A layered approach to network security is always the best. In this video, you’ll learn about jump servers, hardware security modules (HSM), and sensors and collectors.
One of the challenges we have when we’re administering our network and our servers is to provide administration of those devices in a way that is secure. To do this, we will often take advantage of a jump server. A jump server lets us reach internal devices through a private connection that we make to a single device on the inside. This is usually a very secure device, one that we’ve hardened so that no one would be able to gain access to that device except authorized users like ourselves.
We would then establish an SSH or VPN tunnel to that device, and from there, we’re able to jump to the other devices on the inside of the network. This means that if we need to administer this application server, this web server, or this database server, we would first connect to the jump server, and from there, we would jump to these different servers to administer those systems.
From a security perspective, we have to be very careful about the system that we are configuring as this jump server. Since this jump server effectively has access to all of these devices on the inside of the network, we want to be sure that no one unauthorized gains access to the jump server. This is an important consideration when configuring this jump server, because we want to be sure that a compromise of this one system wouldn’t hand someone access to the entire internal network.
If you’re working in a very large environment with many web servers and devices that need cryptographic keys, then you’re probably using a hardware security module, or HSM. This is a device that is specifically designed to help you manage and control this large number of keys and certificates in your environment. This is a device that is usually installed in clusters with redundancy. There are very often multiple power supplies on these devices, because you always want to be sure that you can access your HSM.
These devices are more than just a simple server. Usually, inside they have specialized hardware that’s designed for cryptography. This might be a card that’s added to the system after the fact, or it may be purpose-built to have this cryptographic functionality as part of the HSM. This HSM can provide secure storage. This would be a perfect place to keep the private keys that you would use for your web servers, and many environments will have this configured as a cryptographic accelerator, so that they are performing their encryption and decryption on this device and then simply communicating in the clear with the server. This keeps the overhead of the encryption process away from the server and focuses it on the device that has built-in hardware designed specifically for encryption and decryption.
If you are managing one of these large networks, then you’ve certainly installed some sensors and collectors into your network. There needs to be some way to take all of the important statistics that are being gathered by all of the devices on your network and centralize them into one point. This would be devices such as switches, routers, servers, firewalls, and other devices that have logs and statistics that can help you manage these devices better.
The sensor usually goes on the device itself. So you would have a sensor that’s part of your intrusion prevention system. There might be logs inside of your firewall or your authentication server, your web server may have logs, and all of these sensors are gathering information and providing it to the collector. The collector is usually a console or series of consoles on your network. The collector receives all of the sensor data, parses the data, and then presents a representation of that data on the screen. This collector could be proprietary, so it may be created for one particular product such as a firewall. And that means that it would only be able to provide information that is specific to that firewall.
Or you may be using a more generic collector that can gather information across multiple different devices. A good example of this is a SIEM. It is a security information and event management tool that is able to collect log files from switches, routers, servers, and almost anything else in your environment. It then consolidates those log files, compares them with each other, and provides output that gives you a broader perspective of exactly what’s going on in your network across many, many different devices.
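The collector’s parse-and-consolidate step, as an added example that is not part of the original video: Python code that normalizes constructed firewall, jump-server authentication and web-server log lines into one common schema, then answers a question no single sensor can answer on its own. The log formats, device names and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample sensor output (not real logs), one native format each.
FIREWALL_LOG = """\
2024-05-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-05-01T10:00:04Z fw01 ALLOW src=198.51.100.9 dst=10.0.0.5 dport=22
2024-05-01T10:00:09Z fw01 DENY src=203.0.113.7 dst=10.0.0.6 dport=443"""
AUTH_LOG = """\
2024-05-01T10:00:05Z jump01 sshd: Failed password for admin from 198.51.100.9
2024-05-01T10:00:07Z jump01 sshd: Failed password for admin from 198.51.100.9
2024-05-01T10:00:12Z jump01 sshd: Accepted publickey for ops from 192.0.2.20"""
WEB_LOG = """\
203.0.113.7 - - [01/May/2024:10:00:10 +0000] "GET /admin HTTP/1.1" 403 12
192.0.2.20 - - [01/May/2024:10:00:15 +0000] "GET /index.html HTTP/1.1" 200 512"""

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=\S+ dport=\d+$")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) \S+ for (\S+) from (\S+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \d+$')

def normalize(source, line):
    """Map one native log line onto the collector's common schema, or None."""
    if source == "firewall" and (m := FW_RE.match(line)):
        return {"ts": m[1], "device": m[2], "src_ip": m[4],
                "outcome": "deny" if m[3] == "DENY" else "allow"}
    if source == "auth" and (m := AUTH_RE.match(line)):
        return {"ts": m[1], "device": m[2], "src_ip": m[5], "user": m[4],
                "outcome": "deny" if m[3] == "Failed" else "allow"}
    if source == "web" and (m := WEB_RE.match(line)):
        return {"ts": m[2], "device": "web01", "src_ip": m[1],
                "outcome": "deny" if m[3] in ("401", "403") else "allow"}
    return None  # unrecognised line: keep the raw copy, never guess fields

def collect(feeds):
    """feeds: {source_name: multi-line text} -> list of normalized events."""
    return [ev for src, text in feeds.items()
            for line in text.splitlines() if (ev := normalize(src, line))]

def denied_on_multiple_devices(events):
    """Source IPs denied by more than one distinct device: a view no single
    sensor can provide, which is the point of a central collector."""
    seen = defaultdict(set)
    for ev in events:
        if ev["outcome"] == "deny":
            seen[ev["src_ip"]].add(ev["device"])
    return {ip: sorted(devs) for ip, devs in seen.items() if len(devs) > 1}
```

With the constructed input, only 203.0.113.7 is denied by two different devices (the firewall and the web server), which neither log shows on its own.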