Like many organizations these days, your company’s servers are probably hosted in the cloud. While cloud-hosted infrastructure can provide numerous operational benefits, it can also result in weakened security... unless you have a tool like a secure remote access VPN.
The number of attack vectors on a cloud system is practically too high to count; password lists get dumped, private SSH keys get checked in to GitHub, ex-employees reuse old credentials, employees fall victim to spear-phishing, and so on. One of the most critical first steps that an organization can take towards better security is putting its hosts in a VPN or behind a bastion host.
The Edge
Both a VPN and a bastion host have their strengths and weaknesses, but the main value they provide is funneling all access through a single point. Using a single point of entry (or “edge”) to reach your production systems is an important security measure, as it limits the points of ingress available to an attacker.
When new resources are spun up inside a VPN, they are protected by the VPN’s configuration from the moment they come online. Without a VPN, a compromised password or SSH key is enough to access your production resources. Remember: a system is only as secure as its weakest link, and a lone SSH key or static password is quite weak by itself.
Account Management
However, your VPN also needs its own credentialing system. It might be tempting to fall back to manual user management, but it’s best to tie the VPN to the employee datastore to ensure that no one outside the company can gain access.
When you onboard a new employee, they instantly have access to the resources they need. More importantly, when you offboard an employee, they instantly lose access to your infrastructure. Manually managing the credentialing system adds a human factor, which, unfortunately, is a slow, high-effort, and error-prone process.
Securing Identity
Another critical VPN feature, multi-factor authentication (MFA), shores up the holes that integrated credentialing alone leaves open. If using a single account store keeps unwanted users out, then multi-factor authentication makes sure the users who do get in are who they say they are.
When a user tries to log in to the VPN, a separate approval request is sent to a device the user previously enrolled. Only the legitimate user, holding that device, can approve the attempt. As a result, MFA ensures that the person behind the keyboard is who they claim to be.
Many systems use smartphone-based services like Duo, although third-party devices like RSA keys and YubiKeys are also quite common. While passwords and SSH keys can be easily compromised, it is much harder to also gain access to a user’s physical device or phone. Additionally, these physical devices cannot be stolen remotely, shrinking the attack surface by multiple orders of magnitude.
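The two ideas above, directory-tied credentialing (Account Management) and MFA approval (Securing Identity), come together at the VPN’s login check. The following is an added example, not Foxpass, Duo, or OpenVPN code: a fail-closed gate in the shape of an OpenVPN `auth-user-pass-verify ... via-file` script, with a constructed in-memory directory and a caller-supplied MFA approver standing in for the real backends.

```python
"""Added example: a fail-closed VPN login gate.

OpenVPN's `auth-user-pass-verify <script> via-file` directive hands the
script a temporary file with the username on line 1 and the password on
line 2, and treats exit status 0 as "allow" and anything else as "deny".
The directory and MFA backends below are constructed stand-ins (assumed
shapes), not the Foxpass or Duo APIs.
"""
import hashlib
import hmac
import sys
from typing import Callable, Dict, Tuple

# Constructed employee directory: what the company datastore would answer.
# SHA-256 is used only to keep the example short; use a real KDF in production.
DIRECTORY: Dict[str, Dict] = {
    "alice":   {"active": True,  "pw_hash": hashlib.sha256(b"correct horse").hexdigest()},
    "mallory": {"active": False, "pw_hash": hashlib.sha256(b"still-valid-pw").hexdigest()},
}


def parse_via_file(text: str) -> Tuple[str, str]:
    """Parse the two-line credential file OpenVPN writes in via-file mode."""
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("malformed credential file")
    return lines[0], lines[1]


def verify_login(username: str, password: str,
                 mfa_approve: Callable[[str], bool],
                 directory: Dict[str, Dict] = DIRECTORY) -> bool:
    """Allow only active directory users whose password and MFA check both pass."""
    entry = directory.get(username)
    if entry is None or not entry["active"]:
        return False                        # unknown or offboarded user: deny
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(supplied, entry["pw_hash"]):
        return False                        # wrong password: deny
    try:
        return bool(mfa_approve(username))  # push approval must come back True
    except Exception:
        return False                        # MFA backend error: fail closed


if __name__ == "__main__":
    # OpenVPN passes the credential file path as argv[1].
    with open(sys.argv[1]) as f:
        user, pw = parse_via_file(f.read())
    # Hypothetical approver; in production this calls the MFA provider.
    sys.exit(0 if verify_login(user, pw, lambda u: u == "alice") else 1)
```

Note that mallory’s password is still correct, yet the login is refused because the directory marks the account inactive, which is exactly the offboarding property the text describes.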
Implementation
While it’s great to talk about best practices, implementing them is another thing entirely. Like most operational practices, things often don’t get implemented until the pain point becomes too great to bear.
For many companies, setting up an OpenVPN server, even OpenVPN Access Server, takes longer than they would like to spend. The same is true for setting up a bastion host – its complexity simply doesn’t seem worth the effort. However, there is no “pain point” for security measures. Your system is either secure, or it isn’t, and the potential worst-case scenario certainly outweighs whatever annoyance dealing with a secure VPN system may cause.
Thankfully, Foxpass has just announced a free VPN that includes all these features and is simple to set up. It uses Foxpass to integrate with your organization’s employee directory and integrates with Duo for MFA. Just spin up the AMI and you’re ready to go! The VPN needs no custom software and integrates directly with your OS’s built-in VPN system, making it easy to set up and use.
Want to experience Foxpass for yourself? Check out the AMI, build the image yourself from our GitHub repo, or get started with a free trial.