Bastion Station Weary

By Sherry Wei
Founder and CTO, Aviatrix
July 23, 2016

If you use a bastion station to access instances in a VPC, you should be very wary of how its private key is managed. The bastion station, itself an AWS or Azure instance, is created with a key pair chosen at launch; what actually grants login is the entry that key leaves in the host's ~/.ssh/authorized_keys file, so replacing it means either editing that file on the host or rebuilding the instance and redistributing a new key. In the usual setup this one private key is shared by all users, and everyone logs in as the same default account, which has passwordless "sudo", that is, root privilege. If an employee leaves the company, the employee still has access to the bastion station until that shared key is rotated for everyone. There needs to be a security perimeter at the user level that can allow or deny a specific person access to your cloud resources at any given time, rather than relying on possession of a private key. Furthermore, a bastion station gives non-developers no practical way to reach private applications in the cloud, since it requires an SSH client and port forwarding.
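The access model just described lives in two files on the host: each account's authorized_keys and the sudoers configuration. The script below is an added example (not Aviatrix code and not from the original post) that audits those files for the two risks above, a key authorised on more than one account and accounts that can become root without a password, and shows key revocation by fingerprint, which is the per-user step a bastion admin has to perform when someone leaves. The account names, keys and sudoers lines are constructed test data; the ed25519 key blobs are well-formed but have no private half.

```python
"""Audit a bastion host's SSH access model: per-account keys, shared keys,
passwordless root, and key revocation by fingerprint.

Added example, not Aviatrix code. Every account, key and sudoers line
below is constructed test data, not taken from a real host."""
import base64
import hashlib
import re
import struct
from collections import defaultdict

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Matches sudoers entries that grant every command without a password,
# e.g. the cloud-init default "ec2-user ALL = (ALL) NOPASSWD: ALL".
NOPASSWD_ALL = re.compile(
    r"^\s*(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*ALL\s*$")


def key_blob_b64(line: str) -> str:
    """Return the base64 key blob from an authorized_keys line, skipping
    any leading options such as command="..." or from="..."."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return tokens[i + 1]
    raise ValueError(f"no public key in line: {line!r}")


def ssh_fingerprint(line: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(key_blob_b64(line))).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[str]:
    """Key lines only; blank lines and comments are dropped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def revoke_key(text: str, fingerprint: str) -> str:
    """authorized_keys contents with every key matching the fingerprint
    removed: the revocation step for a departed user, no host rebuild."""
    kept = [ln for ln in text.splitlines()
            if not (ln.strip() and not ln.lstrip().startswith("#")
                    and ssh_fingerprint(ln) == fingerprint)]
    return "\n".join(kept) + ("\n" if kept else "")


def audit(accounts: dict[str, str], sudoers: str) -> dict:
    """accounts maps a login name to the contents of its authorized_keys.
    Reports keys authorised on more than one account and the accounts
    that can become root without a password."""
    holders: dict[str, set[str]] = defaultdict(set)
    for account, text in accounts.items():
        for line in parse_authorized_keys(text):
            holders[ssh_fingerprint(line)].add(account)
    shared = {fp: sorted(a) for fp, a in holders.items() if len(a) > 1}
    matches = (NOPASSWD_ALL.match(ln) for ln in sudoers.splitlines())
    nopasswd = sorted(m.group("who") for m in matches if m)
    return {"shared_keys": shared, "passwordless_root": nopasswd}


def fake_ed25519_pubkey(seed: str, comment: str) -> str:
    """Constructed, well-formed ssh-ed25519 public key line for test data.
    The 32 key bytes are derived from the seed; no private key exists."""
    raw = hashlib.sha256(seed.encode()).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


LAUNCH_KEY = fake_ed25519_pubkey("launch-keypair", "bastion-keypair")
ALICE_KEY = fake_ed25519_pubkey("alice", "alice@laptop")
BOB_KEY = fake_ed25519_pubkey("bob", "bob@laptop")

# Constructed host state: the launch key pair copied into the default
# account and into bob's, per-user keys for alice and bob, and the
# cloud-init sudoers default for the launch account.
ACCOUNTS = {
    "ec2-user": LAUNCH_KEY + "\n",
    "alice": "# alice's own key\n" + ALICE_KEY + "\n",
    "bob": f'from="10.0.0.0/8" {BOB_KEY}\n' + LAUNCH_KEY + "\n",
}
SUDOERS = """# Created by cloud-init
Defaults!/usr/bin/sudoreplay !requiretty
ec2-user ALL = (ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
"""

if __name__ == "__main__":
    report = audit(ACCOUNTS, SUDOERS)
    for fp, accts in report["shared_keys"].items():
        print(f"shared key {fp} authorised for {', '.join(accts)}")
    print("passwordless root:", report["passwordless_root"])
    # Bob leaves: drop his key from his account without touching the image.
    bob_after = revoke_key(ACCOUNTS["bob"], ssh_fingerprint(BOB_KEY))
    print("bob's remaining keys:", parse_authorized_keys(bob_after))
```

On a real host the same audit is a loop over `/home/*/.ssh/authorized_keys` plus `/etc/sudoers` and `/etc/sudoers.d/*`; the point the output makes is that revoking one person is a one-line edit only when each person has their own key, which is exactly what the shared launch key denies you.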

Deploying a VPN server instead of a bastion station is the first step toward building a real security perimeter. From a security standpoint it is a must-have.

Most companies deploy a VPN server at the on-prem office where employees come to work. When employees are not in the office, they must first VPN into the office and then access the cloud. This does provide a security perimeter, but it is not optimal, because user traffic hairpins through the office before reaching the cloud. In addition, a traditional VPN server requires on-prem hardware, proprietary client software and outdated authentication methods. Furthermore, if you have a global workforce, employees everywhere must still connect to this on-prem VPN server first, adding hundreds of milliseconds of round-trip delay.

Therefore, deploying a VPN server in the cloud is the second step: it provides a security perimeter and gives users a unified access experience whether they are on-prem or off-prem. It has the additional benefit that all your enterprise services can be placed in private subnets, while non-technical employees can still access cloud services securely.

However, a single VPN server is a single point of failure, and it still does not address the latency issue for employees located half a globe away. In addition, a VPN server alone in one cloud region cannot give your employees direct, secure access to instances or services in VPCs in other regions or other clouds.

Aviatrix provides the most comprehensive network solution for the cloud. Combining a policy-driven, scale-out and geo-aware VPN with encrypted peering and a central management console, we provide a complete secure network solution in the cloud for all your admins, developers and employees.

To learn the complete list of capabilities, check out the datasheet.
