As I make my way closer to a production implementation, I find new things that I need to have a clearer position on.
The current issue is the location of the certificates that are required for an OpenZiti controller, along with the edge/fabric routers.
For user end points, my understanding is that it's best to use some type of credential manager. This could be a vault for server endpoints, or a keychain for client endpoints.
However, I am unsure what is the best practice for the controller, edge routers and fabric routers.
I realised that I needed to know more information when I started to investigate the following three common types of DNS attacks:
- poisoning attacks
- takeover of an authoritative DNS server
- compromise the registration of the domain itself
Hence, I thought to ask for some guidance around this. Specifically, how you store and manage your certificates for the controller and routers to minimise such an attack.
At this point, the main thing I know is that you no longer need a private DNS if you have app embedded ziti… as there is no intercept. Removing this is a big win, but you still need a DNS if you want to integrate with non embedded applications.
Also, when you are using a private DNS, you need to have strong internal controls around how the controller and router certificates are protected. It needs to replicate the same types of controls that would be used to manage public DNS certificates.
One of the other topics I am also keen to learn more about is SPIFFE… as I also believe this to be a great way to extend protection… in a simple and practical manner.
Let me know if you have any tips to point me in the right direction.