Ideas for Ziti TV?

Hi community!

If you haven’t seen, me and @qrkourier are routinely live-streaming on Friday’s at 11 am ET. We have covered all sorts of things in the past and no topic is off limits as long as it’s about zero trust or OpenZiti. :slight_smile:

What topics are interesting to you? Any ideas on what you would like to see me or @qrkourier talk about?

Find past live streams here on youtube! https://www.youtube.com/channel/UCAsrfQasdZmp2Gq07Ej_5cQ/videos?view=2&live_view=503

Cheers

3 Likes

We must to an episode on how to do a zitifcation. The chemist inside us all is asking, “how do we reduce activation energy”??

Ohh I think it’d be nice presenting how-to’s for more advance use cases. Like for example, how to add an aditional router.
Difference between router types (Specially for configuration files).
And maybe something like the showing the different HA options which are really enterprise grade options Ziti may offer IMHO.

Sounds good! We need documentation around these as well but videos are a bit easier to get out to the world and can cover a bit more ground. I like it - perhaps next week! unless something exciting comes out :slight_smile:

2 Likes

It would be great to do one on the difference between the control and data planes… and their different configurations… and what protections are needed for each plane.

For instance… my understanding is that for the control plane… you need to have specific ports open… so that the controller can listen for requests… this means that its important for it to have DDOS protection…

In contrast, my understanding for that data plane is that … all ports are to be closed… as the controller provides a dialler to marshal the traffic between end points.

Providing a more detailed overview about this would be super awesome… I am learning at the speed of light :slight_smile:

1 Like

One more topic… it would be useful to demonstrate how access is protected between a ziti connection versus traditional approach…

This would include the use of network discovery tools such as nslookup and dig.

I don’t really know much about them… but a short session about this… would be useful.

This includes how to test the security of an open ziti network… as these tools will not help because there is no IP addressing… so with this in mind… what other tools do you need to show that its all working as designed

I just found this resource… it would be great to cover this in more detail

I’m happy to cover all those ideas. Thanks for taking the time to write them down. Coming soon. :slight_smile:

One more.. how to install an identity on the ZitiMobileEdge.

This came about because I have just installed the QuickInstall on a server that I am hosting.. and was wanting to test it out.

This process installs the controller.. and an edge router.

After this I got a bit stuck.. as I was unsure what the next step was... then after watching this really awesome video (link below)..

After watching it to the end, I realised that I needed to setup an end point.. so I have installed the zitiapp on my mobile.. but then I am stuck again..

  1. how do you create the identity for an edge device

  2. how do you get the identity file to your mobile securely.

  3. the mobile version of the ziti app also distinguishes between a JWT and a QR code.

I am thinking that a QR code is probably better for a mobile device.... which then raises the next question.. how do you create a QR code?

You are on the exact right track. Any identity is a usable for a mobile. If you have installed the ziti admin console, when you make an identity you have the option to download a jwt or show a qr code. The mobile can use the camera to then enroll from the ZME (ziti mobile edge)

Getting it to the mobile securely is often done by email and humans communicating and confirming the correct user received the email and enrolled the device themselves. Once that confirmation happens you can assign services to that identity feeling good it was delivered to the right target. Exactly how you deliver that registration token is ultimately up to you.

The ZME allows you to enroll either a downloaded jwt, or take a picture/qr code. The picture/qr is just the jwt encoded into a qr code... Either way works

1 Like

With the admin panel (ZAC)..it would be great if you can share more details on how it is protected.

Is it only available over Ziti network.. or it is open to the public internet? If its over a Ziti network.. how do you setup the first user to make this possible?

My preference is not to use it.. and do it all by CLI

Although.. The idea of pointing your mobile to a QR code is pretty cool.. and super easy..

Hence.. it would be nice to disable it once done.. and do all of the rest via CLI.

It's protected by being delivered via HTTPS over an authorized (you had to log in) connection. We really don't define "how" one should deliver this token to ones end users. In the SaaS product from NetFoundry a human needs to enter an email address, another human (presumably) gets that email with a jwt inside it along with a qr encoded image. That email - which the SaaS platform built 'around' ziti (not in the opensource ZAC) looks like this

You can see i can now download/enroll my jwt (which I do when using a "desktop edge") or i can pop open the qr code image, pull out my mobile and scan that image.

The jwt is a one-time-use token. You can also configure these tokens to be very short lived (they have an expiration inside them). So you can make an identity and say "you need to register in 10 minutes or this will no longer be valid"

This is how we send a token to "non-technical people" (or technical people who just don't want to be bothered, this is after all, a very convenient and easy to perform process).

Perhaps though - this question should be forked out of the ziti tv question. If you want to continue this sort of line of questions would you be so kind as to make a new thread? This one is diverging :slight_smile:

We'll cover this today https://youtu.be/X0AET3BYubo

We could try and use SPIRE (SPIFFE implementation) as a 3rd party CA that can auto enroll in Ziti networks. Might need some prep as we would need Spire, Ziti, and some kind of workload (like a build or a test runner).

3 Likes

It’ll be fun and instructive at the very least, and quite possibly a very interesting use case for bootstrapping identities in Kubernetes.

Hey gang. Did you know that we (that’s the royal we) zitified Apache Guacomole?
https://github.com/apache/guacamole-server

This is much awesomeness, esp. given that this is how Lapsus$ got into Okta. And RDP one of the top exploits according to CISA.

Might have been using a tunneler? But same principles apply. Looks like a C application?

Yeah I spent some time on that (Ziti/Guac). Best case you can mask the web interface using a tunneler and still keep the server on premise. If you need to use guacamole to access servers in many private networks you can mask the front end and the guacd service with a tunneler…just use intercept names in the guacamole config. Some risk here as this requires you to allow the server pretty extensive access to services…you can mitigate with SAML and of course masking the front-end.

@NicFragale: looks like someone took interest!

1 Like

A great topic to cover is the relationship between ports and listeners.

This can include how the traditional TCP/IP handshake works… and what makes the OpenZiti way of working different.

Then… it would be useful to cover off on how it facilitates a higher level of protection. This would then lead into the conversation of PKI certificates.

One concern I had was that the controller needed to have open ports… but… after talking with a friend about this… its not the open port that hackers will attack… rather… the listener.

So… it would be really useful to go into more detail around the layers of protection around the controller listener. I guess this also includes the listeners for the edge routers (please correct me on this).

To finish this topic off… it would be then useful to provide some guidance around the creation of new identities using the controller certificates… I imagine that there is a ziti command for this… but do not know the details

1 Like

Thanks for the ideas! Happy to oblige when we can!

That "listener" is realistically only attackable via that open port - so from my perspective you're both correct. That's why you can take the "management" tier out of the 'open' internet and bind it only to a local ip if you want - or bind it via some other IP. You could even decide to make that part of the api accessible only through ziti itself. You could run a tunneller on the controller and have it offload the management API to the local interface.... I think I might do this on a ziti tv because it sounds fun and cool.... :slight_smile: . You could also just do this through classic firewall settings by allowing only known IP addresses to access the IP the management interface is bound on but that feels "less zero trusty" to me and a bit more of a headache than using ziti (and less fun lol).

Ah - that's the beauty of OpenZiti!!! You are getting a new private key, a new certificate every time you create an identity and "enroll" it. That's literally what enrolling is doing. You are making a new key and a new cert "from the overlay PKI". Great set of posts from @andrew.martinez cover this in depth here https://openziti.github.io/articles/bootstrapping-trust/part-01.encryption-everywhere.html. Totally worth the read.

There are also ziti commands to make a whole PKI. That's exactly what the expressInstall function does. If you open up that big huge shell script - ziti-cli-functions.sh you can take a peek. Find the function named ziti_expressConfiguration and you can follow exactly what expressInstall does manually if you want to learn HOW it works. You'll see a call in there to createPki which makes three different root CA stores and sets up the whole PKI to be used. Routers are special - they handle all of this on their own when they go through enrollment.

Thanks for the continued questions, keep them coming! :slight_smile: