We all know that customer infrastructure should not be publicly accessible to the Internet… But at the same time, Any operator who is an authenticated operator are regulated operator, should be able to access that infrastructure.
Today. The customers who have their target resources in Cloud, There are certain the customers are forced to use certain access networking patterns because of the absence of a native accessors !!! So either customers go for in a private subnet or they launched a jump box in the public subnet…
Then they have to muck with the security rules, routing rules, and stuff like that. And also they have to add the public SSH keys onto that jump box for the operators to jump to that Jump Box into their target resources.
The disadvantages of these excess networking patterns is that,
- The connections that are established are persistent, which definitely decrease your security posture because back surface is open for a long period of time.
- The operational overhead to harden these jump boxes, patching them periodically, and also at the same time, taking care of availability for your operators to get into your mission critical workloads. All of that overhead is on the customers.
- Also, such architectures work if you have a couple of resources here and there. But as your organization scales up, these architectures become very difficult to maintain. And there is always a risk of a security loophole. Security should be easy.
- This jump boxes, they are running 24×7 so definitely customers have to pay a cost for, for running these jump boxes.
- There is no auditability. So you don’t know as a customer who got into which target resource.
- Even with the best efforts that the customers put in, this whole architecture is not controlled through IAM. So whoever has, whichever operator has that, SSH keys onto the Jump Box, again forever access your target resources. So the overall story of the life-cycle management of who can access your target resources. It’s very difficult to maintain.
Oracle Cloud Infrastructure Bastion Service
So to solve these issues, Oracle have created the fully managed service which is the OCI Bastion service, which will help you in improving the security posture of your resources in OCI by providing secure as well as an ephemeral access to your private target resources. But then you will receive the services free of cost. This is a very core infrastructure security blood. You don’t have to choose between cost and security.
The access to the target resources via OCI Bastions is time-bound which definitely helps in increasing your overall security posture. And also the access is governed by the OCI IAM policies so only the users who have the right IAM policies can access your target resources. And once they leave the organization, all you have to do is you have to just remove those users from your groups in from your IAM groups and you’re done. You don’t have to do anything beyond that.
You can also restrict the incoming SSH connections to certain IPv4 address ranges, the administrative actions, like who/when created/deleted/updated/fetched bastion and session are recorded in OCI event and audit service and also in the Cloud Guard.
The end-users on their on-premises laptops or desktops or workstations can basically use any open SSH client, they can access the Bastion Service as a pass through to get into their target resources.
OCI Bastion product is built on top of OpenSSH/SSH so whatever is possible to OpenSSH is possible to this service.
Types of target resources which are going to be supported by OCI Bastion would be:
Private target compute host running either native OCI images or customer Linux Images and Windows OS.
Autonomous transaction processing, Autonomous data warehouse, MySQL DB, OKE instances. We also support communities.
You can manage the bastion and sessions that are created via the service. So basically what that means is, at any point of time, if you feel if you see that assertion has gone malicious, or let’s say you see that you are under attack. You can simply delete the sessions. You can pick out those malicious users. You can delete the whole bastion and to protect your particular target resources. So you have all of those capabilities.
Once the session is created, customers can use the session metadata to tunnel into the target resources via bastion from their on-premises terminals.
You can use OCI bastion to access your private target resources in OCI irrespective of whether the target resources has the Oracle Cloud Agent installed or not.
The session type depends on the target host.
Managed SSH sessions can only be created for a target host that is a Compute instance configured to run both the Oracle Cloud Agent and an OpenSSH server.
SSH port forwarding sessions do not require a running Oracle Cloud Agent or OpenSSH server on the target host, and can be used with resources like Autonomous Transaction Processing databases.
High Level Architecture
HOW TO USE OCI BASTION?
Go to the Identity & Security and choose the Bastion
Create Compute Resource
Create Bastion Resource
Create Managed SSH Session
Create Session Port Forwarding
Access Window Server using Session Port Frwd
Thank you for visiting this blog.
Disclaimer : The views expressed on this blog are my own and do not reflect the views of the companies I work, The opinions give by visitors on this site are there own opinions.