Zero Trust network using ScaleFT (No More VPN)

What does Zero Trust network mean?

Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeter, and instead must verify anything and everything trying to connect to their systems before granting access.

“The strategy around Zero Trust is don’t trust anyone. We’re talking about, ‘Let’s cut off all access until the network knows who you are. Don’t allow access to IP addresses, machines, etc. until you know who that user is and whether they’re authorized,’” says Charlie Gero, CTO of Enterprise and Advanced Projects Group at Akamai Technologies in Cambridge, Mass.

What is ScaleFT?

  • ScaleFT provides a Zero Trust network solution out of the box.
  • It offers two products: Server Access and Web Access.
  • ScaleFT can be used to secure access to web applications, enabling centralized management and immediate enforcement of authorization policy.

ScaleFT Server access — SSH or RDP?

For SSH or RDP access to a server, two components are needed: the ScaleFT Agent (on the target host) and the ScaleFT Client (on the user’s machine).

Note: This blog assumes that the ScaleFT account, the team and the cloud-account link are already set up.


  • The ScaleFT Agent must be installed on the target host (the machine you want to SSH into), so that access is granted only to users who are authorized.
  • The Agent provides certificate-based authentication (short-lived client certificates instead of static SSH keys), user account management, and auditing of access events.
# Run these commands to set up the ScaleFT server tools on Debian/Ubuntu.
# The repository URL and the signing-key URL were dropped from this page;
# copy both from ScaleFT's installation docs (shown here as placeholders).

# Add the ScaleFT apt repo to your /etc/apt/sources.list system config file.
echo "deb <SCALEFT_APT_REPO_URL> linux main" | sudo tee -a /etc/apt/sources.list

# Trust the repository signing key. Compare its fingerprint with the one in
# ScaleFT's docs before trusting it. (apt-key is deprecated on recent
# Debian/Ubuntu; there, put the key under /etc/apt/keyrings and reference it
# with signed-by= in the repo line instead.)
curl -fsSL <SCALEFT_SIGNING_KEY_URL> | sudo apt-key add -

sudo apt-get update

sudo apt-get install scaleft-server-tools

Don’t forget to allow inbound TCP port 22 on the target host (firewall and security group) so SSH can reach it; open it only to the bastion or to the addresses you actually connect from, not to the whole internet.


Bastion Host setup with ScaleFT — Best practice

  • Best practice is to have zero machines exposing any port to the internet other than port 22 on the bastion; application hosts get no public IP at all.
  • The bastion host is used to SSH onward to machines that have no public IP.
  • The bastion host is the one publicly accessible machine, and it has only port 22 open to the world for SSH connections.
  • Keep a close eye on the bastion host: because it is publicly accessible it will be a target for attackers, so keep it minimal, patch it promptly and review its access logs.
(Figure: Bastion host setup for SSH connection)

ScaleFT Web access?

ScaleFT can be used to secure access to web applications using Access Fabric.

Access Fabric is a distributed proxy which uses ScaleFT’s authorization engine to enforce zero trust principles.

See ScaleFT’s documentation for more details on deploying a web application behind Access Fabric.

Access Fabric authentication under the hood:

  • The user types the application URL into the browser; that URL resolves to Access Fabric.
  • Access Fabric will, if necessary, require the user to authenticate against their team’s configured identity provider.
  • Access Fabric confirms with ScaleFT’s authorization engine that the user, the client device and the user’s authentication session comply with any policies applied to the application being accessed.
  • Access Fabric forwards the request to the underlying application, with a custom header confirming the user’s identity.
  • At the web application level, you have to validate this header: a request that merely carries the header proves nothing unless the application checks that it really came from Access Fabric.
  • Ways to validate this header are described in ScaleFT’s documentation.

Nginx Setup with Access Fabric!

  • This use case sets up a web application behind Access Fabric using Nginx.
  • Set up an Nginx server that is publicly accessible in front of the private web application.
  • Configure the Access Fabric application so that it forwards to your Nginx server.
  • Set up a CNAME record that points your domain to the Access Fabric URL generated by ScaleFT.
  • Configure the Nginx server as a reverse proxy that points to the internal web application load balancer.
  • Configure Nginx to accept traffic only on port 443 and to require the Access Fabric authentication headers, using the configuration shown in the figure below.
(Figure: Nginx Setup with Access Fabric)
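As an added example (not the original post’s configuration), here is an Nginx server block that only listens on 443, proxies to the internal load balancer and refuses requests that did not arrive with the Access Fabric identity header. Assumptions that are not from the post: the identity header is named Authenticated-User-JWT, the internal load balancer is internal-lb.example.internal, the certificates sit under /etc/nginx/tls/, and 203.0.113.0/24 is a placeholder for Access Fabric’s egress range.

```nginx
# Added example; not the post's own config. Header name, hostnames, paths and
# the 203.0.113.0/24 range are assumptions: take the real values from the
# Access Fabric docs and your environment.

# Deliberately no "listen 80" server: only 443 is exposed.
server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/nginx/tls/app.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Preferably only Access Fabric can reach this listener at all. The
    # range below is a placeholder; use ScaleFT's published egress addresses.
    # allow 203.0.113.0/24;
    # deny  all;

    # Access Fabric always sets the identity header; a direct visitor normally
    # does not. nginx exposes "Authenticated-User-JWT" as
    # $http_authenticated_user_jwt. This is a sanity check, not authentication:
    # anyone who can reach nginx directly can add the header themselves.
    if ($http_authenticated_user_jwt = "") {
        return 403;
    }

    location / {
        # Internal load balancer in front of the private web application.
        proxy_pass http://internal-lb.example.internal;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Client headers, including Authenticated-User-JWT, are forwarded to
        # the application unchanged so it can verify the JWT itself.
    }
}
```

Because Nginx here is publicly reachable, the missing-header check alone does not stop someone from forging the header and talking to Nginx directly. Either restrict the listener to Access Fabric’s source addresses (the allow/deny lines) or, better, have the application verify the JWT’s signature and audience as the Access Fabric documentation describes; trusting the header value without one of those checks turns the proxy into an authentication bypass.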

A bug that cost a couple of thousand USD: the AWS Rusoto AssumeRole throttling bug

I found a bug in Rusoto; it’s the best, and maybe the only, AWS SDK for the Rust programming language. It was painful and irritating, but the feeling I had when the bug was confirmed as an actual bug was amazing!

What happened?

I was developing a Kinesis Consumer Client Library (KCL) in Rust, and suddenly, after a month, the AWS CloudTrail bill increased by a couple of thousand USD. What the fuck happened? It’s AssumeRole for my KCL!!

The bug in a nutshell: the AssumeRole API was being called about 1 million times per hour instead of once (as it should be, since the session it returns lasts an hour).

Bug Effect

  1. It was a multi-account AWS setup.
  2. The KCL ran in account A, while the Kinesis stream itself lived in account B.
  3. AssumeRole is the cross-account authentication step: to use a service in another account you first call AssumeRole and receive temporary credentials for a role in that account.
  4. An AssumeRole session lasts 1 hour by default; a role’s maximum session duration can be raised to 12 hours through the role’s MaxSessionDuration setting (role chaining stays capped at 1 hour).
  5. You use those temporary credentials for every API call into the other account, and call AssumeRole again only once the session has expired. This is exactly where the Rusoto bug was (see the Rusoto issue).
  6. Instead, an AssumeRole request was happening alongside every other request (~17,000 per minute).
  7. That is ~1M AssumeRole requests per hour, when it should have been a single request.
  8. This hit AWS’s rate limit on the AssumeRole API, and the calls were throttled.
  9. Every AssumeRole call, throttled or not, is recorded as a CloudTrail event, so the event volume exploded.
  10. The extra CloudTrail events are what drove up the bill.

Bug Details

  1. The session_duration parameter is not used for caching: the provider does not keep track of when the session expires.
  2. This causes:
     • A huge performance issue, because every call becomes 2 requests instead of 1 (your API request plus an AssumeRole request).
     • Throttling of the AssumeRole API under high load, which costs more money if CloudTrail is enabled.
  3. The session is valid for one hour, so it should be reused until it expires.

Example: the Kinesis GetRecords call triggered a fresh AssumeRole call on every request instead of reusing the cached session.

The solution is really simple, and it’s a one-line change: wrap the StsAssumeRoleSessionCredentialsProvider in rusoto_credential::AutoRefreshingProvider, which caches the session and only calls AssumeRole again when it has expired.
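To make the bug and the fix concrete, here is an added example that is not Rusoto’s code: the names Sts, AssumeRoleEachTime and AutoRefreshing are hypothetical stand-ins for the STS client, the buggy per-request behaviour and a caching provider in the spirit of rusoto_credential::AutoRefreshingProvider. It counts how many AssumeRole calls each provider generates for the ~17,000 requests per minute mentioned above, using a fake clock so that it runs offline and deterministically.

```rust
// Added example, not Rusoto's code. `Sts` is a fake STS endpoint whose every
// assume_role() call stands for one billable, rate-limited API call; time is
// a plain u64 of seconds so the simulation is deterministic.
use std::cell::{Cell, RefCell};

/// Temporary credentials as AssumeRole returns them: a token plus the
/// absolute time (seconds) at which the session expires.
#[derive(Clone, Debug)]
pub struct Credentials {
    pub session_token: String,
    pub expires_at: u64,
}

/// Fake STS: counts AssumeRole calls and hands out sessions that last
/// `session_duration_secs` (1 hour by default on AWS).
pub struct Sts {
    calls: Cell<u64>,
    session_duration_secs: u64,
}

impl Sts {
    pub fn new(session_duration_secs: u64) -> Sts {
        Sts { calls: Cell::new(0), session_duration_secs }
    }
    pub fn assume_role(&self, now: u64) -> Credentials {
        let n = self.calls.get() + 1;
        self.calls.set(n);
        Credentials { session_token: format!("token-{}", n), expires_at: now + self.session_duration_secs }
    }
    pub fn calls(&self) -> u64 { self.calls.get() }
    pub fn reset(&self) { self.calls.set(0) }
}

pub trait ProvideCredentials {
    fn credentials(&self, now: u64) -> Credentials;
}

/// The buggy behaviour: AssumeRole on every single request, ignoring the
/// session duration entirely.
pub struct AssumeRoleEachTime<'a> { pub sts: &'a Sts }

impl ProvideCredentials for AssumeRoleEachTime<'_> {
    fn credentials(&self, now: u64) -> Credentials { self.sts.assume_role(now) }
}

/// The fix: cache the session and re-assume only when it is about to expire.
/// `refresh_margin_secs` refreshes a little early so a request that starts
/// with a valid token does not fail mid-flight with an expired one.
pub struct AutoRefreshing<'a> {
    sts: &'a Sts,
    cached: RefCell<Option<Credentials>>,
    refresh_margin_secs: u64,
}

impl<'a> AutoRefreshing<'a> {
    pub fn new(sts: &'a Sts, refresh_margin_secs: u64) -> AutoRefreshing<'a> {
        AutoRefreshing { sts, cached: RefCell::new(None), refresh_margin_secs }
    }
}

impl ProvideCredentials for AutoRefreshing<'_> {
    fn credentials(&self, now: u64) -> Credentials {
        let mut slot = self.cached.borrow_mut();
        if let Some(c) = slot.as_ref() {
            if now + self.refresh_margin_secs < c.expires_at {
                return c.clone(); // still valid: no STS call
            }
        }
        let fresh = self.sts.assume_role(now); // expired or never fetched
        *slot = Some(fresh.clone());
        fresh
    }
}

/// Simulate `requests_per_minute` GetRecords-style calls per minute for
/// `minutes` minutes and return how many AssumeRole calls `provider` caused.
pub fn assume_role_calls<P: ProvideCredentials>(
    sts: &Sts, provider: &P, requests_per_minute: u64, minutes: u64,
) -> u64 {
    sts.reset();
    for minute in 0..minutes {
        for i in 0..requests_per_minute {
            let now = minute * 60 + i * 60 / requests_per_minute;
            let _creds = provider.credentials(now); // would sign the API call
        }
    }
    sts.calls()
}

fn main() {
    let sts = Sts::new(3600);
    let buggy = AssumeRoleEachTime { sts: &sts };
    println!("buggy : {} AssumeRole calls in one hour", assume_role_calls(&sts, &buggy, 17_000, 60));
    let fixed = AutoRefreshing::new(&sts, 60);
    println!("cached: {} AssumeRole calls in one hour", assume_role_calls(&sts, &fixed, 17_000, 60));
}
```

Running it shows 1,020,000 AssumeRole calls per hour for the per-request provider against 2 for the caching one with a 60-second refresh margin (1 with no margin). The margin is this example’s own choice; check the rusoto_credential docs for the exact refresh policy of the real AutoRefreshingProvider.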

Post Mortem

I struggled a lot in convincing myself that the bug is in Rusoto: it’s the best SDK out there, they can’t have such a bug, and if they do I won’t be the first to find it. No way!

Also, because I’m a newbie in Rust, it was very hard to debug the code as it’s really complicated.

This was a mistake; I would have saved a lot of time and effort if this hadn’t been my mindset.

Have faith in yourself!