Az 104 session 6 azure networking part2Az 104 session 6 azure networking part2
Az 104 session 6 azure networking part2AzureEzy1
 
Secure your web app presentation
Secure your web app presentationSecure your web app presentation
Secure your web app presentationFrans Lytzen
 
Building Event-Driven Microservices using Kafka Streams (Stathis Souris, Thou...
Building Event-Driven Microservices using Kafka Streams (Stathis Souris, Thou...Building Event-Driven Microservices using Kafka Streams (Stathis Souris, Thou...
Building Event-Driven Microservices using Kafka Streams (Stathis Souris, Thou...London Microservices
 
How to Stream IoT MQTT Messages Into the Azure Event Hubs Service
How to Stream IoT MQTT Messages Into the Azure Event Hubs ServiceHow to Stream IoT MQTT Messages Into the Azure Event Hubs Service
How to Stream IoT MQTT Messages Into the Azure Event Hubs ServiceHiveMQ
 

Similar to DEFCON 28: 21 Jump Server: Going Bastionless in the Cloud (20)

Altinity Webinar: Introduction to Altinity.Cloud-Platform for Real-Time Data.pdf
Altinity Webinar: Introduction to Altinity.Cloud-Platform for Real-Time Data.pdfAltinity Webinar: Introduction to Altinity.Cloud-Platform for Real-Time Data.pdf
Altinity Webinar: Introduction to Altinity.Cloud-Platform for Real-Time Data.pdf
 
Microservices on a budget meetup
Microservices on a budget   meetupMicroservices on a budget   meetup
Microservices on a budget meetup
 
Kubernetes Ingress to Service Mesh (and beyond!)
Kubernetes Ingress to Service Mesh (and beyond!)Kubernetes Ingress to Service Mesh (and beyond!)
Kubernetes Ingress to Service Mesh (and beyond!)
 
Cloud-Native Application Debugging with Envoy and Service Mesh
Cloud-Native Application Debugging with Envoy and Service MeshCloud-Native Application Debugging with Envoy and Service Mesh
Cloud-Native Application Debugging with Envoy and Service Mesh
 
Az 104 session 5: Azure networking
Az 104 session 5: Azure networkingAz 104 session 5: Azure networking
Az 104 session 5: Azure networking
 
Was ist ein Service Mesh und wie funktioniert es?
Was ist ein Service Mesh und wie funktioniert es?Was ist ein Service Mesh und wie funktioniert es?
Was ist ein Service Mesh und wie funktioniert es?
 
InfluxDB Live Product Training
InfluxDB Live Product TrainingInfluxDB Live Product Training
InfluxDB Live Product Training
 
Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014
 
Rancher Rodéo France
Rancher Rodéo FranceRancher Rodéo France
Rancher Rodéo France
 
Gray Cover_ The dangers of cloudshells.pdf
Gray Cover_ The dangers of cloudshells.pdfGray Cover_ The dangers of cloudshells.pdf
Gray Cover_ The dangers of cloudshells.pdf
 
Winning in the Dark: Defending Serverless Infrastructure
Winning in the Dark: Defending Serverless InfrastructureWinning in the Dark: Defending Serverless Infrastructure
Winning in the Dark: Defending Serverless Infrastructure
 
Proto kubernetes onswitc_hengines_tue100418
Proto kubernetes onswitc_hengines_tue100418Proto kubernetes onswitc_hengines_tue100418
Proto kubernetes onswitc_hengines_tue100418
 
Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the Proxy
Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the ProxyCloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the Proxy
Cloud Foundry Day in Tokyo Lightning Talk - Cloud Foundry over the Proxy
 
JDO 2019: What you should be aware of before setting up kubernetes on premise...
JDO 2019: What you should be aware of before setting up kubernetes on premise...JDO 2019: What you should be aware of before setting up kubernetes on premise...
JDO 2019: What you should be aware of before setting up kubernetes on premise...
 
Cisco-Wireless-Guest-v10.pptx
Cisco-Wireless-Guest-v10.pptxCisco-Wireless-Guest-v10.pptx
Cisco-Wireless-Guest-v10.pptx
 
Introduction to WebRTC
Introduction to WebRTCIntroduction to WebRTC
Introduction to WebRTC
 
Az 104 session 6 azure networking part2
Az 104 session 6 azure networking part2Az 104 session 6 azure networking part2
Az 104 session 6 azure networking part2
 
Secure your web app presentation
Secure your web app presentationSecure your web app presentation
Secure your web app presentation
 
Building Event-Driven Microservices using Kafka Streams (Stathis Souris, Thou...
Building Event-Driven Microservices using Kafka Streams (Stathis Souris, Thou...Building Event-Driven Microservices using Kafka Streams (Stathis Souris, Thou...
Building Event-Driven Microservices using Kafka Streams (Stathis Souris, Thou...
 
How to Stream IoT MQTT Messages Into the Azure Event Hubs Service
How to Stream IoT MQTT Messages Into the Azure Event Hubs ServiceHow to Stream IoT MQTT Messages Into the Azure Event Hubs Service
How to Stream IoT MQTT Messages Into the Azure Event Hubs Service
 

Recently uploaded

₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Standkumarajju5765
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsstephieert
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
Call Girls in Mayur Vihar ✔️ 9711199171 ✔️ Delhi ✔️ Enjoy Call Girls With Our...
Call Girls in Mayur Vihar ✔️ 9711199171 ✔️ Delhi ✔️ Enjoy Call Girls With Our...Call Girls in Mayur Vihar ✔️ 9711199171 ✔️ Delhi ✔️ Enjoy Call Girls With Our...
Call Girls in Mayur Vihar ✔️ 9711199171 ✔️ Delhi ✔️ Enjoy Call Girls With Our...sonatiwari757
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 

Recently uploaded (20)

Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girls
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
DEFCON 28: 21 Jump Server: Going Bastionless in the Cloud

• 1. 2020 © Netskope. All rights reserved.
  21 Jump Server: Going Bastionless in the Cloud
  DEFCON 28 Cloud Village
  Presented By: Colin Estep

• 2. Agenda
  • Introduction
  • Overview of Bastion Hosts
  • Problems with Bastion Hosts
  • SSH Multiplexing Attack
  • Alternative Solutions
    – AWS
    – GCP
    – Azure

• 3. About Me
  • Formerly Security @ Apple, Netflix
  • Startup experience in cloud security software
  • Currently Research @ Netskope Threat Labs

• 4. Bastion Hosts

• 5. What are Bastion Hosts?

• 6. Benefits of Bastions
  • Limits exposure of servers to the Internet, which reduces the attack surface
  • Prevents brute-force attacks on SSH for most of the infrastructure
  • Centralized access, which makes it a good place for logging and monitoring

• 7. Why is this relevant?
  Out of our customers who expose compute instances on routable IP addresses:
  • AWS: 39% of the instances allow SSH ingress
  • GCP: 58% of the instances allow SSH ingress
  • Azure: 46% of the instances allow SSH ingress

• 8. Problems with Bastions

• 9. Problems with Bastions
  • Maintain the infrastructure yourself: patching and configuration
  • Could become expensive if you need lots of bastion hosts
  • Need to manage the access yourself (SSH certificates, MFA, etc.)
  • Vulnerable to the SSH Multiplexing Attack

• 10. What is SSH Multiplexing?
  The ability to reuse an outgoing TCP connection for more than one SSH session. If configured, your SSH client keeps a control socket for the authenticated connection on the client's file system (at ControlPath), and any later ssh invocation pointed at that socket rides the existing connection without any additional authentication, including MFA. With ControlMaster auto the first invocation creates the socket and later ones attach to it; with ControlPersist 240m the master stays open in the background for four hours after the user's last session closes.
  SSH Command:
    ssh -S ~/.ssh/%r@%h:%p server.example.org
  Config Snippet:
    Host server
      HostName server.example.org
      ControlPath ~/.ssh/%r@%h:%p
      ControlMaster auto
      ControlPersist 240m

• 11. SSH Multiplexing Attack*
  (Diagram: Clients → Bastion Hosts → SSH Servers. An attacker who compromises a client attaches to its multiplexed SSH session and opens attacker sessions through the bastion.)
  *Credit to NCC Group for their blog post!
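The attack on slide 11 works because the socket named by ControlPath is a pre-authenticated door into the bastion for anyone who can reach it on the client host: `ssh -S <socket> <host>` opens a new session with no password, key or MFA prompt. The following audit is an added example for this page, not the speaker's code. It parses an ssh_config (Host blocks and the three multiplexing keywords only; Match blocks are not handled), flags every block whose master socket outlives the user's own session, and emits a hardened copy that sets ControlMaster autoask (so every reuse of the socket has to be confirmed through ssh-askpass) and ControlPersist no (so the master exits with the session). The sample config is constructed around the slide's snippet; the `build` block and the `Host *` block are invented for contrast.

```python
"""Audit an OpenSSH client config for multiplexing settings that leave a
pre-authenticated control socket behind, and emit a hardened copy.
Added example, not the speaker's code. SAMPLE_CONFIG is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_CONFIG = """\
# constructed sample: the slide's snippet plus two more blocks
Host server
    HostName server.example.org
    ControlPath ~/.ssh/%r@%h:%p
    ControlMaster auto
    ControlPersist 240m

Host build
    ControlMaster no

Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%C
    ControlPersist yes
"""

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def persist_seconds(value: str) -> Optional[int]:
    """Seconds a backgrounded master survives after its last client leaves:
    'no' -> 0 (exits with the first session), 'yes' or '0' -> None
    (indefinitely), otherwise an OpenSSH time such as 240m or 4h."""
    v = value.strip().lower()
    if v == "no":
        return 0
    if v in ("yes", "0"):
        return None
    m = re.fullmatch(r"(\d+)([smhdw]?)", v)
    if not m:
        raise ValueError(f"unrecognised ControlPersist value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


@dataclass
class HostBlock:
    patterns: List[str]
    options: Dict[str, str] = field(default_factory=dict)


def parse_ssh_config(text: str) -> List[HostBlock]:
    """Split the config into Host blocks (options before the first Host are
    global). As in OpenSSH, the first value seen for a keyword wins."""
    blocks = [HostBlock(["(global)"])]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, val = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            blocks.append(HostBlock(val.split()))
        else:
            blocks[-1].options.setdefault(key, val)
    return [b for b in blocks if b.options or b.patterns != ["(global)"]]


@dataclass
class Finding:
    host: str
    control_master: str
    control_persist: str
    window_seconds: Optional[int]  # None: the master never times out
    verdict: str


def audit(blocks: List[HostBlock], max_window: int = 0) -> List[Finding]:
    """One Finding per block that can create a master socket. max_window is the
    longest ControlPersist (seconds) tolerated; the default tolerates none."""
    findings = []
    for b in blocks:
        cm = b.options.get("controlmaster", "no").lower()
        if cm not in ("yes", "auto", "ask", "autoask"):
            continue  # this block never creates a master socket
        cp = b.options.get("controlpersist", "no")
        window = persist_seconds(cp)
        if cm in ("ask", "autoask"):
            verdict = "ok: every reuse of the socket needs ssh-askpass confirmation"
        elif window == 0:
            verdict = "ok: socket exists only while the user's own session is open"
        elif window is None or window > max_window:
            verdict = "risk: pre-authenticated socket outlives the session"
        else:
            verdict = "ok: within the tolerated window"
        findings.append(Finding(" ".join(b.patterns), cm, cp, window, verdict))
    return findings


def harden(text: str) -> str:
    """Rewrite ControlMaster yes/auto -> autoask and any ControlPersist -> no;
    every other line is kept verbatim, indentation included."""
    out = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        key = parts[0].lower() if parts else ""
        indent = raw[: len(raw) - len(raw.lstrip())]
        if key == "controlmaster" and len(parts) > 1 and parts[1].strip().lower() in ("yes", "auto"):
            out.append(f"{indent}ControlMaster autoask")
        elif key == "controlpersist":
            out.append(f"{indent}ControlPersist no")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit(parse_ssh_config(SAMPLE_CONFIG)):
        print(f"{f.host:8} ControlMaster={f.control_master:5} ControlPersist={f.control_persist:5} -> {f.verdict}")
    print(harden(SAMPLE_CONFIG))
```

Run it against `~/.ssh/config` to see which hosts a stolen workstation session would reach for free. Live masters are also visible directly: any Unix socket sitting in the ControlPath directory (`find ~/.ssh -type s`) is a connection an attacker on the box can attach to right now, and `ssh -O exit -S <socket> <host>` tears one down.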
• 12. Alternative Solutions

• 13. Common Attributes
  • The end user starts the connection over HTTPS
  • No need to have public IP addresses on any of your compute instances
  • No need to expose the network ports to external IP addresses
  • Removes the risk of the SSH multiplexing attack from the endpoint
  • Sessions logged by the cloud logging facilities

• 14. Services we are going to cover
  • AWS: Session Manager from AWS Systems Manager
  • GCP: OS Login and Identity-Aware Proxy (IAP)
  • Azure: Azure Bastion

• 15. AWS Session Manager

• 16. AWS Session Manager
  • Part of AWS Systems Manager (SSM)
  • Relies on the Systems Manager Agent on each instance
  • Does not actually use SSH by default
  • Can provide full session logs

• 17. Access via AWS Session Manager

• 18. Default Audit Logs: CloudTrail
  SSM will log events around the beginning and ending of sessions. These events will include a number of interesting things, such as:
  • AWS user
  • In some cases, whether the user was authenticated with multi-factor authentication (MFA)
  • Instance ID
  • Requestor's IP address
  • Timestamp of the authorization
  • Allowed or Denied
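Added example, not part of the talk: a triage of the StartSession records described on slide 18, run over constructed CloudTrail events (the account ID, ARNs, instance IDs, session IDs and addresses are placeholders, and the denial's errorMessage text is illustrative). CloudTrail puts the MFA state of the calling session in `userIdentity.sessionContext.attributes.mfaAuthenticated`, which exists for assumed-role and other temporary-credential sessions but not for calls made with long-term IAM user keys; that is the "in some cases" above, and the code treats the absence as its own finding rather than as "no MFA". The trusted CIDR list is an assumption for illustration.

```python
"""Triage AWS Session Manager activity in CloudTrail.
Added example, not from the talk. CloudTrail records StartSession
(eventSource ssm.amazonaws.com) when a session is authorised and
TerminateSession when it ends. SAMPLE_TRAIL is constructed to the CloudTrail
record shape; every identifier and address in it is a placeholder."""
import ipaddress
import json
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_TRAIL = json.dumps({"Records": [
    {   # assumed role whose STS session was MFA-authenticated, from a trusted range
        "eventTime": "2020-08-07T18:02:11Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/OpsRole/alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "requestParameters": {"target": "i-0123456789abcdef0"},
        "responseElements": {"sessionId": "alice-0a1b2c3d4e5f6a7b8"}},
    {   # role session without MFA, from an address outside the trusted range
        "eventTime": "2020-08-07T18:10:42Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/DevRole/bob",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "requestParameters": {"target": "i-0fedcba9876543210"},
        "responseElements": {"sessionId": "bob-0f1e2d3c4b5a69788"}},
    {   # long-term IAM user keys: no sessionContext, so MFA state is unknown; denied by IAM
        "eventTime": "2020-08-07T18:15:03Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession", "sourceIPAddress": "203.0.113.22",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
        "requestParameters": {"target": "i-0123456789abcdef0"},
        "errorCode": "AccessDenied",
        "errorMessage": "User: arn:aws:iam::111122223333:user/carol is not authorized to perform: ssm:StartSession"},
    {   # end of alice's session: not a StartSession, so triage skips it
        "eventTime": "2020-08-07T18:40:00Z", "eventSource": "ssm.amazonaws.com",
        "eventName": "TerminateSession", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/OpsRole/alice"},
        "requestParameters": {"sessionId": "alice-0a1b2c3d4e5f6a7b8"}},
]})


@dataclass
class SessionStart:
    time: str
    principal: str
    instance: str
    source_ip: str
    mfa: Optional[bool]   # None: CloudTrail did not record an MFA state
    allowed: bool
    alerts: List[str]


def mfa_state(identity: dict) -> Optional[bool]:
    """mfaAuthenticated is only present for temporary-credential sessions."""
    v = identity.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
    return None if v is None else v == "true"


def from_trusted(ip: str, nets) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:   # e.g. "AWS Internal" or a service principal in that field
        return False
    return any(addr in n for n in nets)


def triage(raw_trail: str, trusted_cidrs: List[str]) -> List[SessionStart]:
    """One record per StartSession, with alerts for: no MFA, MFA state not
    recorded, source outside trusted_cidrs, and IAM denials."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    out = []
    for ev in json.loads(raw_trail)["Records"]:
        if (ev.get("eventSource"), ev.get("eventName")) != ("ssm.amazonaws.com", "StartSession"):
            continue
        ident = ev.get("userIdentity", {})
        mfa = mfa_state(ident)
        ip = ev.get("sourceIPAddress", "")
        alerts = []
        if mfa is False:
            alerts.append("session started without MFA")
        elif mfa is None:
            alerts.append("MFA state not recorded (long-term credentials?)")
        if not from_trusted(ip, nets):
            alerts.append(f"source {ip} outside trusted ranges")
        if "errorCode" in ev:
            alerts.append("denied: " + ev.get("errorMessage", ev["errorCode"]))
        out.append(SessionStart(ev["eventTime"], ident.get("arn", "?"),
                                ev.get("requestParameters", {}).get("target", "?"),
                                ip, mfa, "errorCode" not in ev, alerts))
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_TRAIL, ["203.0.113.0/24"]):
        print(r.time, r.principal, r.instance, r.source_ip, "ALLOWED" if r.allowed else "DENIED", r.alerts)
```

The same loop runs unchanged over a CloudTrail S3 delivery or a CloudWatch Logs export, since both carry the `Records` array. Denied StartSession calls are worth alerting on by themselves: with Session Manager there is no SSH daemon to brute-force, so a failed StartSession is an IAM principal probing for access it does not have.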
• 19. Full Session Logging

• 20. GCP: OS Login and IAP

• 21. OS Login and IAP
  • No agents to deploy
  • Very easy to set up (especially if you use G Suite)
  • Pairs the local user with a Google IAM identity (LDAP and AD are supported in addition)
  • Logs metadata of sessions for free
  • Easy to enable 2FA for SSH

• 22. Compute Engine Access: Identity-Aware Proxy and OS Login
  (Diagram: the user reaches IAP over an HTTPS TCP tunnel; IAP forwards the SSH traffic to the Compute Engine instances in the project's VPC; OS Login handles the SSH authentication on the instances.)
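The design on slide 22 only replaces a bastion if the instances' SSH port is reachable from IAP's TCP-forwarding range and from nowhere else; leaving the project's default allow-ssh rule in place is exactly the exposure slide 7 measured. As an added example, not from the talk, the following audit classifies every firewall rule that admits TCP/22 in the JSON that `gcloud compute firewall-rules list --format=json` produces. 35.235.240.0/20 is Google's documented source range for IAP TCP forwarding; the rule set is constructed, and the rule names and tags are invented.

```python
"""Classify GCE firewall rules by how widely they expose SSH.
Added example, not from the talk. Input is the JSON shape emitted by
`gcloud compute firewall-rules list --format=json`; SAMPLE_RULES is constructed.
35.235.240.0/20 is Google's documented source range for IAP TCP forwarding."""
import ipaddress
import json
from typing import Dict, List, Optional

IAP_TCP_FORWARDING = ipaddress.ip_network("35.235.240.0/20")

SAMPLE_RULES = json.dumps([
    {"name": "default-allow-ssh", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-ssh-from-iap", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["35.235.240.0/20"], "targetTags": ["ssh-via-iap"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-all-tcp-office", "direction": "INGRESS",   # no "ports": every TCP port
     "sourceRanges": ["198.51.100.0/24"], "allowed": [{"IPProtocol": "tcp"}]},
    {"name": "allow-internal-ssh", "direction": "INGRESS",     # tag-sourced, no ranges
     "sourceTags": ["bastion"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-web", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-egress", "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "old-allow-ssh", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
])


def port_in_spec(port: int, spec: Optional[List[str]]) -> bool:
    """'ports' may be absent (all ports), single ports, or ranges like '20-25'."""
    if not spec:
        return True
    for p in spec:
        lo, _, hi = p.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def admits_tcp(rule: dict, port: int) -> bool:
    """True for an enabled INGRESS rule with an allow entry covering TCP/port."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    return any(a["IPProtocol"].lower() in ("tcp", "all") and port_in_spec(port, a.get("ports"))
               for a in rule.get("allowed", []))


def classify_source(rule: dict) -> str:
    """internet:   some source range is 0.0.0.0/0 (or ::/0)
    iap:        every source range lies inside IAP's forwarding block
    internal:   sources are instance tags / service accounts, not ranges
    restricted: some other explicit range(s)"""
    ranges = rule.get("sourceRanges")
    if not ranges:
        if rule.get("sourceTags") or rule.get("sourceServiceAccounts"):
            return "internal"
        ranges = ["0.0.0.0/0"]  # GCP's default when a rule names no source at all
    nets = [ipaddress.ip_network(r) for r in ranges]
    if any(n.prefixlen == 0 for n in nets):
        return "internet"
    if all(n.version == 4 and n.subnet_of(IAP_TCP_FORWARDING) for n in nets):
        return "iap"
    return "restricted"


def audit_exposure(raw_json: str, port: int = 22) -> Dict[str, str]:
    """Rule name -> exposure class for every rule that admits TCP/port."""
    return {r["name"]: classify_source(r) for r in json.loads(raw_json) if admits_tcp(r, port)}


if __name__ == "__main__":
    for name, cls in audit_exposure(SAMPLE_RULES).items():
        print(f"{name:22} {cls}")
```

The classification is per rule and ignores priorities and deny rules, so a higher-priority deny could neutralise an "internet" finding; it is a triage list, not a reachability proof. Pass `port=3389` to run the same check for RDP.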
• 23. Default Audit Logs: Data Access Logs
  When IAP authorizes a new session for a user, we'll see events that contain the following:
  • Primary email of the Google identity
  • Destination IP address and port (could be an RFC 1918 address)
  • Instance ID
  • Requestor's IP address
  • Timestamp of the authorization
  • Allowed or Denied

• 24. Logging Agent from GCP

• 25. Azure Bastion

• 26. Azure Bastion
  • The user connects over HTTPS to the Bastion, which connects to the servers via SSH / RDP
  • You still need to manage the SSH keys (or certificates) yourself
  • The SSH port must be exposed to internal traffic so that the Bastion service can reach it

• 27. Access with Azure Bastion

• 28. Connecting via Bastion

• 29. Azure Session Monitoring

• 30. Azure Bastion Logs
  Azure makes it easy to send the audit logs from the Bastion to any of the following:
  • Log Analytics
  • A Storage Account
  • An Event Hub
  However, there is no facility for setting up full session logs.

• 31. Azure Bastion Audit Logs

• 32. Summary

• 33. Summary
  • Running your own bastion hosts may no longer be necessary
  • Be aware of SSH Multiplexing attacks
  • Cloud providers and vendors provide some great alternatives for management access (SSH / RDP)
  • Solutions from cloud providers may help with:
    – Compute Instance Management
    – Identity Management
    – Logging and Monitoring

• 34. Thank you!
  Blog: Threat Labs
  Twitter: @colinestep
  LinkedIn: https://www.linkedin.com/in/colinestep/