security/security-design/shared-assets/bastion-py-script/README.md
Lines changed: 20 additions & 14 deletions
@@ -1,23 +1,23 @@
1
1
2
-
# Bastion session
2
+
# Oracle Cloud Infrastructure (OCI) Bastion Service
3
3
4
-
This reusable asset consist of a Python script that creates a bastion session with the Oracle OCI bastion service. The main purposes of this asset are:
4
+
This reusable asset consist of a Python script that creates a bastion session with the Oracle OCI Bastion Service. The main purposes of this asset are:
5
5
6
6
- Demonstrate the usage of OCI Python SDK
7
7
- Create a simple OS independent command-line interface for creating bastion sessions
8
8
- Create a simple way to make reusable configuration
9
9
- Create a `ssh` command that works with Linux, Mac OS and Windows by providing the flexibility to configure either `ssh` command or `putty` commands.
10
10
11
-
The script creates bastion session over SSH, and creates an example command to set up the tunnel for the target application. Other protocols like RDP can then be tunneled over the SSH session through the bastion service.
11
+
The script creates bastion session over SSH, and creates an example command to set up the tunnel for the target application. Other protocols like RDP can then be tunneled over the SSH session through the OCI Bastion Service.
Oracle Cloud Infrastructure (OCI) Bastion service, is a fully managed service providing secure and ephemeral Secure Shell (ssh) access to the private resources in OCI. OCI Bastion service, like the bastion fortress of medieval times, improves security posture by providing an additional layer of defense against external threats.
20
+
Oracle Cloud Infrastructure (OCI) Bastion Service, is a fully managed service providing secure and ephemeral Secure Shell (ssh) access to the private resources in OCI. OCI Bastion Service, like the bastion fortress of medieval times, improves security posture by providing an additional layer of defense against external threats.
21
21
22
22
Accessing virtual services directly from the internet is a clear no-go. Best practices is to never expose compute resources directly, neither for SSH or RDP traffic. RDP is known to be one of the most common Initial Access Vectors for ransomware types of attacks.
23
23
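Review bot: the rename from "bastion service" to "OCI Bastion Service" is applied consistently, but the grammar errors on the same lines are carried over unchanged from the old side to the new side: new line 4 still reads "This reusable asset consist of a Python script" (should be "consists"), new line 11 still reads "The script creates bastion session over SSH" (should be "creates a bastion session"), and new line 9 uses "Mac OS" where the current product name is "macOS". Since this change already touches exactly these lines, fold the fixes in. On new line 20, "Secure Shell (ssh)" should abbreviate to "SSH" to match the "SSH" and "RDP" spelling used elsewhere in the file, and the comma in "Oracle Cloud Infrastructure (OCI) Bastion Service, is a fully managed service" is spurious.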
@@ -27,14 +27,14 @@ The main weakness with this model is:
27
27
- Extra set of required resources with risk of misconfiguration
28
28
- The jump server will require an additional layer of user governance.
29
29
30
-
The OCI Bastion service removes the public and private virtual cloud networking (VCN) hassle for access to a jump host. No public IP is needed, resulting in no surface attack area or zero-day vulnerabilities with a dedicated jump host. Customers also eliminate shared credentials, broad access limits, and other bad habits of using jump hosts. OCI Bastion service integrates with OCI Identity and Access Management (IAM) and allows the organization to control who can access a bastion or a session and what they can do with those resources.
30
+
The OCI Bastion Service removes the public and private virtual cloud networking (VCN) hassle for access to a jump host. No public IP is needed, resulting in no surface attack area or zero-day vulnerabilities with a dedicated jump host. Customers also eliminate shared credentials, broad access limits, and other bad habits of using jump hosts. OCI Bastion Service integrates with OCI Identity and Access Management (IAM) and allows the organization to control who can access a bastion or a session and what they can do with those resources.
31
31
32
-
The OCI Bastion service exists in two flavors:
33
-
- Managed session
34
-
With managed sessions an agent is running on the compute node, and the bastion session connects to the agent and tunnels SSH through the agent. The managed Session makes it possible to connect to a compute node from other networks without configure routing between the network where the compute node resides, and the network the bastion connection is initiated from.
32
+
The OCI Bastion Service exists in two flavors:
33
+
- Managed Session
34
+
With managed sessions an agent is running on the compute node, and the bastion session connects to the agent and tunnels SSH through the agent. The managed session makes it possible to connect to a compute node from other networks without configure routing between the network where the compute node resides, and the network the bastion connection is initiated from.
35
35
- Port Forwarding
36
-
In this mode the bastion service does not tunnel though the agent, but the bastion service must have access to the subnet where the compute node resides, and the subnet security list
37
-
For additional description of the bastion service please review:
36
+
In this mode the OCI Bastion Service does not tunnel though the agent, but the OCI Bastion Service must have access to the subnet where the compute node resides, and the subnet security list
37
+
For additional description of the OCI Bastion Service please review:
38
38
39
39
## Requirements
40
40
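Review bot: new line 36 ends mid-sentence: "but the OCI Bastion Service must have access to the subnet where the compute node resides, and the subnet security list" never states what the security list must allow. This is the paragraph a reader uses to choose between the two session types, so complete the sentence with the required ingress rule before merging. While these lines are being edited, fix "does not tunnel though the agent" (through) on the same line, "without configure routing" (without configuring routing) on new line 34, and "no surface attack area" (no attack surface) on new line 30. The claim on new line 30 that there are "no surface attack area or zero-day vulnerabilities" overstates the benefit: dropping the public IP removes the exposure of a self-managed jump host, not the possibility of vulnerabilities in the managed service, so reword to "no publicly exposed host to patch". The list also needs a blank line between each "- Managed Session" / "- Port Forwarding" bullet and the paragraph that describes it; without it Markdown folds the description into the bullet text.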
@@ -43,7 +43,7 @@ The following components needs to be installed in your environment:
43
43
- Latest version of the OCI CLI
44
44
- Requirements, as defined in requirements.txt
45
45
46
-
If you need to ru older Python versions (below 3.8), note the changes for asyncio in the exec_command procedure.
46
+
If you need to run older Python versions (below 3.8), note the changes for asyncio in the exec_command procedure.
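Review bot: the typo fix ("ru" to "run") is correct, but the sentence still sends the reader to "the changes for asyncio in the exec_command procedure" without saying what those changes are; either state the concrete difference a reader on Python below 3.8 has to apply, or declare Python 3.8 as the minimum and drop the caveat, since a README note that requires reading the script body to act on is not actionable. In the hunk header context, "The following components needs to be installed" should be "need".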