
Enforce MFA for remote access to Unix servers and Network Devices.

Motivation

According to OWASP "The most common way that user accounts get compromised on applications is through weak, re-used or stolen passwords. Despite any technical security controls implemented on the application, users are liable to choose weak passwords, or to use the same password on different applications. As developers or system administrators, it should be assumed that users' passwords will be compromised at some point, and the system should be designed in order to defend against this."

MFA is by far the best defense against the majority of password-related attacks, including brute-force, credential stuffing and password spraying, with analysis by Microsoft suggesting that it would have stopped 99.9% of account compromises.

Remote access to Unix servers and Network Devices is especially critical because of the sensitive nature of the data and traffic these devices handle and because of their high exposure. As a result, it relies on robust software controls and, in particular, MFA.

12Port Solution

12Port offers several solutions to enable MFA remote access to Unix servers and Network Devices:

  • MFA for native SSH clients
  • 12Port WEB SSH client

MFA for native SSH clients

The 12Port gateway acts as a man-in-the-middle network component that accepts connections over the native SSH protocol from desktop and mobile SSH clients such as a terminal, PuTTY or other clients built by 3rd-party vendors.

After accepting the client connection, the gateway interrupts the protocol flow with an authentication step before resuming the session with the remote Unix server. Users provide the second authentication factor to the 12Port server through the SSH client, which streams the interactive screen until the gateway switches the stream to the destination endpoint.

Besides the native SSH client, no agents or web browser are required on either the client or the server devices.

The authentication step involves several phases.

  • The user is authenticated and authorized in one of the integrated user directories, such as Microsoft Active Directory, Microsoft Entra ID or the server's own user directory.

  • The user is authenticated a second time using one of several MFA providers, such as Entra ID, RSA SecurID, Google or Microsoft TOTP, HOTP tokens (such as YubiKey), Duo Security or an MFA code sent to email.

  • After these authentication and authorization checks pass, the gateway resumes the connection to the remote Unix server or Network Device.

In addition to remote access to a specific Unix server or Network Device, 12Port allows users to authenticate once to access the 12Port Privileged Shell. Once authenticated in the 12Port Shell, a user can connect to several remote servers, reusing the single sign-on to the 12Port Shell.

The diagram below shows the software architecture to inject MFA into the native SSH protocol.

MFA for native SSH clients

12Port WEB SSH client

In addition to injecting MFA controls into the native protocol described in the previous section, 12Port provides a WEB SSH client to access remote Unix servers and Network Devices. The WEB client offers better security when accessing server-side infrastructure over public networks, and it requires nothing, not even a native SSH client, to be deployed on the client endpoint, which simplifies access from 3rd-party infrastructure.

The WEB SSH client enforces MFA in two distinct places:

  • The WEB client requires MFA when the user logs in to the WEB application. Once logged in, the user can access several remote Unix servers and Network Devices without additional authentication.

  • The WEB client can optionally require additional authentication for selected remote Unix servers and Network Devices, re-verifying the user's identity before connecting to the most critical infrastructure.

The diagram below depicts the software architecture of the WEB SSH client.

MFA for WEB SSH client

12Port Advantage

In addition to enforcing MFA for Unix servers and Network Devices, 12Port provides several useful options to increase network security.

  • Session recording allows complete sessions to be recorded, played back and converted to video.

  • Session event recording captures keystrokes, file transfers and clipboard transfers that occur in the session.

  • Granular access control allows permissions to be granted or revoked for selected users to connect to selected remote Windows servers and to upload or download files and clipboard content.

  • An optional access approval process enables multi-level interactive or automatic approval, selected depending on the day of the week or the time of day.

  • A comprehensive event log reports access and activity inside the session.