Like a lot of organizations these days, your company’s servers are probably hosted in the cloud. While cloud-hosted infrastructure can provide numerous operational benefits, it can also result in weakened security. The number of attack vectors on a cloud system is practically too high to count: password lists get dumped, private SSH keys get checked in to GitHub, ex-employees reuse old credentials, employees fall victim to spear-phishing, and so on. One of the most critical first steps that an organization can take towards better security is putting its hosts in a VPN or behind a bastion host.
The Edge
Both a VPN and bastion host have their strengths and weaknesses, but the main value they provide is funneling all access through a single point. Using a single point of entry (or “edge”) to gain access to your production systems is an important security measure. When new resources are spun up inside a VPN they are automatically secured with proper configuration. Without a VPN, a compromised password or SSH key is enough to access your production resources. Remember, a system is only as secure as its weakest link and a simple SSH key or static password is quite weak by itself.
Account Management
However, your VPN also needs its own credentialing system. It might be tempting to fall back to manual user management, but it’s best to tie the VPN to the employee datastore. That way you can ensure that no one outside the company can gain access. When you onboard a new employee, they can instantly have access to the resources they need. More importantly, when you offboard an employee, they instantly lose access to your infrastructure. Manually managing the credentialing system adds a human factor, which, unfortunately, is a slow, high-effort, and error prone process.
Securing Identity
Another critical VPN feature, two-factor authentication (2FA), shores up the holes left by integrated credentialing. If using a single account store keeps out unwanted users, then two-factor authentication makes sure those users are who they say they are. When a user tries to log in to the VPN, a separate message is sent to a previously authenticated device to approve the login attempt. If the user is who they say they are, they can approve the login attempt. 2FA ensures that the person behind the keyboard is who they say they are. Many systems use a smartphone based service like Duo. Third party devices like RSA keys and Yubikeys are also quite common. While passwords and SSH keys can be easily compromised, it is much harder to also gain access to a user’s physical device or phone. Additionally, these physical devices are unable to be stolen remotely, decreasing the attack vector by multiple orders of magnitude.
Implementation
While it’s great to talk about best practices, it’s another thing entirely to implement them. Like most operational practices, things don’t get implemented until they become too much of a pain point to bear. For many companies, setting up an OpenVPN server, even OpenVPN Access Server, takes longer than most would like to spend. The same is true for setting up a bastion host -- it's complexity that simply doesn’t seem worth the effort. However, for security measures there is no “pain point.” Your system is either secure or it isn’t, and the potential worst case scenario certainly outweighs whatever annoyance dealing with a secure VPN system causes.
Thankfully, Foxpass has just announced a free VPN that includes all of these features and is dead-simple to set up. It uses Foxpass to integrate with your organization’s employee directory and integrates with Duo for 2FA. Just spin up the AMI and you’re ready to go! The VPN needs no custom software, it integrates directly with your OS’s built in VPN system. Check out the AMI here or build the image yourself from our Github repo.
.png)
