Talk:Jump server

Latest comment: 2 years ago by Peaceray in topic Misinformation

Misinformation

edit

@peaceray Hello. Subnetting is not a standard security practice. It is a way to manage IP space. It does not add security, or prevent a machine from being secure. The first bullet point here says that a jump server is made more secure by part of a smaller subnet. That isn't true in anyway, shape, or form. In many cases, creating small subnets hurts more than it helps, or is suboptimal (see ipv6)

Can you explain why you re added that smaller subnets assist with securing jump servers?

You also added that ACLs can be used to choose who enters a network. But an ACL uses network signals only, and does not know who is sending them. This is another piece of misinformation you added.

You will notice this misinformation is unsourced. I'm going to remove it again, and hope you use the talk page before reading misinformation into this article. 2600:1700:12B0:3000:85A4:3E9A:69B1:D576 (talk) 05:00, 28 January 2022 (UTC)Reply

Subnetting was certainly was taught as a standard cybersecurity practice in my CISSP & Security+ preparation courses. But do not take my word for it.
  • "What Is Network Segmentation?". Palo Alto Networks. Retrieved 2022-01-28.
  • "What Is Network Segmentation?". Cisco. 2020-06-16. Retrieved 2022-01-28.
  • "What Is Network Segmentation and Why It Matters?". Default. 2020-10-23. Retrieved 2022-01-28.
  • "What is Network Segmentation?". VMware. 2022-01-13. Retrieved 2022-01-28.
  • "Network Segmentation Series: What is It?". Security Intelligence. 2021-02-15. Retrieved 2022-01-28.
  • "Network Segmentation: What It Is And Why It Matters". Fortinet. Retrieved 2022-01-28.
You can find a few more results at https://www.google.com/searchq=segmenting+a+network+for+security
Now that I have provided a half dozen+ sources for why subnetting / segmenting is a standard cybersecurity practice, would you please kindly list your sources why it is not? Perhaps you can find something approaching the About 98,600,000 result that Google claims for "segmenting a network for security". Peaceray (talk) 05:54, 28 January 2022 (UTC)Reply
Subnetting isn't a part of "jump hosts", it is part of networking in general. It misleading to claim that because subnetting is used to secure networks, jump hosts should be members of more subnets. That is your claim that you added. That is original research. You will find out, adding more networks to a hardended host makes it HARDER to secure. For modern ip protocols, you can't even adjust the subnet size if you'd like to, by standard.
https://datatracker.ietf.org/doc/html/rfc4291
There is your source for ipv6. Can you tell me which of your sources makes the claim in the prose you added, specifically, "it is safer to have smaller and more subnets attached to jump servers". I can't think of anyone who would recommend adding more complexity to a hardened box.
looking deeper, looks like all of your sources are actually unrelated to the topic of jump servers completely. Can you please provide a source for your claims about the best practices of configuring jump servers? Else, can we agree that this is original research and faulty. At best, it's someone's vague recollection of 1990s networking, at worst, it was someone trolling with misinfo. — Preceding unsigned comment added by 2600:1700:12B0:3000:85A4:3E9A:69B1:D576 (talk) 06:24, 28 January 2022 (UTC)Reply
Those sources specifically address your claim from your first edit summary Removed a list of misinformation. I. E. Smaller networks are not more secure.
Since my last comment here, I have provided citations for each Jump server#Security risks bullet item that is specific to that item's application to jump servers. You may discuss any problems you have with individual citations here. I am sure we can find other reliable sources with a little more research. Peaceray (talk) 06:36, 28 January 2022 (UTC)Reply
I think you moved the references incorrectly, because there is a reference about subnetting in the "strong logging" and "Keeping the OS" up to date bullets. But even if those were references about regular updates, that isn't specific to jump hosts. It is just general and vague advice. What is strong logging? Verbose logging can be an attack vector. The reference does not use this phrase. Maybe it would be easier to link to [Hardening_(computing)] in the prose instead of attempting to summarize that article here in the form of a list — Preceding unsigned comment added by 2600:1700:12B0:3000:85A4:3E9A:69B1:D576 (talk) 06:58, 28 January 2022 (UTC)Reply
The citations that I added each mention jump server & are specific to the particular security practice, either in application to or with jump servers.
The bulleted items are neither false nor misinformation. All of them are standard cybersecurity practices.
The citations I added discuss those security practices that buttress jump servers and their inclusion as part of a layered approach to cybersecurity. Yes, many of them are good security practices in themselves, but they are all necessary to the robust implementation of a jump server. I think that we would be wholly remiss to omit them. Peaceray (talk) 07:30, 28 January 2022 (UTC)Reply
As to tweaking the language of any of the items, I am certainly open to any improvements. Peaceray (talk) 07:32, 28 January 2022 (UTC)Reply