Accend Networks San Francisco Bay Area Full Service IT Consulting Company

Bastion Host: Secure Remote Access to Your Private Instances.

Introduction

In the rapidly evolving landscape of cloud computing, security remains paramount. When managing an EC2 fleet inside an Amazon Web Services (AWS) Virtual Private Cloud (VPC), secure remote access to instances that have no public IP address is a core requirement. This is where the AWS bastion host comes into play, providing a single, controlled gateway to those instances. In this blog we will explore the bastion host, its benefits, and how to set it up.

What is an AWS Bastion Host?

An AWS bastion host, also known as a jump box, is a hardened server in a public subnet whose job is to accept SSH connections and relay them to instances in private subnets. It is the single point of entry to instances that have no public IP address, so it reduces the VPC's exposure to the internet to one tightly controlled host.

Best Practices for Managing AWS Bastion Hosts

  • Update and patch regularly, since this is the one host exposed to the internet
  • Limit access: restrict its security group to known source IP addresses, and use IAM to control who may open sessions (for example through EC2 Instance Connect or AWS Systems Manager Session Manager)
  • Rotate SSH key pairs regularly
  • Implement multi-factor authentication (MFA) for the accounts that reach it

For this demo we will use the default VPC, which already has a public subnet, a correctly configured route table and an attached internet gateway. We will additionally create a private subnet with its own route table and launch our private instance in it. We will then reach the private instance by jumping from the instance in the public subnet. Let's proceed as follows.

Log in to the AWS Management Console as a user with administrative privileges, type VPC in the search box and select VPC under Services.

The private subnet must be carved out of the default VPC's CIDR block, so copy the default VPC's IPv4 CIDR to your clipboard to keep the range in view, then click Create subnet.

In the Create subnet form, select the default VPC under VPC ID, then scroll down.

Name the subnet Private-subnet-1a. For Availability Zone pick one of your choice; we will use us-east-1a. For the IPv4 CIDR block choose a range inside the default VPC's CIDR that does not overlap the existing subnets. Those are the only settings we need. Click Create subnet.

We have successfully created our private subnet leveraging the default VPC.

Under subnets, we can see our private subnet.

Next, we will create a private route table and associate it with our subnet. In the VPC console's left-hand menu select Route tables, then click Create route table.

In the Create route table form, name your route table, select the default VPC, then click Create route table.

The route table has been created. Its only entry is the local route for the VPC CIDR; there is no 0.0.0.0/0 route to the internet gateway, which is exactly what makes the subnet private.

Move to the Subnet associations tab, then click Edit subnet associations.

Available subnets will be listed, select private-subnet-1a then click save associations.

We have now created a private route table and associated it with our private subnet. Next, we will launch two EC2 instances. One in the public subnet which will be our Bastion Host, and one in the private subnet which will be our Production server. We will use the Bastion Host to jump into our Production server.

Log into the EC2 console by typing EC2 in the search box then select EC2 under services.

In the EC2 UI, select instances then click Launch Instances.

For name, call this instance Bastion Host. For application OS select the QuickStart tab then choose Amazon Linux. Scroll down.

For the AMI stay within the free tier, choose the t2.micro instance type, which is also free-tier eligible, select your key pair and scroll down.

Expand the Network settings section, select the default VPC and a public subnet of your choice, then scroll down.

Under Firewall (security groups), select Create security group and allow SSH on port 22. For the source, this demo leaves it open to Anywhere (0.0.0.0/0), but the bastion is your one internet-facing host, so in practice restrict the source to your own IP address (My IP). Scroll down.

Review and click launch instance.

Successfully launched. We will now launch our production server in the private subnet. Click Launch instances again.

Call it Production server and repeat the same launch process. For the OS select Amazon Linux, then scroll down.

For the AMI stay within the free tier, select t2.micro again, select your key pair and scroll down.

Expand the networking tab, select the default VPC, and for the subnet select the private subnet you launched. Scroll down.

Select Create security group and allow SSH on port 22. For the source, choose the bastion host's security group rather than Anywhere, so the production server accepts SSH only from the bastion. The instance has no public IP, but a tight source rule keeps the bastion the only way in even if the instance is later given one.

Review then click launch instance.

Successfully launched the instance.

Now SSH into the bastion host from your workstation with your key pair, replacing the IP address in the command with the bastion's public IP address.

Using an editor of your choice, paste your private key into a file on the bastion host and restrict its permissions (chmod 400) so SSH will accept it. Note that a private key left on the bastion is exposed to anyone who compromises that host; SSH agent forwarding or the ProxyJump option lets you hop through the bastion while the key stays on your workstation.

Then SSH from the bastion to the private instance using its private IP address. We are now in the private EC2 instance, which we can confirm from the private IP address shown at the prompt.
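The two hardening points from the launch steps above (restricting the security-group sources) and from the connection steps (reaching the private instance without copying the private key onto the bastion), as a script. This is an added example and not the post's own commands: the security group IDs, IP addresses, key path and the ec2-user login are assumptions to replace with your own, and the aws calls need a configured AWS CLI.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Security group IDs, IP addresses,
# key path and the ec2-user login are assumptions for illustration.
set -eu

# Bastion: SSH only from your own public IP. Production: SSH only from the
# bastion's security group, never from 0.0.0.0/0. Needs the AWS CLI configured.
lock_down_security_groups() {
  local bastion_sg=$1 prod_sg=$2 my_ip=$3
  aws ec2 authorize-security-group-ingress --group-id "$bastion_sg" \
    --protocol tcp --port 22 --cidr "${my_ip}/32"
  aws ec2 authorize-security-group-ingress --group-id "$prod_sg" \
    --protocol tcp --port 22 --source-group "$bastion_sg"
}

# Write an ssh_config so that `ssh -F <cfg> prod` hops through the bastion.
# ProxyJump tunnels the second connection inside the first, so the private
# key stays on your workstation and is never copied to the bastion.
write_jump_config() {
  local cfg=$1 bastion_ip=$2 private_ip=$3 key=$4
  cat >"$cfg" <<EOF
Host bastion
    HostName $bastion_ip
    User ec2-user
    IdentityFile $key
    IdentitiesOnly yes

Host prod
    HostName $private_ip
    User ec2-user
    IdentityFile $key
    IdentitiesOnly yes
    ProxyJump bastion
EOF
  chmod 600 "$cfg"
}

# ssh refuses a private key readable by group or others; accept 400 or 600 only.
key_perms_ok() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    400|600) return 0 ;;
    *) return 1 ;;
  esac
}

# Example run (uncomment after replacing the placeholders):
# lock_down_security_groups sg-0123456789abcdef0 sg-0fedcba9876543210 203.0.113.5
# write_jump_config "$HOME/.ssh/bastion_config" 203.0.113.10 172.31.40.5 "$HOME/.ssh/demo-key.pem"
# key_perms_ok "$HOME/.ssh/demo-key.pem" && ssh -F "$HOME/.ssh/bastion_config" prod
```

With the config written, `ssh -F ~/.ssh/bastion_config prod` opens a session on the production server: the first hop authenticates to the bastion and the second is tunnelled through it, so the bastion never sees the private key. The one-off equivalent without a config file is `ssh -J ec2-user@<bastion-ip> ec2-user@<private-ip>`.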

This brings us to the end of this blog. Remember to clean up the resources you created.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at sales@accendnetworks.com.

Thank you!

AWS Hardware Security Module: Securing Your Keys in the Cloud

Introduction

As organizations increasingly move their operations to the cloud, the need for robust security measures grows with them. One critical aspect of cloud security is the management and protection of cryptographic keys. This is where the AWS Hardware Security Module, AWS CloudHSM, comes in. This article explores what CloudHSM is, its use cases, and a demo of how to create one.

What is CloudHSM?

AWS CloudHSM is a cryptographic service for creating and maintaining AWS hardware security modules (HSMs) in your AWS environment. HSMs are computing devices that process cryptographic operations and provide secure storage for cryptographic keys. You can use AWS CloudHSM to offload SSL/TLS processing for web servers, protect private keys linked to an issuing certificate authority (CA), or enable Transparent Data Encryption (TDE) for Oracle databases.

With KMS, AWS operates the underlying HSM fleet and manages the keys on your behalf in a multi-tenant service. With CloudHSM, AWS provisions and maintains dedicated, single-tenant hardware in your VPC, but you alone manage the users, keys and policies on it, and AWS has no access to your keys. The HSMs are tamper-resistant and validated to FIPS 140-2 Level 3. CloudHSM supports both symmetric and asymmetric encryption.

Cluster management (creating clusters, adding HSMs, backups) is exposed through the console, the AWS CLI and the CloudHSM API, but cryptographic operations on your keys are performed only through the CloudHSM client software and its PKCS#11, JCE, OpenSSL Dynamic Engine and KSP integrations; there is no AWS API call that uses the keys.

Key Features of Cloud HSM

Hardware-based Security: Keys are generated and stored inside the HSM and never leave it in plaintext, which removes the key-extraction risks of software key stores.

High Availability and Scalability: Cloud HSM services are typically offered with high availability and can scale to meet the demands of enterprise workloads.

Compliance: CloudHSM is validated to FIPS 140-2 Level 3, helping meet regulatory requirements for data protection.

Integration: Cloud HSMs can integrate with various cloud services and on-premises applications, enabling seamless cryptographic operations across different environments.

CloudHSM Backups

Backups are stored in Amazon Simple Storage Service (Amazon S3) within the same Region as the cluster. You can view backups available for your cluster from the CloudHSM console. Backups can only be restored to a genuine HSM running in the AWS Cloud. The restored HSM retains all the configurations and policies you put in place on the original HSM.

CloudHSM creates a backup in the following scenarios:

  • CloudHSM automatically backs up your HSM clusters periodically.
  • When adding an HSM to a cluster, CloudHSM takes a backup from an active HSM in that cluster and restores it to the newly provisioned HSM.
  • When deleting an HSM from a cluster, CloudHSM takes a backup of the HSM before deleting it.

A backup is a unified encrypted object combining certificates, users, keys, and policies. It is created and encrypted as a single, tightly bound object. The individual components are not separable from each other. The key used to encrypt the backup is derived using a combination of persistent and ephemeral secret keys.

Backups are encrypted and decrypted within your HSM only, and can only be restored to a genuine HSM running within the AWS Cloud.

Let’s dive into the practical.

Login to the AWS Management Console then type CloudHSM in the search box then select it under services.

In the CloudHSM dashboard, click Create cluster.

In the Create cluster page, open the VPC drop-down and select your VPC; I will use the default VPC.

For subnets you can select only one subnet per Availability Zone; since I chose the default VPC, I will use the default subnets.

We will create a new cluster, so select the radio button on Create a new cluster then click next.

Enter the backup retention period then click next.

Add tags for the cluster if you wish, then click next.

Review your settings.

Tick the confirmation check box, then click Create cluster.

Wait until creation completes and the cluster status shows Uninitialized.

Select the cluster, then choose Initialize from the Actions drop-down.

We will now create an IAM user, cloudhsmuser, with full CloudHSM access for the demo. In production, scope its policy to only the actions and cluster it needs.

Take note of the password and download the .csv file

Create an HSM in the cluster: select the Availability Zone and click Create.

Wait until the process gets completed.

Download all four certificate files, then click next. One of them is the cluster CSR, which you must sign with a certificate authority you control and upload, together with the CA certificate, to complete initialization.

Install the CloudHSM client on an EC2 instance that is allowed through the cluster's security group, connect to it with an SSH client such as MobaXterm, and configure the HSM user (set the crypto officer password) to activate the cluster.

Make sure Cluster is Active. As per the below screen, the Cluster is in an active state.

That's it. Thumbs up.
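The initialization step above, where the cluster CSR has to be signed by an issuing CA you control and the signed certificate and CA certificate uploaded back, as a script. This is an added example and not the post's own commands: the directory layout, the certificate subject, the cluster ID and reading the CA passphrase from the CA_PASS environment variable are assumptions. The openssl and aws invocations are the ones AWS documents for this step.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Directory layout, certificate
# subject and cluster ID are assumptions; the CA passphrase is read from $CA_PASS.
set -eu

# Create the customer issuing CA: a passphrase-protected 2048-bit RSA key and a
# self-signed certificate valid for ten years, which becomes the trust anchor.
make_issuing_ca() {
  local dir=$1
  mkdir -p "$dir"
  openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/customerCA.key" 2048 2>/dev/null
  chmod 400 "$dir/customerCA.key"
  openssl req -new -x509 -days 3652 -key "$dir/customerCA.key" -passin env:CA_PASS \
    -subj "/C=US/ST=CA/L=San Francisco/O=Example Corp/CN=CloudHSM issuing CA" \
    -out "$dir/customerCA.crt"
}

# Sign the cluster CSR downloaded from the console with that CA. The output is
# the cluster certificate to upload as --signed-cert.
sign_cluster_csr() {
  local dir=$1 csr=$2 out=$3
  openssl x509 -req -days 3652 -in "$csr" \
    -CA "$dir/customerCA.crt" -CAkey "$dir/customerCA.key" -passin env:CA_PASS \
    -CAcreateserial -out "$out" 2>/dev/null
}

# Check the signed certificate chains to the CA before uploading anything.
verify_signed_cert() {
  openssl verify -CAfile "$1/customerCA.crt" "$2" >/dev/null
}

# Upload the signed cluster certificate and the CA certificate (trust anchor).
# Needs the AWS CLI and permission for cloudhsm:InitializeCluster.
initialize_cluster() {
  local cluster_id=$1 dir=$2 signed=$3
  aws cloudhsmv2 initialize-cluster --cluster-id "$cluster_id" \
    --signed-cert "file://$signed" --trust-anchor "file://$dir/customerCA.crt"
}

# Example run (replace the placeholders):
# export CA_PASS='choose-a-strong-passphrase'
# make_issuing_ca ./hsm-ca
# sign_cluster_csr ./hsm-ca ./cluster-abcdefg12_ClusterCsr.csr ./cluster-abcdefg12_CustomerHsmCertificate.crt
# verify_signed_cert ./hsm-ca ./cluster-abcdefg12_CustomerHsmCertificate.crt
# initialize_cluster cluster-abcdefg12 ./hsm-ca ./cluster-abcdefg12_CustomerHsmCertificate.crt
```

Once initialize-cluster returns, the cluster moves to the Initialized state and you can proceed to install the client and activate it. Keep customerCA.key offline and backed up: the CA certificate is the trust anchor the client uses to verify that it is talking to your HSMs.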

Conclusion

AWS Hardware Security Module or Cloud HSM provides a powerful solution for secure key management in the cloud. By leveraging hardware-based security, it offers enhanced protection for cryptographic keys, helping organizations meet stringent compliance requirements and protect sensitive data.

This brings us to the end of this blog.  Thanks for reading, and stay tuned for more. Make sure you clean resources.

Cisco Umbrella

In today’s fast-paced digital world, the need for robust security measures is more critical than ever. Cisco Umbrella, a cloud-delivered security service, is one of the leading solutions in providing secure internet access and controlling cloud app usage from your network, branch offices, and roaming users. This article delves into the configuration of Cisco Umbrella, ensuring your organization remains protected against cyber threats.

Understanding Cisco Umbrella

Cisco Umbrella offers a range of security functionalities, including secure web gateways, DNS-layer security, firewall, and cloud access security broker (CASB) capabilities. It blocks malware, phishing, and command-and-control callbacks over any port or protocol, preventing potential attacks before they even occur.

Components of Cisco Umbrella

Before diving into policy configuration, it’s crucial to understand the key components of Cisco Umbrella:

  1. DNS Security: Umbrella uses the Domain Name System (DNS) to block malicious domains before a connection is ever established.
  2. Secure Web Gateway (SWG): Provides deeper inspection of web traffic to prevent malware from being downloaded or data from being exfiltrated.
  3. Cloud-Delivered Firewall: Manages and enforces application, URL, and IP-based policies to restrict inappropriate access.
  4. Cloud Access Security Broker (CASB): Offers visibility and control over the use of sanctioned and unsanctioned cloud services.
  5. API Integrations: Integrates with other security solutions to provide comprehensive protection.

Configuring Cisco Umbrella Policies

Configuring policies in Cisco Umbrella involves setting rules that dictate how traffic is handled. These policies help in controlling access to malicious sites, enforcing acceptable use policies, and securing sensitive data. Here’s a step-by-step guide to configuring these policies:

  1. Accessing the Umbrella Dashboard:
    • Log in to your Cisco Umbrella account.
    • Navigate to the Dashboard, where you can manage and configure your policies.
  2. Creating Policy Sets:
    • Go to the Policies section and select Policy Components.
    • Click on Create New Policy Set. Name your policy set to reflect its purpose, such as “Corporate Office” or “Remote Workers.”
  3. Defining Policy Rules:
    • Within the policy set, you can define specific rules based on your organization’s needs.
    • Security Settings: Enable DNS-layer security to block malicious domains and prevent malware, phishing, and command-and-control callbacks.
    • Content Filtering: Use content categories to block access to inappropriate or non-work-related websites. For example, you can restrict access to social media, gambling, or adult content.
    • Application Settings: Control access to cloud applications using the CASB feature. You can define which applications are allowed, monitored, or blocked.
  4. Setting Up SafeSearch and YouTube Restrictions:
    • Under the Content Filtering section, enable SafeSearch to ensure inappropriate content is filtered out from search engine results.
    • Enable YouTube Restricted Mode to prevent users from viewing adult or inappropriate content on YouTube.
  5. Configuring Firewall Policies:
    • Navigate to the Firewall section.
    • Create rules to control traffic based on IP addresses, ports, and protocols. This helps in blocking unwanted or potentially harmful traffic.
  6. Applying the Policy:
    • Once the policy set is configured, apply it to specific networks, user groups, or devices.
    • Use the Identity Management section to assign policies to different user identities, such as Active Directory users, network devices, or roaming clients.
  7. Monitoring and Reporting:
    • Cisco Umbrella provides comprehensive reporting tools. Regularly monitor these reports to understand the effectiveness of your policies and to make necessary adjustments.
    • Use the Reports section to view details on blocked requests, security threats, and overall internet activity within your organization.
    • A summary graph of requests by security category is also shown on the main Dashboard screen.

Best Practices for Policy Configuration

  • Regularly Update Policies: Cyber threats evolve, and so should your policies. Regularly review and update your policies to address new risks and vulnerabilities.
  • User Education: Educate users about the importance of these policies and the role they play in maintaining organizational security.
  • Leverage Integrations: Integrate Cisco Umbrella with other security tools for a more comprehensive defense strategy.
  • Test Policies: Before applying new policies organization-wide, test them in a controlled environment to ensure they don’t disrupt business operations.

Conclusion

Configuring Cisco Umbrella is essential for maintaining a secure and resilient IT environment. By understanding the various components and carefully setting up policies, organizations can effectively protect against a wide range of cyber threats. Regular monitoring and updates ensure that these protections remain robust in the face of evolving challenges, providing peace of mind and a secure digital experience for all users.

If you have any questions concerning this article or would like for us to assist you with your Cisco Umbrella installation and configuration, please reach out to us by emailing us at sales@accendnetworks.com or call us at 415-408-6111 and we can have an initial discovery call to discuss your requirements.

AWS CodeCommit: Streamlining Source Control in the Cloud.

In the era of cloud computing, source control is a pivotal aspect of the workflow, ensuring that code changes are managed efficiently, collaborative efforts are streamlined, and the integrity of the codebase is maintained. Amazon Web Services (AWS) offers a robust solution for source control in the cloud with AWS CodeCommit. This article delves into the features, benefits, and use cases of AWS CodeCommit. We will also go ahead and create a code commit repository and clone the repo to our local machine, add files, commit and push them to our AWS code repository.

What is AWS CodeCommit?

AWS CodeCommit is a managed Git-based version control service hosted by Amazon Web Services that allows developers to store and manage their source code, binaries, and other assets in the AWS cloud. It works with standard Git tools, making it easy to integrate into existing workflows. Note that since July 2024 AWS no longer offers CodeCommit to new customers; existing customers can continue to use it.

Key Features of AWS CodeCommit.

Fully Managed Service: AWS CodeCommit takes care of the backend infrastructure, so developers can focus on writing code. There are no servers to manage.

Scalability: CodeCommit can handle repositories of any size, with the ability to scale up as your project grows.

High Availability and Durability: Your repositories are always accessible and your data is protected against loss.

Security: CodeCommit integrates with AWS Identity and Access Management (IAM) to provide robust access control. You can use IAM policies to define who can access your repositories and what actions they can perform.

Integration with AWS Services: CodeCommit integrates seamlessly with other AWS services such as AWS CodeBuild, AWS CodeDeploy, and AWS CodePipeline. This allows you to create a complete CI/CD pipeline using AWS tools, enhancing your development and deployment workflows.

Standard Git Interface: CodeCommit supports the standard Git interface, so developers can use their preferred Git client or command-line tools.

Getting Started with AWS CodeCommit

Prerequisite.

Make sure your IAM user has full CodeCommit permissions (or log in as an administrative user). You should also have Git installed and configured on your machine.

Create a Repository

Log in to your AWS management console, in the search box, type Codecommit then select codecommit under services.

In the code commit UI on the left-hand side, select repositories then click Create Repository.

In the Create repository page, under Repository settings, name your repo; I will call mine demo-commit-repo.

Codecommit is encrypted by default using KMS, but you can also choose your custom keys. We will leave it at AWS-managed keys with KMS.

Leave all other settings as default then click Create Repository.

Success. We are greeted with the connection steps: HTTPS, SSH and HTTPS (GRC), the last being the git-remote-codecommit helper.

If you don’t see SSH then it means you are connected as the root user.

For now we will use HTTPS Git credentials for CodeCommit to connect to the repository. These are a static username and password tied to the IAM user, so treat them like any other secret; the credential helper and git-remote-codecommit options use temporary credentials instead.

So let us go to the IAM console.

Select Users, click your username, open the Security credentials tab and scroll down to HTTPS Git credentials for AWS CodeCommit.

Click on generate and your codecommit credentials will be generated. Click the download button.

Go back to the CodeCommit repository, select your repo, click the Clone URL drop-down and select Clone HTTPS.

In this case, it will copy the HTTPS-type URL.

Use your preferred Git client to clone the repository to your local machine. This allows you to start adding code and making changes.

Go back to your terminal and type git clone followed by the copied clone URL. When you press Enter you will be prompted for the username and password; paste them in and press Enter.

We have cloned our remote repo into our local machine.

With the repository cloned, you can push your changes to CodeCommit.

We will now copy a few files into our directory, commit these files, and push them to our remote repo.

Make sure you are in the repository directory, then copy a few files into it.

Stage the files with git add and then commit the changes, as shown in the picture below.

Once the changes are committed, push them to the remote repo with git push.

Now let's check CodeCommit; indeed, the new files have been pushed to the repository.

If you click on the commits on the left side of the repo UI, you can see the commit history.
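The clone, add, commit and push cycle above as a script, together with the credential-helper configuration that lets git mint temporary CodeCommit credentials from your IAM identity instead of the static HTTPS Git credentials generated above. This is an added example and not the post's own commands: the repository URL, region and file names are assumptions. The publish function works against any Git remote, so it can be exercised against a local bare repository before pointing it at CodeCommit.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. URL, region and file names are
# assumptions; the helper config is the AWS CLI credential helper AWS documents.
set -eu

# Let git obtain short-lived CodeCommit credentials from the AWS CLI's
# configured IAM identity, so no static Git password is stored on disk.
configure_codecommit_helper() {
  git config --global credential.helper '!aws codecommit credential-helper $@'
  git config --global credential.UseHttpPath true
}

# Clone $1 into $2, copy the remaining arguments in, commit and push.
# Prints the commit count on the pushed branch so callers can check it.
publish_files() {
  local url=$1 dest=$2
  shift 2
  git clone -q "$url" "$dest"
  cp "$@" "$dest"/
  git -C "$dest" add -A
  git -C "$dest" -c user.name="demo" -c user.email="demo@example.com" \
    commit -q -m "Add initial files"
  git -C "$dest" push -q origin HEAD
  git -C "$dest" rev-list --count HEAD
}

# Example against a CodeCommit repo (assumed name and region):
# configure_codecommit_helper
# publish_files https://git-codecommit.us-east-1.amazonaws.com/v1/repos/demo-commit-repo \
#   ./demo-commit-repo ./index.html ./app.py
```

The credential helper is the AWS-documented alternative to the static HTTPS Git credentials: git asks the AWS CLI for a signed, short-lived credential on every push and pull, so there is no password to rotate or leak. credential.UseHttpPath is required so the helper sees which repository is being accessed.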

This brings us to the end of this blog. AWS CodeCommit offers a powerful, secure, and scalable solution for source control in the cloud.

Thanks for reading, and stay tuned for more.

Chartwell School Vulnerability Assessment


The Challenge

  • Chartwell School had never had a vulnerability assessment done for their environment and needed one by an experienced network security consultant.

Our Solution

  • Security policy and process review against CSF/CIS categories such as the following:
    • Acceptable use policy, incident response and recovery
  • Reviewed configurations of system security policies
  • Assessed the risks relating to program implementation issues identified in the vulnerability assessment and program findings
  • Reviewed the overall recovery capability and model of critical data

The Results

  • Report included specific information for each task above, along with recommendations for remediation and/or mitigation of any identified security or network issues (gap analysis)