Amazon AWS Certified Security Specialty SCS-C01 Topic: Domain 3 – Infrastructure Security Part 1
December 19, 2022

1. Implementing Bastion Hosts

Hey everyone, and welcome back to the Knowledge Portal video series. And today we’ll be talking about the Bastard host, which is a very important topic when it comes to security compliance. Now that I am actually recording, I guess I’m recording this lecture for the second time primarily because I lost the recording file of my previous attempt. So anyways, I apologies for uploading this lecture quite late. So let’s get started. So let’s look into the network architecture that we have been designing until now. So what we have is that you have a VPC, and within the VPC, you have a public subnet and you have a private subnet. Now, within a public subnet, you have one EC2 instance. And within the private subnet, you have one more EC2 instance.

Now, you see, there is an internet gateway that is attached to the public subnet. You can look into the route table, and there is a NAND gateway that is attached to the private subnet. Now, the problem is that, since there is an internet gateway attached, you can connect to the EC2 instance that is running in the public subnet. So this is quite easy. However, what happens when you want to connect to the instance that is there in the private subnet? And this is where the challenge really comes into play. Now, if you want to see how exactly things work, let’s take a look. So I have two instances. One is my first example. Let me just hear my first instance and my third instance. Now, my first instance basically has the public IP.

So this is part of the public subnet. So let’s quickly verify whether the connection is present. I’ll try to do a telnet on port 22, and you see, I am able to connect to this instance perfectly from the internet. Now, there is one more instance. So this instance is basically in a private subnet. And since this has a private IP, if I try to connect, it will not be able to reach there. You see. There are now two options for connecting to the EC instance in a private subnet. The first is to use a VPN, and the second is to use a Bastion host.

And in today’s lecture we will be speaking about bastion hosts. So how exactly it really works is that you have your local computer here, you have one EC2 instance in the public subnet, and you have one EC1 instance in the private subnet. Now, one thing that we have already verified is that we are able to connect to the EC instance in the public subnet. So this is working. Furthermore, we know that EC-2 instances in a public subnet can communicate with EC instances in a private subnet. The reason is because they are part of the same network or same VPC, and communication will occur perfectly. So let’s just verify one thing before we move on, so let me go to my desktop where my private key is stored.

So I’ll use my private key to login to the EC2 instance in the public subnet. Meanwhile, let me just try to zoom in so that it will become much more clear. Perfect. So I’m logged in now from the EC. So I’m logged in over here. So this is the instance on the public subnet. Now we want to see if the instance in the public subnet and the instance in the private subnet are connected. So let’s quickly verify. So I’ll take the private IP of the other instance, and I’ll try to do a telnet on port 22. Perfect. You see, it is connected. So now we know that the connectivity is there between both instances. Perfect. So, what happens in the bastion host, or even what happens in VPN? First, the traffic reaches here. By this, I mean the EC to a public subnet instance, and then the traffic is forwarded to the EC to a private subnet instance.

So this is the basic idea. So this basically acts like a proxy or a jump host. So what happens is, in very simple terms, if we want to connect to the private instance, what we do is, since we have our private key on the local computer, what I can do is store or upload my private key to the bastion host, and from there, I can use my private key to log into the private instance. Now, this is a quite okay idea, but when you have a lot of users, that means that every user must upload their private keys to the jumpbox, which is not a very ideal solution. So what we basically do is make use of a term called SSH Agent Forwarding.

So what SSH agent forwarding allows us to do is use this as a proxy and connect to the private instance without storing the private key over here. The private key will be stored on the local computer. We don’t have to upload our private key over here. So let’s look into the magic of how it really works. So if I try to connect to the instance in the public subnet, let me do SSH, and you see that it is giving me permission denied because the private key that is needed to connect to this instance is on my local computer. So let’s start with SSH agent forwarding. Now, if you’re using mobile external, you must do the following: you must start the SSH agent. This is very important. If you’re running sentos, there is no need. It is generally started by default. So there are three commands. Just run these three commands.

These are quite small, so you can just remember them and copy and paste them. This should ideally give you the agent PID. So this basically tells you whether the SSH agent is running or not, and it will give you the agent PID. Also, now, after you run this, if you do SSH addL, you see that it says the agent has no identities. So what we basically need to do is add a new identity, which is basically the private key. So since my private key is stored, this is my private key. My private key is stored over here. What I’ll do I’ll do SSH add before that; give me the entire part. So I’ll put mobile home on my external desktop. kplabsPM Oops It should be a perfect small k. So now you see, it has added an identity of “Kplabson PM.” So just quickly verify which SSH adds the hyphen “L,” and you’ll see that I have an identity that is connected over here.

Perfect. Now we must log in to the server in the public subnet using this SSH agent identity. So let’s go back in order to do that. This is the basic command that we used earlier; just append a hyphen (-). So, in essence, it refers to agent forwarding. So now what will happen is that when I log into this server, let me just wait for a while. So now what has happened is that if I try to connect to the EC to create an instance in a private subnet, what will happen is that the agent will make use of my private key on my local computer to proceed with the authentication. So now if I do SSH, I will be able to log in directly.

As you can see, we did not upload any private keys to the public instance; everything, including the magic, was accomplished through the use of SSH agent forwarding. So this is a very important concept, and whenever you are implementing an architecture in your organization, there are only two things that you can use primarily: the VPN or the bastion host. So that was the basic idea behind BastionHost, which is based on agent forwarding. Now, a few important things to remember when you implement Bastain Host within your organisation are that the internet is quite interesting. So if you’re leaving port 22 open on your bastion host, it is very important to protect the server. So there are certain things that you have to do. You have to remove all the unnecessary packages from the bastion to minimise the attack surface area. Now, we know that the bastion host only needs SSH-related packages to do the job.

Now, other packages like the HTTPD package or any other package like Tenant, which are not really required, just remove them. Otherwise, if there is any vulnerability that comes with those packages, then it will create a lot of issues. So this is the first important thing. The second important thing is to implement proper server hardening on the bastion host. Now this bastion host will be in the public subnet with port 22 open. So you have to make sure that proper server hardening is in place. Finally, and most importantly, the private should never be kept in the bastion. We should always use SSH agent forwarding for Linux instances.

2. Introduction to Virtual Private Networks

Hey everyone, and welcome back. In today’s video, we will be discussing the virtual private network. Now, the virtual private network, which I also refer to as the VPN, basically allows us to route the traffic from your network to the destination through the VPN server. It is now comparable to the proxy. Caution: you will not be able to………………………………….. Internet. Your computer would now have a unique IP address if it is connected to the Internet. So your laptop or computer, when you connect to the destination server, will have full access to logs related to your connection details. Now in the case of a VPN server, what happens here is that let’s say that this is a VPN server, and this VPN server has an IP address of 54. 2030. 56. Now, when you send the traffic via the VPN to the destination server, it can go over the Internet. This destination server will not see your IP address here.

It will see the IP address of the VPN because it is the VPN that is routing all the traffic over here. Now there are a lot of advantages, and there are also a lot of use cases where the attacker uses VPN extensively for the attack. So let me quickly give you a demonstration of what exactly this might look like. So this is a “cyber ghost” VPN. This is pretty famous. Now, if you see this VPN server over here, as shown in the slide, you can select whether you want it from us, Europe, Singapore, or somewhere else. So if I can quickly show you, you can select various locations over here. So, if I click on more servers, you’ll see that there are many servers available, ranging from the United States to Vietnam, France, Germany, Australia, and so on. Now let’s do one thing. Let me just click on “connect” so I’ll be connected to the VPN server. So let’s quickly wait for a moment here. Great.

So I am connected to the VPN server residing in Canada. So now what happens? My laptop or computer is in India, and the VPN server is in Canada. Now if I browse the Internet, the destination server will assume that the connection is coming from Canada, and hence the details will be shown accordingly. So let’s try it out. Let’s put Google.com, and here, let’s put: what’s that? My IP. So, if you open up one of the websites here, you’ll see that the IP address on the 71 page is 71, and the country is Canada, and the region is Alberta. And this is how the VPN works at a high level overview. With the assistance of a VPN, one or more use cases can now be accomplished. One is that if you are connected to an insecure network, let’s say a public wireless hotspot, then it is better never to directly access it. In such cases, you should always connect to a VPN. The second reason why people typically use VPNs is to unblock certain blocked websites. So if I can quickly show you, there’s a website called Nine Gag TV. All right?

So now what is happening is that it is redirecting to ninegag.com. Nine Gag. I’m sure a lot of people might be using it. So, if you use the IndianISP to search for Nine Gag TV, you will notice that the website is specifically blocked. But since I am connecting to a VPN, that website is unblocked for me. The third use case is something that attackers use. Let’s say that they want to attack a server in a specific country. So what they do is make use of VPNs so that their IP address is not directly visible. Now, one thing I’ll quickly share—let’s say this is just an example. Let’s say that someone wants to attack a server that is located in the United States. So what I’ll do is select a VPN that belongs to an enemy country. Let’s say China. So the United States and China are generally not good friends. So, even if the US government wants to get information from you if you use a VPN server in China, the Chinese government may not. So this is what attackers generally do a lot of times. They generally choose the VPN server of a country that is an enemy of the target that they are trying to exploit into. Anyways, so this is just a high-level overview and some of the things that I wanted to share. This is more appropriate for the certifications related to security, anyway.

So, in terms of VPN use in corporate networks, this is a good VPN use. So how exactly it is used is, let’s say, that you have an EC2 instance in a private subnet, and this has a private IP. So private IP cannot be communicated directly over the internet. So it is a non-routable IP. So what you do is put a VPN server on the public subnet inside the VPN and then route your traffic from your computer to the VPN and from the VPN towards the private instances. So now, if you want to connect to a private instance, your traffic will be routed from the VPN to the private instance. And this is how the VPN is typically used in the AWS environment.

3. OpenVPN is Awesome

Hey everyone, and welcome back. In today’s video, we’ll be discussing how we can implement the VPN architecture that we were discussing in the earlier video. So in this type of architecture, you have your computer here, then you have a VPN server here, and then you have an instance in a private subnet. So this VPN server can be easily instanced directly. So let’s look at how we can do that. So the first thing we’ll do is go to the EC console, and there are a lot of software-based VPNs that are available. You also have hardware-based VPNs.

So we’ll be using the software-based VPN for our demo for simplicity. So, let’s click “Launch an instance,” navigate to the AWS marketplace, and search for “OpenVPN.” So OpenVPN is quite a famous product. So we’ll be using the “Bring your own license” one, which is under the free tire. I’ll click on “select.” So within this column, if you see the software charges, they are zero, and the charges that you see over here under the total column are basically the EC to instance charge. So let’s click on “continue.” So I’ll be using the T-2 Micro, which comes under the free tire. Now within here, I’ll basically have the subnetting settings enabled so that the public IP can be assigned to the VPN instances. I’ll click on storage. Storage is fine. I’ll select “Review and Launch SSD,” which appears to be a good option. Let’s click on “Launch.” I’ll acknowledge it and launch the instance after clicking on it. So the initial launch might take a little amount of time because when you launch AMI from the marketplace, it has to subscribe, so it might take a little amount of time.

As you can see, the initiating launch occurs after the subscription is successful. So this is our VPN instance. Let’s click here; I’ll just call it “public hyphen VPN.” So let’s quickly wait for a moment for the status checks to be two out of two. Great. So it has been a few minutes, and our instance state is running. The status check is still initializing, but we should be able to connect. So let’s try it out. I’ll copy up the public IP and let’s quickly do an NC on port 22. Great. So we are able to connect to the server on port 22. So let’s try to log in. I’ll specify the key. I’ll answer yes. Great. So it is basically asking for the licence agreement. Remember that if it’s an OpenVPN, the user will be an OpenVPN yes. I’ll say yes for the licence agreement, and these are basically the configuration details. I’ll just use it as the default one. I’ll put it under the UI port. I’ll leave it as is. So here, in terms of the licence key, you can just press Enter, and it is initialising your OpenVPN. Great. So this is the administrator’s UI. Let me just open this up. So, since the certificate is not configured, this is something that you will see, and it is asking you for the username and password. So for the password, what we need to do is go to the root, and we’ll change the password for the OpenVPN user. I’ll put in my password here.

 Great. So this is the password for the OpenVPNuser, and the username for the GUI authentication page is OpenVPN. So let’s try it out. I’ll put the OpenVPN user here, and I’ll configure a password here. So this is the same password that we did the reset for. So this is the licence agreement that you will have to accept. And this is how the console rail looks like.

Now, since we had not configured any licence keys, you can still connect to the Open VPN server. Now, they have certain restrictions, like the fact that you can connect a maximum of two connections, so those restrictions would be there. But anyway, if you need more users for your organisation, you can put it in a licence key. Anyway, this is how the console really looks like.Now, OpenVPN is a great solution. In fact, I have been using this for enterprises for more than four years, where we had more than 100 or 150 connected users, and it really works very well. So, this is a high-level overview of how you can configure the VPN. However, this practical is still incomplete because we have not yet tested the connectivity to the private instances. So let’s go ahead and do that in the next video.

4. OpenVPN – Part 02

Hey everyone, and welcome back. Now in the earlier video, we had configured our OpenVPN instance. So in today’s video, we will look into whether the connectivity works as expected in the architecture. So in order for us to do that, let’s launch one instance of type T-2 micro. So I’ll just do a review and launch, and I’ll just select my key area. Great. So let’s name this instance. Let’s assume that this is a private instance. All right. The next step is to establish a connection to this VPN server. Now, if you recall from the CyberGhostVPN video, we were connected to the CyberGhost VPN. So this is just the browser. This is not a connection to the VPN. So in order to connect to the VPN, you will typically need a VPN client. So in my case, I have OpenVPN connected. So this is how OpenVPN Connect looks like.

So I’ll just click here, and then I’ll click on connect. So this is where you will need to enter the IP address of your VPN server. In my case, I’ll put it as 54184, 7121, and I’ll click on “Continue.” So now you have to enter the username and password. Let’s use a default username and password. It is basically saying that the certificate is untrusted. We’ll just select yes. I’ll click on “yes” again. And now, if you see there is a green symbol over here, which is basically saying that it is connected, So in order to verify if things are working, let’s do one thing. Let’s try to connect to this ECTwo instance over the private IP. So even though it has a public IP, we will not use the public IP; let’s try to connect via the private IP. So from my CLI, I’ll quickly do ANCZB on the private IP on port 22. Great. So it says that the connection has been successful. So let’s quickly try to log in here, and you will see that it is working as expected. Great.

So this is how the VPN works at a very high level. Overview. I hope you understood the architecture on the VPN part. So first is the EC, for instance. On an EC2 instance, you can install a software VPN. It can be OpenVPN or another type. And then you have a VPN client. The VPN client connects to this VPN server, and then your traffic can be routed. Now along with that, I’ll also basically show you the link in case you want to download the OpenVPN Connect client. So if you look here, this is the OpenVPN client for Windows. And basically, if you click here, it will go ahead and install it for you. In my case, I already had it installed because I use it with some of my clients. So that’s about it for the VPN video. I hope this video has been informative for you, and I look forward to seeing you in the next video.

5. Overview of AWS VPN Tunnels

Hey everyone, and welcome back. In today’s video, we will be discussing the site-to-site terminal. Now, a site-to-site VPN tunnel allows two networking domains to communicate securely with each other over an untrusted network like the internet. Now, within the name itself, we have Site to Site. So basically, there are two sites that are available here. Now, this can be two different locations from which you want to securely communicate securely.

So it can be between an EC2 instance and the data center. It can be between the two different VPCs. It can be between AWS and Azure or any other location. Remember that a site-to-site terminal is also referred to as an “S 2 S” terminal. So in case you hear about “S2S,” it basically means site to site. Now, once the terminal is established, let’s assume that you have the EC to instance. So this acts as a VPN termination. And here you have the data center. So there is a VPN terminal that has been established over here. Now one of the challenges that an organization might typically face with a site-to-site VPN is the high availability. So basically, if you see over here, there is a single terminal endpoint on each of the sites. So you have the EC to instance, which acts as a VPN termination point. And if this EC2 instance goes down, then the entire terminal would break. When AWS did not have an interregional VPC peering service, site-to-site terminals were fairly common. In fact, let’s assume that you wanted to establish a tunnel between Singapore and Mumbai. VPC peering was not an option back then. Organizations used to rely heavily on SiteToSite VP internals.

Furthermore, many organizations nowadays are based on hybrid cloud or on on-premises and AWS. Access to the VP internal site is therefore critical in this scenario. So we were discussing the availability challenges of an EC2 instance if you’re using it for site-to-site, and if that EC2 instance goes down, then your entire VPN connection would break. So in order to overcome that, what organizations typically do is establish multiple terminals. So far, you can see that you only have one tunnel; this is an active tunnel. And then you have one more terminal. This is a passive terminal. So if one tunnel goes down, then you can switch over to the passive terminal for high availability. So here’s an example diagram. So this is a terminal established between Mumbai and North Virginia. Again, you can do this via VPC peering as well. But let’s assume that this is AWS. Azure can be found on the right side. Then you need to use a site-to-site VPN. Now, when it comes to the architecture of site-to-site VPN, there are certain key terminologies that you need to understand.

The first one is the virtual private gateway, and the second is the customer gateway. The customer gateway is nothing but the VPN termination endpoint on the customer side. So this can be a firewall, this can be a server that acts as an IPsec or VPN tunnel termination endpoint, et cetera. Now, on the AWS side, we make use of the Virtual Private Gateway. However, do remember that it is not mandatory to have a virtual private gateway. A virtual private gateway has its own advantages. Like we were discussing that year, if the EC2 instance goes down, then the entire VPN tunnel that we have established over here will also break. So now, in the virtual private gateway, this virtual private gateway is highly available. So in order to understand this, let’s use the example of this specific diagram. So your virtual private gateway has built-in high availability for a VPN connection. So basically, what happens is that this virtual private gateway has two endpoint IP addresses that are each located in a different availability zone. So you have the endpoint IP for one year. You have two years to use the end point IP address. So now what you do from your customer’s side is establish two VPN tunnels. EndpointIP One and EndpointIP Two would now have two VPN connections, which would work together to form a single VPN connection.

Now, do remember that even though you have a virtual private gateway, if you implement this in your organization, specifically if you are having multiple virtual private gateways and multiple VPN connections, there are a lot of instances where one of the endpoints goes down and then you have to switch to Endpoint IP Two. Now, the great thing here is that the high availability is managed by AWS. So we do not really have to worry about this. But you will get into situations where you will see that one of the tunnels is down. However, if you have set up your VPN connection properly, you do not really have to worry because high availability will be taken care of. So this can be understood with the diagram over here. So this is one of the screenshots that I took from a different video. So here you see the VPN connection. So this is a site-to-site terminal, and this terminal has two IP addresses over here. The first IP address is 18 two, one 6150, dot 193, and the second is 18 to 22 one, dot 76. So far, you can see that there is only one endpoint with the status “up,” and the other has the status “down.” Ideally, if you are implementing it, make sure that both of them are up. That basically means that from your customer’s location, you have two VPN tunnels that are established. So this was just for the representation of the two IP addresses associated with the endpoints for the virtual private gate.

Leave a Reply

How It Works

img
Step 1. Choose Exam
on ExamLabs
Download IT Exams Questions & Answers
img
Step 2. Open Exam with
Avanset Exam Simulator
Press here to download VCE Exam Simulator that simulates real exam environment
img
Step 3. Study
& Pass
IT Exams Anywhere, Anytime!