Free AI web copilot to create summaries, insights and extended knowledge, download it at here

2496

Abstract

may be ways for an attacker to intercept and view this data.Now let’s look at what I see when connected to an <a href="https://en.wikipedia.org/wiki/IPsec">IPSEC</a> VPN. All the packets pretty much look like this — because the data is flowing through an encrypted tunnel:<figure id="0983"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*x17oahLOi7GkWHAfkbKmiQ.png"><figcaption></figcaption></figure>In addition to limiting exposed data while using an insecure network, A VPN also allows network administrators to create firewall rules for your company systems, to allow traffic only from the VPN connections rather than the whole Internet. Why does this matter? Any time the network rules expose a host to the Internet, any open ports will be scanned and attacked. You can reduce the “attack surface” (what an attacker can attack) by limiting what you expose to the Internet to only what is required. I talked about this in a presentation on <a href="https://www.slideshare.net/TeriRadichel/security-for-complex-networks-on-aws-76985484">AWS network security</a> at our <a href="https://www.meetup.com/Seattle-AWS-Architects-Engineers/">AWS meetup</a> in Seattle. Here’s the most critical slide:<figure id="3c8b"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*dVdVvDPAKcGYU7kVnkcPVQ.png"><figcaption></figcaption></figure>If you don’t believe your systems are subject to attacks when exposed to the Internet, go into your AWS account right now. Start up an EC2 instance. Turn on <a href="https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/">VPC Flow Logs</a> and wait about 5 minutes. Then look at all the traffic that is trying to hit the system you just turned on in the VPC Flow Logs. Next, turn on SSH or RDP and open up the network to provide access to those services from the Internet. Turn on <a href="https://aws.amazon.com/guardduty/">Amazon GuardDuty</a>. Then wait to see how long it takes GuardDuty to report RDP or SSH brute force attacks. In most cases, it will be less than one day, if not less than one hour.What if we need to allow someone to administer a system running on AWS, Azure, or Google Cloud from varying remote locations but don’t want to expose SSH and RDP to the entire Internet? One option would be to provide VPN access, which allows the person to connect from anywhere on the Internet to the corporate network. Then only allow

Options

access to the Bastion host via RDP or SSH from the corporate network. The VPN will be another layer the attackers have to get through before they can get to RDP or SSH.<figure id="ada7"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*eVInToQWlAc69f7rkAZgvA.png"><figcaption></figcaption></figure>One concern with a VPN is the fact that traffic has to be back-hauled back to the corporate network however some creative cloud architecture solutions could get around this problem. Another issue is that you’ll still need to protect your VPN endpoint from attacks similar to those used while <a href="https://2ndsightlab.com/seattle_penetration_testing.html">cloud penetration testing</a> to simulate real-world attacks. You should implement two-factor authentication with your VPN solution and ensure you are using a secure VPN configuration.Follow for updates.Teri Radichel | © <a href="https://2ndsightlab.com/?source=post_page---------------------------">2nd Sight Lab</a> 2018<div id="8b5f"><pre>About Teri Radichel:

⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab</pre></div><div id="caae"><pre><span class="hljs-section">Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</span>
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation</pre></div><div id="3b5e"><pre>Follow <span class="hljs-keyword">for</span> more stories like <span class="hljs-keyword">this</span>:

❤️ Sign Up my Medium Email List ❤️ Twitter: @teriradichel ❤️ LinkedIn: https://www.linkedin.com/in/teriradichel ❤️ Mastodon: @teriradichel@infosec.exchange ❤️ Facebook: 2nd Sight Lab ❤️ YouTube: @2ndsightlab</pre></div><figure id="5610"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/0*H9Ew1KCl-29nZiPR.jpeg"><figcaption></figcaption></figure></article></body>

Why use a VPN for remote access in the cloud?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: Network Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Update: VPNs are under constant attack. If you use this option, you need to make sure your VPN is up to date at all times and monitor the traffic. I’m also exploring other options for developer network security. View the related network posts above.

Any time you are using public wifi, or in other words a network you don’t own and secure yourself that allows anyone to connect, it’s a good idea to use a VPN (virtual private network). A VPN provides an authenticated, encrypted connection that hides information in about the sites you are visiting from attackers. This protected connection makes it harder to intercept your connections, steal or read your data, or insert attacks into the traffic as it flows from your system to other sites.

To give you an idea what I’m talking about, let me first show some information retrieved by a sniffer when I navigate to Amazon.com in a web browser. When visiting this site, many different URLs are used to pull together the content you see when you visit the home page. One of the domain names is read.amazon.com. If I run a sniffer while visiting that web page, without a VPN, I can see the request to this domain name in plain text.

As an attacker there are many ways I can use this information, not to mention any other information sent clear text in payloads of other packets. On an insecure wireless network, anyone with a sniffer could see this traffic. Even on some of the newer, more secure networks, there may be ways for an attacker to intercept and view this data.

Now let’s look at what I see when connected to an IPSEC VPN. All the packets pretty much look like this — because the data is flowing through an encrypted tunnel:

In addition to limiting exposed data while using an insecure network, A VPN also allows network administrators to create firewall rules for your company systems, to allow traffic only from the VPN connections rather than the whole Internet. Why does this matter? Any time the network rules expose a host to the Internet, any open ports will be scanned and attacked. You can reduce the “attack surface” (what an attacker can attack) by limiting what you expose to the Internet to only what is required. I talked about this in a presentation on AWS network security at our AWS meetup in Seattle. Here’s the most critical slide:

If you don’t believe your systems are subject to attacks when exposed to the Internet, go into your AWS account right now. Start up an EC2 instance. Turn on VPC Flow Logs and wait about 5 minutes. Then look at all the traffic that is trying to hit the system you just turned on in the VPC Flow Logs. Next, turn on SSH or RDP and open up the network to provide access to those services from the Internet. Turn on Amazon GuardDuty. Then wait to see how long it takes GuardDuty to report RDP or SSH brute force attacks. In most cases, it will be less than one day, if not less than one hour.

What if we need to allow someone to administer a system running on AWS, Azure, or Google Cloud from varying remote locations but don’t want to expose SSH and RDP to the entire Internet? One option would be to provide VPN access, which allows the person to connect from anywhere on the Internet to the corporate network. Then only allow access to the Bastion host via RDP or SSH from the corporate network. The VPN will be another layer the attackers have to get through before they can get to RDP or SSH.

One concern with a VPN is the fact that traffic has to be back-hauled back to the corporate network however some creative cloud architecture solutions could get around this problem. Another issue is that you’ll still need to protect your VPN endpoint from attacks similar to those used while cloud penetration testing to simulate real-world attacks. You should implement two-factor authentication with your VPN solution and ensure you are using a secure VPN configuration.

Follow for updates.

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab

Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation

Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab