Network and server security are vital for the health of any business, and managing Secure Shell (SSH) keys and server access is one of the most important first steps an organization can take to improve its security. Here at Foxpass, we help you centrally manage server access (and much more) through our networked identity service that connects your directory to your cloud infrastructure.
As is true for any infrastructure setup, the decision to use a cloud identity service like Foxpass comes with both benefits and drawbacks.
When it’s working well, a network identity service allows you to streamline access control, improving both ease of use and security. The directory acts as a single source of truth, eliminating any gaps in your authentication mechanisms.
However, downtime can be the biggest drawback to this type of solution. When your directory goes down, so does access to every system you’ve integrated it with. In that case, having a single source of truth becomes a liability, as you’re forced to choose between keeping your systems secure by waiting for service to be restored and keeping them usable by switching to a less secure method of authentication.
Fortunately, there are ways to mitigate the damage of downtime and maintain security and usability simultaneously. Here are some steps you can take to maintain access to your infrastructure in any scenario:
Linux
What happens if you need access to a Linux host when unexpected downtime strikes? A good, generalized failsafe to maintain Linux host access in the event of an outage is to have a local sudo user on all your hosts.
First, you’ll want to use a configuration management tool (such as Puppet, Chef, or Ansible) to manage the admins on the hosts. Then, store the password-protected SSH key for that admin in a vault (e.g. KMS, 1Password). Ideally, you’ll want to have audit controls on access to that key so you can see who retrieved it and when.
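The steps above, as an added Ansible example (not Foxpass’s own code or a Foxpass-provided playbook). It assumes a local admin named breakglass, that only the public half of the key pair is deployed (the password-protected private key stays in the vault, with access auditing there), that the public key is supplied through the breakglass_pubkey variable, and that the hosts have sudo and OpenSSH installed at the usual paths. The key string shown is a placeholder.

```yaml
# Added example: provision a local break-glass sudo user on every host.
# Assumed names: user "breakglass", sudoers drop-in /etc/sudoers.d/90-breakglass.
- name: Provision local break-glass admin on every host
  hosts: all
  become: true
  vars:
    breakglass_user: breakglass
    # Only the PUBLIC key is deployed. The password-protected private key
    # stays in the vault (KMS, 1Password, ...) with access auditing enabled.
    breakglass_pubkey: "ssh-ed25519 AAAA...REPLACE_WITH_REAL_PUBLIC_KEY breakglass@vault"
  tasks:
    # No account password is set, so the SSH key is the only way to log in.
    - name: Create the local admin account (key-only login)
      ansible.builtin.user:
        name: "{{ breakglass_user }}"
        comment: "Emergency local admin - private key held in vault"
        shell: /bin/bash
        create_home: true
        state: present

    # exclusive: true removes any key that is not the approved one.
    - name: Install only the approved public key
      ansible.posix.authorized_key:
        user: "{{ breakglass_user }}"
        key: "{{ breakglass_pubkey }}"
        exclusive: true
        state: present

    # visudo -cf validates the drop-in before it replaces the live file,
    # so a typo cannot lock everyone out of sudo.
    - name: Grant sudo via a dedicated, syntax-checked sudoers drop-in
      ansible.builtin.copy:
        dest: /etc/sudoers.d/90-breakglass
        owner: root
        group: root
        mode: "0440"
        content: |
          # Emergency access only. log_output records every session.
          Defaults:{{ breakglass_user }} log_output
          {{ breakglass_user }} ALL=(ALL) NOPASSWD: ALL
        validate: /usr/sbin/visudo -cf %s

    - name: Make sure sshd still accepts public-key authentication
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PubkeyAuthentication'
        line: PubkeyAuthentication yes
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
```

Run it with ansible-playbook against your normal inventory; because the account is local and the key is not in the directory, it keeps working when the directory is unreachable. Rotating the key means replacing breakglass_pubkey and re-running the play, which the exclusive setting turns into a removal of the old key at the same time.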
Additionally, Foxpass offers a local cache that you can run on a separate server. The cache syncs with our main database periodically, so in the event of any downtime, your servers will use the local cache to maintain uninterrupted service.
Wi-Fi®/RADIUS
If you can’t contact our RADIUS endpoint, it helps to have an SSID configured for WPA2 with a pre-shared password ready to enable. If you’re using a Mobile Device Management (MDM) solution that lets you remotely configure the machines, you can push the network password automatically without any end-user involvement.
We’re working on adding RADIUS support to our local cache, as well. Contact us at help@foxpass.com to learn more.
VPN
Right now, the only way to keep a VPN functioning in the event of a service disruption to the directory is to have a backup directory or other system running as a second authentication method.
As your VPN is one of your most important security tools, it’s worth considering how much protection you’re willing to sacrifice to make it more usable!
Putting it All Together
Testing is an overlooked aspect of these backup measures. Running tests helps you prepare for potential outages, as failure to prepare could delay your system’s recovery substantially. Set up a recurring task every 3-4 months to make sure that your backup systems are still functioning correctly.
If you’re using the Foxpass cache, you can check the “Cache” page on the console to see the last time a sync ran and if it succeeded. You can also point a host directly to your cache (bypassing the main Foxpass endpoints) to double check that the authentication mechanism is working.
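A recurring drill for the local sudo user described in the Linux section, as an added Ansible example (not Foxpass’s own code and not a test of the Foxpass cache, whose configuration is not described here). It assumes the break-glass user is named breakglass, that the operator has retrieved the password-protected key from the vault and loaded it into ssh-agent, and that the play is run directly as that user rather than through the normal directory-backed account.

```yaml
# Added example: quarterly drill confirming break-glass access works
# without the directory. Run from a workstation after loading the key:
#   ssh-add ~/.ssh/breakglass          # prompts for the key passphrase
#   ansible-playbook -i hosts.ini drill_breakglass.yml
# Assumed names: user "breakglass", log file ./breakglass_drill.log.
- name: Drill - confirm local break-glass access works end to end
  hosts: all
  gather_facts: false
  remote_user: breakglass
  vars:
    # Refuse any fallback to password authentication, so a pass here
    # proves the public-key path itself works, not the directory.
    ansible_ssh_common_args: >-
      -o PreferredAuthentications=publickey
      -o PasswordAuthentication=no
  tasks:
    # sudo -n fails immediately instead of prompting if the drop-in is broken.
    - name: Confirm sudo works without prompting
      ansible.builtin.command: sudo -n id -un
      register: sudo_check
      changed_when: false

    - name: Assert that sudo actually reached root
      ansible.builtin.assert:
        that: sudo_check.stdout == 'root'
        fail_msg: "sudo on {{ inventory_hostname }} did not yield root"

    # getent would also consult the directory via NSS; reading /etc/passwd
    # directly proves the account is local and survives a directory outage.
    - name: Confirm the account is defined locally, not via the directory
      ansible.builtin.command: grep -q '^breakglass:' /etc/passwd
      changed_when: false

    - name: Record the drill result on the control machine
      ansible.builtin.lineinfile:
        path: ./breakglass_drill.log
        create: true
        line: "{{ lookup('pipe', 'date -u +%Y-%m-%dT%H:%M:%SZ') }} {{ inventory_hostname }} OK"
      delegate_to: localhost
```

Any host that fails a step shows up in the play recap, and the log file gives you a dated record that the drill ran, which is what you want to be able to show when an outage actually happens.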
At the end of the day, there will always be a fine balance to strike between usability and security. While a networked directory can make your systems easier to access and more secure, it also exposes your systems to an additional potential cause of downtime.
It’s important to have contingency plans to keep your infrastructure ready for any event. Proper preparation can make all the difference between a quick recovery and extensive outages.
Stay safe!
- Foxpass Team
Wi-Fi is a trademark of Wi-Fi Alliance®