Ideas for Ziti TV?

I’m not really sure what you’re thinking when you say different API connection methods. I think you’re hinting at the whole ZTNA/ZTHA/ZTAA thing. I can do a session on that again, sure.


That would be great.

How about a simple conversation on how we can use a secure zero-trust network in a simple DevSecOps program so that we can prevent companies from becoming the next Uber? I estimate 3 minutes to cover the concept.

It would be very useful to have a Ziti TV where you show how to configure External JWT Signers (Keycloak, for example) and show how to use them in order to create and enroll identities.


I’m guessing you’ve seen this, but here’s a related ZitiTV from a couple of months ago when we released initial support for external JWT signers: Ziti TV Mar 31 2023 - OIDC/External signers/Keycloak working session - YouTube

Hi, it would be very useful to show how to configure a SentinelOne posture check, not via the process but through the SentinelOne API. Maybe this feature is already in development?

Hi @Quentin, welcome to the community and to OpenZiti!

At this time, there's no way to integrate with other APIs from posture checks, but that sort of thing makes perfect sense to me! When that becomes a reality, that sounds like a fun Ziti TV. It also fits into querying something else like OPA too, so it totally makes sense to me!

Building on this @Quentin, this is something we do in CloudZiti with other tools (S1 could be done in the future). As @TheLumberjack says, it's not via the posture check, we do it via an API integration, so that if the external EDR says the device is insecure, services are removed from the endpoint in question.

If I understand correctly, there is a custom development in CloudZiti that calls the SentinelOne API to check the device status and, if it is not secure, removes the services associated with the device through the controller APIs?

Exactly. You understand.
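To make the integration pattern described above concrete, here is an added example (my own code, not CloudZiti's or anything from the OpenZiti project). It takes an EDR verdict for a device and, instead of deleting service policies, swaps a role attribute on the device's OpenZiti identity so that policies keyed on that attribute stop matching. Everything here is an assumption for illustration: the attribute names `edr-healthy` and `edr-quarantined`, the shape of the EDR record, and the Edge Management API paths (`/edge/management/v1/authenticate`, `/identities`, `PATCH /identities/{id}`), which you should verify against your controller's API spec before use. The EDR records and identity document are constructed inline so the decision logic runs offline.

```python
"""Added example: quarantine a device's Ziti services from an EDR verdict.

Policies are assumed to select identities by '#edr-healthy'; flipping that
attribute to 'edr-quarantined' removes every such service from the endpoint
without touching the policies themselves (attribute names are hypothetical).
"""
import json
import urllib.request
from typing import Iterable, Optional

HEALTHY_ATTR = "edr-healthy"          # hypothetical role attribute
QUARANTINE_ATTR = "edr-quarantined"   # hypothetical role attribute


def edr_verdict(record: dict) -> bool:
    """Map an EDR device record (constructed shape) to healthy/unhealthy.

    Fails closed: a missing field, an offline agent, any active threat or a
    stale check-in all count as unhealthy.
    """
    return (
        record.get("agent_online") is True
        and record.get("active_threats", 1) == 0
        and record.get("last_seen_minutes", 10**9) <= 15
    )


def reconcile_attributes(current: Iterable[str], healthy: bool) -> list:
    """Return the identity's new roleAttributes for this verdict.

    Other attributes are preserved; the result is sorted so that repeated
    runs are idempotent and easy to diff.
    """
    attrs = [a for a in current if a not in (HEALTHY_ATTR, QUARANTINE_ATTR)]
    attrs.append(HEALTHY_ATTR if healthy else QUARANTINE_ATTR)
    return sorted(attrs)


def build_patch(identity: dict, healthy: bool) -> Optional[tuple]:
    """Return (identity id, PATCH body) when a change is needed, else None."""
    current = identity.get("roleAttributes") or []
    wanted = reconcile_attributes(current, healthy)
    if wanted == sorted(current):
        return None
    return identity["id"], {"roleAttributes": wanted}


class ZitiController:
    """Thin client for the controller calls (assumed paths, not exercised offline)."""

    def __init__(self, base_url: str, username: str, password: str):
        self.base = base_url.rstrip("/") + "/edge/management/v1"
        body = json.dumps({"username": username, "password": password}).encode()
        req = urllib.request.Request(
            self.base + "/authenticate?method=password", data=body,
            headers={"Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req) as resp:
            self.token = json.load(resp)["data"]["token"]

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            self.base + path, data=data, method=method,
            headers={"Content-Type": "application/json", "zt-session": self.token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def find_identity(self, name: str) -> dict:
        query = urllib.parse.quote(f'name="{name}"')
        return self._call("GET", f"/identities?filter={query}")["data"][0]

    def apply(self, patch: tuple) -> dict:
        identity_id, body = patch
        return self._call("PATCH", f"/identities/{identity_id}", body)


if __name__ == "__main__":
    # Constructed sample data: one clean device, one with an active detection.
    edr_records = {
        "laptop-alice": {"agent_online": True, "active_threats": 0, "last_seen_minutes": 3},
        "laptop-bob": {"agent_online": True, "active_threats": 1, "last_seen_minutes": 3},
    }
    identities = {
        "laptop-alice": {"id": "id-a", "roleAttributes": ["edr-healthy", "laptops"]},
        "laptop-bob": {"id": "id-b", "roleAttributes": ["edr-healthy", "laptops"]},
    }
    for name, record in edr_records.items():
        patch = build_patch(identities[name], edr_verdict(record))
        print(name, "->", "no change" if patch is None else patch)
        # With a live controller: ZitiController(url, user, pw).apply(patch)
```

The main design choice is to quarantine by role attribute rather than by deleting policies: it is idempotent, reversible when the EDR reports the device clean again, and leaves an audit trail in the identity rather than in missing policies. The `edr_verdict` function fails closed on purpose, so a device the EDR cannot see loses its services rather than keeping them by default.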

Hardening the Ziti Controller and Router for public access would be a nice topic, covering all attacks (e.g. brute force).

I'm sure many out there would be interested in this.

Are you contemplating a brute-force attack against the admin password? Sounds like an interesting topic.

Against all kinds of attacks (API/web in general and brute force). Is it safe to use ZAC on the same machine? Is it safer to use a cryptic virtual path for ZAC?

I read somewhere that you can set a limit on TCP sessions in the configs? Or is that firewall stuff (IDS)?

NetFoundry advertises that it has never been hacked; maybe you can tell us a little about how you accomplish this?


We don't describe everything the NetFoundry NaaS product does (for the obvious reason that it would inform attackers), but it includes some of the core features of the NaaS product, which have evolved over many years of providing services to the world's most security-conscious organizations.

This includes having a whole team whose job is to build comprehensive security services around OpenZiti, including hardening, monitoring, IAM, encryption, DDoS protection, and more. We also extensively use OpenZiti internally. A few examples we talk about publicly:

Would it be possible to do an episode about enabling https for OpenZiti services using a public CA? I found a forum post about this but I wasn't able to get it working, but this would be very useful for a project I'm working on.

Hi @aidanhopper, welcome to the community and to OpenZiti!

Sure, that sounds like a fun episode. I'll add it to the "ideas list". FWIW, there's actually a community member right now in the process of adding some documentation that sounds similar to what you're requesting. Believe it or not, I was just about to go have a look at it for myself. If you're interested in seeing the doc as it is right now, you can check out the Vercel preview here. I'll also keep this in mind for the "learning OpenZiti" series that I started this week.


That doc is about the admin console, but I took the idea to be TLS for Ziti services.

I assume the server you're publishing with ziti doesn't have a tls cert, so you wish to add one.

I know of only one way: a reverse proxy providing TLS for the server, and publishing the proxy with Ziti instead of the server. You could also publish the server itself with Ziti if it is not already isolated to the proxy.

This looks like a good way to do it with total network isolation, i.e. no exposed ports and an inline TLS proxy: GitHub - openziti-test-kitchen/ziti-caddy: Zitified Caddy server


Yes, that is what I meant. I have not seen this ziti-caddy repo; I'll have to play around with it.

I've been meaning to as well. I hope to hear about your experience with it.

I am already in the habit of using Caddy or Traefik because, with a DNS solver, it makes this very easy. The only downside is that I have multiple Ziti services sharing a server port so they're vulnerable to a forged server name or host header. I could have separated them by port now that I think about it, but Zitified Caddy solves this by isolating the Caddyfile stanzas by Ziti identity.

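The shared-port weakness mentioned in the post above is easy to model. The following is an added example (my own code, not from this thread or the ziti-caddy project) that simulates two Ziti services fronted by one name-based reverse proxy. Ziti's service policy decides whether an identity may dial a service at all, but once the dial lands on the proxy, the proxy picks the backend from the Host header. The example shows an identity allowed only `app-a` reaching `app-b`'s backend by forging `Host` when both services share port 443, and shows the forged request failing once each service gets its own listener port. The service names, identities, ports, hostnames and backend names are all hypothetical and constructed for the example.

```python
"""Added example: forged Host header across Ziti services sharing one proxy port.

Model: Ziti enforces who may dial which service; the reverse proxy behind the
service then routes purely on the HTTP Host header (name-based virtual hosts).
All names, ports and policies below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Set

# Which identities may dial which Ziti services (hypothetical dial policies).
DIAL_POLICY: Dict[str, Set[str]] = {
    "alice": {"app-a"},
    "bob": {"app-b"},
}


@dataclass
class NameBasedProxy:
    """listener port -> {Host header -> backend}; unknown Host gives a 404."""
    vhosts: Dict[int, Dict[str, str]]

    def route(self, port: int, host: str) -> str:
        return self.vhosts.get(port, {}).get(host, "404")


def dial(identity: str, service: str, host_header: str,
         service_port: Dict[str, int], proxy: NameBasedProxy) -> str:
    """One request end to end.

    Returns 'denied' if the Ziti dial policy blocks the identity, otherwise the
    backend the proxy selects for the Host header the client chose to send.
    """
    if service not in DIAL_POLICY.get(identity, set()):
        return "denied"
    return proxy.route(service_port[service], host_header)


# Weak layout: both services terminate on the proxy's single port 443, so the
# Host header alone decides which backend answers.
SHARED_PORT = {"app-a": 443, "app-b": 443}
SHARED_PROXY = NameBasedProxy({
    443: {"a.example.test": "backend-a", "b.example.test": "backend-b"},
})

# Hardened layout: one listener port per service, so the port that the Ziti
# service carries (not a client-controlled header) selects the backend.
ISOLATED_PORT = {"app-a": 8441, "app-b": 8442}
ISOLATED_PROXY = NameBasedProxy({
    8441: {"a.example.test": "backend-a"},
    8442: {"b.example.test": "backend-b"},
})


def forged_host_reaches_other_backend(service_port, proxy) -> bool:
    """True if alice, allowed only app-a, can hit backend-b by forging Host."""
    return dial("alice", "app-a", "b.example.test", service_port, proxy) == "backend-b"


if __name__ == "__main__":
    print("shared port, forged Host :", dial("alice", "app-a", "b.example.test", SHARED_PORT, SHARED_PROXY))
    print("shared port, direct dial :", dial("alice", "app-b", "b.example.test", SHARED_PORT, SHARED_PROXY))
    print("isolated, forged Host    :", dial("alice", "app-a", "b.example.test", ISOLATED_PORT, ISOLATED_PROXY))
    print("isolated, honest Host    :", dial("alice", "app-a", "a.example.test", ISOLATED_PORT, ISOLATED_PROXY))
```

Note that the direct dial of `app-b` is refused by Ziti in both layouts; the gap is only that the proxy trusts a client-supplied header to choose between backends reachable over the same port. Separate ports per service (or, as the post notes for Zitified Caddy, separate configuration per Ziti identity) remove that trust in the header.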

2 posts were split to a new topic: BrowZer Related Questions