Saturday, November 18, 2017

[Labs] Centrify's SSH Gateway Explored - On Premises, AWS, Azure and GCP

This article illustrates the steps to set-up a lab to test the SSH Gateway capability of Infrastructure Service.  This capability provides secure access to on premises or IaaS (AWS, Azure or Google Cloud Platform) systems leveraging the Secure Shell protocol (SSH+File Transfer).

Background
Centrify Infrastructure Services provides a full-fledged secure shell and file transfer capability (SSH Gateway).  This "jumpbox"  supports all the core features of the platform including multi-factor authentication, workflow, real-time monitoring and session capture and replay.

Goals of this Lab
  • Identity Consolidation:
    • Leverage existing Organizational Directory Services.
    • Accomodate for user populations outside the organization (e.g. Federation, other Directories, etc).
  • Usability:  Provide secure access to systems running the SSH Service without visiting the Centrify portal.
  • Access Control:  Align with best practices for security access controls, like:
    • Identity Assurance via Multi-factor Authentication.
    • Adherence to the Least Privilege principle  (users shall only access systems and accounts that they have a business need to access).
  • Auditability:
    • Event tracking (who, what, when).
    • Allow the real-time proctoring of shell sessions as well as the session recording to be replayed later (e.g. PCI DSS 10.2.2).
  • Simplicity and multi-use:  Provide these capabilities with minimal infrastructure or to reuse components of Centrify Infrastructure Service (E.g. leverage other services like AD or LDAP Proxy, or RDP jumpbox services).

Requirements
  • A Centrify Infrastructure Services instance (SaaS or Customer Managed) - 17.10 and above.
  • A Centrify Connector running the SSH gateway in all the subnets required for SSH jumpbox access.
  • A handful of test systems running the SSH Service.
  • SSH and sFTP client software.
  • If testing "true MFA": An OATH OTP, configured RADIUS token or enrolled Mobile Authenticator.
  • Familiarity with Centrify Infrastructure Services.
    • Policy and Authentication Profiles.
    • A configured "Corporate IP Range." 
    • Familiarity with CPS Roles, Permissions and Sets.
  • Understanding of the communication paths for CPS (e.g. between connector and instance (HTTPS), between connector and SSH Servers (standard SSH port TCP 22).  Note that these ports are customizable.
  • Understading of Infrastructure Services Role-based Access Control.

Conceptual Diagram


This diagram showcases the major components, the location, firewall rules, and additional details depend on the environment.

Diagram for this Lab


High-level Implementation Steps
AWS
  • In this implementation, I'm using an AWS VPC as my "corporate HQ"  it has an AD domain, some systems (Windows and Linux) as well as a hosted AD domain.  This will allow me to have different user populations.
  • I am leveraging an existing Active Directory and DirectAudit infrastructure.
  • Launched a Windows 2012 R2 instance with a public IP address, Fthis instance is in a security group,  that allows inbound HTTPS and SSH from the internet to the instance, plus it can reach the rest of the systems internally, including AD (to allow for it to be joined).
  • For internet name resolution, I created a CNAME record in the rpdemo.net DNS domain for the cps record that resolves to the public DNS name for the EC2 instance above
  • Obtained a publicly rooted certificate, and exported it with the private key for Privilege Service to use.
  • Installed Privilege Service (on-premises) in single-master mode (no HA);
    Note:  The single-master configuration does not provide HA or allows for upgrades.  This is for testing purposes only.
  • Added a Centrify connector with the adproxy and SSH gateway services.
  • Configured Privilege Service to use my ISP's IP address as part of the corporate IP range.  This is to provide the assurance that only I can access it.
  • Configured 2 roles:  An Administrator, and a Least Access role.
  • Configured Workflow for the resources.
Microsoft Azure
  • Created inbound rules that allow the connector in AWS to reach the systems over RDP and SSH.
    Note: Depending on the services needed, an additional connector in Azure (or GCP) is needed.
  • Launched existing Windows and Linux systems.

Test Matrix (Success Criteria)
CategoryDescriptionResult
Identity ConsolidationUsers from Active Directory and Centrify Directory can access systems via Web Portal or SSH Gateway.Pass
Identity Assurance with MFAUsers must use an MFA or Step-up method to authenticate via Web portal or SSH Gateway.Pass
PolicyUsers can only access from a specific subnet.Pass
Least AccessUsers can only access the systems based on business need to know via Web Portal or SSH Gateway.Pass
Access RequestUsers must request temporary access to shared accounts.Pass
Monitoring (real time)SSH/RDP – Sessions can be monitored in real time.
SFTP – Active sessions can be tracked.
Pass
Advanced AuditingSessions can be reviewed after the fact (indexing, replay, etc.)Pass
Infrastructure Simplicity and ReuseThe same components can be used for other capabilities (e.g. RDP, etc).Pass

Test Videos
Identity Consolidation and  Assurance with MFA

Policy, Least Privilege and Access Request

Real-time Monitoring  + Session Capture and Replay

Infrastructure Simplicity and Reuse