Jumpbox.

[00:00:00] In the last lesson, I introduced the concept of zones and started talking about DMZs. In this lesson, I want to dig a little bit further into that, and then talk about how we can manage them. So, the first thing I had mentioned was if you have an Internet-facing host. Now, I didn't really go into what that was. So, let me take a step here and go ahead and define it for you. When I'm talking about something that's Internet-facing, like an Internet-facing host or an Internet-facing server, I'm talking about a host or server that accepts inbound connections from the Internet. So, if I have a web server in my DMZ, that is an Internet-facing host. So, you can see here again, if I bring up my diagram, I have my inside zone, my DMZ, and my outside zone. In that DMZ, I have two Internet-facing hosts. I have an email server and a web server. Now, only the email and web servers that are in the DMZ are going to be able to get traffic from the outside, even though they haven't requested it.
[00:00:49] So, if you want to connect to my web server, you're going to go to diontraining.com and it's going to go through my DMZ into my web server and then give you back your response. Now, if you wanted to get to PC two or PC three in my inside network, you couldn't do that, because the firewall would block you. Those are not Internet-facing. They have access to the Internet, but they are not facing the Internet, meaning they are not open and waiting for a connection. That's the difference when you're dealing with Internet-facing hosts. Now, anytime you have Internet-facing hosts, you want to place them into some place secure like your DMZ. Now, your DMZ is actually a segment that is isolated from the rest of the private network by one or more firewalls, and it's set up to accept connections from the Internet over designated ports. Now, the reason we do this is we want to keep all those forward-facing servers out of our internal network.
[00:01:34] We don't want people from the Internet touching our internal network; we only want them in our DMZ. And that's why we have this DMZ. It's this place that is kind of this semi-trusted zone. And we know that anything that's behind the DMZ, such as my inside zone, is actually invisible to the outside network. So, if you started scanning my network from the outside, you're not going to see all those PCs inside of the inside zone. Instead, you're only going to see the web server and the email server, because those are forward-facing and they are Internet-facing. Now, the next thing we need to talk about in terms of the DMZ is what kind of stuff should you put in the DMZ. You can see here that I have my email and my web server in the DMZ. But any other kind of communication servers, proxy servers, or remote access servers should also be in the DMZ. Anything that somebody from the Internet needs access to should be placed in your DMZ.
[00:02:18] This is essentially anything that provides public services or even extranet capabilities. Any of your hosts that are in the DMZ, we don't fully trust those, even though they are our devices. So, we want to make sure that we harden them as best as we can. And we have to remember that those devices, because they're forward-facing, they could be touched by an attacker, they could be compromised by an attacker. So, that's why they're not fully trusted to our internal network. And that's why we actually have it go through the firewall, anything that's going from the DMZ to the inside and from the inside back to the DMZ. That's another good place to put intrusion detection systems, to make sure that you're catching anything that may be going from your DMZ, because a common technique for the attacker is to compromise something in the DMZ and then use that to pivot into your network. So, you want to protect yourself against that. Now, any kind of hosts you put in the DMZ should really be what we consider a bastion host.
[00:03:06] This is a host or server that we put into the DMZ, which is not configured with any services that run on the local network. So, I don't want to run something like Active Directory inside the DMZ. That's an internal network service. Instead, I only want to run things that should be on the Internet, things like email, things like web, things like remote access. Those things can be hardened and put into the DMZ because we know that they're going to be more vulnerable to attack. Now, when we want to configure our devices inside the DMZ, what are we going to do? Well, we're going to use something known as a jumpbox. Now, a jumpbox is a hardened server that provides access to other hosts within the DMZ. So essentially, we have this one server and it is what can talk to the DMZ, and we configure all the access control to make sure that only the jumpbox can communicate from the internal network to the DMZ.
[00:03:53] Now, because of that, that jumpbox has to be heavily hardened; it needs to be protected. And what ends up happening is the administrator will connect to the jumpbox, and then the jumpbox will connect to the host in the DMZ. So, we call it a jumpbox because we're almost pivoting off of it. We're going to connect from me to the jumpbox and the jumpbox to the server I want to configure. And that's why we call it a jumpbox. Now, this jumpbox can be a physical PC or it can be a virtual machine; either one is fine. A lot of people use virtual machines as a jumpbox because you can have it hardened and secured, you can use it for the time you need, and then destroy it and rebuild a new one, because it's very quick to rebuild an image from a virtual machine if you already have a known good image. And so a lot of people will do it that way.
[00:04:33] Now, the jumpbox and the management workstation that you're using to connect to that jumpbox should have only the minimum required software to perform their job, and they should be well-hardened. Again, this is the one box that has the permissions to go through the firewall and touch the DMZ from your internal network. So, you want to make sure it is well-protected. This is why you want to make sure that management workstation and the jumpbox are fully hardened and they have the least amount of software on them, to make sure they are fully hardened and fully secured.