Bastion hosts

All of this is great, but why would you need this if you're managing servers? Especially servers you control...

Consider your environment.

In the office, you might have access to every machine the company has under its dominion, because you're sat on a LAN segment that has unfettered access to every other network segment.

Remotely, you might have a VPN machine on the border of your network, to which you need to initially establish a connection before you're able to SSH to other machines.

Bastion hosts are something you might consider, and they can be used in conjunction with a VPN.

You, as the system administrator, can decide that you'd like a single point of ingress for people SSH'ing to machines to easily log traffic and maybe manage keys  perhaps because you're just vindictive and want everyone's config file to be that much longer?

Work with your network team, consult your company's policies, and design a network that you can easily maintain, and that others won't mind using.

Your company may have specific security policies in place that limit what you're allowed to do. Remember, it's not about what you can do, it's about what you should do. No one will congratulate you for being clever when you're being marched out of the office for bypassing security. By all means highlight security problems when you see them, just don't exploit them.

上一章目录下一章