Jump server

Last updated October 11, 2023

A jump server, jump host or jump box is a system on a network used to access and manage devices in a separate security zone. A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. The most common example is managing a host in a DMZ from trusted networks or computers.

Background

In the 1990s when co-location facilities became more common there was a need to provide access between dissimilar security zones. The jump server concept emerged to meet this need. The jump server would span the two networks and typically be used in conjunction with a proxy service such as SOCKS to provide access from an administrative desktop to the managed device. As SSH-based tunneling became common, jump servers became the de facto method of access.

Implementation

Jump servers are often placed between a secure zone and a DMZ to provide transparent management of devices on the DMZ once a management session has been established. The jump server acts as a single audit point for traffic and also a single place where user accounts can be managed. A prospective administrator must log into the jump server in order to gain access to the DMZ assets and all access can be logged for later audit.

Unix

A typical configuration is a hardened Unix (or Unix-like) machine configured with SSH and a local firewall. An administrator connects to a target machine in the DMZ by making an SSH connection from the administrator's personal computer to the jump server and then using SSH forwarding to access the target machine.

Using SSH port forwarding or an SSH-based tunnel to the target host allows the use of insecure protocols to manage servers without creating special firewall rules or exposing the traffic on the inside network.

Windows

A typical configuration is a Windows server running Remote Desktop Services that administrators connect to, this isolates the secure infrastructure from the configuration of the administrator's workstation.^[1] It is also possible to enable OpenSSH server on Windows 10 (build 1809 and later) and Windows Server editions 2019 & 2022.^[2]

Security risks

A jump server is a potential risk in a network's design.^[3] There are several ways of improving the security of the jump server, including:

Properly subnetting / segmenting the network,^[4] and securing VLANs using a firewall^[5] or router.
Using higher security authentication, such as multi-factor authentication.^[5]
Keeping the operating system and software on the jump server up to date.^[6]
Using ACLs to restrict access.^[7]
Not allowing outbound access to the rest of the internet from the jump server.^[8]
Restricting which programs can be run on the jump server.^[9]
Enabling strong logging for monitoring and alerting of suspicious activity.^[6]

With the high level of risk that a jump server can represent, a VPN may be a suitable and higher security replacement.^[10]

In 2015, a compromised jump server allowed attackers access to over 21.5 million records in one of the largest breaches of government data in the history of the United States.^[11]

Related Research Articles

The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.

Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used to bypass the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced, but could not route the network's address space. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.

A virtual private network (VPN) is a mechanism for creating a secure connection between a computing device and a computer network, or between two networks, using an insecure communication medium such as the public Internet.

In computer security, a DMZ or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is protected behind a firewall. The DMZ functions as a small, isolated network positioned between the Internet and the private network.

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded.

<span class="mw-page-title-main">Port forwarding</span> Computer networking feature

In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway, by remapping the destination IP address and port number of the communication to an internal host.

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called single packet authorization (SPA) exists, where only a single "knock" is needed, consisting of an encrypted packet.

<span class="mw-page-title-main">Application firewall</span> Layer 7/application layer network security system

An application firewall is a form of firewall that controls input/output or system calls of an application or service. It operates by monitoring and blocking communications based on a configured policy, generally with predefined rule sets to choose from. The application firewall can control communications up to the application layer of the OSI model, which is the highest operating layer, and where it gets its name. The two primary categories of application firewalls are network-based and host-based.

A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks, so named by analogy to the bastion, a military fortification. The computer generally hosts a single application or process, for example, a proxy server or load balancer, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of a firewall or inside of a demilitarized zone (DMZ) and usually involves access from untrusted networks or computers. These computers are also equipped with special networking interfaces to withstand high-bandwidth attacks through the internet.

In computer networks, a tunneling protocol is a communication protocol which allows for the movement of data from one network to another. It involves allowing private network communications to be sent across a public network through a process called encapsulation.

<span class="mw-page-title-main">Terminal server</span> Device that interfaces serial hosts to a network

A terminal server connects devices with a serial port to a local area network (LAN). Products marketed as terminal servers can be very simple devices that do not offer any security functionality, such as data encryption and user authentication. The primary application scenario is to enable serial devices to access network server applications, or vice versa, where security of the data on the LAN is not generally an issue. There are also many terminal servers on the market that have highly advanced security functionality to ensure that only qualified personnel can access various servers and that any data that is transmitted across the LAN, or over the Internet, is encrypted. Usually, companies that need a terminal server with these advanced functions want to remotely control, monitor, diagnose and troubleshoot equipment over a telecommunications network.

In network security a screened subnet refers to the use of one or more logical screening routers as a firewall to define three separate subnets: an external router, that separates the external network from a perimeter network, and an internal router that separates the perimeter network from the internal network. The perimeter network, also called a border network or demilitarized zone (DMZ), is intended for hosting servers that are accessible from or have access to both the internal and external networks. The purpose of a screened subnet or DMZ is to establish a network with heightened security that is situated between an external and presumed hostile network, such as the Internet or an extranet, and an internal network.

This is a comparison of notable free and open-source configuration management software, suitable for tasks like server configuration, orchestration and infrastructure as code typically performed by a system administrator.

This page is a comparison of notable remote desktop software available for various platforms.

An application delivery controller (ADC) is a computer network device in a datacenter, often part of an application delivery network (ADN), that helps perform common tasks, such as those done by web accelerators to remove load from the web servers themselves. Many also provide load balancing. ADCs are often placed in the DMZ, between the outer firewall or router and a web farm.

Web-based SSH is the provision of Secure Shell (SSH) access through a web browser. SSH is a secure network protocol that is commonly used to remotely control servers, network devices, and other devices. With web-based SSH, users can access and manage these devices using a standard web browser, without the need to install any additional software.

OpenSSH is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture.

A virtual firewall (VF) is a network firewall service or appliance running entirely within a virtualized environment and which provides the usual packet filtering and monitoring provided via a physical network firewall. The VF can be realized as a traditional software firewall on a guest virtual machine already running, a purpose-built virtual security appliance designed with virtual network security in mind, a virtual switch with additional security capabilities, or a managed kernel process running within the host hypervisor.

Routing and Remote Access Service (RRAS) is a Microsoft API and server software that makes it possible to create applications to administer the routing and remote access service capabilities of the operating system, to function as a network router. Developers can also use RRAS to implement routing protocols. The RRAS server functionality follows and builds upon the Remote Access Service (RAS) in Windows NT 4.0.

<span class="mw-page-title-main">Endian Firewall</span> Linux distribution

Endian Firewall is an open-source router, firewall and gateway security Linux distribution developed by the South Tyrolean company Endian. The product is available as either free software, commercial software with guaranteed support services, or as a hardware appliance.

References

↑ "Implementing Secure Administrative Hosts". docs.microsoft.com.
↑ robinharwood. "Get started with OpenSSH for Windows". learn.microsoft.com. Retrieved 2022-12-02.
↑ Grimes, Roger A. (July 26, 2017). "'Jump boxes' and SAWs improve security, if you set them up right". CSO Online.
↑ Pompon, Raymond; Vinberg, Sander (2021-09-21). "Protecting Critical Systems with Isolation and Jump Boxes - F5 Labs". F5 Labs. Retrieved 2022-01-28.
1 2 Hess, Ken. "Jump Box Security » Linux Magazine". Linux Magazine. Retrieved 2022-01-28.
1 2 "4 OT/IT network segmentation techniques - selecting a cyber resilient configuration- Applied Risk". Applied Risk. 2021-11-24. Retrieved 2022-01-28.
↑ "Jump server". Intelligent Systems Monitoring – Systems Monitoring Made Easy. 2018-05-03. Retrieved 2022-01-28.
↑ "Guidance for Secure Interactive Remote Access" (PDF). North American Electric Reliability Corporation. 2011-08-24. p. 38. Retrieved 2022-01-28.
↑ Grimes, Roger A. (2017-07-26). "'Jump boxes' and SAWs improve security, if you set them up right". CSO Online. Retrieved 2022-01-28.
↑ Bhargava, Rajat (January 10, 2014). "Is the Jump Box Obsolete?". O'Reilly Radar.
↑ Koerner, Brendan (October 23, 2016). "Inside the Cyberattack That Shocked the US Government". Wired.

External links

Wimmer, Peter Kai. "Secure Network Zones" (PDF). ATSEC Information Security. Archived from the original (PDF) on 2016-03-08.
Mathis, Roland (2004-09-20). "Installation of a Secure User-Chrooted SSH Jumphost" (PDF). GIAC. Retrieved 2019-06-12.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Implementing Secure Administrative Hosts". docs.microsoft.com.

[2] robinharwood. "Get started with OpenSSH for Windows". learn.microsoft.com. Retrieved 2022-12-02.

[3] Grimes, Roger A. (July 26, 2017). "'Jump boxes' and SAWs improve security, if you set them up right". CSO Online.

[Pompon_Vinberg_2021-4] Pompon, Raymond; Vinberg, Sander (2021-09-21). "Protecting Critical Systems with Isolation and Jump Boxes - F5 Labs". F5 Labs. Retrieved 2022-01-28.

[Hess-5] 1 2 Hess, Ken. "Jump Box Security » Linux Magazine". Linux Magazine. Retrieved 2022-01-28.

[Applied_Risk_2021-6] 1 2 "4 OT/IT network segmentation techniques - selecting a cyber resilient configuration- Applied Risk". Applied Risk. 2021-11-24. Retrieved 2022-01-28.

[Intelligent_Systems_Monitoring_2018-7] "Jump server". Intelligent Systems Monitoring – Systems Monitoring Made Easy. 2018-05-03. Retrieved 2022-01-28.

[NERC_2011-8] "Guidance for Secure Interactive Remote Access" (PDF). North American Electric Reliability Corporation. 2011-08-24. p. 38. Retrieved 2022-01-28.

[Grimes_2017-9] Grimes, Roger A. (2017-07-26). "'Jump boxes' and SAWs improve security, if you set them up right". CSO Online. Retrieved 2022-01-28.

[10] Bhargava, Rajat (January 10, 2014). "Is the Jump Box Obsolete?". O'Reilly Radar.

[11] Koerner, Brendan (October 23, 2016). "Inside the Cyberattack That Shocked the US Government". Wired.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]