VM Pass through

I have Ziti on my Windows laptop. I use it to SSH to a host that I would normally have to be connected to a VPN for. As a test, I have Kali in a NAT'd VM, and it can SSH to the host, as I would on the Windows laptop. Is there a way to set it up so that even NAT'd VMs on the box can't access the same things the native host OS can get to over Ziti? (I'm not using any Ziti components in the Kali VM; it's all passed over the host OS Ziti connection.)

Hi Chris, welcome to the Ziti community. You could do app-level Ziti (what we label as ZTAA) such that your host (or VM) doesn’t have access to anything by default. You then use app-level Zitifications on an app by app basis.

In your example SSH:

Other examples:

Illustration:

A related article you may find helpful: Zitifying SSH

Ok, but what about other services? Let's say I use it so I can use RDP from my host OS, and I don't want the guest VM to have the ability to tunnel over my host OS Ziti?

I'm not entirely sure I understand the situation, but I think you're saying that your VMs have access to the host OS network because you've NAT'ed them and you'd like to not do that? Assuming I have that right, I personally like to set my VMs up in bridge mode, not NAT mode. It basically makes them just another machine on my home network. With the VM in bridge mode it gets its own IP address and doesn't get access to the host OS network stack. Is that what you're after? Then you can deploy ziti into the VM and provide access to windows from kali only through ziti.

Thanks TLJ, this was more of a thought experiment really. In this case I was fine with my VM being able to run over the tunnel. I'm a full-time pen tester, and an OSSTMM volunteer. I am writing a ZTA talk using the OSSTMM and plan to incorporate OpenZiti since 1. I love it and 2. it's OSS (as the OSSTMM is open source). I tend to go down the rabbit hole and this was one of them. Just forward thinking a "what if". And I like the idea of zssh, BUT what if I'm doing RDP etc.… so not an actual issue at the moment, just brainstorming. I have a lot more but I'll post separate thoughts on those. Thanks! Oh, PS: I use NAT because of work. (I know scans over VPN are STUPID but I have to work with what I have.) So in Meraki cases I need to connect to the VPN via Windows (host) and scan (via Linux VM). I'm trying to change that at work but that's a WHOLE other issue lol

1 Like

Your use case is actually quite interesting to me from an educational perspective. All too often some of the pushback about ZTHA (zero trust host access, running a zero trust tunneling app) is that it’s “safe enough” but you bring up a really good nuance that I don’t think I personally do a good job of highlighting - with a tunneler like this running, anything on the local machine is able to access the host/port provided by the tunneler.

And of course, as commented, application-embedded zero trust apps like zssh clearly can solve this problem, which is why it's so amazing since you won't need to run a tunneler, but it does require zero trust enabled apps.

1 Like