Resolving Problems with Jump Boxes and Network Security

June 1, 2017

If you have worked in IT long enough, chances are that you have been part of or administered an environment where you (or members of the IT / development team) were required to implement and utilize a jump box to access protected resources.

A jump box (also called a bastion host) is a hardened system that sits between two networks and provides a controlled path from the less trusted network into one that holds more highly protected resources: a user logs in to the jump box first and then connects onward from it. Jump boxes are generally tightly regulated and monitored by a SOC (or similar technical oversight function), access to them requires elevated approval, and sessions and actions on the box are logged and recorded to satisfy regulatory compliance requirements.

While jump boxes may have ticked the check box for a regulatory audit on access control and separation of duties requirements, they have always presented three main problems:

  1. Very inconvenient: Though arguably they were SUPPOSED to be inconvenient, waiting for approvals and authorizations has always been cumbersome.
  2. Lateral movement: Access is approved to the box, not to an individual resource, so once the jump box is open the user has free rein to reach pretty much any and EVERYTHING on the protected network.
  3. Manual process: Jump boxes often had to be opened by a person, usually a member of a NOC / SOC team acting on an email authorization chain or a trouble ticket.

Illustration of a Jump Box without AppGate

There *IS* a better way!

Utilizing a Software-Defined Perimeter (SDP) solution such as Cryptzone’s AppGate addresses these primary concerns:

  1. All users have a lightweight AppGate client installed on their device (Windows, Mac, iOS or Android) connecting them to a protected AppGate Controller, which grants the user entitlements to specifically authorized workloads. Adding entitlements is simple and can even be automatic: entitlements are evaluated against dynamic, contextual conditions (user location, time of day, device hygiene), and those checks can draw on existing enterprise SIEM data so that access changes as soon as the context does.
  2. With AppGate, users gain access only to the resources they are specifically authorized for. Unlike many VPN or jump box solutions, AppGate controls the specific resources a user can reach on the protected network, so lateral movement (going from resource to resource without additional authorization, or worse, accessing or manipulating resources or data the user is NOT authorized for, a compliance nightmare) is blocked by policy rather than left to whatever the jump box can reach. The usual caveat still applies: an authorized resource that is itself compromised can be a pivot point, so host hardening on the protected side still matters.
  3. AppGate can be configured to automate the approval process, removing the human-in-the-loop authorization headache. AppGate integrates with trouble ticketing systems to grant access to the specific resources, and ONLY those resources, defined in the trouble ticket. Once the trouble ticket is resolved or closed, access to those resources can be immediately revoked.
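The three points above describe a policy model: deny by default, grant a named resource to a user only while group membership, device posture, location, working hours and an open ticket all hold, and re-evaluate when any of those change. The following is an added example written for this post to make that model concrete; it is not AppGate code, and the policy format, the constructed inventory and ticket store, and every function name in it are hypothetical. It also contrasts the set of hosts reachable under the jump box model (everything) with the set an entitlement evaluator exposes.

```python
"""Entitlement evaluation in the style of a Software-Defined Perimeter.

Added example; the policy format, ticket store and helper names are
hypothetical illustrations, not AppGate's own API.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed inventory of the protected network (host:port).
PROTECTED_NETWORK = {
    "db-prod-01:5432", "db-prod-02:5432", "app-01:22", "app-02:22", "ldap-01:636",
}

# Constructed ticket store: ticket id -> (status, resources the ticket covers).
TICKETS = {
    "INC-1001": ("open", {"db-prod-01:5432"}),
    "INC-0999": ("closed", {"db-prod-02:5432"}),
}


@dataclass
class Context:
    """What the controller knows about the user and device at request time."""
    user: str
    groups: frozenset
    device_compliant: bool  # e.g. disk encrypted, EDR agent running
    location: str           # e.g. "office", "home", "unknown"
    now: datetime


@dataclass
class Entitlement:
    """One rule granting one resource to one or more groups under conditions."""
    resource: str
    groups: frozenset
    ticket: Optional[str] = None              # access only while this ticket is open
    require_compliant_device: bool = True
    allowed_locations: Optional[frozenset] = None
    hours: Optional[tuple] = None             # (start_hour, end_hour), 24h clock


def ticket_grants(ticket_id, resource):
    """A ticket grants a resource only while open and only for the resources it lists."""
    status, resources = TICKETS.get(ticket_id, ("missing", set()))
    return status == "open" and resource in resources


def close_ticket(ticket_id):
    """Closing a ticket revokes ticket-bound entitlements on the next evaluation."""
    status, resources = TICKETS[ticket_id]
    TICKETS[ticket_id] = ("closed", resources)


def evaluate(ctx, entitlements, resource):
    """Return (allowed, reason). Deny by default; every condition of a rule must hold."""
    reason = "no entitlement"
    for e in entitlements:
        if e.resource != resource or not (ctx.groups & e.groups):
            continue
        if e.require_compliant_device and not ctx.device_compliant:
            reason = "device not compliant"
        elif e.allowed_locations and ctx.location not in e.allowed_locations:
            reason = "location not permitted"
        elif e.hours and not (e.hours[0] <= ctx.now.hour < e.hours[1]):
            reason = "outside permitted hours"
        elif e.ticket and not ticket_grants(e.ticket, resource):
            reason = f"ticket {e.ticket} closed or does not cover resource"
        else:
            return True, "entitled"
    return False, reason


def reachable_via_jump_box(ctx, network):
    """Traditional jump box: once on the box, every host on the network is reachable."""
    return set(network)


def reachable_via_sdp(ctx, entitlements, network):
    """SDP: the user sees only the resources an entitlement currently allows."""
    return {r for r in network if evaluate(ctx, entitlements, r)[0]}


# Constructed policy: standing access for devops during business hours from
# known locations, and DBA access to production databases only under a ticket.
POLICY = [
    Entitlement("app-01:22", frozenset({"devops"}),
                allowed_locations=frozenset({"office", "home"}), hours=(8, 18)),
    Entitlement("db-prod-01:5432", frozenset({"dba"}), ticket="INC-1001"),
    Entitlement("db-prod-02:5432", frozenset({"dba"}), ticket="INC-0999"),
]

if __name__ == "__main__":
    alice = Context("alice", frozenset({"dba", "devops"}), True, "home",
                    datetime(2017, 6, 1, 10, 0))
    print(sorted(reachable_via_jump_box(alice, PROTECTED_NETWORK)))
    print(sorted(reachable_via_sdp(alice, POLICY, PROTECTED_NETWORK)))
    print(evaluate(alice, POLICY, "db-prod-02:5432"))
    close_ticket("INC-1001")
    print(evaluate(alice, POLICY, "db-prod-01:5432"))
```

Running it shows the difference the post is describing: the jump box exposes all five hosts, while the evaluator exposes only the SSH host alice is entitled to during business hours and the one database covered by her open ticket; the database behind the closed ticket and the LDAP server are denied, and closing INC-1001 revokes the database on the very next check with no operator involved.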

Illustration of a Jump Box with AppGate

There was certainly a time and place for jump boxes as part of an enterprise network. But advances in technology have made them cumbersome and obsolete. Updating your security and network infrastructure to use a Software-Defined Perimeter solution addresses the jump box concerns above, as well as MANY more of your security and compliance considerations!


Chris Steffen

Christopher Steffen joined Cryptzone in October 2016 as the Technical Director to educate and promote information security and regulatory compliance as it relates to network access management and cloud computing solutions. Before joining the team at Cryptzone, Chris served as the Chief Evangelist – Cloud Security for Hewlett Packard Enterprise (HPE). He has also served in executive roles as the Director of Information Technology at Magpul Industries (a plastics manufacturing company) and as the Principal Technical Architect for Kroll Factual Data (a credit service provider). Steffen has presented at numerous conferences and has been interviewed by multiple online and print media sources. Steffen holds several technical certifications, including CISSP and CISA.
