Why Direct SSH Access is Restricted in myDRE

In the myDRE environment, direct SSH access to virtual machines (VMs) is blocked for security, technical, and compliance reasons. Instead, users connect through Azure Bastion, a managed service that brokers SSH sessions to VMs inside the virtual network without exposing them to the outside. Here is why this approach is necessary:

Technical Limitations

  1. No Public IP Addresses: Linux VMs in myDRE have no public IP addresses, so they cannot be reached from outside the virtual network at all. A broker inside the network, such as Bastion, is the only way in.
  2. Firewall Protection: Direct SSH access would bypass the firewall policy. SSH can carry arbitrary TCP traffic inside the encrypted session (local, remote and dynamic port forwarding: ssh -L, -R and -D), so a user could tunnel data out of the secure network over a connection the firewall sees only as SSH.

Security Risks

  1. Data Leaks: SSH supports port forwarding and tunneling, which could be used to move data out of the controlled myDRE environment, and the same connection carries SCP/SFTP file transfers. A terminal on the user's own machine additionally gives unrestricted use of the local clipboard, so text can be copied and pasted out of the session freely. Such transfers cannot be logged or audited by myDRE, posing a significant security risk.
  2. Brute-Force Attacks: An SSH port exposed to the internet is scanned continuously and subjected to automated password guessing. If several users' VMs were reachable through one shared public IP, exposing any one of them would raise the risk for all.
  3. Misconfigurations: Users with direct SSH access could unintentionally change security settings on the VM (for example its firewall or sshd configuration), leaving the system vulnerable.
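
The port-forwarding and tunneling features mentioned above are ordinary OpenSSH server options, and whether a directly reachable VM exposes them depends on its sshd_config. The following Python script is an added example, not myDRE's own tooling: it parses a sshd_config, applies the OpenSSH defaults for directives that are absent, and lists every forwarding feature still enabled. The two configurations it audits are constructed samples; the first resembles a stock distribution config, the second disables every channel an exfiltration tunnel would need.

```python
"""Audit an OpenSSH sshd_config for the tunneling features an SSH session can carry.
Added example, not myDRE's own tooling; the sample configs below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Directives that let an SSH session carry data other than the terminal, with the
# OpenSSH default (sshd_config(5)) that applies when the directive is absent.
FORWARDING_DIRECTIVES = {
    "allowtcpforwarding":         ("yes", "TCP port forwarding: ssh -L / -R / -D"),
    "allowstreamlocalforwarding": ("yes", "Unix-domain socket forwarding"),
    "allowagentforwarding":       ("yes", "SSH agent forwarding"),
    "gatewayports":               ("no",  "remote forwards reachable from other hosts"),
    "permittunnel":               ("no",  "tun(4) layer-2/3 VPN over SSH: ssh -w"),
    "x11forwarding":              ("no",  "X11 forwarding"),
}


@dataclass
class Finding:
    directive: str
    value: str
    explicit: bool  # False when the OpenSSH default is what enables the feature
    risk: str


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return the global directives (lower-cased keys) and the Subsystem lines.

    sshd honours the first occurrence of a directive, and everything after the
    first Match line is conditional on user/host, so those lines are skipped."""
    conf: Dict[str, str] = {}
    subsystems: List[str] = []
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        if key == "subsystem":
            subsystems.append(value)
        else:
            conf.setdefault(key, value)
    return conf, subsystems


def audit(text: str) -> List[Finding]:
    """List every forwarding feature that is enabled, explicitly or by default."""
    conf, subsystems = parse_sshd_config(text)
    findings: List[Finding] = []
    for key, (default, risk) in FORWARDING_DIRECTIVES.items():
        value = conf.get(key, default).lower()
        # anything but "no" enables it: yes, local, remote, all, clientspecified, point-to-point, ethernet
        if value != "no":
            findings.append(Finding(key, value, key in conf, risk))
    if any(s.split()[0].lower() == "sftp" for s in subsystems if s):
        findings.append(Finding("subsystem", "sftp", True, "file transfer over the same connection (sftp, scp)"))
    return findings


# Constructed sample resembling a stock distribution config: TCP forwarding is never
# mentioned, so the OpenSSH default leaves it enabled; GatewayPorts is enabled explicitly.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
GatewayPorts yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    AllowTcpForwarding no
"""

# Constructed hardened counterpart: every channel that could carry data out is off,
# and there is no Subsystem line, so sftp/scp are unavailable.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
AllowStreamLocalForwarding no
AllowAgentForwarding no
GatewayPorts no
PermitTunnel no
X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("stock", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {len(audit(cfg))} forwarding feature(s) enabled")
        for f in audit(cfg):
            origin = "set explicitly" if f.explicit else "OpenSSH default"
            print(f"  {f.directive} = {f.value} ({origin}): {f.risk}")
```

To audit a live host, run `sshd -T` on it to dump the effective configuration with defaults expanded, and feed that output to the same parser; the parser deliberately reads only the global section and skips Match blocks, whose settings apply only to the users or hosts they name. Even the hardened configuration still lets a user type data into the terminal and copy it out through the local clipboard, which is why myDRE relies on Bastion rather than on sshd settings alone.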
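
What an exposed SSH port attracts shows up in the server's authentication log. This added Python example (not myDRE code) runs a simple detection over constructed OpenSSH auth log lines: it parses failed authentications, groups them by source address, and flags any source with five or more failures inside a 60-second window, reporting the usernames tried. The hostnames and addresses are made up (documentation ranges 203.0.113.0/24 and 198.51.100.0/24).

```python
"""Flag password-guessing sources in OpenSSH authentication logs.
Added example, not myDRE code; the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Syslog-style line written by OpenSSH on a failed authentication, e.g.
# "Mar  3 10:14:01 vm01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 52110 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)

# Constructed sample: one scanner spraying usernames, one legitimate user who mistyped once.
SAMPLE_AUTH_LOG = """\
Mar  3 10:14:01 vm01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 52110 ssh2
Mar  3 10:14:03 vm01 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 52112 ssh2
Mar  3 10:14:04 vm01 sshd[2205]: Failed password for root from 203.0.113.7 port 52114 ssh2
Mar  3 10:14:06 vm01 sshd[2207]: Failed password for root from 203.0.113.7 port 52116 ssh2
Mar  3 10:14:07 vm01 sshd[2209]: Failed password for invalid user test from 203.0.113.7 port 52118 ssh2
Mar  3 10:14:09 vm01 sshd[2211]: Failed password for invalid user ubuntu from 203.0.113.7 port 52120 ssh2
Mar  3 10:20:15 vm01 sshd[2301]: Failed password for alice from 198.51.100.20 port 40012 ssh2
Mar  3 10:20:19 vm01 sshd[2303]: Accepted publickey for alice from 198.51.100.20 port 40014 ssh2
"""


def parse_failures(lines) -> List[Tuple[datetime, str, str]]:
    """Extract (timestamp, source ip, username) from failed-auth lines; other lines are ignored."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime fills in 1900, which is fine for deltas
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("ip"), m.group("user")))
    return events


def flag_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> Dict[str, dict]:
    """Return sources with at least `threshold` failures inside any `window_seconds` span.

    A sliding window is used rather than a plain count so that a user who mistypes
    a password a few times over a day is not mistaken for an attacker."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    flagged: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "attempts": len(events),
                    "distinct_users": sorted({u for _, u in events}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in flag_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{ip}: {info['attempts']} failures, users tried: {', '.join(info['distinct_users'])}")
```

Tools such as fail2ban apply the same kind of rule continuously and ban the source; the point here is that this is what the log of an exposed host fills with, whereas a VM reachable only through Bastion never sees the scanner's connection at all.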

Compliance with Security Standards (ISO 27001)

  1. Audit and Monitoring: Bastion records all SSH sessions for tracking and requires users to log in with their myDRE credentials, so every session is attributable to a named user and unauthorized access is prevented.

Read more:
  1. Security Manifesto
  2. Copying and Pasting in myDRE: Easy or Safe?