I’m not really sure what you’re thinking when you say different API connection methods. I think you’re hinting at the whole ZTNA/ZTHA/ZTAA thing. I can do a session on that again, sure.
That would be great.
How about a simple conversation on how we can use a secure zero-trust network in a simple DevSecOps program so that we can prevent companies from becoming the next Uber? I estimate 3 minutes to cover the concept.
It would be very useful to have a Ziti TV where you show how to configure External JWT Signers (Keycloak, for example) and show how to use them in order to create and enroll identities.
I’m guessing you’ve seen this, but here’s a related ZitiTV from a couple of months ago when we released initial support for external JWT signers: Ziti TV Mar 31 2023 - OIDC/External signers/Keycloak working session - YouTube
Hi, would be very useful to show how to configure a SentinelOne posture check, not using the process but through the sentinel API. Maybe this feature is something already in dev?
Hi @Quentin, welcome to the community and to OpenZiti!
At this time, there's no way to integrate with other APIs from posture checks, but that sort of thing makes perfect sense to me! When that becomes a reality, that sounds like a fun Ziti TV. It also fits into querying something else like OPA too, so it totally makes sense to me!
Building on this @Quentin, this is something we do in CloudZiti with other tools (S1 could be done in the future). As @TheLumberjack says, it's not via the posture check, we do it via an API integration, so that if the external EDR says the device is insecure, services are removed from the endpoint in question.
If I understand well, there is a custom development in CloudZiti that calls the SentinelOne API to check the device status and, if secure, through controller APIs, removes the services associated with the device?
Exactly. You understand.
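The EDR-to-controller integration described above, as an added illustration that is not CloudZiti's or OpenZiti's own code. It assumes a hypothetical EDR report keyed by identity name, a role attribute `edr-healthy` that a service policy references as `#edr-healthy`, and the OpenZiti management API's identity PATCH endpoint for updating `roleAttributes`; devices missing from the report are treated as insecure so the check fails closed.

```python
from typing import Dict, List, Tuple

# Assumed role attribute: a service policy grants services to "#edr-healthy" identities,
# so removing the attribute from an identity removes its services.
HEALTHY_ATTR = "edr-healthy"


def plan_changes(identities: List[dict], edr_report: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Return (identity_id, new_roleAttributes) for each identity whose attributes must change.

    edr_report maps identity name -> "secure" | "insecure" (hypothetical EDR output).
    An identity absent from the report is treated as insecure (fail closed).
    """
    changes = []
    for ident in identities:
        attrs = list(ident.get("roleAttributes") or [])
        healthy = edr_report.get(ident["name"]) == "secure"
        has_attr = HEALTHY_ATTR in attrs
        if healthy and not has_attr:
            attrs.append(HEALTHY_ATTR)      # device became healthy: restore services
        elif not healthy and has_attr:
            attrs.remove(HEALTHY_ATTR)      # device flagged insecure: pull services
        else:
            continue                        # already in the desired state
        changes.append((ident["id"], attrs))
    return changes


def patch_body(new_attrs: List[str]) -> dict:
    """Request body for PATCH /edge/management/v1/identities/{id} (assumed endpoint)."""
    return {"roleAttributes": new_attrs}


def apply_changes(session, controller_url: str, changes) -> int:
    """Push each planned change to the controller with an authenticated HTTP session
    (any object with a requests-style .patch(); the caller handles login)."""
    for ident_id, attrs in changes:
        resp = session.patch(f"{controller_url}/edge/management/v1/identities/{ident_id}",
                             json=patch_body(attrs), timeout=10)
        resp.raise_for_status()
    return len(changes)


# Constructed sample data: three identities as the controller would list them,
# and one hypothetical EDR report.
SAMPLE_IDENTITIES = [
    {"id": "id-laptop-1", "name": "laptop-1", "roleAttributes": ["edr-healthy", "eng"]},
    {"id": "id-laptop-2", "name": "laptop-2", "roleAttributes": ["eng"]},
    {"id": "id-laptop-3", "name": "laptop-3", "roleAttributes": ["edr-healthy"]},
]
SAMPLE_EDR = {"laptop-1": "insecure", "laptop-2": "secure"}  # laptop-3 unreported
```

Running `plan_changes(SAMPLE_IDENTITIES, SAMPLE_EDR)` strips the attribute from laptop-1 and laptop-3 and grants it to laptop-2; `apply_changes` then sends only those three PATCHes.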
Hardening Ziti Controller and Router for public access would be a nice topic against all attacks (e.g. brute-force).
I'm sure many out there would be interested in it.
Are you contemplating a brute-force attack against the admin password? Sounds like an interesting topic.
Against all kinds of attacks (API/web in general and brute force). Is it safe to use ZAC on the same machine? Is it safer to use a cryptic virtual path for ZAC?
I read somewhere that you can set a limit on TCP sessions in the configs? Or is it firewall stuff (IDS)?
NetFoundry advertises that it was never hacked; maybe you can tell a little bit about how you accomplish this?
We don't describe everything the NetFoundry NaaS product does (for obvious reasons of informing attackers), but it includes some of the core features of the NaaS product, which have evolved over many years of providing services to the world's most security conscious.
This includes having a whole team whose job is to build comprehensive security services around OpenZiti, including hardening, monitoring, IAM, encryption, DDoS protection, and more. We also extensively use OpenZiti internally. A few examples we talk about publicly:
- connecting our Jenkins to OpenZiti Github, over OpenZiti (GitHub - openziti/ziti-webhook-action: Github Action to post a Webhook over a Ziti network)
- Our DevOps... over OpenZiti (https://www.youtube.com/watch?v=uBXdp7fsMNc&ab_channel=OpenZiti)
- Our support engineers, over OpenZiti (Business Rule Driven Just-in-Time Network Access).