If you haven’t seen, me and @qrkourier are routinely live-streaming on Friday’s at 11 am ET. We have covered all sorts of things in the past and no topic is off limits as long as it’s about zero trust or OpenZiti.
What topics are interesting to you? Any ideas on what you would like to see me or @qrkourier talk about?
Ohh I think it’d be nice presenting how-to’s for more advanced use cases. Like for example, how to add an additional router.
Difference between router types (Especially for configuration files).
And maybe something like showing the different HA options which are really enterprise-grade options Ziti may offer IMHO.
Sounds good! We need documentation around these as well but videos are a bit easier to get out to the world and can cover a bit more ground. I like it - perhaps next week! unless something exciting comes out
It would be great to do one on the difference between the control and data planes… and their different configurations… and what protections are needed for each plane.
For instance… my understanding is that for the control plane… you need to have specific ports open… so that the controller can listen for requests… this means that it’s important for it to have DDOS protection…
In contrast, my understanding for that data plane is that … all ports are to be closed… as the controller provides a dialler to marshal the traffic between end points.
Providing a more detailed overview about this would be super awesome… I am learning at the speed of light
One more topic… it would be useful to demonstrate how access is protected between a ziti connection versus traditional approach…
This would include the use of network discovery tools such as nslookup and dig.
I don’t really know much about them… but a short session about this… would be useful.
This includes how to test the security of an open ziti network… as these tools will not help because there is no IP addressing… so with this in mind… what other tools do you need to show that it’s all working as designed
You are on the exact right track. Any identity is usable for a mobile. If you have installed the ziti admin console, when you make an identity you have the option to download a jwt or show a qr code. The mobile can use the camera to then enroll from the ZME (ziti mobile edge)
Getting it to the mobile securely is often done by email and humans communicating and confirming the correct user received the email and enrolled the device themselves. Once that confirmation happens you can assign services to that identity feeling good it was delivered to the right target. Exactly how you deliver that registration token is ultimately up to you.
The ZME allows you to enroll either a downloaded jwt, or take a picture/qr code. The picture/qr is just the jwt encoded into a qr code… Either way works
It’s protected by being delivered via HTTPS over an authorized (you had to log in) connection. We really don’t define “how” one should deliver this token to ones end users. In the SaaS product from NetFoundry a human needs to enter an email address, another human (presumably) gets that email with a jwt inside it along with a qr encoded image. That email - which the SaaS platform built ‘around’ ziti (not in the opensource ZAC) looks like this
You can see I can now download/enroll my jwt (which I do when using a “desktop edge”) or I can pop open the qr code image, pull out my mobile and scan that image.
The jwt is a one-time-use token. You can also configure these tokens to be very short lived (they have an expiration inside them). So you can make an identity and say “you need to register in 10 minutes or this will no longer be valid”
This is how we send a token to “non-technical people” (or technical people who just don’t want to be bothered, this is after all, a very convenient and easy to perform process).
Perhaps though - this question should be forked out of the ziti tv question. If you want to continue this sort of line of questions would you be so kind as to make a new thread? This one is diverging
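The two token properties described in the reply above, an expiry carried inside the jwt and one-time use, as a small added illustration. This is example code written for this thread, not OpenZiti's enrollment implementation: the claim names (sub, exp, jti, iat) follow the standard JWT claims, while the HMAC signing key, the in-memory set of redeemed token ids and the sample identity names are assumptions made for the demonstration only. `peek_claims` shows what a recipient can read out of an emailed (or QR-encoded) token without the key, which is useful for checking when it expires, not for deciding whether it is valid.

```python
"""Added example: short-lived, one-time-use enrollment tokens (not OpenZiti's code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding that base64url encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying it: fine for reading 'exp',
    never proof that the token is genuine."""
    return json.loads(_b64url_decode(token.split(".")[1]))


class EnrollmentTokenIssuer:
    """Issues HS256-signed tokens and accepts each one exactly once."""

    def __init__(self, key: bytes, clock=time.time):
        self._key = key          # assumed secret held only by the issuer
        self._clock = clock      # injectable so expiry can be tested deterministically
        self._redeemed: set[str] = set()   # jti values already consumed

    def issue(self, identity_name: str, ttl_seconds: int) -> str:
        now = int(self._clock())
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {
            "sub": identity_name,
            "jti": secrets.token_hex(16),   # unique id that makes one-time use enforceable
            "iat": now,
            "exp": now + ttl_seconds,       # "register within ttl or this is no longer valid"
        }
        signing_input = (
            _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
        )
        sig = hmac.new(self._key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)

    def redeem(self, token: str) -> dict:
        """Return the claims if the token is authentic, unexpired and unused; raise ValueError otherwise."""
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
        except ValueError:
            raise ValueError("malformed token")
        expected = hmac.new(
            self._key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
        ).digest()
        # Constant-time comparison so signature checks do not leak timing.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(payload_b64))
        if self._clock() >= claims["exp"]:
            raise ValueError("token expired")
        if claims["jti"] in self._redeemed:
            raise ValueError("token already used")
        self._redeemed.add(claims["jti"])
        return claims


if __name__ == "__main__":
    issuer = EnrollmentTokenIssuer(secrets.token_bytes(32))
    tok = issuer.issue("demo-phone", ttl_seconds=600)   # constructed identity name
    print("expires at", peek_claims(tok)["exp"])
    print("first redeem:", issuer.redeem(tok)["sub"])
    try:
        issuer.redeem(tok)
    except ValueError as err:
        print("second redeem:", err)
```

The QR code in the admin console is the same string as the downloaded jwt, so `peek_claims` works equally on a scanned code; the signature check in `redeem` is what stands in for the controller's own validation here.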
We could try and use SPIRE (SPIFFE implementation) as a 3rd party CA that can auto enroll in Ziti networks. Might need some prep as we would need Spire, Ziti, and some kind of workload (like a build or a test runner).
Yeah I spent some time on that (Ziti/Guac). Best case you can mask the web interface using a tunneler and still keep the server on premise. If you need to use guacamole to access servers in many private networks you can mask the front end and the guacd service with a tunneler…just use intercept names in the guacamole config. Some risk here as this requires you to allow the server pretty extensive access to services…you can mitigate with SAML and of course masking the front-end.
A great topic to cover is the relationship between ports and listeners.
This can include how the traditional TCP/IP handshake works… and what makes the OpenZiti way of working different.
Then… it would be useful to cover off on how it facilitates a higher level of protection. This would then lead into the conversation of PKI certificates.
One concern I had was that the controller needed to have open ports… but… after talking with a friend about this… it’s not the open port that hackers will attack… rather… the listener.
So… it would be really useful to go into more detail around the layers of protection around the controller listener. I guess this also includes the listeners for the edge routers (please correct me on this).
To finish this topic off… it would be then useful to provide some guidance around the creation of new identities using the controller certificates… I imagine that there is a ziti command for this… but do not know the details
Thanks for the ideas! Happy to oblige when we can!
That “listener” is realistically only attackable via that open port - so from my perspective you’re both correct. That’s why you can take the “management” tier out of the ‘open’ internet and bind it only to a local IP if you want - or bind it via some other IP. You could even decide to make that part of the api accessible only through ziti itself. You could run a tunneller on the controller and have it offload the management API to the local interface… I think I might do this on a ziti tv because it sounds fun and cool… You could also just do this through classic firewall settings by allowing only known IP addresses to access the IP the management interface is bound on but that feels “less zero trusty” to me and a bit more of a headache than using ziti (and less fun lol).
Ah - that’s the beauty of OpenZiti!!! You are getting a new private key, a new certificate every time you create an identity and “enroll” it. That’s literally what enrolling is doing. You are making a new key and a new cert “from the overlay PKI”. Great set of posts from @andrew.martinez cover this in depth here Bootstrapping Trust | Ziti. Totally worth the read.
There are also ziti commands to make a whole PKI. That’s exactly what the expressInstall function does. If you open up that big huge shell script - ziti-cli-functions.sh you can take a peek. Find the function named ziti_expressConfiguration and you can follow exactly what expressInstall does manually if you want to learn HOW it works. You’ll see a call in there to createPki which makes three different root CA stores and sets up the whole PKI to be used. Routers are special - they handle all of this on their own when they go through enrollment.
Thanks for the continued questions, keep them coming!
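A defender-side check for the point made above about binding the management tier to a local IP, added here as an example; it is not code from the thread or from the OpenZiti project. It walks a controller config and reports any web listener that serves the management API on a non-loopback interface. The config shape it assumes (`web[].bindPoints[].interface` plus `web[].apis[].binding` with the binding name `edge-management`) is the controller config layout as I understand it, so compare it against your own controller YAML before relying on it; the sample config is constructed for the demonstration and written as JSON, which a YAML loader also accepts, so the script needs no third-party parser.

```python
"""Added example: flag management-API listeners bound to non-loopback interfaces."""
import ipaddress
import json

# Constructed sample in the assumed controller config shape (JSON form of the YAML).
SAMPLE_CONFIG = json.loads("""
{
  "web": [
    {
      "name": "client-and-management",
      "bindPoints": [{"interface": "0.0.0.0:1280", "address": "ctrl.example.com:1280"}],
      "apis": [{"binding": "edge-client"}, {"binding": "edge-management"}]
    },
    {
      "name": "management-local",
      "bindPoints": [{"interface": "127.0.0.1:1281", "address": "localhost:1281"}],
      "apis": [{"binding": "edge-management"}]
    }
  ]
}
""")


def split_host_port(interface: str):
    """Split 'host:port', '[v6]:port' or ':port' (all interfaces) into (host, port)."""
    host, _, port = interface.rpartition(":")
    return host.strip("[]"), port


def is_loopback(host: str) -> bool:
    """True only for addresses that cannot be reached from another machine."""
    if host == "":            # ':1280' binds every interface
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:        # any other hostname: assume it resolves to a real NIC
        return False


def exposed_management_listeners(config: dict, sensitive=("edge-management",)):
    """Return (listener name, interface, [sensitive bindings]) for every
    bind point that serves a sensitive API on a non-loopback interface."""
    findings = []
    for listener in config.get("web", []):
        served = sorted({api.get("binding") for api in listener.get("apis", [])} & set(sensitive))
        if not served:
            continue
        for bp in listener.get("bindPoints", []):
            host, _ = split_host_port(bp.get("interface", ""))
            if not is_loopback(host):
                findings.append((listener.get("name"), bp.get("interface"), served))
    return findings


if __name__ == "__main__":
    for name, iface, apis in exposed_management_listeners(SAMPLE_CONFIG):
        print(f"listener '{name}' exposes {apis} on {iface}; move them to a loopback bindPoint")
```

In the sample, the first listener is reported because it mixes the client API (which remote identities must reach) with the management API on `0.0.0.0`, while the second listener is the split-out, loopback-only management tier the reply describes; a tunneler on the controller, or firewall rules, would then be what makes that local interface reachable for administrators. Pass additional binding names via `sensitive` if your controller exposes other administrative APIs on a named binding.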