Azure Bastion

Video Transcription
Hey, everybody, and welcome back. In this lecture, we're going to be talking about something called Azure Bastions. The learning objective is going to be to introduce what Azure Bastions are. We're going to be talking about Bastions as a whole in case you're not familiar with that type of tool. We're going to understand the different features and functionalities of Azure Bastions.

Before we dive into Azure Bastions, I want to talk about what Bastions are. Now, depending on where you are in the world, you may call it a Bastion, you may call it a jump box, you may even call it something else. But these are the two that I have heard, and really what they are is just a simple virtual machine that we utilize to access the private subnet or a private network. But the actual Bastion itself is being housed within a public network. This is because we don't want the information or the resources or the servers that are being held and assigned within the private subnet to be open to the public Internet. We don't want any way for that to happen, so we use a middleman, we use a vehicle called a Bastion to access that private network. The Bastion would be in what we call a DMZ, or a demilitarized zone.

We can remote into that Bastion or that virtual machine in order to remote from that Bastion over into maybe another virtual machine within the private network. That's really all it is: just a way to access your privately held information that you don't want public, you don't want exposed, but you do want to still be able to tend to remotely from wherever you are. It's a secure way to do it.

You're minimizing the blast radius, you're minimizing the threat vectors to only one way. If anybody were to get into your private network, you have a pretty good indication that it was probably through the Bastion, and you can always come up with another Bastion, but it's not very likely, because threat actors would have to really be targeting your architecture in order to identify the Bastion, and then have to break into the Bastion, and then break into another form of authentication from the Bastion into the private network. Anyways, this is already sounding pretty complex. What I'm trying to say is that having a Bastion is a very good security control. It's a good way to restrict access into that private network. It's also a great way to administer the maintenance to these private resources securely.

Let's go ahead and fast forward to what an Azure Bastion is. We talked of Bastions as a whole; that was not a concept proprietary to Azure. You can use Bastions everywhere, and we've been using it. We use it on premises, we use it in the Cloud. It's very common. Azure Bastion is a managed service. They basically create the virtual machine and they make it really easy for you to deploy the solution so that you don't have to deal with all the maintenance. They take care of all the maintenance for you. You can just say, hey, I want my Azure Bastion to sit in these subnets, and I want to access this other subnet which is private. It's not going to be accessible to the World Wide Web or to the Internet. It makes it very simple to just get the configurations out there. You are paying a little bit more, but the actual maintenance of the virtual machine, the patching of the operating system, the software, the hardening, all of that service is already taken care of for you. It's all software defined, it's all virtualized. That's the beauty of it. If you're looking for something that is complex and you have the budget for it, it's not going to be that expensive, but if you have the budget for it, then it's a great option. It's a great way to get the tool running so that you can have a secure network.

Whenever you're communicating from the Bastion over into your secured environments, everything is going to be encrypted over TLS. We want to make sure that we have TLS at all times because we don't want our data being sent over clear text. In this case, everything is encrypted, and so it's going to be protected as it goes, and the cool thing about having a managed solution is that they're going to be following the best practices for how we should be doing things in cybersecurity. TLS has some deprecated versions that are considered insecure. All encryption or cryptographic algorithms do, and so we have to continually advance, because as computers get stronger and faster and they get better at breaking cryptographic algorithms, we have to improve our cryptographic algorithms. Having managed services like an Azure Bastion or other managed solutions by Azure is helpful because they know these things. They are keeping tabs on this, and so you don't have to. It's one less responsibility on your back, which is the beauty of it.

A Bastion can be used as a secure endpoint to access your VMs. It can be connected to from anywhere in the world, or at least anywhere where you can access the Bastion using RDP and SSH. Obviously, there might be some restrictions depending on where you're at, or if your office restricts that type of connectivity. But for the most part, if you can surf over those two protocols, then you are able to access the Bastion. I put a picture up of a bridge because this is the way that I view Azure Bastion. It's basically a secured bridge for accessing the secured environment. If you're looking for a solution or a vehicle to access an environment that you need to be protected and not accessible to the Internet, this is a great way to do that.

Part of the reason why we want to do that is to meet compliance requirements. When I was working for the federal government here in the United States, we used Bastions all the time because we don't want certain network components or environments being openly accessible to the Internet. You can imagine why that is. When you're dealing with sensitive information, whether it be for the government or for corporations, you're always going to have threat actors that are going to try to sniff; they want to try to find vulnerabilities. If you have all your golden eggs locked away and not accessible to the road at all, they can't even see it; that's the best option. We don't want them to know that this room, the secret room where all the golden eggs are, even exists in the building. We're going to build all these barriers in place and we're going to make it very difficult for them to even know. In this case, I like this picture because there's a lot of foliage. You have no idea what's behind that. You're going to cross this bridge, and from this perspective, all you're seeing is a bunch of leaves and trees, and that's it. We have no idea if there's an open room or maybe a temple behind there with all of these treasures. We have no idea because we can only see so much from this perspective. That's the way that we need to be thinking about Bastions. It's a bridge, and we don't know what's on the other side of it. Now, it's safe to assume that there's going to be something secured on the other side, but it's going to be extremely difficult for people to break into it, and it's a good way to keep the bad actors out.

Enough of the analogy, let's go ahead and get into a little bit more on the technical details. With a managed service, there are going to be limitations, because we have to be respectful of the shared resources that are going to be shared across everybody that needs the same solutions. This is typically being built into two shared servers that are stored within these warehouses. This does put some limitations and constraints on maybe some networking components, and when we're dealing with Bastions, we do have that. When we're dealing with RDP connections, we're limited to 25 sessions concurrently, and when we're dealing with SSH connections, we are restricted to only 50 sessions concurrently. That means 50 users could access one Bastion over SSH at one time.

All right, guys. This was a short one. We just wanted to talk about what Bastions are. This is another security control that you can implement in a network environment. Very helpful to know. We want to talk about these things because when you're administering network environments or just architecting solutions, you want to make sure you have this in your back pocket. One thing that I've noticed is that a lot of solution architects may also be familiar with the various tools that are available to them and really what they mean. Maybe you're not coming about this from a security perspective, but if you're just coming in as an admin or general systems engineer, you want to make sure you're familiar with these various security tools, because they are so cool. They make your life easy and they definitely save your rear end when it comes to architecting these solutions and making sure that your company's information stays safe. That's all I got for you today. Let's go ahead and hop into the next lecture.