{"id":42500,"date":"2023-12-04T05:48:33","date_gmt":"2023-12-04T10:48:33","guid":{"rendered":"https:\/\/netfoundry.io\/?p=42500"},"modified":"2024-12-05T10:33:23","modified_gmt":"2024-12-05T15:33:23","slug":"a-zero-trust-journey-bastion-security-dark-mode","status":"publish","type":"post","link":"https:\/\/netfoundry.io\/zero-trust\/a-zero-trust-journey-bastion-security-dark-mode\/","title":{"rendered":"A Zero Trust Journey: Bastion Security &#8220;Dark Mode&#8221;"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"42500\" class=\"elementor elementor-42500\" data-elementor-post-type=\"post\">\n\t\t\t\t<div class=\"elementor-element elementor-element-29f327ee e-flex e-con-boxed e-con e-parent\" data-id=\"29f327ee\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-43f6bdb3 elementor-widget elementor-widget-text-editor\" data-id=\"43f6bdb3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>When we built NetFoundry\u2019s platform,\u00a0<strong>we followed a typical bastion security pattern<\/strong>: the stack was a fortress, and you had to be inside to do all the fun stuff. At that early stage,\u00a0<strong>it wasn\u2019t yet feasible to use OpenZiti<\/strong>\u00a0to create the safe zone that we needed in which to develop the foundational infrastructure.<\/p>\n<p>When OpenZiti was ready, we started to look at how we could apply what we\u2019d built and learned. We knew\u00a0<strong>we wanted to adopt\u00a0<a href=\"https:\/\/nfweb.wpenginepowered.com\/implementing-true-zero-trust-networking\" data-wplink-edit=\"true\">the zero trust mindset<\/a><\/strong>\u00a0that had motivated the development of OpenZiti in the first place. 
We had one strong layer of defense directly exposed to the internet: a perimeter of bastions. We knew that lots of developers were facing the same problem: first, get it working, then try to make it secure by bolting-on armor. We knew bad things would happen if an attacker somehow slipped inside the fortress, but we didn\u2019t want to impede day-to-day operations too much.<\/p>\n<p>OpenZiti was designed to solve this problem. With OpenZiti, it would become possible to start with secure-by-design without slowing down the getting-it-working part [<a href=\"https:\/\/nfweb.wpenginepowered.com\/devops-meets-secops\/\">Why every DevOps person should love OpenZiti<\/a>]. The only problem was that we didn\u2019t have it yet, so we built a temporary fortress with SSH. This is the story of how we retrofitted our infrastructure for zero trust with OpenZiti without rebuilding or shutting down during the process.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-2d73cda0 e-grid e-con-full e-con e-child\" data-id=\"2d73cda0\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-10d060c5 elementor-widget elementor-widget-image\" data-id=\"10d060c5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"24\" height=\"24\" src=\"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/08\/netfoundry-endpoint-gray.svg\" class=\"attachment-large size-large wp-image-36613\" alt=\"\" loading=\"lazy\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-64c15dee elementor-widget__width-inherit elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"64c15dee\" data-element_type=\"widget\" 
data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7df69ae7 elementor-widget elementor-widget-image\" data-id=\"7df69ae7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"24\" height=\"24\" src=\"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/08\/netfoundry-endpoint-gray.svg\" class=\"attachment-large size-large wp-image-36613\" alt=\"\" loading=\"lazy\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-953eedf e-flex e-con-boxed e-con e-parent\" data-id=\"953eedf\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c91f20a elementor-widget elementor-widget-text-editor\" data-id=\"c91f20a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3>Isn\u2019t Secure Shell\u2026Secure?<\/h3>\n<p>There are dimensions to \u201csecure\u201d worth mentioning.\u00a0<strong>The OpenZiti approach to zero trust maturity is to secure the application instead of the network<\/strong>. The best way to secure the application is to embed the OpenZiti SDK directly into your application. This brings strong identity and zero trust principles directly into the process space. We won\u2019t get that far in this episode, but we will in a later post. 
We\u2019ll start by securing the host device instead of the network.<\/p>\n<p><strong>Our immediate need was to remove our bastions from the open internet because vulnerability exploitation is the second most prevalent infection vector according to\u00a0<a href=\"https:\/\/www.ibm.com\/downloads\/cas\/ADLMYLAZ\" target=\"_blank\" rel=\"noopener\">IBM\u2019s updated X-Force Threat Intelligence Index<\/a><\/strong>. The previous report cited active network scanning as the most prevalent infection vector and so it makes sense that discovering vulnerable targets regularly involves active scanning of exposed server ports. Those vulnerabilities are then exploited, data is compromised, and trust is broken. You can learn more in\u00a0<a href=\"https:\/\/nfweb.wpenginepowered.com\/anvil\/NFWP-HowdoRansomwareactorsfindvictimsPart1.pdf\">How Do Ransomware Actors Find Victims<\/a>\u00a0by NetFoundry\u2019s chief of security, Mike Gorman. Eliminating the network attack surface makes this problem go away.<\/p>\n<p>OpenSSH server has enjoyed a great security track record for the last few years. However,\u00a0<strong>internet exposure can still lead to problems like denial of service attacks, zero-day exploits, and insider misuse<\/strong>. A bastion presents an attack surface analogous to the gate and walls of a fortress. If there\u2019s one weakness then it will eventually be discovered.<\/p>\n<p>It was popular for a while to obscure the SSH server by configuring a non-standard port to listen for connections or require a port knocking pattern to open the listener port. 
Those tactics may have seemed clever at the time, but would only delay the discovery of the same weakness.\u00a0<strong>I like the idea of having an assurance of security that is not dependent upon the prospective intruder\u2019s lack of imagination<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-8e41f65 e-grid e-con-full e-con e-child\" data-id=\"8e41f65\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e6fae85 elementor-widget elementor-widget-image\" data-id=\"e6fae85\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"24\" height=\"24\" src=\"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/08\/netfoundry-endpoint-gray.svg\" class=\"attachment-large size-large wp-image-36613\" alt=\"\" loading=\"lazy\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-fd36bf2 elementor-widget__width-inherit elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"fd36bf2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9196ed1 elementor-widget elementor-widget-image\" data-id=\"9196ed1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"24\" height=\"24\" src=\"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/08\/netfoundry-endpoint-gray.svg\" class=\"attachment-large size-large wp-image-36613\" alt=\"\" loading=\"lazy\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-dc58e9b e-flex e-con-boxed e-con e-parent\" data-id=\"dc58e9b\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-54926c2 elementor-widget elementor-widget-text-editor\" data-id=\"54926c2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3>Gracefully Going Dark<\/h3>\n<p>Our build systems, support engineers, admins, and developers use the SSH infrastructure daily. We realized that we would have to step this forward without too much disruption. Our fortress walls comprised a fleet of Linux hosts, each running an OpenSSH server.\u00a0<strong>According to best practices, they were locked down tight but were still listening on the open internet. 
Going \u201cdark\u201d would mean the internet access we were using to reach the bastion hosts would no longer be available as soon as the firewall exceptions are removed, disallowing inbound 22\/TCP<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-baa427a elementor-widget elementor-widget-image\" data-id=\"baa427a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"746\" height=\"417\" src=\"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/12\/ssh-public-bastion.png\" class=\"attachment-large size-large wp-image-42509\" alt=\"NetFoundry | SSH Public Bastion\" loading=\"lazy\" srcset=\"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/12\/ssh-public-bastion.png 746w, https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/12\/ssh-public-bastion-300x168.png 300w\" sizes=\"auto, (max-width: 746px) 100vw, 746px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-9135641 e-grid e-con-full e-con e-child\" data-id=\"9135641\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-3b9354b elementor-widget elementor-widget-image\" data-id=\"3b9354b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"24\" height=\"24\" src=\"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/08\/netfoundry-endpoint-gray.svg\" class=\"attachment-large size-large wp-image-36613\" alt=\"\" loading=\"lazy\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div 
class=\"elementor-element elementor-element-bd18e82 elementor-widget__width-inherit elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"bd18e82\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c3377a8 elementor-widget elementor-widget-image\" data-id=\"c3377a8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"24\" height=\"24\" src=\"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/08\/netfoundry-endpoint-gray.svg\" class=\"attachment-large size-large wp-image-36613\" alt=\"\" loading=\"lazy\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b0825e6 e-flex e-con-boxed e-con e-parent\" data-id=\"b0825e6\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-291c207 elementor-widget elementor-widget-text-editor\" data-id=\"291c207\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3>Enter the Dark Bastions<\/h3>\n<p><strong>We treated our bastions like any other app and applied OpenZiti to control the network-level access to the servers\u2019 listening ports<\/strong>. On the SSH server host, we installed an OpenZiti tunneler as a system daemon. Any tunneler can be configured to provide server or client functionality. 
For the sake of clarity, I\u2019ll refer to \u201cserver tunneler\u201d or \u201cclient tunneler\u201d. In our case, the server tunneler was bound to a single OpenZiti service for SSH that shovels packets between the OpenZiti network and localhost:22, the device\u2019s host-only loopback interface. This is a simple thing to set up and works for any services you want to expose securely, on any OS, any device.<\/p>\n<p>We continued using the familiar \u201cssh\u201d (OpenSSH client) on the admin workstations in tandem with a client tunneler. This means\u00a0<strong>we didn\u2019t have to change our OpenSSH client configuration, the domain names we were using, or the \u201cssh\u201d command-line arguments and options!<\/strong>\u00a0The global DNS records for the bastions were still in place to allow for a seamless transition.<\/p>\n<p><strong>A neat feature of an OpenZiti tunneling app is its ability to discover OpenZiti services with its built-in DNS. Our workstations then preferred the built-in OpenZiti DNS<\/strong>\u00a0above global DNS for name queries that match an authorized OpenZiti service.\u00a0<strong>This was powerful because it enabled a seamless transition!<\/strong>\u00a0Each workstation gained the ability to jump on and off the OpenZiti solution by merely toggling its client tunneler. 
We retained the global records to support our transition, but nothing stops us from deleting them entirely.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-136c96e elementor-widget elementor-widget-image\" data-id=\"136c96e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"768\" height=\"196\" src=\"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/12\/bastion-768x196.png\" class=\"attachment-medium_large size-medium_large wp-image-42504\" alt=\"NetFoundry | Bastion\" loading=\"lazy\" srcset=\"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/12\/bastion-768x196.png 768w, https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/12\/bastion-300x77.png 300w, https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/12\/bastion.png 783w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-53aa6a0 elementor-widget elementor-widget-image\" data-id=\"53aa6a0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"753\" height=\"416\" src=\"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/12\/dark-bastion.png\" class=\"attachment-large size-large wp-image-42508\" alt=\"NetFoundry | Ziti SSH Dark Bastion\" loading=\"lazy\" srcset=\"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/12\/dark-bastion.png 753w, https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/12\/dark-bastion-300x166.png 300w\" sizes=\"auto, (max-width: 753px) 100vw, 753px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div 
class=\"elementor-element elementor-element-b449d29 elementor-widget elementor-widget-text-editor\" data-id=\"b449d29\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div id=\"attachment_7966\" class=\"wp-caption aligncenter\">\n<p><strong>The final result is that the bastions are invisible to the attacker viewing them from the internet or the subnet behind the wall<\/strong>. Our authorized workstations continue to use them normally after installing OpenZiti, as signified in the drawing by the ultraviolet \u201cZ\u201d badge. This has been\u00a0<strong>a painless change and is an enormous improvement in the overall security posture and immediate visibility of how the bastions are being used, and by whom!<\/strong>\u00a0Every time we gain a new admin or support engineer, we add them to the system with these steps:<\/p>\n<ol>\n<li>Ask for their SSH pubkey to add to the Jenkins job for bastion configs, which uses an OpenZiti tunneler to access the dark bastions in the same way as the workstations.<\/li>\n<li>Have them install a tunneler on their workstation.<\/li>\n<li>Add the appropriate attributes to their identity in the NetFoundry console to authorize bastion access.<\/li>\n<\/ol>\n<p>There\u2019s still one not-so-zero-trust feature of the dark bastions diagram: the SQL server. It is still visible to its local network and therefore vulnerable if a malicious actor can get behind the wall. We\u2019ll take a swing at that remaining vulnerability in a future episode.<\/p>\n<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>When we built NetFoundry\u2019s platform,\u00a0we followed a typical bastion security pattern: the stack was a fortress, and you had to be inside to do all the fun stuff. 
At that early stage,\u00a0it wasn\u2019t yet feasible to use OpenZiti\u00a0to create the safe zone that we needed in which to develop the foundational infrastructure. When OpenZiti was [&hellip;]<\/p>\n","protected":false},"author":92,"featured_media":42543,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[477],"tags":[956,961,960,959,962,958,957,963],"class_list":["post-42500","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-zero-trust","tag-bastion-security","tag-devops-zero-trust","tag-enhanced-bastion-experience","tag-secure-remote-access","tag-secure-remote-management","tag-zero-trust-bastion","tag-zero-trust-or-developers","tag-zero-trust-remote-access"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>A Zero Trust Journey: Bastion Security &quot;Dark Mode&quot;<\/title>\n<meta name=\"description\" content=\"Explore using a zero trust security approach to secure a Bastion. Learn about &quot;dark mode&quot; and how to Optimize DevOps for secure access.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/netfoundry.io\/zero-trust\/a-zero-trust-journey-bastion-security-dark-mode\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A Zero Trust Journey: Bastion Security &quot;Dark Mode&quot;\" \/>\n<meta property=\"og:description\" content=\"Explore using a zero trust security approach to secure a Bastion. 
Learn about &quot;dark mode&quot; and how to Optimize DevOps for secure access.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/netfoundry.io\/zero-trust\/a-zero-trust-journey-bastion-security-dark-mode\/\" \/>\n<meta property=\"og:site_name\" content=\"NetFoundry\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/netfoundry.io\" \/>\n<meta property=\"article:published_time\" content=\"2023-12-04T10:48:33+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-12-05T15:33:23+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/12\/a-zero-trust-journey-bastion-dark-mode.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1536\" \/>\n\t<meta property=\"og:image:height\" content=\"804\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Philip Griffiths\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@netfoundry\" \/>\n<meta name=\"twitter:site\" content=\"@netfoundry\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Philip Griffiths\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/netfoundry.io\\\/zero-trust\\\/a-zero-trust-journey-bastion-security-dark-mode\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/netfoundry.io\\\/zero-trust\\\/a-zero-trust-journey-bastion-security-dark-mode\\\/\"},\"author\":{\"name\":\"Philip Griffiths\",\"@id\":\"https:\\\/\\\/netfoundry.io\\\/#\\\/schema\\\/person\\\/2020f6a86319585ac99dc3262fb40673\"},\"headline\":\"A Zero Trust Journey: Bastion Security &#8220;Dark Mode&#8221;\",\"datePublished\":\"2023-12-04T10:48:33+00:00\",\"dateModified\":\"2024-12-05T15:33:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/netfoundry.io\\\/zero-trust\\\/a-zero-trust-journey-bastion-security-dark-mode\\\/\"},\"wordCount\":1106,\"publisher\":{\"@id\":\"https:\\\/\\\/netfoundry.io\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/netfoundry.io\\\/zero-trust\\\/a-zero-trust-journey-bastion-security-dark-mode\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/netfoundry.io\\\/wp-content\\\/uploads\\\/2024\\\/12\\\/a-zero-trust-journey-bastion-dark-mode.jpg\",\"keywords\":[\"Bastion security\",\"DevOps zero trust\",\"Enhanced Bastion experience\",\"Secure remote access\",\"Secure remote management\",\"Zero Trust Bastion\",\"Zero Trust or developers\",\"Zero Trust remote access\"],\"articleSection\":[\"Zero Trust\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/netfoundry.io\\\/zero-trust\\\/a-zero-trust-journey-bastion-security-dark-mode\\\/\",\"url\":\"https:\\\/\\\/netfoundry.io\\\/zero-trust\\\/a-zero-trust-journey-bastion-security-dark-mode\\\/\",\"name\":\"A Zero Trust Journey: Bastion Security \\\"Dark 
Mode\\\"\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/netfoundry.io\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/netfoundry.io\\\/zero-trust\\\/a-zero-trust-journey-bastion-security-dark-mode\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/netfoundry.io\\\/zero-trust\\\/a-zero-trust-journey-bastion-security-dark-mode\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/netfoundry.io\\\/wp-content\\\/uploads\\\/2024\\\/12\\\/a-zero-trust-journey-bastion-dark-mode.jpg\",\"datePublished\":\"2023-12-04T10:48:33+00:00\",\"dateModified\":\"2024-12-05T15:33:23+00:00\",\"description\":\"Explore using a zero trust security approach to secure a Bastion. Learn about \\\"dark mode\\\" and how to Optimize DevOps for secure access.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/netfoundry.io\\\/zero-trust\\\/a-zero-trust-journey-bastion-security-dark-mode\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/netfoundry.io\\\/zero-trust\\\/a-zero-trust-journey-bastion-security-dark-mode\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/netfoundry.io\\\/zero-trust\\\/a-zero-trust-journey-bastion-security-dark-mode\\\/#primaryimage\",\"url\":\"https:\\\/\\\/netfoundry.io\\\/wp-content\\\/uploads\\\/2024\\\/12\\\/a-zero-trust-journey-bastion-dark-mode.jpg\",\"contentUrl\":\"https:\\\/\\\/netfoundry.io\\\/wp-content\\\/uploads\\\/2024\\\/12\\\/a-zero-trust-journey-bastion-dark-mode.jpg\",\"width\":1536,\"height\":804,\"caption\":\"A Zero Trust Journey: Bastion \\\"Dark Mode\\\"\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/netfoundry.io\\\/zero-trust\\\/a-zero-trust-journey-bastion-security-dark-mode\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/netfoundry.io\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"A Zero Trust Journey: Bastion Security &#8220;Dark 
Mode&#8221;\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/netfoundry.io\\\/#website\",\"url\":\"https:\\\/\\\/netfoundry.io\\\/\",\"name\":\"NetFoundry\",\"description\":\"Identity-First\u2122 Networking\",\"publisher\":{\"@id\":\"https:\\\/\\\/netfoundry.io\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/netfoundry.io\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/netfoundry.io\\\/#organization\",\"name\":\"NetFoundry\",\"url\":\"https:\\\/\\\/netfoundry.io\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/netfoundry.io\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/netfoundry.io\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/netfoundry-icon-color.png\",\"contentUrl\":\"https:\\\/\\\/netfoundry.io\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/netfoundry-icon-color.png\",\"width\":512,\"height\":512,\"caption\":\"NetFoundry\"},\"image\":{\"@id\":\"https:\\\/\\\/netfoundry.io\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/netfoundry.io\",\"https:\\\/\\\/x.com\\\/netfoundry\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/netfoundry\\\/\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCGN6PFj1rZu50yme9YsICmg\",\"https:\\\/\\\/www.instagram.com\\\/netfoundry.io\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/netfoundry.io\\\/#\\\/schema\\\/person\\\/2020f6a86319585ac99dc3262fb40673\",\"name\":\"Philip 
Griffiths\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/dca9b7a1e6d3a47ce3440cd0d6e3d5362df9613f48558fd1dd0ce8816f7c70af?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/dca9b7a1e6d3a47ce3440cd0d6e3d5362df9613f48558fd1dd0ce8816f7c70af?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/dca9b7a1e6d3a47ce3440cd0d6e3d5362df9613f48558fd1dd0ce8816f7c70af?s=96&d=mm&r=g\",\"caption\":\"Philip Griffiths\"},\"url\":\"https:\\\/\\\/netfoundry.io\\\/author\\\/philip-griffiths\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"A Zero Trust Journey: Bastion Security \"Dark Mode\"","description":"Explore using a zero trust security approach to secure a Bastion. Learn about \"dark mode\" and how to Optimize DevOps for secure access.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/netfoundry.io\/zero-trust\/a-zero-trust-journey-bastion-security-dark-mode\/","og_locale":"en_US","og_type":"article","og_title":"A Zero Trust Journey: Bastion Security \"Dark Mode\"","og_description":"Explore using a zero trust security approach to secure a Bastion. 
Learn about \"dark mode\" and how to Optimize DevOps for secure access.","og_url":"https:\/\/netfoundry.io\/zero-trust\/a-zero-trust-journey-bastion-security-dark-mode\/","og_site_name":"NetFoundry","article_publisher":"https:\/\/www.facebook.com\/netfoundry.io","article_published_time":"2023-12-04T10:48:33+00:00","article_modified_time":"2024-12-05T15:33:23+00:00","og_image":[{"width":1536,"height":804,"url":"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/12\/a-zero-trust-journey-bastion-dark-mode.jpg","type":"image\/jpeg"}],"author":"Philip Griffiths","twitter_card":"summary_large_image","twitter_creator":"@netfoundry","twitter_site":"@netfoundry","twitter_misc":{"Written by":"Philip Griffiths","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/netfoundry.io\/zero-trust\/a-zero-trust-journey-bastion-security-dark-mode\/#article","isPartOf":{"@id":"https:\/\/netfoundry.io\/zero-trust\/a-zero-trust-journey-bastion-security-dark-mode\/"},"author":{"name":"Philip Griffiths","@id":"https:\/\/netfoundry.io\/#\/schema\/person\/2020f6a86319585ac99dc3262fb40673"},"headline":"A Zero Trust Journey: Bastion Security &#8220;Dark Mode&#8221;","datePublished":"2023-12-04T10:48:33+00:00","dateModified":"2024-12-05T15:33:23+00:00","mainEntityOfPage":{"@id":"https:\/\/netfoundry.io\/zero-trust\/a-zero-trust-journey-bastion-security-dark-mode\/"},"wordCount":1106,"publisher":{"@id":"https:\/\/netfoundry.io\/#organization"},"image":{"@id":"https:\/\/netfoundry.io\/zero-trust\/a-zero-trust-journey-bastion-security-dark-mode\/#primaryimage"},"thumbnailUrl":"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/12\/a-zero-trust-journey-bastion-dark-mode.jpg","keywords":["Bastion security","DevOps zero trust","Enhanced Bastion experience","Secure remote access","Secure remote management","Zero Trust Bastion","Zero Trust or developers","Zero Trust remote access"],"articleSection":["Zero 
Trust"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/netfoundry.io\/zero-trust\/a-zero-trust-journey-bastion-security-dark-mode\/","url":"https:\/\/netfoundry.io\/zero-trust\/a-zero-trust-journey-bastion-security-dark-mode\/","name":"A Zero Trust Journey: Bastion Security \"Dark Mode\"","isPartOf":{"@id":"https:\/\/netfoundry.io\/#website"},"primaryImageOfPage":{"@id":"https:\/\/netfoundry.io\/zero-trust\/a-zero-trust-journey-bastion-security-dark-mode\/#primaryimage"},"image":{"@id":"https:\/\/netfoundry.io\/zero-trust\/a-zero-trust-journey-bastion-security-dark-mode\/#primaryimage"},"thumbnailUrl":"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/12\/a-zero-trust-journey-bastion-dark-mode.jpg","datePublished":"2023-12-04T10:48:33+00:00","dateModified":"2024-12-05T15:33:23+00:00","description":"Explore using a zero trust security approach to secure a Bastion. Learn about \"dark mode\" and how to Optimize DevOps for secure access.","breadcrumb":{"@id":"https:\/\/netfoundry.io\/zero-trust\/a-zero-trust-journey-bastion-security-dark-mode\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/netfoundry.io\/zero-trust\/a-zero-trust-journey-bastion-security-dark-mode\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/netfoundry.io\/zero-trust\/a-zero-trust-journey-bastion-security-dark-mode\/#primaryimage","url":"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/12\/a-zero-trust-journey-bastion-dark-mode.jpg","contentUrl":"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/12\/a-zero-trust-journey-bastion-dark-mode.jpg","width":1536,"height":804,"caption":"A Zero Trust Journey: Bastion \"Dark Mode\""},{"@type":"BreadcrumbList","@id":"https:\/\/netfoundry.io\/zero-trust\/a-zero-trust-journey-bastion-security-dark-mode\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/netfoundry.io\/"},{"@type":"ListItem","position":2,"name":"A Zero Trust 
Journey: Bastion Security &#8220;Dark Mode&#8221;"}]},{"@type":"WebSite","@id":"https:\/\/netfoundry.io\/#website","url":"https:\/\/netfoundry.io\/","name":"NetFoundry","description":"Identity-First\u2122 Networking","publisher":{"@id":"https:\/\/netfoundry.io\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/netfoundry.io\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/netfoundry.io\/#organization","name":"NetFoundry","url":"https:\/\/netfoundry.io\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/netfoundry.io\/#\/schema\/logo\/image\/","url":"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/08\/netfoundry-icon-color.png","contentUrl":"https:\/\/netfoundry.io\/wp-content\/uploads\/2024\/08\/netfoundry-icon-color.png","width":512,"height":512,"caption":"NetFoundry"},"image":{"@id":"https:\/\/netfoundry.io\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/netfoundry.io","https:\/\/x.com\/netfoundry","https:\/\/www.linkedin.com\/company\/netfoundry\/","https:\/\/www.youtube.com\/channel\/UCGN6PFj1rZu50yme9YsICmg","https:\/\/www.instagram.com\/netfoundry.io"]},{"@type":"Person","@id":"https:\/\/netfoundry.io\/#\/schema\/person\/2020f6a86319585ac99dc3262fb40673","name":"Philip Griffiths","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/dca9b7a1e6d3a47ce3440cd0d6e3d5362df9613f48558fd1dd0ce8816f7c70af?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/dca9b7a1e6d3a47ce3440cd0d6e3d5362df9613f48558fd1dd0ce8816f7c70af?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/dca9b7a1e6d3a47ce3440cd0d6e3d5362df9613f48558fd1dd0ce8816f7c70af?s=96&d=mm&r=g","caption":"Philip 
Griffiths"},"url":"https:\/\/netfoundry.io\/author\/philip-griffiths\/"}]}},"_links":{"self":[{"href":"https:\/\/netfoundry.io\/wp-json\/wp\/v2\/posts\/42500","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/netfoundry.io\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/netfoundry.io\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/netfoundry.io\/wp-json\/wp\/v2\/users\/92"}],"replies":[{"embeddable":true,"href":"https:\/\/netfoundry.io\/wp-json\/wp\/v2\/comments?post=42500"}],"version-history":[{"count":0,"href":"https:\/\/netfoundry.io\/wp-json\/wp\/v2\/posts\/42500\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/netfoundry.io\/wp-json\/wp\/v2\/media\/42543"}],"wp:attachment":[{"href":"https:\/\/netfoundry.io\/wp-json\/wp\/v2\/media?parent=42500"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/netfoundry.io\/wp-json\/wp\/v2\/categories?post=42500"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/netfoundry.io\/wp-json\/wp\/v2\/tags?post=42500"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}