ZeroTier rules to limit freelancer access
-
I'm currently doing a POC on ZeroTier for my company to replace an aging Fortinet solution. I have ZeroTier set up on a couple servers and a couple test machines. So far everything is great and working well - at least until I started looking at flow rules. Here is the problem I'm looking to solve with a flow rule...
I have 50 Employees, 15 servers (server1 thru server15) and 10 Freelancers. The employees should be able to access all 15 servers. The freelancers should only be able to access servers 2-7. Can someone give me an idea of what the ruleset would look like? Thank you in advance.
-
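A flow ruleset that fits the question as posed, added here as an example; it is not from the thread and not copied from ZeroTier's own documentation. It assumes ZeroTier's rules language as used in the controller (tag definitions with `enum`/`default`, the `tand`/`txor` matchers comparing the tag values of the two endpoints bitwise, and the `ethertype` matcher); the tag names, tag ids 1000/1001 and the numeric values are my own choices, and the member-to-tag assignments are listed in the comments.

```text
# Added example (not from the thread). Assumes the ZeroTier rules language;
# tag ids and enum values are arbitrary choices.

# What a member is: a client (employee or freelancer machine) or a server.
tag kind
  id 1000
  enum 1 client
  enum 2 server
  default 1
;

# Server tiers as a bitmask. On a server it says which tier the server is in;
# on a client it says which tiers the client may reach.
#   bit 0 (1) = internal tier : server1, server8-server15
#   bit 1 (2) = shared tier   : server2-server7
#   3         = both
# Assign in the controller: employees 3, freelancers 2,
#                           server2-7 -> 3, server1 and server8-15 -> 1.
# default 0 means a member nobody tagged matches none of the accept rules.
tag tier
  id 1001
  enum 1 internal
  enum 2 shared
  enum 3 both
  default 0
;

# Only IPv4, ARP and IPv6 frames on the virtual wire.
drop
  not ethertype ipv4
  and not ethertype arp
  and not ethertype ipv6
;

# Server-to-server traffic stays open at this layer (2 & 2 = 2).
accept
  tand kind 2
;

# Client <-> server (1 ^ 2 = 3) when the client's allowed tiers overlap the
# server's tier, i.e. the bitwise AND of the tier tags is 1, 2 or 3.
accept
  txor kind 3
  and tand tier 1
;
accept
  txor kind 3
  and tand tier 2
;
accept
  txor kind 3
  and tand tier 3
;

# Everything else: client-to-client, untagged members, freelancer -> internal tier.
drop;
```

Worked through for the cases in the question: a freelancer (tier 2) to server1 (tier 1) gives 2 & 1 = 0, so no accept rule matches and the frame is dropped; the same freelancer to server5 (tier 3) gives 2 & 3 = 2 and is accepted; an employee (tier 3) reaches server1 (3 & 1 = 1) and server5 (3 & 3 = 3). Two things to note when applying it: the matchers are symmetric, so the reply direction passes the same rule, which matters because the rules are stateless; and client-to-client traffic (employee laptop to employee laptop) is dropped by this set, so add an `accept` for it if that is wanted. Because server-to-server is accepted here, the place to restrict lateral movement between servers is the OS firewall on each server, as discussed later in the thread.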
@SenseiWilliams said in ZeroTier rules to limit freelancer access:
I'm currently doing a POC on ZeroTier for my company to replace an aging Fortinet solution. I have ZeroTier set up on a couple servers and a couple test machines. So far everything is great and working well - at least until I started looking at flow rules. Here is the problem I'm looking to solve with a flow rule...
I have 50 Employees, 15 servers (server1 thru server15) and 10 Freelancers. The employees should be able to access all 15 servers. The freelancers should only be able to access servers 2-7. Can someone give me an idea of what the ruleset would look like? Thank you in advance.
This has nothing to do with ZeroTier.
Let's walk back. What do you mean by access to a server?
RDP? SSH?
Because once a user is in said server, via any secure method, you need to have a solution inside the network to prevent access to any other server from inside.
-
@JaredBusch said in ZeroTier rules to limit freelancer access:
Because once a user is in said server, via any secure method, you need to have a solution inside the network to prevent access to any other server from inside.
That makes sense.
However, that can be as simple as using each server's firewall to block RDP/SSH from everything but ZeroTier.
That prevents moving horizontally from one server to another.
That being said, I know little about ZeroTier. I would however also look at the Cloudflare Access solution. They have some very interesting solutions for managing users and access to internal resources. Some of them are free as well. I've been trying to give it a go but haven't had the time yet.
https://www.cloudflare.com/products/zero-trust/access/
-
@Pete-S said in ZeroTier rules to limit freelancer access:
@JaredBusch said in ZeroTier rules to limit freelancer access:
Because once a user is in said server, via any secure method, you need to have a solution inside the network to prevent access to any other server from inside.
That makes sense.
However, that can be as simple as using each server's firewall to block RDP/SSH from everything but ZeroTier.
That prevents moving horizontally from one server to another.
Again, after I've connected to SERVER5 via ZT, how do you prevent me from accessing SERVER1-4 and SERVER6-15 -- or any other internal resource, since the server I'm connecting to is already inside your network's main firewall?
-
@dafyre said in ZeroTier rules to limit freelancer access:
Again, after I've connected to SERVER5 via ZT, how do you prevent me from accessing SERVER1-4 and SERVER6-15 -- or any other internal resource, since the server I'm connecting to is already inside your network's main firewall?
I've never had a network where being inside the main firewall gave me access to anything. I've had customers with systems like that, but only because they chose a vendor that requires all security concepts be disabled.
By default, no business system design would be exposed through that system. Servers are not, nothing is, exposed simply by "existing on the network." Everything requires authentication and authorization, even for people on the LAN. Otherwise everyone with an Ethernet cable would have access to every file, database, backup, etc. The mayhem!
The main firewall is to make brute force and phishing attacks difficult if not impossible. That's all. Internal firewalls, application layer security and more are what control internal access.
I'm not implying that it is wrong to want to also provide security at the VPN / ZT layer. Only that it should be extra and that system to system access should never be a concern because if it is, there's a huge security hole needing to be addressed some other way.
-
@dafyre said in ZeroTier rules to limit freelancer access:
@Pete-S said in ZeroTier rules to limit freelancer access:
@JaredBusch said in ZeroTier rules to limit freelancer access:
Because once a user is in said server, via any secure method, you need to have a solution inside the network to prevent access to any other server from inside.
That makes sense.
However, that can be as simple as using each server's firewall to block RDP/SSH from everything but ZeroTier.
That prevents moving horizontally from one server to another.
Again, after I've connected to SERVER5 via ZT, how do you prevent me from accessing SERVER1-4 and SERVER6-15 -- or any other internal resource, since the server I'm connecting to is already inside your network's main firewall?
Let's call ZeroTier a VPN for simplicity and let's say we want to control SSH network access.
You prevent network access on SSH from SERVER1 to SERVER2 by setting the OS firewall on SERVER2 to only allow SSH from IPs on the VPN subnet.
That means you can reach each server's SSH port from the VPN, but not from anywhere else. So if you SSH into one server through the VPN, you can't SSH from there to the next server.
-
@Pete-S said in ZeroTier rules to limit freelancer access:
@dafyre said in ZeroTier rules to limit freelancer access:
@Pete-S said in ZeroTier rules to limit freelancer access:
@JaredBusch said in ZeroTier rules to limit freelancer access:
Because once a user is in said server, via any secure method, you need to have a solution inside the network to prevent access to any other server from inside.
That makes sense.
However, that can be as simple as using each server's firewall to block RDP/SSH from everything but ZeroTier.
That prevents moving horizontally from one server to another.
Again, after I've connected to SERVER5 via ZT, how do you prevent me from accessing SERVER1-4 and SERVER6-15 -- or any other internal resource, since the server I'm connecting to is already inside your network's main firewall?
Let's call ZeroTier a VPN for simplicity and let's say we want to control SSH network access.
You prevent network access on SSH from SERVER1 to SERVER2 by setting the OS firewall on SERVER2 to only allow SSH from IPs on the VPN subnet.
That means you can reach each server's SSH port from the VPN, but not from anywhere else. So if you SSH into one server through the VPN, you can't SSH from there to the next server.
Right, which is why I asked the OP to clarify what he meant by server access.
-
@JaredBusch said in ZeroTier rules to limit freelancer access:
@Pete-S said in ZeroTier rules to limit freelancer access:
@dafyre said in ZeroTier rules to limit freelancer access:
@Pete-S said in ZeroTier rules to limit freelancer access:
@JaredBusch said in ZeroTier rules to limit freelancer access:
Because once a user is in said server, via any secure method, you need to have a solution inside the network to prevent access to any other server from inside.
That makes sense.
However, that can be as simple as using each server's firewall to block RDP/SSH from everything but ZeroTier.
That prevents moving horizontally from one server to another.
Again, after I've connected to SERVER5 via ZT, how do you prevent me from accessing SERVER1-4 and SERVER6-15 -- or any other internal resource, since the server I'm connecting to is already inside your network's main firewall?
Let's call ZeroTier a VPN for simplicity and let's say we want to control SSH network access.
You prevent network access on SSH from SERVER1 to SERVER2 by setting the OS firewall on SERVER2 to only allow SSH from IPs on the VPN subnet.
That means you can reach each server's SSH port from the VPN, but not from anywhere else. So if you SSH into one server through the VPN, you can't SSH from there to the next server.
Right, which is why I asked the OP to clarify what he meant by server access.
Sure, I know why you asked. My reply was to @dafyre as an example of how you can limit traversing the network once you're "inside".
-
@Pete-S said in ZeroTier rules to limit freelancer access:
Let's call ZeroTier a VPN for simplicity
And... because it is
-
@Pete-S said in ZeroTier rules to limit freelancer access:
You prevent network access on SSH from SERVER1 to SERVER2 by setting the OS firewall on SERVER2 to only allow SSH from IPs on the VPN subnet.
That means you can reach each server's SSH port from the VPN, but not from anywhere else. So if you SSH into one server through the VPN, you can't SSH from there to the next server.
That might not work. Two problems that I can think of...
-
Each device is on the VPN and has a VPN IP address. So server-to-server communications can happen via VPN IPs. So it would potentially end up being allowed. ZT is specifically a VPN designed to be used for local, as well as distant, communications, so we expect even local server-to-server traffic to still traverse the VPN, just not the router.
-
There might be a need for other users to SSH between servers, or for the servers themselves to communicate over SSH. This isn't stated, so it is only a possibility. But we have to consider that we might be blocking more than requested if we get this behaviour to work.
-
-
@scottalanmiller said in ZeroTier rules to limit freelancer access:
@Pete-S said in ZeroTier rules to limit freelancer access:
You prevent network access on SSH from SERVER1 to SERVER2 by setting the OS firewall on SERVER2 to only allow SSH from IPs on the VPN subnet.
That means you can reach each server's SSH port from the VPN, but not from anywhere else. So if you SSH into one server through the VPN, you can't SSH from there to the next server.
That might not work. Two problems that I can think of...
-
Each device is on the VPN and has a VPN IP address. So server-to-server communications can happen via VPN IPs. So it would potentially end up being allowed. ZT is specifically a VPN designed to be used for local, as well as distant, communications, so we expect even local server-to-server traffic to still traverse the VPN, just not the router.
-
There might be a need for other users to SSH between servers, or for the servers themselves to communicate over SSH. This isn't stated, so it is only a possibility. But we have to consider that we might be blocking more than requested if we get this behaviour to work.
It's very easy to make it work. ZeroTier makes it slightly more complicated than a perimeter firewall with VPN because every server becomes dual-homed. So you have to firewall ZeroTier as well, or rely on the stateless ZeroTier flow rules.
Or you can just rely on authentication and authorization for every service and have no network segmentation. More risky but less work.
It's likely not SSH the OP is trying to do access control on, though. I just used it as an example.
-
-
@Pete-S said in ZeroTier rules to limit freelancer access:
Or you can just rely on authentication and authorization for every service and have no network segmentation. More risky but less work.
To me this is what makes more sense. I get the value is DOUBLE protection. But at a minimum this should be there first, ZT only as a completely additional layer of protection.
-
@scottalanmiller said in ZeroTier rules to limit freelancer access:
@Pete-S said in ZeroTier rules to limit freelancer access:
Or you can just rely on authentication and authorization for every service and have no network segmentation. More risky but less work.
To me this is what makes more sense. I get the value is DOUBLE protection. But at a minimum this should be there first, ZT only as a completely additional layer of protection.
I agree. Network access control and segmentation are just there to make it freakishly hard for malicious actors and software to traverse the network.