Many services now run in cloud data centers such as Amazon AWS, Microsoft Azure, etc. Let me try to describe how to balance simplicity and security in the options for accessing cloud data centers.
Local on-premises computers are protected by network firewalls.
For a local network, the firewall inspects every packet that arrives from the outside and decides whether the packet may enter the network. The local computers do not need to be protected against the majority of threats, because the firewall filters out unwanted traffic. Inside the network, communications are easier to control.
In the cloud, each individual server with a public IP address is associated with its own security policy. There is no dedicated network device that enforces inbound and outbound rules. These security policies can be reused. However, the balance between ease of access to the computers and their security has to be planned and enforced by the virtual network administrator.
Every cloud user accesses cloud computers remotely; in the cloud there are no local users working on local physical devices. This situation increases the exposure to threats. It also creates risks of its own: making virtual servers reachable from outside means exposing them to the Internet.
How can users access cloud computers securely?
There are a few ways:
- Direct access
- VPN
- Jump server
- Session manager
1. Direct access
The simplest method of logging in to a cloud computer is to open a port in the server's security policy. Amazon calls these policies Security Groups (SG); Microsoft calls them Network Security Groups (NSG). Windows computers need the RDP or VNC port open for remote desktop access, or the PowerShell (WS-Management) port for PowerShell scripting. Unix computers need the SSH port for the shell and for everything tunneled through SSH (X Windows, SQL, etc.), or VNC for desktop access.
The security policy can be configured to open the port only to connections from specified IP addresses. Unfortunately, the list of permitted IP ranges tends to grow as users need to reach cloud computers from different locations. This method moves the protection of the port onto the server itself, so the computer is exposed to all types of Internet attacks. Because protocols like RDP and SSH are considered sufficiently secure, and the IP range restriction limits the exposure, this method can work as a quick or temporary solution. It also helps to ensure that the traffic flows over an SSL connection.
With this method, monitoring the security groups becomes tedious as their number grows. In large virtual networks it is also hard to close a particular port or remove a particular IP range from many security groups at once. It makes sense to plan ahead and design a few reusable security groups so that access is controlled from a central place. There are also third-party tools for mass management of security groups across multiple regions or even cloud tenants.
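To show what that monitoring looks like in practice, here is an added example (not from the original article) of a small audit over security-group ingress rules in the shape returned by AWS's describe_security_groups API: it flags the remote-access ports named above when they are open to the whole Internet or to a wider IPv4 range than an administrator chose to allow. The group ids and addresses in the sample are constructed for the example.

```python
from ipaddress import ip_network

# Remote-access ports the article names: SSH, RDP, VNC and the PowerShell
# (WS-Management / WinRM) ports.
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC",
                       5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}

# Constructed sample in the shape of boto3 describe_security_groups() output;
# group ids and addresses are made up for this example.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "GroupName": "admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]


def port_range(perm):
    """TCP ports a rule covers (None for non-TCP); protocol '-1' is every port."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return (perm["FromPort"], perm["ToPort"]) if perm["IpProtocol"] in ("tcp", "6") else None


def find_exposed_remote_access(groups, max_prefix=24):
    """Return (group id, cidr, ports, reason) for each rule admitting a remote-access
    port from anywhere, or from an IPv4 range wider than /max_prefix."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            ports = port_range(perm)
            hit = tuple(n for p, n in REMOTE_ACCESS_PORTS.items()
                        if ports and ports[0] <= p <= ports[1])
            if not hit:
                continue
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            for cidr in cidrs:
                net = ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    findings.append((sg["GroupId"], cidr, hit, "open to the Internet"))
                elif net.version == 4 and net.prefixlen < max_prefix:
                    findings.append((sg["GroupId"], cidr, hit, "source range too wide"))
    return findings
```

On the sample, the HTTPS rule is ignored, the world-open SSH rule and the all-protocol IPv6 rule are reported, and the RDP rule limited to a /24 passes unless max_prefix is tightened.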
To explore security groups in detail, read the document “Security Groups for Your VPC” from Amazon AWS. For the configuration of Azure Network Security Groups, read the “Plan virtual networks” document from Microsoft Azure.
Pros and cons of the direct access method to cloud computers:
- Simple setup
- Simple access
- Hard to manage for multiple servers
- Exposes ports of critical servers to the Internet
- Poor access audit and access lists
2. VPN
Both Amazon (AWS VPC Gateway) and Microsoft (Azure VPN Gateway) provide a service for configuring a site-to-site (between an on-premises network and the cloud) or point-to-site (between a single on-premises computer and the cloud) VPN connection.
Setting up a VPN connection typically requires either a hardware or a software solution to establish a secure connection between the cloud and on-premises networks.
The configuration takes some effort, but once set up, the local and cloud networks join into a single addressable space that hides all computers from outside threats. In exchange, all computers are open to inside risks. In addition, cloud computers become as inaccessible from outside locations as the servers in the local data center.
You can learn more about VPN connectivity options from the Amazon VPC documentation and from the Microsoft Azure documentation.
Pros and cons of the VPN access method:
- Easy to use from the local network
- Cloud computers can join the local domain
- Hard to set up; often requires hardware or third-party software components
- Hard to access from outside of the network
- Exposes cloud computers to inside threats
- Poor access audit
3. Jump Server
A jump server is a computer on a network used to access and manage devices in a separate security zone. In other words, it is a gateway located in the cloud DMZ.
The introduction of the Virtual Private Cloud (VPC, Amazon) and the Virtual Network (Microsoft Azure) made it possible to isolate multiple cloud computers in a private environment with a hidden IP space that is not exposed to the Internet. In this scenario, most computers in the virtual network do not expose any services outside the network.
Users access the system through a single portal, and computers inside the network connect to each other when needed. The classic example of this architecture is a web server connected to the Internet that accesses a hidden local database. A virtual network gateway is located in the cloud virtual network and is the only server exposed to the Internet. Users connect to the gateway over RDP, SSH or VNC, and from there they open remote connections to the other computers on the virtual network. The part of the network that contains such gateways is called the DMZ. The DMZ is exposed to external threats but contains no sensitive information or important software that would be hard to rebuild. Such gateways are called jump servers.
A remote-access gateway located in the DMZ is moderately simple to set up. It provides a good level of security and protection for the computers inside the virtual network, which are completely shielded from outside threats by the network firewall. A single gateway will normally not provide very good access under high load, but it serves as a good entry point into the virtual network for occasional use. For heavier-load scenarios, several gateways should be set up to perform this function.
You can find more information about AWS security in “AWS Security Best Practices”, and about Microsoft Azure DMZ configuration in “Implement a DMZ between Azure and the Internet”.
Pros and cons of the Jump Server access method:
- Moderately simple to set up
- Good protection for cloud computers
- Single point of entry provides good access control
- Does not scale well
4. Session manager
A session manager expands on the idea of the remote-access gateway discussed above. It is specialized software deployed on the jump server, i.e. on the cloud computer in the DMZ. It accepts HTTPS traffic from the Internet and converts it into RDP, SSH or VNC connections to the computers in the virtual cloud network. A user needs only a regular browser to interact with the remote computers, with no RDP, SSH or VNC client to install.
The session manager can support multiple sessions simultaneously. It can also maintain the list of computers in the virtual cloud network that connections may be opened to. In addition, the session manager can hold the identities (passwords and certificates) for these computers and connect with them without ever exposing those identities to the end user, which simplifies both system maintenance and security.
Session managers used to be hard to maintain, and they tended to be on-premises software. However, as the technology has advanced, cloud-aware session managers have appeared that are simple to set up and simple to use, and that provide secure access to cloud computers located in cloud virtual networks.
Pros and cons of the Session manager access method:
- Moderately simple to set up
- Provides secure access to the cloud computers
- Exposes only a secure (HTTPS) connection to the outside
- Maintains the list of computers to connect to
- Optionally hides identities from the end-users
- Does not require client-side software to communicate with remote computers
- Scales well for a large number of users
- Single point of entry provides good audit and access control
- Requires third-party software
This article has described four different ways to access cloud data centers securely. The goal of secured access is to maintain a balance between a “simple to set up”, “simple to use” and “secure” network configuration, whether it is a two-node web site, a complex extension of a corporate data center, or a research cluster of many thousands of nodes.
Let’s make the world better connected and more secure – together.