Various OpenZiti Questions

I was speaking to an OpenZiti community member with private DMs recently. After the conversation they said we share the conversation anonymised which should be valuable for others too.

User:

Just got out of a tag-up with our team and I had a couple questions.

  1. What the enforcement policy used on edge routers ( token based, cert based, user based)

  2. How does the HSM capabilities function

  3. Can clientless communication be done

  4. We had some debates about data flow mainly how often does the routers communicate with the controller does it have to be constant

Philip response:

Hey, thanks for the input. Lots of questions which I love … a call would definitely be best but I will take some initial stabs.

  • HW modules: Very interesting area. When I started this job almost 5 years ago, I knew almost nothing about networking and security. I cam across the O’Reilly book ‘Zero Trust Networks: Building Secure Systems in Untrusted Networks’ and it really helped me to learn… I kind of see it as a bible. Anyway, there is a section where they talk about a ‘Hardware-Based Zero Trust Supplicant’ (pg 140). The basic premise was, how nice to apply ZT to a OT/Purdue environment by having a ZT overlay on a low-cost device which can 1-1 plug into the high-value OT equipment and be tracked in asset mngt… but they said, this is pure fantasy. Well, it’s not; combined Ziti with a low-cost router with a HWRoT and you are done - e.g., some existing users use RUT240 - 4G/LTE Wi-Fi Router Teltonika Networks, which costs <$100 at scale. Ziti has the ability to work with external CA / IdP / JWT providers (see blog Integrate OpenZiti with JWTs, PKIs for seamless service authentication or documentation External JWT Signers OpenZiti) last year we used this with Capgemini and Arm to show OpenZiti working with Parsec and a generic HW key provider - Converging on a zero-trust blueprint to close the security and safety gaps in the automotive software industry - Capgemini Engineering United States.

  • Non-user connections: Yes, 100%. Ziti is built to work with any connection type (e.g., client-server, server-server, client-client, machine-whatever etc). This is because (1) Ziti has its system of embedded identity and thus does not depend on the overlay or have issues with either side connecting as its outbound (e.g., no issue overlapping IPs, need for port forward, NAT etc) and (2) has no concept of client/server… within Ziti there are only endpoints and services and you can configure your policies to enable access to anything (while being closed-by-default).

  • What is the enforcement policy used on edge routers: Depends on how you are asking the question, but, Ziti by default requires EVERYTHING to go through the process of bootstrapping trust - Bootstrapping Trust Part 1 (5 part blog). If you have not, you cannot exist on the overlay whether part of the edge or data plane. This provides the overlay component with strong identity (x509, via JWT etc) and initial authentication. Additional authorisation is done via policy and posture checks. For the former, the admin needs to define that endpoints and edge routers can communicate for apths to be allowed, for the latter, the endpoint have multiple posture checks which can be turned on incl. MFA TOTP, OS check, process check, domain join and device MAC - Posture Checks OpenZiti.

  • How does the HSM capabilities function: Depends on the definition of the question… a lot of my above points have covered Ziti’s built-in CA/PKI and its ability to work with external providers… am I missing some nuance / other question? Please clarify.

  • Can clientless communication be done: No, explicitly by design, it cannot. Ziti takes ZTNA to its logical conclusion of authenticate-before-connect. Unless you have an endpoint, with a bootstrapped identity, with requisite policy and authorisation, you are not given intercept information by the control plane and thus cannot have traffic intercepted to reach the destination. However, we have though through the chicken/egg conundrum of, ‘what if I want to give access to someone without them loading an agent on their device’. This provides several options, 2 immediately come to mind:

    • (1) App embedded: You can use Ziti SDKs to embed private connectivity into an application which runs in process space. An end user uses the app and they have no idea its embedded with private networking and the server/API is ‘dark’ with no inbound ports or public DNS.

    • (2) BrowZer: We created this capability to provide users with a public SaaS app experience while ensuring the app stays in a private IP address space with no inbound ports. We achieve this by injecting some Javascript, WASM and an x509 into their browser (without them realising) if they can authenticate against an IDP - Introducing OpenZiti BrowZer. BrowZer is beta atm, we are doing testing with some selected partners.

  • Data flow between routers and controller: It does not have to be constant but it is via talking to the controller that the routers are given policy changes. Why would you not want it to be constant?

User:

Hello Phillip

Thanks for your response. this is all great information

The actual use case is kind of hard to describe but essentially we will be taking data from various sensors, IOT devices, servers. Most of the time it will be machine/machine or machine/senor but there will be the occasional human. It is going to a huge multiple site solution with mostly no human interaction with makes this a challenge

Its great that the routers don’t have to be in constant communication as that is one of our huge problems we have been dealing with

I also have more questions below:

  1. How is identity management handled can this work with an AD

  2. Do you guys integrate with pfsense or other FW solutions

  3. I think by clientless communication I am talking about IOT devices that have no way to change what is installed can we get them onto the network in a way that protects the information in transit this is also a huge sticking point.

I would love to setup a one on one with you to discuss more and then expand to our full team

Philip

Thanks for the feedback. To your questions:

  • (1) Yes, it’s just a question of whether it’s seamless today. For example. with CloudZiti, we have already made Azure/Microsoft AD an automatic integration via API. It’s not out of the box with OpenZiti today in the same way.

  • (2) integrate… it depends on the definition. I am not overly familiar with the tech, but I note we were broadly discussing this topic in a Reddit recently - https://www.reddit.com/r/openziti/comments/108hmjx/opnsensepfsense_integration/ - so my question would refine to, what are the specific FW solutions and what OS do they run?

  • (3) completely clientless will not give you E2E to the endpoint (so you have some trust in the local network) but it much better than a traditional VPN. We had a large IoT use case recently in discourse (How do I create a service that connects to a Subnet via a router instead of just a single host? - #12 by TheLumberjack), it may be similar to your use case (if not, interesting to know how its not). Ultimately, if the IoT device can load a tunnel, or is Linux and can run an executable its easy to bring onto the overlay. Otherwise, we need to use an Edge Router type deployment and know there is a segment of untrusted connection (ideally, 1-1 plug in with a Hardware-Based Zero Trust Supplicant (HBZTS) but possibly operating on the whole network.