We all know about the amazing things we can build in cloud environments – I bang on about it often enough! But what is the best way to administer your environment once it exists? What is safe to leave open to the Internet, and what should be shrouded in a cyber-stealth cloak? Today we are going to look at securing administrative access to your cloud resources.
Nowhere to Hide
There is a fixed number of IP addresses available on the Internet, and that number cannot increase. (We are only talking about IPv4 to keep things simple.) Once you take out the reserved ranges, that number is roughly 3.7 billion. And the thing about computers is that they are really good at repeating a task over and over again – they love that stuff! You ask a computer to go and check 3.7 billion IP addresses to see if anyone answers, and it is having the best afternoon ever! Scanning the whole of IPv4 on a single port is a job measured in hours, not weeks.
And that is our problem: if you have anything on the Internet, it will be found, and it will be scanned for open ports, version banners and known vulnerabilities. If you are interested, you can check out the results of such scans at Shodan's website.
Why wouldn’t you just give everything a public IP address and connect on it? It’s good enough for web servers, right?
Well, web servers are designed to be public, and they are usually surrounded by all kinds of peripheral security technology, like web application firewalls and intrusion detection systems. The only thing exposed is a single HTTP or HTTPS port, and the web server listens for whatever requests get past those extra safeguards and serves out the content as required. Other services are not like that.
Imagine you have a database engine exposed to the Internet. As we have learned, scans will find it, and it will appear on Shodan. Attackers will know from the port and the banner that it is indeed a database server, and which version, and will immediately start to try to log in. Remember what we said about computers loving repetitive tasks? Well, what could be more fun for a computer than guessing usernames and passwords all day long? Against a default account, a weak password or a password reused from a breached site, it does not take long. Eventually, they will get lucky.
But it is not just publicly accessible services which are scanned and indexed, it is vulnerabilities too. When a new software patch is released, it often draws attention to the problem it fixes: attackers compare the patched and unpatched versions to work out what changed, and an exploit often follows within days. So between a patch being released and your systems actually installing it, we have the perfect storm: a vulnerable system that everyone can reach, and bad guys who know how to exploit it.
For this reason, we need to hide as much of our cloud infrastructure away from the public Internet as possible, and expose only what genuinely has to be public.
How to Hide
Now we know we want to hide as much as possible away from the big bad Internet, how do we do it and still have a functional system? There are two ways we will talk about here: a VPN, and a bastion host.
First, the VPN. We have talked about VPNs here before, so go and check that out for a more in-depth explanation of what it is and how it works. But basically, you create an encrypted tunnel between you and your cloud resources, over the Internet. Others on the web cannot see inside your tunnel, and you can interact with your cloud resources as if you were sitting inside AWS's data centre. Because you reach everything through the tunnel, none of your servers or databases needs a public IP address at all. The VPN endpoint itself is still an Internet-facing service, so it still needs patching and monitoring, but it is one service speaking one hardened protocol rather than a dozen different things.
I like to think of myself cross-legged on the floor. It’s my happy place.
Bastion hosts are used in smaller environments, since they are typically a bit cheaper than a VPN. A bastion host is a resource which is exposed to the Internet and can communicate with the rest of your cloud resources; you connect to the bastion, and from there on to everything else, which again needs no public IP address. You still have all the problems we talked about earlier, in that your bastion host will certainly be detected, but your attack surface is now a single host running a single service, and that is one thing for you to secure rather than many.
You would set up security groups or firewall rules to allow connections to the bastion host only from your office address range. Strong SSH keys would be used for authentication and encrypted data transfer, with password logins switched off entirely, and you would use SSH's ProxyJump to reach the hosts behind it rather than copying private keys onto the bastion. There would also be lots of monitoring on that bastion host, in particular of failed login attempts, to make sure you know if it ever does come under attack. You might even switch it off when you are not using it!
As with all things cloud, there are a few different ways to approach the same problem. It all depends on how your team works, what data you are trying to protect, and how much money you have.
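The bastion setup above is a short procedure: restrict the source addresses, authenticate with keys, watch the host. As an added example (written for this post, not code from the original), here are the two checks I would script for it in Python: an audit of security-group ingress rules, in the shape boto3's describe_security_groups returns, that flags admin and database ports reachable from anywhere outside an allow-list, and a count of failed SSH logins per source address over sshd log lines so that a brute-force run shows up quickly. The group definitions, the allow-listed ranges 203.0.113.0/24 (office) and 10.0.0.0/16 (the VPC), the port list and the log lines are all constructed for the example; nothing is fetched from AWS.

```python
"""Bastion host checks (added example, not from the original post).

audit_ingress()           - flag security-group ingress rules that expose admin
                            or database ports to sources outside an allow-list.
failed_logins_by_source() - count failed sshd logins per source IP.
"""
import ipaddress
import re
from collections import Counter

# Ports that should never be reachable from the whole Internet (illustrative list).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
               5432: "postgres", 27017: "mongodb"}

# Sources the bastion and databases may be reached from (constructed for the example):
# the office range and the VPC itself.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("10.0.0.0/16")]


def _admin_ports(perm):
    """Admin ports covered by one IpPermission; protocol -1 or no range means all ports."""
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if perm.get("IpProtocol") == "-1" or lo is None or hi is None:
        return set(ADMIN_PORTS)
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def audit_ingress(security_groups):
    """Return (group_id, port, cidr, reason) for each ingress rule on an admin port
    whose source is not inside one of ALLOWED_SOURCES. Web ports are ignored."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            ports = _admin_ports(perm)
            if not ports:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                allowed = any(a.version == net.version and net.subnet_of(a)
                              for a in ALLOWED_SOURCES)
                if allowed:
                    continue
                reason = ("open to the whole Internet" if net.prefixlen == 0
                          else "source is not on the allow-list")
                for port in sorted(ports):
                    findings.append((sg["GroupId"], port, cidr, reason))
    return findings


# Matches the sshd failure line for both valid and invalid user names.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


def failed_logins_by_source(lines, threshold=5):
    """Count 'Failed password' sshd lines per source IP; return those at or above threshold."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample in the shape of boto3 describe_security_groups()['SecurityGroups'].
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion-before", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "198.51.100.0/24"}]}]},
    {"GroupId": "sg-bastion-after", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-database", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

# Constructed sshd log lines: a password-guessing run from 198.51.100.7 and one typo from the office.
SAMPLE_AUTH_LOG = [
    "Mar  3 10:01:%02d bastion sshd[2311]: Failed password for invalid user %s from 198.51.100.7 port %d ssh2"
    % (sec, user, 51000 + sec)
    for sec, user in enumerate(["admin", "root", "oracle", "postgres", "ubuntu", "test"])
] + [
    "Mar  3 10:02:10 bastion sshd[2390]: Failed password for alice from 203.0.113.5 port 40212 ssh2",
    "Mar  3 10:02:15 bastion sshd[2390]: Accepted publickey for alice from 203.0.113.5 port 40212 ssh2",
]

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_GROUPS):
        print("FINDING %s port %d from %s: %s" % finding)
    for ip, n in failed_logins_by_source(SAMPLE_AUTH_LOG).items():
        print("ALERT %d failed SSH logins from %s" % (n, ip))
```

Run against the constructed data, the audit flags the "before" bastion group twice (world-open and an old non-office range), the database group once for its 0.0.0.0/0 entry, and leaves the "after" bastion group and the web group alone, which is the shape you want the output to have on a real account. On a live account you would feed `audit_ingress` the `SecurityGroups` list from boto3 and `failed_logins_by_source` the bastion's auth log, and alert on anything either returns.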
We hope we have given you some ideas though, and if you need to speak about your specific environment, just get in touch!