Boundary is much more than PAM

An objective take on how Boundary is coming along.

In my consulting days, I spent time at four of the biggest banks in the world. During one DevSecOps assessment I was handed basic credentials which, I found, gave me full access to a class B subnet containing a global cache of their entire FX trading codebase and a wealth of other archives that nobody should have access to. Would you trust your finances with an organization like that? This is a prime use case for Boundary.

Privileged Access Management is something Consul and Vault users might be familiar with as there is a partial feature overlap already. PAM maps a user identity to a service using a policy and provides an audit trail for accountability. Consul and Vault each cover part but not all of the PAM use case.

Consul can provide routes and end-to-end mutual TLS between services. It can also inspect and direct traffic using Layer 7 policies such as a URL or part of a request. But Consul is missing the user identity, audit trail, and protocol awareness of PAM.

Vault actually covers the user identity side. A user can authenticate to Vault via an external mechanism like LDAP or OIDC and then generate a temporary SSH certificate to access a resource. Enterprise users can even use control groups to require a number of approvals before the user has access. But Vault does not establish a route to the SSH resource or monitor whatever the user does with that credential.

In the future, Boundary will also record sessions and potentially direct or limit communication, as Consul does at L7, across a growing list of protocols including HTTP, RDP, SSH, kubectl, and Postgres databases. So if this is designed for Enterprise Cloud users, why should a practitioner or hobbyist care?

As a hobbyist, Boundary is much more than an Enterprise product. For myself, Boundary replaces a very vulnerable set of components. I’ve also found some of our partners are excited to apply this in their own home labs. Take a simple use case for example. I’m active in the Fedora community and I sometimes invite developers to remote into my lab to access exotic development hardware like ARM servers and RISC-V development boards. I also run some local services including Cockpit and a GitLab instance behind the firewall. Any traditional remote access solution usually relies on the following three components:

Each of these presents a major problem, but number one is the biggest for me. Registering your edge IP with public DNS or dynamic DNS is like putting up a sign announcing your address to everyone on the internet. DNS is a prime target for every botnet and malware script kiddie on the internet. You may as well set off a beacon inviting the darkest parts of the web to come scan your ports. Try this with a honeypot and see how quickly you find yourself mining someone else’s Monero, or worse.

Just invite attackers in, why not?

Number two is equally challenging. Given all the public attention you just brought on yourself, you’d better have a solid and reliable firewall and a connection that can handle a bit of DDoS flooding. If someone finds a vulnerable port on that IP, you are automatically going to be registered on the next botnet hit list.

Welcome to Layer 4, where people check all your doors and window locks.

Number three presents a different problem. When you want to allow someone else access, most VPNs or bastion/jump hosts expose the entire network by default. Rather than exposing just SSH on a cloud server or HTTP on the local ARM server, my collaborators suddenly have access to the entire network and every port. Even without a VPN this can be a problem in corporate networks.

A gate to an entire network doesn’t do much good.

These same problems are faced by everyone from garage startups to tier 1 banks in the cloud. Boundary solves all of them in one universal package.

Sounds nice, right? So how complex is setup? Boundary Controller is a bit complex to set up from scratch. It requires a KMS or Vault to encrypt its data and a Postgres database. In accordance with the Tao of HashiCorp, it’s resilient and can be deployed as a single node or cluster. Even better, HCP makes it a snap to deploy, including automatic DNS and TLS certificates. We actually have a shared Controller in HCP for HashiCorp’s EMEA partners and each can have their own org to control.

What about Boundary Workers, which act as edge gateways and monitor which hosts or host groups they have connectivity to? These are also resilient by design and can be deployed as a single node or a cluster. They can be deployed as cloud VMs or on a physical server with forwarding from the edge. Even better, our Go builds are extremely portable. I have found our ARM builds of Boundary Worker run just fine on commodity WiFi routers from ASUS, Ubiquiti, and more. They can be registered via PKI with a Boundary Controller running locally or within HCP. If your router runs a Linux based kernel (most do) and has enough RAM (some do) then I find Boundary Worker generally will run on it just fine. Note that Boundary is currently only open source under an MPL2 license and there is no support from the Boundary team if your router crashes, so please be careful and know it is at your own risk.
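To make the edge-Worker setup above concrete, here is an added example of a worker configuration for a home-lab device such as the routers described, registering with a self-managed Controller via PKI. This is not the post’s or HashiCorp’s own code; the hostnames, addresses, paths, token and tag values are placeholders, and the field names follow Boundary’s documented worker stanza as I understand it, so check them against the docs for the version you run.

```hcl
# Added example: Boundary Worker on a home-lab edge device (e.g. a Linux router).
# All addresses, paths, tokens and tags below are placeholders.

# Small devices often cannot lock memory; this trade-off is deliberate and visible.
disable_mlock = true

# The only port the edge firewall needs to forward: client session proxy traffic.
listener "tcp" {
  address = "0.0.0.0:9202"
  purpose = "proxy"
}

worker {
  # Where the worker persists its PKI credentials after the first registration.
  auth_storage_path = "/var/lib/boundary/worker"

  # The worker dials out to the Controller's cluster listener (9201);
  # the Controller never needs an inbound path into the lab network.
  initial_upstreams = ["boundary-controller.lab.example:9201"]

  # Address clients are told to connect to for sessions: the forwarded edge port.
  public_addr = "203.0.113.10:9202"

  # One-time activation token issued when the worker is created on the Controller.
  controller_generated_activation_token = "REPLACE_WITH_TOKEN_FROM_CONTROLLER"

  # Tags let a target's worker filter pin lab targets to this worker only,
  # so the ARM and RISC-V boards are never reachable through a cloud worker.
  tags {
    type = ["lab", "edge"]
    arch = ["arm64"]
  }
}
```

A target can then be restricted to this worker with a worker filter such as `"lab" in "/tags/type"`, so the only exposure at the edge is the single proxy port rather than a VPN into the whole network.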

I see Boundary as much more than PAM. Boundary combines the features of cloud service discovery, identity access control, and encrypted VPN in a way that makes remote working far simpler and more secure than any previous solution. Here is a snapshot of my Organization within our EMEA Partners HCP Boundary Controller. It contains cloud and on-prem projects:

Within each logical project there are targets. In this case I’ve pinned the IP addresses to what I need, but Boundary also has a powerful Host Groups feature to automatically discover services as IPs change, which is helpful for cloud projects. Boundary can also let you know if no hosts are available for a host group.

Not just cloud VMs but even your old home router can serve as a Worker connecting you to Boundary targets.

HashiCorp Vault has long been used for secrets management and partial access control but it is not a full PAM solution on its own. Some HashiCorp customers asked for more. Boundary delivers that and I think it far exceeds what I thought it would be. Boundary completes the Zero Trust suite from HashiCorp, combining Vault for dynamic secrets, Consul for dynamic service networking and mesh, and now Boundary for human-service access and PAM.

Like Vault, Boundary can be used everywhere from cloud to on-prem networks, and I think it will catch on in much the same way. HCP can help you get started quickly and easily at low cost. In the meantime, the open source version is already available for anyone to get started for free.
