Bastion Host Security Service
The Bastion Host Security Service is one of a series of security measures implemented to ensure IET - Data Center and Client Service (DCCS) compliance with the UC Davis Cyber-safety Program policy. The objectives of the series as a whole are to integrate multi-factor authentication, strengthen passwords, and encrypt traffic traveling to and from systems in the Data Center.
Implementation Date
Winter Quarter 2007
Objective
Strengthen passwords and integrate multi-factor authentication.
Service Description
Bastion hosts function as gateways between internal and external networks and are intended to help defend the internal network against attacks. The campus Bastion Host Security Service restricts the access that individuals outside the DCCS network have to Unix-type systems housed in the Data Center. Users must first log in over SSH to a secured SSH server (the bastion host) using a hard token together with a password. The hard token generates a one-time password, so a code that is intercepted cannot be replayed for a later login. After successfully logging in to the bastion host, the authorized individual can then use SSH from the bastion host to log in to DCCS systems.
Technical Description
This service consists of four secured Tectia SSH servers (bastion hosts). The Tectia servers are configured to accept hard tokens that are registered in the DCCS Secure Computing hard token database and associated with valid accounts. Accounts and hard tokens are managed via the IDCA service permit.
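The two-hop login flow described above (token plus password at the bastion, then SSH onward to a Data Center host) is usually handled on the client side with a per-host SSH configuration, so that the bastion hop happens automatically whenever a Data Center host is named. The fragment below is an added example for an OpenSSH client, not taken from the DCCS user guides or from the Tectia configuration; the hostnames, the account name, the domain pattern and the assumption that the bastion authenticates via keyboard-interactive/password are all placeholders, since the real bastion names are only in the restricted "Bastion Host Names and Maintenance Schedule" document.

```ssh_config
# Added example, not from the DCCS user guides. All names below are placeholders.

# First hop: the bastion. Authentication is the hard-token one-time password
# plus the account password, so this hop is always interactive.
Host dccs-bastion
    HostName bastion.datacenter.example      # placeholder; real names are in the restricted PDF
    User jdoe                                # placeholder account name
    PubkeyAuthentication no                  # assumption: the bastion wants token + password, not a key
    PreferredAuthentications keyboard-interactive,password
    ForwardAgent no                          # never forward an agent to a shared gateway

# Second hop: any host inside the Data Center, reached through the bastion.
# ProxyJump needs OpenSSH 7.3 or later; older clients use the ProxyCommand form.
Host *.datacenter.example !bastion.datacenter.example
    ProxyJump dccs-bastion
    # ProxyCommand ssh -W %h:%p dccs-bastion   # equivalent on pre-7.3 clients
    User jdoe                                # placeholder account name
    IdentityFile ~/.ssh/id_ed25519           # key for the inner host only, if keys are set up there
```

With this in `~/.ssh/config`, `ssh db01.datacenter.example` first prompts for the token code and password at the bastion, then authenticates to the inner host; `sftp`, `scp`, `-X` (X forwarding) and `-L`/`-R` tunnels to an inner host all reuse the same entry. Note that the bastion hop still requires a person to type the one-time password, which is exactly why unattended scheduled jobs cannot simply be pointed through this configuration.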
Implications
- As a result of the Bastion Host Security Service implementation, many scheduled or automated tasks that were running on systems housed in the Data Center will no longer work, because an unattended job cannot supply the one-time password from a hard token. DCCS staff will work with system administrators to secure scheduled and/or automated tasks without the use of a hard token. System administrators running scheduled or automated tasks on systems housed in the Data Center should contact cybersecurity@ucdavis.edu for more information.
- ISUN systems will no longer be able to connect to other systems in the Data Center.
Service Fees
Costs associated with the Bastion Host Security Service are part of the existing DCCS equipment housing fee.
Resources
Access to the documentation below is restricted. Contact itsecurity@ucdavis.edu to request access.
- Bastion Host User Guide: Getting Started (PDF)
- Bastion Host User Guide: SFTP Drive (PDF)
- Bastion Host User Guide: SSH with X Forwarding (PDF)
- Bastion Host User Guide: Using SSH Keys (PDF)
- Bastion Host User Guide: Windows Users (PDF)
- Bastion Host User Guide: Tunneling on Mac OS X (PDF)
- Bastion Host Names and Maintenance Schedule (PDF)