If you are a customer of AWS, Azure, or GCP, you may have deployed your own bastion hosts to provide RDP or SSH access to your virtual machines. While bastions help to protect your infrastructure, there are challenges that come along with them, such as managing the identities, obtaining logs, and preventing SSH multiplexing attacks.

1. 2020 © Netskope. All rights reserved.
21 Jump Server:
Going Bastionless in the Cloud
DEFCON 28 Cloud Village
Presented By: Colin Estep

2. 2020 © Netskope. All rights reserved.
• Introduction
• Overview of Bastion Hosts
• Problems with Bastion Hosts
• SSH Multiplexing Attack
• Alternative Solutions
– AWS
– GCP
– Azure
Agenda
2

3. 2020 © Netskope. All rights reserved.
• Formerly Security @ Apple, Netflix
• Startup experience in cloud
security software
• Currently Research @ Netskope
Threat Labs
3
About Me

4. 2020 © Netskope. All rights reserved.
Bastion Hosts

5. 2020 © Netskope. All rights reserved.
What are Bastion Hosts?
5

6. 2020 © Netskope. All rights reserved.
• Limits exposure of servers to the Internet, which reduces the attack surface
• Prevents brute force attacks on SSH for most of the infrastructure
• Centralized access, which makes it a good place for Logging and Monitoring
Benefits of Bastions
6

7. 2020 © Netskope. All rights reserved.
Out of our customers who expose compute instances to routable IP addresses:
• AWS: 39% of the instances allow SSH ingress
• GCP: 58% of the instances allow SSH ingress
• Azure: 46% of the instances allow SSH ingress
Why is this relevant?
7

8. 2020 © Netskope. All rights reserved.
Problems with Bastions

9. 2020 © Netskope. All rights reserved.
• Maintain the infrastructure yourself: patching and configuration
• Could become expensive if you need lots of bastion hosts
• Need to manage the access yourself (SSH certificates, MFA, etc.)
• Vulnerable to the SSH Multiplexing Attack
Problems with Bastions
9

10. 2020 © Netskope. All rights reserved.
The ability to reuse an outgoing TCP connection for more than one SSH session.
If configured, your SSH client will save the connection to a file on the client’s file
system, and can be invoked without any additional authentication, including MFA.
What is SSH Multiplexing?
10
SSH Command:
ssh -S ~/.ssh/%r@%h:%p server.example.org
Config Snippet:
Host server
HostName server.example.org
ControlPath ~/.ssh/%r@%h:%p
ControlMaster auto
ControlPersist 240m

11. 2020 © Netskope. All rights reserved.
Bastion
Hosts
SSH Multiplexing Attack*
11
Clients
Attacker
SSH
Compromise
Multiplexed SSHsession
SSH
Servers
Attacker Sessions
*Credit to NCC Group for their blog post!

12. 2020 © Netskope. All rights reserved.
Alternative Solutions

13. 2020 © Netskope. All rights reserved.
Common Attributes
• The end user starts the connection over HTTPS
• No need to have public IP addresses any of your compute instances
• No need to expose the network ports to external IP addresses
• Removes risk of the SSH multiplexing attack from the endpoint
• Sessions logged by the cloud logging facilities
13

14. 2020 © Netskope. All rights reserved.
• AWS: Session Manager from AWS Systems Manager
• GCP: OS Login and Identity-Aware Proxy (IAP)
• Azure: Azure Bastion
14
Services we are going to cover

15. 2020 © Netskope. All rights reserved.
AWS Session Manager

16. 2020 © Netskope. All rights reserved.
AWS Session Manager
• Part of AWS Systems Manager (SSM)
• Relies on the Systems Manager Agent on each instance
• Does not actually use SSH by default
• Can provide full session logs
16

17. 2020 © Netskope. All rights reserved. 17
Access via AWS Session Manager

18. 2020 © Netskope. All rights reserved.
SSM will log events around the beginning and ending of sessions. These events
will include a number of interesting things, such as:
● AWS user
● In some cases, whether the user was authenticated with multi-factor authentication
(MFA)
● Instance ID
● Requestor’s IP address
● Timestamp of the authorization
● Allowed or Denied
18
Default Audit Logs: CloudTrail

19. 2020 © Netskope. All rights reserved. 19
Full Session Logging

20. 2020 © Netskope. All rights reserved.
GCP: OS Login and IAP

21. 2020 © Netskope. All rights reserved.
OS Login and IAP
21
• No agents to deploy
• Very easy to set up (especially if you use GSuite)
• Pair local user with Google IAM (in addition, LDAP and AD support)
• Logs metadata of sessions for free
• Easy to enable 2FA for SSH

22. 2020 © Netskope. All rights reserved. 22
Project
User
Compute Engine Access: Internet-Aware Proxy and OS Login
VPC
Servers
Compute Engine
Multiple Instances
IAP
HTTPS TCP Tunnel
SSH Auth
SSH Traffic
OS Login

23. 2020 © Netskope. All rights reserved.
When IAP authorizes a new session for a user, we’ll see events that contain the
following:
● Primary email of the Google identity
● Destination IP address and port (could be an RFC 1918 address)
● Instance ID
● Requestor’s IP address
● Timestamp of the authorization
● Allowed or Denied
23
Default Audit Logs: Data Access Logs

24. 2020 © Netskope. All rights reserved. 24
Logging Agent from GCP

25. 2020 © Netskope. All rights reserved.
Azure Bastion

26. 2020 © Netskope. All rights reserved.
• Connect over HTTPS to the Bastion, and connects to the servers via SSH /
RDP
• Still need to maintain SSH certificates
• Expose the SSH port to internal traffic, so that the Bastion service can
access it
26
Azure Bastion

27. 2020 © Netskope. All rights reserved.
Access with Azure Bastion
27

28. 2020 © Netskope. All rights reserved. 28
Connecting via Bastion

29. 2020 © Netskope. All rights reserved. 29
Azure Session Monitoring

30. 2020 © Netskope. All rights reserved.
Azure makes it easy to send the audit logs from the Bastion to any of the
following:
• Log Analytics
• A Storage Account
• An Event Hub
However, there is no facility for setting up full session logs.
30
Azure Bastion Logs

31. 2020 © Netskope. All rights reserved. 31
Azure Bastion Audit Logs

32. 2020 © Netskope. All rights reserved.
Summary

33. 2020 © Netskope. All rights reserved.
• Running your own bastion hosts may no longer be necessary
• Be aware of SSH Multiplexing attacks
• Cloud Providers and Vendors provide some great alternatives for
management access (SSH / RDP)
• Solutions from cloud providers may help with:
– Compute Instance Management
– Identity Management
– Logging and Monitoring
33
Summary

34. 2019 © Netskope Confidential. All rights reserved.
Blog: Threat Labs
Twitter: @colinestep
LinkedIn: https://www.linkedin.com/in/colinestep/
Thank you!