What a mouthful, Auditable Internet Perimeter using bastion hosts! Some time ago I published a technical recipe on securing web based applications using open source tools. Here, then, is another recipe, this time for auditing external users and their actions almost completely.
Although my claim is that too much security is a bad thing, there are situations where one has to be paranoid. Take, for example, the access of remote (sometimes even intercontinental) support engineers who get to work on your digital assets. How can one be sure that these unknown, self-proclaimed support engineers are not of the slacking kind, or even worse of the malicious kind? One must be able to review their work and act upon that knowledge.
First of all you will need a firewall. No, really, you do: firewalling alone is not enough, but it is a necessity of modern business. Let’s assume for starters that you configure your firewall for remote VPN access for your teleworkers and remote support engineers. Once you give access to remote users, auditing firewall logs becomes as useful as counting grains of sand: time consuming and worthless. So configure your firewall to allow the remote users access only to your bastion servers, and nothing else.
I use two sets of bastion hosts: Unix, based on Linux, and Windows, based on, you guessed it, Windows ™. On Linux I do not use the stock SSH server but a hacked version of it. It saves all of a user’s terminal interaction to a file, and you can replay or text search that log. The patches are on my site for version 4.7p1. For previous versions of sshd look under kdvelectronics. Gotchas: to build sshd with my patches you first have to build the ssh client, then the server. Also remember to include the UsePrivilegeSeparation no directive in sshd.conf.
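Once every terminal session lands in a file, the useful part is the review: which commands were typed, on which hosts, and which ones deserve a second look. The following is an added example written for this post; it is not code from the patched sshd or from kdvelectronics, and since the page does not show the log format the patches produce, the layout of the constructed sample below (a timestamp in brackets followed by the prompt line exactly as the user saw it) is an assumption. The parser keeps only prompt lines, so command output never gets mistaken for a typed command.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample of a recorded bastion session. The format is an
# assumption for this example: "[timestamp] user@host:cwd$ command",
# with the command's output interleaved on the following lines.
SAMPLE_SESSION = """\
[2009-03-02 09:14:03] support1@bastion:~$ id
uid=1001(support1) gid=1001(support1) groups=1001(support1),27(sudo)
[2009-03-02 09:14:11] support1@bastion:~$ ssh app01
[2009-03-02 09:14:15] support1@app01:~$ sudo tail -n 50 /var/log/syslog
Mar  2 09:13:58 app01 sshd[1423]: Accepted publickey for support1
[2009-03-02 09:16:40] support1@app01:~$ sudo rm -rf /var/log/archive
[2009-03-02 09:16:52] support1@app01:~$ exit
[2009-03-02 09:16:53] support1@bastion:~$ exit
"""

# A prompt line: bracketed timestamp, user@host, a working directory,
# the $ or # prompt character, then whatever the user typed.
PROMPT_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"(?P<user>[\w.-]+)@(?P<host>[\w.-]+):\S*[$#] (?P<cmd>.*)$"
)

# Command patterns a reviewer would want pulled out of a session for a
# closer look (hypothetical list; extend to match your own policy).
RISKY_PATTERNS = [
    r"\brm\s+-rf\b",
    r"\bchmod\s+777\b",
    r"\buseradd\b",
    r"\bhistory\s+-c\b",
]


@dataclass
class Command:
    ts: str
    user: str
    host: str
    cmd: str


def parse_session(text: str) -> List[Command]:
    """Extract one Command per prompt line; output lines are skipped."""
    commands = []
    for line in text.splitlines():
        match = PROMPT_RE.match(line)
        if match:
            commands.append(Command(**match.groupdict()))
    return commands


def search(commands: List[Command], pattern: str) -> List[Command]:
    """Free-text search over typed commands, the 'grep the log' use case."""
    rx = re.compile(pattern)
    return [c for c in commands if rx.search(c.cmd)]


def flag_risky(commands: List[Command]) -> List[Command]:
    """Return the commands that match any of the review patterns."""
    return [
        c for c in commands
        if any(re.search(p, c.cmd) for p in RISKY_PATTERNS)
    ]


def hosts_touched(commands: List[Command]) -> Set[str]:
    """Every host the engineer reached via the bastion, including the bastion."""
    return {c.host for c in commands}


if __name__ == "__main__":
    cmds = parse_session(SAMPLE_SESSION)
    print(f"{len(cmds)} commands on hosts {sorted(hosts_touched(cmds))}")
    for c in flag_risky(cmds):
        print(f"REVIEW {c.ts} {c.user}@{c.host}: {c.cmd}")
```

Run it over a real session file instead of the embedded sample and the flagged list is what you hand to whoever signs off on the support engineer's work; the timestamps make it easy to jump to the same point in a replay.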
Let’s do Windows now. First you will need a Windows based terminal server with enough licenses, you dig? Then grab and install Rautor, by yours truly, and lastly include the rautor executable in your AD Group Policy’s logon script. Presto: screen dumper, keyboard logger and screen scraper in one shot, with a playback application that works for Remote Desktop connections as well! It is a bit more difficult to locate or text search things under the Windows environment, but at least you will have something to start with.
Now for the dessert. To properly maintain a secure perimeter one needs a unified password management system. Active Directory is very useful in that affair; couple it with winbindd on Unix and all your remote and local users operate under a common access mechanism. Still not satisfied? Still want the whole cake? SSHD with my hacks can be compiled under Cygwin on Windows, so you can roll out a single bastion host under a single security policy, fully auditable and relatively secure.
Oh, did I mention the cost? The Windows licenses plus consulting time. Somebody please do a bit of market research for an equivalent solution, if one exists, and let me know. Thanks, everyone.