OpenZiti preventing attackers Network Usage

Would OpenZiti help with something like this? By stopping an unknown communication with a command and control server?

Just asking for curiosity’s sake.

Hi @Merciless1, thanks for sharing. That’s an interesting article.

Per the article, the attack is done by “exploiting an unspecified N-day security vulnerability in F5 appliances”. F5 appliances are part of your underlay network – the IP-based network – and are thus clearly used for underlay type of work. Once exploited, the malware will then “act as a launchpad for subsequent intrusions”. This is the classic “land and expand” type of scenario.

If your entire network were comprised of OpenZiti nodes, it stands to reason that these attacks would be far less successful (hard to say that it’s entirely preventative). This is because in a typical OpenZiti deployment all your firewalls will (ok, should) have all incoming ports set to be denied by default. With no open ports on the underlay, it’s very, very hard to land and expand as there are no ports to attack. So while it’s impossible to state that OpenZiti will protect the network entirely, it sure stands to reason that your network will be far more resilient to these types of attacks.

If you have hosts with open, listening ports, OpenZiti cannot prevent attacks to those types of hosts. Perhaps that’s obvious. That’s why the default “always deny” incoming ports is so important.

So, yes. I think an OpenZiti overlay network would add strength to the overall security posture.

I’m interested to know if there are any other opinions from the community.

I would add, if you set up your underlay/firewall so that outbound communication is only to the IP/DNS of the Ziti fabric - as that is your only trusted source/destination for apps in the data centre - then even if the attackers were able to get a foothold in your network, the initial malware exploit would not be able to contact its C&C server.
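One way to express the combined advice of the two replies above (inbound "always deny", outbound permitted only to the Ziti fabric) as a host nftables ruleset. This is an added example, not configuration from the thread or from the OpenZiti project; the addresses, the resolver, and the controller/edge-router ports are assumed placeholders that you would replace with your own fabric's values.

```nft
#!/usr/sbin/nft -f
# Host firewall for a workload that is reachable only through the OpenZiti overlay.
# All addresses and ports are constructed placeholders (assumptions), not values from the thread:
#   192.0.2.10 = Ziti controller, 192.0.2.20-21 = Ziti edge routers, 192.0.2.53 = internal DNS resolver
flush ruleset

table inet ziti_host {
    set ziti_fabric {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.20, 192.0.2.21 }
    }

    chain input {
        type filter hook input priority 0; policy drop;   # "always deny" inbound, as recommended above
        iif "lo" accept
        ct state established,related accept               # only replies to connections this host opened
        ct state invalid drop
        # No other inbound rule: the Ziti tunneler/SDK dials out to the fabric,
        # so nothing on this host needs an exposed listening port.
    }

    chain output {
        type filter hook output priority 0; policy drop;  # egress is deny-by-default as well
        oif "lo" accept
        ct state established,related accept
        # Resolver only, so the fabric's DNS names can still be looked up.
        ip daddr 192.0.2.53 udp dport 53 accept
        # Controller and edge-router ports (assumed defaults); everything else is refused.
        ip daddr @ziti_fabric tcp dport { 1280, 3022 } accept
        # Anything else, e.g. malware trying to reach a C&C server, is counted, logged and dropped,
        # which also gives the SOC a detection signal for the foothold scenario discussed above.
        counter log prefix "ziti-egress-denied: " drop
    }
}
```

Load it with `nft -f <file>` and watch the kernel log for the `ziti-egress-denied:` prefix; an entry there from a host that should only ever talk to the fabric is worth an incident ticket.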