What does Zero Trust network mean?
Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters and instead must verify anything and everything trying to connect to their systems before granting access.
“The strategy around Zero Trust is don’t trust anyone. We’re talking about, ‘Let’s cut off all access until the network knows who you are. Don’t allow access to IP addresses, machines, etc. until you know who that user is and whether they’re authorized,’” says Charlie Gero, CTO of Enterprise and Advanced Projects Group at Akamai Technologies in Cambridge, Mass.
What is ScaleFT?
- ScaleFT provides a Zero Trust network solution out of the box.
- It offers two solutions: Server Access and Web Access.
- ScaleFT can be used to secure access to web applications, enabling centralized management and immediate enforcement of authorization policy.
ScaleFT Server access — SSH or RDP?
For server SSH or RDP access, two components are needed: the Agent and the Client.
Note: This blog assumes that the ScaleFT account, team and cloud account link are already set up.
- The ScaleFT Agent should be installed on the machine (the target host that users will SSH into) so that it can grant access only to those who are allowed to have it.
- It provides features related to certificate-based authentication, user account management, and auditing access events.
```shell
# Run these commands to set up ScaleFT on Linux.
# Add the ScaleFT apt repo to your /etc/apt/sources.list system config file.
echo "deb http://pkg.scaleft.com/deb linux main" | sudo tee -a /etc/apt/sources.list
# Trust the repository signing key.
curl -C - https://dist.scaleft.com/pki/scaleft_deb_key.asc | sudo apt-key add -
sudo apt-get update
sudo apt-get install scaleft-server-tools
```
Don’t forget to open port 22 on the target host machine to enable SSH.
- The ScaleFT Client should be installed on the client machine that will SSH to the target host.
- Install the ScaleFT client from https://www.scaleft.com/docs/client/
Bastion Host setup with ScaleFT — Best practice
- Best practice is to have ZERO machines with a public IP that expose any port other than 22 to the internet.
- A bastion host is used to SSH to machines that have no public IPs.
- A bastion host is a publicly accessible machine that has only port 22 open to the world, for SSH connections.
- Always keep an eye on the bastion host: because it is publicly accessible, it will be a target for attacks.
ScaleFT Web access?
ScaleFT can be used to secure access to web applications using Access Fabric.
Access Fabric is a distributed proxy which uses ScaleFT’s authorization engine to enforce zero trust principles.
Check this link https://www.scaleft.com/blog/how-to-deploy-a-beyondcorp-style-web-app-behind-the-scaleft-access-fabric/ for more details about deploying web application behind Access Fabric.
Access Fabric authentication under the hood:
- The user types xyz.com in the browser, where xyz.com is an Access Fabric URL.
- The Access Fabric will, if necessary, require the user to authenticate against their team’s configured identity provider.
- The Access Fabric confirms with ScaleFT’s authorization engine that the user, the client device and the user’s authentication session comply with any policies applied to the application being accessed.
- The Access Fabric forwards the request to the underlying application, with a custom header confirming the user’s identity.
- At the web application level, you have to validate this header; a request that reaches the application without passing through Access Fabric could otherwise carry a forged identity.
- Ways to validate the headers are described here: https://www.scaleft.com/docs/access-fabric-signed-headers/
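The validation step above, as an added example that is not ScaleFT’s code: the application checks the signature, audience and expiry of an identity header before trusting the name inside it, and rejects anything it cannot verify. The header layout (`base64url(payload).base64url(signature)`), the claim names and the demo key are assumptions for the example; HMAC-SHA256 stands in for the signature so it runs on the standard library alone (the real Access Fabric headers are verified as the linked docs describe).

```python
import base64, hashlib, hmac, json, time

# Constructed demo key: stands in for the Access Fabric signing key material
# you would obtain from ScaleFT. Never a real secret.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
EXPECTED_AUDIENCE = "xyz.com"  # the Access Fabric URL fronting the application

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_identity_header(claims, key=DEMO_KEY):
    """Build a header of the form base64url(payload).base64url(sig).
    Only the proxy would ever do this; it exists here to produce test input."""
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64url_encode(sig)

def verify_identity_header(header, key=DEMO_KEY, audience=EXPECTED_AUDIENCE, now=None):
    """Return the verified claims, or None if the header must not be trusted.
    Every request is checked: a caller that bypasses the proxy can set any header."""
    now = time.time() if now is None else now
    if not header or header.count(".") != 1:
        return None
    payload, sig = header.split(".")
    try:
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # constant-time comparison so the check does not leak timing information
        if not hmac.compare_digest(_b64url_decode(sig), expected):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):  # bad base64 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    # bind the header to this application and reject stale headers
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    if not claims.get("email"):
        return None
    return claims
```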
Nginx Setup with Access Fabric!
- This use case sets up a web application behind Access Fabric using Nginx.
- Set up a publicly accessible Nginx in front of the private web application.
- Set up the Access Fabric URL to redirect to your Nginx server.
- Set up a CNAME record that points your domain xyz.com to the Access Fabric URL generated by ScaleFT.
- Set up the Nginx server as a reverse proxy that points to the internal web application load balancer.
- Configure Nginx to accept traffic only on port 443, and to require the headers to be Access Fabric authenticated using https://github.com/ScaleFT/nginx_auth_accessfabric.