undefined | Better HN

0 pointseverforward16d ago0 comments

There are legit reasons, at least for two nested sessions. A production network that’s airgapped except for a bastion host that acts as a gateway. It’s better than port forwarding because you have to auth to the bastion host before the RDP chaining, and it often takes separate credentials for the second RDP session.

It’s a semi-common setup for higher security environments, and when you have a network of stuff that has known vulnerabilities you can’t patch for whatever reason. Traffic in and out is super carefully firewalled. It’s not great, but it’s better than a 25 year old MySQL with a direct public IP.

0 comments

embedding-shape16d ago

> airgapped except for a bastion host that acts as a gateway

First time I've heard of an airgapped system you could access remotely. Doesn't that kind of defeat the label "airgapped"? I think I'd just call that "isolated" at that point instead.

debarshri16d ago

This concept is related to PAM. You often have to do ops on infra and need some DMZ to do the ops. In regulated industry you have to record every operations done by the person and have to follow principle of least privilege. This what should happen in an ideal world.

embedding-shape16d ago

> You often have to do ops on infra and need some DMZ to do the ops.

This makes sense, "bastion" hosts and similar things is fairly common too. What's not common is calling those "airgapped", because they're clearly not.

hnlmorg16d ago

I agree. They’re network enclaves. Which isn’t the same thing as an air gapped network.

1 more reply

debarshri16d ago

Airgapped is a different concept altogether.

1 more reply

SigmundA16d ago

Logically air gapped :)

https://docs.aws.amazon.com/aws-backup/latest/devguide/logic...

dijit16d ago

AWS likes to redefine things.

Air gapped means... there is nothing except air in the gap between systems.

A physical tether would defeat it.

Now, I pedant could start talking about wifi, but air-gapping is a concept older than the internet. (It stems from plumbing where there's air that prevents back leakage of contamination).

https://en.wikipedia.org/wiki/Air_gap_(networking)

rzzzt16d ago

The moat!

j / k navigate · click thread line to collapse

0 comments

embedding-shape16d ago

> airgapped except for a bastion host that acts as a gateway

First time I've heard of an airgapped system you could access remotely. Doesn't that kind of defeat the label "airgapped"? I think I'd just call that "isolated" at that point instead.

debarshri16d ago

embedding-shape16d ago

> You often have to do ops on infra and need some DMZ to do the ops.

This makes sense, "bastion" hosts and similar things is fairly common too. What's not common is calling those "airgapped", because they're clearly not.

hnlmorg16d ago

I agree. They’re network enclaves. Which isn’t the same thing as an air gapped network.

1 more reply

debarshri16d ago

Airgapped is a different concept altogether.

1 more reply

SigmundA16d ago

Logically air gapped :)

https://docs.aws.amazon.com/aws-backup/latest/devguide/logic...

dijit16d ago

AWS likes to redefine things.

Air gapped means... there is nothing except air in the gap between systems.

A physical tether would defeat it.

Now, I pedant could start talking about wifi, but air-gapping is a concept older than the internet. (It stems from plumbing where there's air that prevents back leakage of contamination).

https://en.wikipedia.org/wiki/Air_gap_(networking)

rzzzt16d ago

The moat!

j / k navigate · click thread line to collapse