Resolving Problems with Jump Boxes and Network Security
Written by Chris Steffen on November 10, 2017
If you have worked in IT long enough, chances are that you have been part of or administered an environment where you (or members of the IT/development team) were required to implement and utilize a jump box to access protected resources.
A jump box is a system or device that acts as a bridge between two networks, providing controlled access from a less trusted network into one that contains more highly protected resources. Jump boxes are generally tightly regulated and monitored by a SOC (or similar technical oversight), and access to them requires elevated approval. All traffic and actions passing through the jump box are logged and recorded to address regulatory compliance considerations.
While jump boxes may have ticked the check box for a regulatory audit addressing privileged access and separation of duties requirements, they have always presented three main problems:
Very inconvenient: Though arguably they were SUPPOSED to be inconvenient, waiting for approvals and authorizations has always been cumbersome.
Lateral movement: Once a session on the jump box is open, the user has free rein to pretty much EVERYTHING on the protected network. The jump box sits on that network with ordinary routing, so approval to reach the box becomes network-level access to every host behind it, not access to the one resource the request was for.
Manual process: Many times, jump boxes had to be manually opened by a person, usually a member of a NOC / SOC team, based on an email authorization chain or trouble ticket, and just as manually closed again (if anyone remembered).
There *IS* a better way!
Utilizing a Software-Defined Perimeter (SDP) solution such as Cyxtera AppGate SDP addresses these primary concerns:
All users have a lightweight AppGate SDP client installed on their device (Windows, Mac, iOS or Android). The client connects them to a protected AppGate SDP Controller, which grants the user entitlements only for specifically authorized workloads. Adding entitlements is simple and can even be automatic: dynamic and contextual condition checking, integrated with existing enterprise SIEM solutions, re-evaluates access immediately when the context changes, such as user location, time of day, or device hygiene.
With AppGate SDP, users gain access only to the resources for which they are specifically authorized. Unlike many VPN or jump box solutions, AppGate SDP controls the specific resources a user can reach on the protected network, eliminating lateral movement (moving from resource to resource without additional authorization, or worse, accessing or manipulating resources or data for which the user is NOT authorized, leading to a compliance nightmare).
AppGate SDP can be configured to automate the approval process, eliminating the human-intermediary authorization headache. AppGate SDP integrates with trouble ticketing systems to grant access to the specific resources, and ONLY those resources, defined in the trouble ticket. Once the trouble ticket is resolved or closed, access to those resources is immediately revoked.
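The access model described in the three paragraphs above (per-resource entitlements, context conditions that are re-checked when they change, and ticket-bound access that disappears when the ticket closes) can be made concrete with a small policy evaluator. The following is an added illustration written for this post; it is not AppGate SDP code, does not use any AppGate API, and every user, host, port and ticket ID in it is constructed for the example.

```python
"""Per-resource entitlement evaluation with contextual conditions and
ticket-bound revocation.  Illustrative only: a hypothetical policy engine,
not AppGate SDP's implementation.  All names and identifiers are made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Context:
    """Signals checked at connect time and again whenever one of them changes."""
    user: str
    country: str               # from device location / IP geolocation
    hour: int                  # local hour, 0-23
    device_healthy: bool       # posture: disk encrypted, EDR running, patched
    open_tickets: frozenset    # ticket IDs currently open for this user


@dataclass(frozen=True)
class Entitlement:
    """One resource a user may reach, plus the conditions that must hold."""
    resource: str                           # "host:port" the client may reach
    countries: frozenset = frozenset()      # empty means any country
    hours: range = range(0, 24)             # permitted local hours
    require_healthy_device: bool = True
    ticket: Optional[str] = None            # valid only while this ticket is open


# Constructed policy table: user -> entitlements.  Anything not listed is denied,
# which is what prevents a session from wandering across the protected network.
POLICY = {
    "alice": (
        Entitlement("db01.internal:5432", countries=frozenset({"US"}), hours=range(8, 18)),
        Entitlement("app01.internal:22", ticket="INC-1042"),
    ),
}


def _failed_condition(ent: Entitlement, ctx: Context) -> Optional[str]:
    """Return the first condition of `ent` that `ctx` violates, or None if all hold."""
    if ent.countries and ctx.country not in ent.countries:
        return f"location {ctx.country} not permitted"
    if ctx.hour not in ent.hours:
        return f"hour {ctx.hour} outside permitted window"
    if ent.require_healthy_device and not ctx.device_healthy:
        return "device failed posture check"
    if ent.ticket and ent.ticket not in ctx.open_tickets:
        return f"ticket {ent.ticket} is not open"
    return None


def evaluate(ctx: Context, resource: str) -> tuple[bool, str]:
    """Decide one (user, resource) pair.  Default deny; allow if any matching
    entitlement's conditions all hold."""
    reasons = []
    for ent in POLICY.get(ctx.user, ()):
        if ent.resource != resource:
            continue
        failed = _failed_condition(ent, ctx)
        if failed is None:
            return True, f"{resource}: allowed"
        reasons.append(failed)
    if not reasons:
        return False, f"{resource}: no entitlement (lateral movement blocked)"
    return False, f"{resource}: " + "; ".join(reasons)


def revoke_on_change(active: set[str], ctx: Context) -> set[str]:
    """Re-evaluate every live session against a new context (ticket closed,
    device fell out of compliance, user moved) and return those to tear down."""
    return {res for res in active if not evaluate(ctx, res)[0]}


if __name__ == "__main__":
    # Constructed scenario: alice works a ticket, then the ticket is closed.
    working = Context("alice", "US", 10, True, frozenset({"INC-1042"}))
    for res in ("db01.internal:5432", "app01.internal:22", "fileserver.internal:445"):
        print(evaluate(working, res))
    live = {"db01.internal:5432", "app01.internal:22"}
    closed = Context("alice", "US", 10, True, frozenset())
    print("revoke after ticket close:", revoke_on_change(live, closed))
```

The point of `revoke_on_change` is the difference from a jump box: the decision is not made once at login and then forgotten. Every live session is re-checked whenever a signal changes, and a session whose ticket closed or whose device failed its posture check is torn down without anyone filing a request to shut the door.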
There was certainly a time and place for jump boxes as part of an enterprise network. But advances in technology have made them cumbersome and obsolete. Updating your security and network infrastructure to use a Software-Defined Perimeter solution will solve jump box concerns, as well as address MANY more of your security and compliance considerations!