Bunker Up: Remote Work with a Bastion Host

17.03.2020 15:10

The COVID-19 pandemic is underway. By now, most of your workforce is either working remotely or transitioning to it. Let’s assume that you’re in the second camp. If you’re looking into how to best transition to a remote work environment, you’ve probably already considered two options:

1. Exposing internal systems directly on the internet.

2. Employing a VPN (Virtual Private Network) solution.

Option 1: Open Exposure

Exposing your internal systems to the open internet is probably the easiest solution you can implement. But there aren’t many companies in the world that can do it without serious security risks. Minutes after deployment, your internal company systems would be exposed to automated penetration attempts. How serious could such threats be? We don’t have to look far into the past to find out.

CVE-2019-0708 is a vulnerability discovered in May last year. This specific bug allowed attackers to accomplish remote code execution on machines with RDS (Remote Desktop Services) by sending them a crafted RDP message. If a similar bug were discovered today… 

Scratch that. It was.

CVE-2020-0796, dubbed SMBGhost, is a vulnerability in SMBv3 (the Microsoft Windows protocol used for file sharing, network browsing, printing services and interprocess communication) which allows remote code execution. And it was wormable, meaning an attack could be automated in such a way that one compromised machine performs a lateral attack on other machines, both within its internal network and out on the public internet. Just like a spreading virus. SMBGhost was patched a few days ago, but the patch requires users to update their Windows OS. Are you sure all your systems are patched? If not, you’re still vulnerable.

Option 2: VPN

Decided against option 1? Smart–it’s risky. Deploying a solid VPN solution is safer, but not without its flaws. Most of all, VPNs require preparation. You will need to:

  • Establish a dedicated server (or fleet depending on your workforce) handling authentication and establishing client connections.
  • Establish a certificate authority that all of your employees will trust. This will ensure that the person connecting is not some random intruder off the internet with stolen credentials.
  • Provision client certificates to all your employees in a secure way.
  • Have all employees configure a VPN client on their personal and work machines. (This point is especially important, considering the sheer variety of machines and operating systems found in the average home.)
  • Handle certificate revocations, if someone misplaces or loses theirs.
  • Provision new DNS and routing configurations so all those VPN clients can access required internal infrastructure.

With all these considerations, you can forget about rapid deployment. But perhaps the biggest drawback of a VPN is having no segmentation between clients, or between clients and internal resources. Adding someone to your VPN is equivalent to having them join your innermost corporate network without any way of enforcing company policy over installed software, segmentation, virus protection or general best practices of hardware and software maintenance. The moment an employee connects to your virtual private network, it is as if their machine were locally present within your corporate network. It can freely communicate both with other employee machines connected to the VPN and with all internal servers and machines present on site. Having someone join your VPN is like allowing them into your living room, with no control over whether they take off their shoes, sit in your favorite spot on the couch, pick their nose and flick their boogers at the dog.

Why is this bad? Recall CVE-2020-0796. Are all your internal systems patched? Are all your employees’ private machines patched? By adding employee devices you are extending your chain of trust–one employee lagging in updates becomes a risk to your whole company.

Is your network ready for such a change? Many internally-deployed solutions that your business uses (email, message boards, planning software) grant elevated access for all machines inside the internal network, treating them as if they were on-site. In fact, they are unable to distinguish VPN-connected users from employees actually on-site.

Computer networks are like human networks. You wouldn’t sit all your employees together in an open office space if they’re supposed to be quarantined. Likewise, remote worker machines must be separated from each other, or else a virus can quickly spread to all unpatched machines across your entire network. It just takes one infected machine. Monitoring your network is also crucial. Like epidemiologists tracking the spread of a virus, you’ll want a way to trace an attack if your network is compromised, which is non-trivial with such a topology.

What else can we do? Bunker up.

By far the easiest, fastest to deploy solution is to create a bastion host: one or more machines that act as a gatekeeper to your most sensitive internal systems. Fudo PAM is famous for its one-day deployment, and it supports working in bastion mode.

Here’s how it works:

Your workers have accounts provisioned on the bastion host. Your system administrators then decide which users get access to which specific resources. An employee doesn’t even need actual credentials for a target machine: once the employee has authenticated to the bastion, the bastion host establishes the onward connection using credentials the employee never sees. For example, say you hire someone to temporarily run your Twitter account. You wouldn’t want to give that person your password right away, but that person still needs a way to log in. You could set up a Fudo account they could log into with a username and password, proving that it actually is them, but still preventing them from knowing your real credentials. Fudo is the only entity in this connection that knows your real Twitter password. The same can be done for critical business services: using a proxy limits the number of people able to access a system directly.

The setup is also quick on the client side. No configuration or installation is required. Your workers access a single portal page which lists all the services and resources they can access. With the press of a button they can launch a remote desktop session, secure shell connection or any other service you configure, including HTTP sessions to intranet websites.
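To make the gatekeeper model concrete, here is an added example of the same pattern on a plain OpenSSH bastion. It is not Fudo’s configuration and not code from the original post; the host names (`bastion.example.com`, `app01.internal`, `intranet.internal`), the user names, the service account `app-deploy` and the key path `/etc/bastion/keys/app01` are all assumptions. It shows the three properties described above: each employee has an account on the bastion only, the credential for the target lives on the bastion rather than on the employee’s laptop, and each account is pinned to exactly one resource with no way to reach anything else through the bastion.

```sshconfig
# ---- /etc/ssh/sshd_config on the bastion (assumed host: bastion.example.com) ----
# Global defaults: key-based login only, and no forwarding or tunnelling of any
# kind unless a Match block below re-enables one specific capability for one user.
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
# VERBOSE records the fingerprint of the key used for every login, which is the
# audit trail you need when tracing an incident back to one employee account.
LogLevel VERBOSE

# Employee "alice" is allowed one resource: an SSH session on app01.internal.
# Her bastion account never gets a shell of its own; every login is replaced by
# an SSH connection to the target, authenticated with a key that is stored on
# the bastion (assumed path) and that she has no way to read or copy, because
# ForceCommand is the only thing her login can run. EscapeChar=none closes the
# "~C" escape that would otherwise let her open extra forwards from the inner
# session.
Match User alice
    PermitTTY yes
    ForceCommand /usr/bin/ssh -i /etc/bastion/keys/app01 -o BatchMode=yes -o EscapeChar=none app-deploy@app01.internal

# Employee "bob" only needs an intranet web application. He gets a single local
# TCP forward to that one host and port, and a login that does nothing else.
# He connects with "ssh -N", so no shell is ever requested.
Match User bob
    AllowTcpForwarding local
    PermitOpen intranet.internal:443
    PermitTTY no
    ForceCommand /usr/bin/echo "port forwarding only"

# ---- ~/.ssh/config on an employee laptop (nothing to install, one entry) ----
# Alice types "ssh app01" and lands on the target; her laptop holds only the
# key for her bastion account, never the key that opens app01.internal.
Host app01
    HostName bastion.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519

# Bob types "ssh -N intranet" and then browses https://localhost:8443; the
# bastion refuses any destination other than intranet.internal:443.
Host intranet
    HostName bastion.example.com
    User bob
    IdentityFile ~/.ssh/id_ed25519
    LocalForward 8443 intranet.internal:443
```

Two design points worth noting. The per-user Match blocks are what give you the segmentation the VPN section lacks: alice and bob cannot see each other’s targets, and neither can open an arbitrary connection into the internal network from the bastion. And because the onward hop to app01.internal uses a key the bastion owns, revoking an employee’s access is a matter of removing their bastion account; the target’s own credentials never change hands and never need to be rotated for that reason.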

Fudo’s bastion mode allows you all the other benefits of a full-blown PAM solution, as well. If someone leaves their machine unlocked and a bystander attempts to utilize the exposed machine to gain elevated access, the machine learning component of the system will flag such activity as deviating from the regular behavior of that specific user. This gives you a chance to protect even against credential misuse.

In similar fashion, if an employee’s machine is compromised, forensic evidence recorded by the PAM can be used to review what exactly happened, what data was accessed, and locate the source of the intrusion. 

Finally, bastion hosts allow you to achieve full separation. Employees do not all join the same network, so a compromised machine from one employee will not impact the work of others. Plus, since everyone only has access to specific, limited resources, any attack on one machine is severely limited in its potential to move to others.

Most of all, the bastion host separates your servers from the internet. Even if a flaw is found in a forwarded protocol like RDP, attackers will not be able to exploit it against your servers. They are talking with your PAM, the middle man between your vulnerable system and the attacker. The middle man does not share the vulnerability, as it runs a different operating system and protocol implementation from the one an attacker exploiting the flaw in the wild would expect to find.

Having a bastion host is equivalent to social distancing during a pandemic. It is the only simple, effective solution to fighting off a virus spread, and it’s necessary to any modern, secure remote architecture.

About the author:

Adam Wołk is a senior software developer at Fudo Security working on the product backend and database. Prior to that he spent 4 years developing an IoT system for professional golfers and 7 years implementing a central banking system used by large European institutions. His main areas of expertise and interest are database engineering, distributed systems, information security and gaming.