Decision about my Zero Trust Network Infrastructure project

Hello,
I am new here and wish to become an advocate of OpenZiti.
I have started a project where I want to test the design and implementation of zero-trust network infrastructure to minimize security risk by using microsegmentation and zero-trust network access.
I had many open-source options, but I discovered OpenZiti could test both of these important points to prove zero trust. My plan is to use 1 Ubuntu server, 1 client, and 1 Windows 10 machine for testing. I have VirtualBox with Ubuntu Server and another Ubuntu desktop on another laptop, and 1 laptop with Windows 10.
Is anything missing from my virtual lab? Kindly draw my attention to it.

I saw some guidelines on YouTube, but I would love it if you could help me with some tips to start using OpenZiti, just to not have many issues.
If I get help, that will be great.
Thank you

Having a clear network plan helps you a lot. Physical layout? VLANs? NAT? Routing? DNS?

Which scenario are you testing and how is the scenario visible in the network plan?

I also made some first steps with a Hyper-V environment on my workstation.

Thank you.
I actually want to separate the 4 departments (IT, HR, Account, and Customer Service) with VLANs, but OpenZiti has something better than the traditional VLAN, avoiding lateral movement within the network even when attackers get into it.

And test a staff member accessing the server (HR) from home securely, not with a traditional VPN.
I want to make sure that by using OpenZiti, every communication within the network that is considered potentially insecure is verified based on identity, context, and access rights.

thank you.

Hi @SinSin, welcome to the community and to OpenZiti!

Amazing! :slight_smile:

That's all you need (more than you need actually). You could add Android, iOS, and macOS to your list of testing since those are often deployed in the real world... Once you have things working, the next step will be to add a router in your physical locations. This will shorten the path to the overlay network. I personally just have one router in the cloud and latency is never a problem for me; however, closer is always better/faster, so having a router in the locations where the users are can help.

I would highly encourage you to deploy your first server on the open internet. It should have a controller and a router and that's all you need to get going.

I restarted a learning OpenZiti series on YouTube recently. In the second one, I added a second router so if you haven't seen those you might want to have a watch.

I appreciate the feedback to add other operating systems.
:ok_hand:

If I understand you correctly, then all four departments are placed in the same LAN and you want to separate it.

If the OpenZiti overlay network is the only way to communicate between the devices (because all services are only listening on 127.0.0.1), that will probably limit the lateral movement. But if it is possible to use e.g. RDP or SSH to another device from the underlying network, the attacker will likely use the underlying network connections.

And attackers can still use the layer 2 protocols.
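One way to check the "only listening on 127.0.0.1" assumption on each host, as an added example that is not part of this thread: a small POSIX shell/awk filter over `ss -tulnH` output that lists every listener bound to a non-loopback address (the sample lines are constructed, not captured from a real machine).

```shell
#!/bin/sh
# Added example, not from the thread: audit which TCP/UDP listeners are
# reachable from the underlay network. For the overlay-only model to hold,
# every service should bind to 127.0.0.1 or [::1]; anything bound elsewhere
# is still a path for lateral movement that bypasses OpenZiti.

# Constructed sample of `ss -tulnH` output (columns: Netid State Recv-Q
# Send-Q Local-Address:Port Peer-Address:Port). Not from a real host.
SAMPLE_SS='tcp   LISTEN 0 128 127.0.0.1:8080      0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22           0.0.0.0:*
tcp   LISTEN 0 128 [::1]:5432           [::]:*
tcp   LISTEN 0 128 *:3389               *:*
udp   UNCONN 0 0   [::]:5353            [::]:*'

# Reads ss-style lines on stdin and prints "proto local_address:port" for
# every listener whose local address is not loopback.
non_loopback_listeners() {
    awk '{
        proto = $1; local = $5
        # Strip the port: the last ":" separates the address from the port.
        addr = local; sub(/:[^:]*$/, "", addr)
        if (addr != "[::1]" && addr !~ /^127\./)
            print proto, local
    }'
}

# Number of exposed listeners in the constructed sample (expected: 3).
count_exposed_sample() {
    printf '%s\n' "$SAMPLE_SS" | non_loopback_listeners | wc -l | tr -d ' '
}

# On a real Linux host, run instead:  ss -tulnH | non_loopback_listeners
```

An empty result means no service is reachable over the underlay; each printed line is a service an attacker on the LAN could still reach without touching the overlay.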

Thank you for the contribution. I have to add some clarification about my project, which may help with some additional tips. Thanks for your patience.

Implementation of Zero Trust Infrastructure

The goal is to implement a Zero Trust Network Architecture (ZTNA) with micro-segmentation and zero trust network access (ZTNA) to limit internal network movements and prevent unauthorized access,
in a virtual environment which can be deployed later on a hybrid network structure with on-premises and cloud services.
The system will insist on authentication and authorization before allowing any user or device, no matter how legitimate they may seem, to access sensitive data or network resources.

Activities and Testing:
Design of the Zero Trust Architecture

  • Installation and Configuration of OpenZiti
  • Definition of Services and Policies
  • System Integration and Commissioning
  • Validation and Testing

Testing Phase and Results

  • Access Control
  • Network Segmentation
  • Policy Adjustment during Operation
  • Performance Evaluation

(This was my 1st scenario.)
I have 1 laptop.
-- VirtualBox with the following VMs:
Ubuntu Server
Ubuntu Desktop (ziti desktop edge)
Win 10 (ziti desktop edge)

Second laptop: In another area—accessing my Server
-- VirtualBox with Windows 10 (ziti desktop edge)
-- 1 iOS and 1 Android phone with (ziti mobile edge)

(2nd scenario.)

I saw Netfoundry, thinking it can help me with cloud experimentation, but I have no company email.
I want something with no cost—I have some 10 days ahead to finish all these implementations and tests.

Can this be a help? -- Has anyone already experienced one that will not be too complicated?

Oracle Cloud Free Tier—Offers always-free compute instances that can host OpenZiti securely.

AWS Free Tier—Provides EC2 instances that can be configured for zero trust networking.

Google Cloud Free Tier—Includes f1-micro instances that can run OpenZiti for secure access.

Microsoft Azure Free Tier—Offers B1s virtual machines that can be used for OpenZiti deployment.

IBM Cloud Free Tier—Provides Lite instances that can support OpenZiti’s zero trust architecture.

Any hint will be welcome.
Thank you.

Any of the free-tier cloud compute platforms are generally fine for very light workloads. Just beware that they are often limited to their "on demand" compute so sometimes the machine can just freeze up for some amount of time and you'll not know 'why' exactly.