Intro to Bastion Hosts
Time: 19 hours 19 minutes
Difficulty: Intermediate
CEU/CPE: 20
Video Transcription
>> Hey, everybody, and welcome to this lecture where we're going to talk about an introduction to bastion hosts, which are very helpful. Depending on where you are in the world, you may call these jump boxes. Just be cognizant of that. Learning objectives: to describe what bastion hosts are. I want you guys to get familiar with this in case you are not. If you're new to this, then hopefully you'll find some value in this lecture here.

What is a bastion host? Bastion hosts are these servers that we can utilize to access what is being protected in our private subnets. A bastion host is something that sits inside your public subnet, as you can see right here. Ideally, the user wants to access these private EC2s, but they're gonna do so via a bastion host because we do not want Internet access to these EC2 instances. Let's say they hold some very confidential information, or they're being regulated with some type of regulation that prevents the data being held on this, or the data that's being accessed via this EC2 instance. We don't want, essentially, these two to be accessible to the Internet because of hacking, because of maintenance, any type of concerns that deal with that, in relation to that.

The best way to securely deal with this is to use the bastion host. One common, let me go back to that. One common use case of this is to say this EC2 instance is using an outdated version of software. We can't patch it because the dependencies require that it uses that very specific version, even though it's outdated and that's bad practice. Sometimes in real life, you can't always patch everything, just because it's unrealistic to do so at that point in time, because it could be a huge, long process and there's lots of working pieces that have to be updated along with updating that specific server. One way that you can bypass that temporarily is by cutting off all Internet access to that EC2 instance, or to that server, and using bastion hosts to access it remotely. That's how we can do that. Instead of connecting with the private EC2 instance here, they're going to connect with the bastion host here. Then they're going to use this to SSH into the private EC2 instance, and then they can do what they need to do from there.

That's the idea behind a bastion host. It's just really a box you can jump to, to jump to another box. This is going to have all the security that we need. They can be restricted. We're going to be using defense in depth. We're going to make sure that there's not any services that are redundant. We're going to harden this EC2 instance. We're going to provide identity access management, we're going to use MFA, all that good stuff here, so that hackers can't jump into this and then jump into this. But it also double-secures these, because these aren't public at all. In order for us, the good guys, to access the resource we need, we have to authenticate and make sure that we're obviously granted the authorization in order to access the bastion host, and then do the same thing again through the EC2 instance, which may sound tedious and redundant, but I can promise you, you will have no regrets if you do that.

The bastion hosts are going to sit in the public subnet; only the bastion subnet is connected to the private subnet, as you can see. We're going to keep our security group for the bastion host secured. I said we're going to harden that bad boy up. Make sure that there's no services that shouldn't be running on the server, make sure that the security group has restrictive ports to allow and disallow. Stuff like that. If we're going to SSH to the bastion host, then that's the only thing we're going to allow. If we're going to SSH from an office location, then we're going to only allow SSH access to the office IP address. If you're a remote employee and you have the ability to use a VPN to your office, do that. That's another great option to leverage in order to secure access to your public subnet there.

That is bastion hosts. To summarize, bastion hosts can be used to securely access private AWS resources. In this lecture, we also discussed how that works. Hopefully, you understand what bastion hosts are. If you have any questions, feel free to reach out. If not, I'll see you in the next lecture.
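The two security-group constraints the lecture describes (SSH to the bastion only from the office IP, SSH to the private instance only from the bastion) can be checked mechanically. The following is an added example, not code from the lecture; it audits rules in the `IpPermissions` shape that `aws ec2 describe-security-groups` returns, and the office CIDR, group ids and sample rules are constructed placeholders.

```python
# Added example (not the lecture's own code): audit security-group rules in the
# IpPermissions shape returned by `aws ec2 describe-security-groups` against the
# lecture's two rules: bastion SSH only from the office, private SSH only from the bastion.
SSH_PORT = 22
OFFICE_CIDR = "203.0.113.10/32"   # assumption: documentation-range stand-in for the office IP
BASTION_SG = "sg-bastion"          # assumption: placeholder id for the bastion's security group

def covers_ssh(rule):
    """True if an IpPermissions entry admits TCP/22 (or all traffic via protocol '-1')."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= SSH_PORT <= rule["ToPort"]

def audit_bastion_sg(sg, office_cidr=OFFICE_CIDR):
    """Bastion SG: only SSH may be open, and only to the office CIDR. Returns findings."""
    findings = []
    for rule in sg["IpPermissions"]:
        if not covers_ssh(rule):
            findings.append(f"{sg['GroupId']}: non-SSH rule {rule['IpProtocol']}/{rule.get('FromPort')}")
            continue
        for r in rule.get("IpRanges", []):
            if r["CidrIp"] != office_cidr:
                findings.append(f"{sg['GroupId']}: SSH open to {r['CidrIp']}")
        for g in rule.get("UserIdGroupPairs", []):
            findings.append(f"{sg['GroupId']}: SSH open to group {g['GroupId']}")
    return findings

def audit_private_sg(sg, bastion_sg=BASTION_SG):
    """Private SG: every inbound rule must reference the bastion's group, never a CIDR."""
    findings = []
    for rule in sg["IpPermissions"]:
        for r in rule.get("IpRanges", []):
            findings.append(f"{sg['GroupId']}: inbound from CIDR {r['CidrIp']} bypasses the bastion")
        for g in rule.get("UserIdGroupPairs", []):
            if g["GroupId"] != bastion_sg:
                findings.append(f"{sg['GroupId']}: inbound from group {g['GroupId']} bypasses the bastion")
    return findings

# Constructed sample: a correctly locked-down bastion, and a private SG someone opened to the Internet.
BASTION = {"GroupId": BASTION_SG, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": OFFICE_CIDR}], "UserIdGroupPairs": []}]}
PRIVATE = {"GroupId": "sg-private", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": [{"GroupId": BASTION_SG}]}]}

if __name__ == "__main__":
    for f in audit_bastion_sg(BASTION) + audit_private_sg(PRIVATE):
        print("FINDING:", f)
```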