December 4, 2020
Today we released a new open-source tool, the Snap Labs BastionBox! BastionBox is a simple, secure way to manage access to your cloud and on-premises lab environments. Head on over to our GitHub page for technical details and to try it out!
At Snap Labs, we provision a lot of lab environments. This means we have tons of system credentials, SSH keys, and VPN configurations to keep track of. We’re also extremely conscious of the security implications of misconfiguring a security group for one of our lab instances. Windows boxes with RDP open to the internet (especially vulnerable lab images!) don’t tend to last very long without getting compromised…
To address both of these problems, we implemented a bastion host approach for access to our labs. Every lab we deploy is only accessible through a single instance, integrated with our platform, that manages the VPN configurations and console connections for a seamless and secure lab access experience for our users.
We really like this approach and think others could benefit from adopting the same principles. So, we open sourced a good portion of our internal solution!

What does the open source version do?
The Snap Labs BastionBox is easy to deploy into AWS through a pre-configured AMI, or into any other lab environment through a simple install script on Ubuntu 20.04 (and likely other systems). It provides two ways to access systems in your lab environment:
Console connections use the awesome Apache Guacamole (https://guacamole.apache.org/) project to provide a clientless remote access gateway to your lab systems directly through your browser. To create a new console connection, simply provide credentials/connection details for a system in your lab and save the connection. Then, connect to your lab system through the browser in one click. BastionBox makes sure you’re authenticated and passes along the previously saved connection details to authenticate to your lab system.
BastionBox implements an OpenVPN server and custom scripts to dynamically create and revoke VPN configurations. This is an easy way to share access to your lab when you want to, and to revoke it when you’re done sharing. To create a configuration, simply provide a name and the operating system that you’ll be connecting from, then hit create. BastionBox will automatically create a new OpenVPN configuration file and save it for download at any time.
Our goal was to create a single, simple interface to allow lab access management. At the same time, we hope to bolster your lab’s security posture by reducing the number of systems exposed to external networks.
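To check that a lab actually follows the bastion-only model described above, the sketch below audits security groups for ingress rules that are reachable from outside the lab on anything other than the bastion. It is an added example, not part of BastionBox or the original post; the group IDs, ports and CIDRs are constructed, and the input is assumed to have the shape of `aws ec2 describe-security-groups` output.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# Group IDs, ports and CIDRs are made up for illustration.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-win-lab", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-linux-lab", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

# Ranges treated as lab-internal (RFC 1918 and IPv6 unique local addresses).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def is_external(cidr):
    """True unless the CIDR lies entirely inside an internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)

def port_label(perm):
    """Readable protocol/port string; IpProtocol "-1" means every protocol and port."""
    if perm["IpProtocol"] == "-1":
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    ports = str(lo) if lo == hi else f"{lo}-{hi}"
    return f"{perm['IpProtocol']}/{ports}"

def exposed_rules(groups, bastion_group_ids):
    """List (group_id, ports, cidr) for externally reachable ingress outside the bastion."""
    findings = []
    for group in groups:
        if group["GroupId"] in bastion_group_ids:
            continue  # the bastion is the one instance meant to face outward
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings += [(group["GroupId"], port_label(perm), c) for c in cidrs if is_external(c)]
    return findings

if __name__ == "__main__":
    for gid, ports, cidr in exposed_rules(SAMPLE_GROUPS, {"sg-bastion"}):
        print(f"{gid}: {ports} open to {cidr}")
```

Any finding is a lab system that bypasses the bastion, such as the RDP rule on the constructed Windows group.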