For compliance reasons, Alert Logic® only allows specific Alert Logic employees to maintain the health, modifications, and compliance of the appliances. Once the appliance is claimed, the administrative credentials are managed by Alert Logic and are regularly rotated. All access to appliances occurs from jumpboxes located within Alert Logic SSAE 16 audited data centers. Access to these jumpboxes is restricted only to Alert Logic technicians who need to access appliances as part of their appliance support role.
Jumpbox access is centrally managed and a strong password policy is enforced. Multi-factor authentication using a strong password and a time-based token is required to access a jumpbox. In addition, communication between the jumpbox and technician workstation is encrypted using DTLS and SSHv2.
The technician issues a command from the jumpbox to a command and control server to access an appliance. When the appliance performs its next check-in with the Alert Logic cloud infrastructure, it receives an instruction to open a reverse SSH tunnel. The SSH tunnel will use TCP port 443 and will make attempts to use the closest AWS node first from a wide range of dynamic AWS IP addresses. If it cannot reach the nearest AWS node then it will default to the Alert Logic static IPs.
The Alert Logic technician authenticates with the appliance using public keys, which requires confirmation of the technician’s credentials to access. This gives the technician access to the appliance to run a limited set of status commands, such as retrieving statistics and viewing system information. Privileged commands (such as start/stop services, modify configuration, read log files) require the Alert Logic technician to enter a password unique to each appliance. These unique passwords are changed every quarter.
Historically, the connection to the appliance was made directly from the jumpbox via SSH. Some customers may still allow inbound access from Alert Logic data centers for this reason. Alert Logic now advises customers to remove this access since it is no longer needed. However, in the event that the reverse SSH tunnel is not working, Alert Logic technicians may require direct access via SSH for troubleshooting.