NetFoundry’s CloudZiti Zero Trust overlay for secure log collection and management of SIEM / SOAR platforms

NetFoundry Platform Architecture

Introduction

SIEM (Security Information and Event Management) and SOAR (Security Operations and Response) platforms provide a centralized solution for security event management and analysis, enabling organizations to collect and analyze security event data from various sources to detect and respond to potential security threats. They typically include log management, event correlation, and alerting capabilities, among others.

Log management is a critical component of a SIEM solution. SIEM solutions collect, analyze, store, archive logs and events from various sources in an organization's IT infrastructure, such as firewalls, servers, endpoints, and applications for use in incident investigation, forensic analysis, and compliance reporting.

Why SIEM / SOAR platforms, agents, and collectors should not be on the internet using HTTPS or VPNs

While collecting logs from data sources and sending data from the log collector to the platform, SIEM / SOAR platforms can be subject to any of the following cyber security attacks

  1. Log tampering: Attackers can attempt to modify or delete log data to cover their tracks and avoid detection. This can be done by compromising log collectors or using malware to modify logs before they are forwarded to the SIEM platform.

  2. Credential theft: Attackers can target SIEM systems to steal administrative credentials or other sensitive information, allowing them to gain unauthorized access to the system and potentially compromise its data.

  3. Denial-of-service (DoS) attacks: Attackers can attempt to overwhelm the SIEM platform with a flood of traffic, causing it to become unavailable and hindering its ability to detect and respond to security incidents.

  4. SQL injection attacks: Attackers can attempt to inject malicious code into the SIEM platform's database, allowing them to steal sensitive data or modify system settings.

  5. Malware attacks: Attackers can target SIEM systems with malware designed to exploit vulnerabilities and gain unauthorized access to the system, steal data, or disrupt its operations.

  6. Evasion techniques: Attackers can use various techniques to evade detection by SIEM systems, such as using obfuscation techniques to hide malicious activity or leveraging zero-day vulnerabilities to bypass detection.

Adding multiple layers of security to try and prevent the attacks is the only option available with the traditional model of network security with HTTPS or VPNs.

NetFoundry's CloudZiti, a Zero trust Managed NaaS platform is built on OpenZiti. OpenZiti is a free and open-source project focused on bringing zero-trust networking principles directly into any application.

CloudZiti proposes to change this model by making the network dark from the internet and removing the need to open ports inbound anywhere added with the best available technologies like mTLS for link security, Poly 1305 Cha Cha 20 for E2E security, micro-segmentation, authentication before connection via separate data and control channels( powered by SDN), etc.

The following document explains the security layers of Ziti in detail. 

The traditional IPsec VPN and internet-based HTTPS log forwarding are vulnerable to attacks listening to traffic on open IPs & ports and are breached constantly by sophisticated cyberattacks. VPNs are also clunky for user experience and can have high operational overhead and total cost of ownership (TCO)

CloudZiti’s unique Secure-by-Default architecture provides private, zero-trust connectivity

  • Between SIEM or SOAR platform at the enterprise or MSSPs and data sources & log collectors
  • For administrators and power users of the platform to have secure, private access to the management console

This article will guide you on the steps to establish

  • Zero Trust Private connection between Log agents and SIEM system for collecting and forwarding log data from the various data sources to the SIEM system. The same can be replicated for a log collector deployed at an enterprise DC or cloud that may be applicable in any SIEM solution.
  • Zero Trust Private access to the SIEM management console

The guide can also be used with deploying a self-hosted Zero-Trust NaaS platform with OpenZiti.

In our Lab setup, we have considered an open-source security platform Wazuh, that offers unified XDR and SIEM protection for endpoints and cloud workloads. The Wazuh indexer, Wazuh server, and Wazuh dashboard are hosted in AWS Singapore. The Wazuh agents shall be deployed across laptops, desktops, servers, and Azure cloud instances.

NetFoundry's customers such as delta secure and Ohka Systems have integrated our solution as part of their SIEM offering. 

  • This Case study covers how Ohka, a SOCaaS provider upgraded their ZeroTrust framework with CloudZiti, by establishing private, zero-trust connectivity between Ohka and their customer's application and systems(server-to-server) as well as between Ohka and its customer's users(client-to-server).
  • In this customer spotlight session with DeltaSecure, CEO Dominic, shares insights on how they use OpenZiti’s Zero Trust overlay to ensure secure logging to their SOC and prevent data leaks for SIEM / SOAR integrations. 

Pre-requisites

1. The edge routers and endpoints need to reach the CloudZiti controller and CloudZiti-hosted edge routers for registration and operation. Please make sure to have the required ports, IPs, and URLs reachable in the outbound towards the internet if you have firewall ACL policies.

2. CloudZiti traffic should be bypassed from proxy or any deep packet inspection in between since it involves mTLS and E2E encryption. 

The guide has the required details. 

https://support.netfoundry.io/hc/en-us/articles/4402361752717-Firewall-Requirements

Architecture overview

MSOC1.png

Step 1:  Create a network

The options in a Teams / Growth plan may vary. Refer to the support guide on creating a network on a Teams / Growth account. Teams plan is free for up to 10 endpoints with no credit card needed

For Enterprise accounts, follow the below steps:

  • Log in to your CloudZiti Console at https://nfconsole.io/.
  • Once logged in, you will be prompted to create your network.
  • Give your network a name.
  • Select the region where you would like to host your network (controller)
  • Hit Create My Network to commence the provisioning of your network.
  • It will take approximately 5-10 minutes for the network provisioning to complete. Once your network is ready, you will see the spinning globe icon turning green.

For additional information or assistance please see our Support Hub article Product v7-Create and Manage Networks.

Step 2: Provision CloudZiti-hosted Edge routers to build the fabric

CloudZiti-hosted Edge Routers provide data transport as part of the fabric for endpoints and customer edge routers to dial to the fabric.  At least one publicly accessible Edge Router is required for endpoints and edge routers to create a fabric. Having a min of two hosted ERs is a best practice for redundancy and smart routing. 

  • From your Network Dashboard page, navigate to Edge Routers.
  • Under the Edge Routers tab, click on the + sign at the upper right to add an edge router.
  • Give your edge router a name.
  • Give your edge router a router attribute (optional). Router attributes are tags applied to a router. The same tag can be applied to other edge routers to form a group of NetFoundry-hosted Edge Routers.
  • Select NetFoundry Hosted as your hosting type, and choose the Data Center region strategic to Cloud Resources.
  • Hit Create to commence the provisioning of your edge router.
  • Once your edge router is registered, it will start accepting outbound fabric connections from a private edge router or endpoints.

See more details here - https://support.netfoundry.io/hc/en-us/articles/360044956032-Create-and-Manage-Edge-Routers on the NetFoundry Support Hub.

For this lab demonstration, we have created hosted edge routers at OCI Singapore and AWS Mumbai. The "Teams or growth" plans may provide limited options for cloud providers to host CloudZiti-hosted routers. Teams plan is free for up to 10 endpoints with no credit card needed.

Step 3: Deploy Wazuh Platform components in AWS

Refer to Wazuh architecture and Wazuh documentation for the deployment of Wazuh Platform components.

Step 4: Create the customer edge router for hosting the Wazuh services

Customer self-hosted Edge Routers (CERs) act as egress routers for endpoints / other CERs to reach the services terminated on the CER endpoint.

For this lab demonstration, we have set up the customer edge router at AWS Singapore where the Wazuh Platform components reside.

Create and Register Customer Edge Router

  • From your Network Dashboard page, navigate to Edge Routers.
  • Under the Edge Routers tab, click on the + sign at the upper right to add an edge router.
  • Give your edge router a name.
  • Give your edge router a router attribute (optional). Router attributes are tags applied to a router. The same tag can be applied to other edge routers to form a collection of Customer-hosted Edge Routers. This attribute can be used for provisioning APPWANs.
  • Select Customer Hosted as your hosting type.
  • Hit Create to complete the process.
  • A new customer-hosted edge router would be created with the registration key. This registration key is required to register the edge router to the network.
  • Download the JWT registration token.

Use the below deployment guides to provision a Customer-hosted Edge Router into your AWS / Azure/ GCP/ OCI.

https://support.netfoundry.io/hc/en-us/articles/5701001893133-Deployment-guides-for-provisioning-customer-edge-routers-in-public-clouds

Use the deployment guide below to provision a Customer-hosted Edge Router in a private cloud.

https://support.netfoundry.io/hc/en-us/articles/5700949793293-Deployment-guides-for-provisioning-customer-edge-routers-in-a-private-cloud

See more details here - https://support.netfoundry.io/hc/en-us/articles/360044956032-Create-and-Manage-Edge-Routers on the NetFoundry Support Hub.

Step 5: Deploy Ziti endpoints for Wazuh agents

The Wazuh agent which is installed and run on the end user devices, application servers, etc to be monitored communicates with the Wazuh server, sending data in near real-time. Refer Wazuh agent installation guide for more details.

Ziti Endpoints - the lightweight agents built on our Ziti SDKs, are installed on the devices or on application servers, etc where Wazuh agents run. Ziti endpoints are enrolled to the CloudZiti network using the registration process via one-time use secure JWT,

The Ziti endpoints enable you to easily extend your network to any app, host, or cloud to establish a Zero Trust Private connection between Wazuh Log agents [data source] and the SIEM system for collecting and forwarding log data from the various data sources to the SIEM system.

For additional information or assistance please see our Endpoints section on the NetFoundry Support Hub. Ensure that Co-existing solutions[e.g. Zscaler policies] are not blocking the Ziti endpoints from accessing the services.

To embed CloudZiti zero trust networking directly into your app for agent-less deployments, use our Ziti SDKs.

NetFoundry and our customers have been working together on the journey of application-embedded zero-trust networking that is the most secure of all the zero-trust network models.

Here are some of the many examples of how CloudZiti can secure networks for apps and workloads:

Read more at NetFoundry For developers

Step 6: Create service, APPWAN & ER- Policy

A) Service

The service definition provides the details of what device, or devices) will be utilized to provide access to services, either on the device(Zero Trust Client SDK Application) or on the network connected to the device (via its LAN, for example).  The service also defines how the endpoints acting as clients to the service will access the service.  Also, the service hosting details are provided.

  • From your Network Dashboard page, navigate to Services.
  • Under the Services tab, click on the + sign at the upper right to add a service.
  • Choose the type of your service. Clicking on Advanced Services allows you to create services with IP/Port ranges.  
  • Select Advanced Service as the service type and give the service a name. Give your service a service attribute (optional). Service Attributes are tags applied to a service. The same tag can be applied to other services to form a group of services.
  • In the Edge Router Attributes field, specify the public ( ex NF Hosted) edge routers participating in this service. If all edge routers are participating in this service, then leave this field blank. 
  • The Client intercept configuration is the section used to denote how the Client Endpoints that will be utilizing this service need to access it. There can be a hostname or IP Address or IP subnet specified, along with the application port numbers or port ranges. Multiple individual ports or port ranges can be configured. The hostname can be any contrived hostname to be utilized by the Client user.  The protocol - TCP or UDP or both may be allowed.
  • The Destination Configuration is used to configure the terminating endpoints and the destination details if forwarding is disabled. Select one or more endpoints to host the service by the individual endpoint names or endpoint group attributes. Select protocol/address/port forwarding if the destination is reachable on the same hostname/IP/protocol/port or port range as in the client intercept configuration.
  • If the destination IP / hostname/port is different from the client configuration, you can disable forwarding of IP / hostname or port or protocol and provide the details. The CloudZiti local DNS will resolve the client configuration to the destination configuration. Ensure that the application/ destination is reachable on the IP/port/ port range/protocol as specified in the destination configuration.

  • Hit Create to complete the process.

Service for the Wazuh agent connection, and enrollment with the Wazuh server at AWS

Service for the Wazuh dashboard at AWS

For additional information or assistance please see our Support Hub article Create and Manage Services.

B) APPWAN

The AppWAN defines the services that can be accessed by one or more client endpoints.

  • From your Network Dashboard page, navigate to AppWANs.
  • Under the AppWANs tab, click on the + sign at the upper right to add an AppWAN.
  • Give your AppWAN a name.
  • In the Service Attributes field, specify the services or service attributes to be associated with this AppWAN.
  • In the Endpoint Attributes field, specify the endpoints or endpoint attributes to be associated with this policy.
  • Click Create to complete the process.

Note: The use of the endpoint/service attribute will select all endpoints/services having that specific attribute. The @ symbol is used to tag Individual endpoints/services and the # symbol is used to tag a group of endpoints/services/edge routers.

APPWAN for enabling the Wazuh agent to connect and enroll with the Wazuh server at AWS

APPWAN to enable HTTPS access to the Wazuh dashboard at AWS

For additional information or assistance please see our Support Hub article Create and Manage AppWANs.

C) ER-Policy: 

Edge Router Policies - Defines specific Edge Routers for specific Endpoints (can be used for Network Transport segregation/optimization).

  • From your Network Dashboard page, navigate to Edge Routers.
  • Under the Edge Routers Policies tab, click on the + sign at the upper right to add a policy. An Edge Router Policy allows a specific endpoint or group of endpoints to have access to a specific edge router or group of edge routers.
  • Give your edge router policy a name.
  • In the Edge Router Attributes field, specify the edge routers to be associated with this policy. The use of the edge router attribute will select all edge routers having that specific attribute.
  • In the Endpoint Attributes field, specify the endpoints to be associated with this policy. The use of an endpoint attribute will select all endpoints having that specific attribute.
  • Hit Create to complete the process.

To know more about Edge Routers Policies go to the Create and Manage Edge Router Policies article on the NetFoundry Support Hub.

Step 7: Access your services

Wazuh dashboard at AWS is being accessed over the CloudZiti network via a private hostname that is not reachable via the public internet

Wazuh agents are enrolled and connected with the Wazuh server at AWS over the CloudZiti network

The Wazuh indexer, Wazuh server, and Wazuh dashboard are completely dark to the internet. The Wazuh agents communicate with the Wazuh server, sending data in near real-time via the CloudZiti Zero Trust NaaS platform.

The Wazuh dashboard is accessed via a private hostname that is not reachable via the public internet.

The Wazuh Platform components are therefore dark to the outside world and reachable only within the CloudZiti network.

 

Was this article helpful?
3 out of 3 found this helpful

Comments

0 comments

Please sign in to leave a comment.