How to Zitify your SSH connection with NetFoundry ZSSH - ZERO TRUST SSH

INTRODUCTION

SSH is a security protocol that every developer and administrator utilizes for connectivity to computers and servers. It provides a secure shell for login from one computer to another.

SSH needs the SSHD port to be reachable before the authentication process can even begin, which requires the port to be exposed to the network and therefore to attack.

SSH also allows access via public key cryptography, meaning an administrator can log onto the machine and “add a key” to a file that grants a user access. After a user leaves the company or is no longer authorized to access a server, this key needs to be removed from the system in order to deny access to the machine.

ZSSH is a program that combines the Go-based Ziti SDK with the Go standard library to provide a new CLI (command-line interface) that lets developers and administrators use SSH/SCP over a Ziti network. The port used by SSH no longer has to be opened on the internet-facing firewall, so no network client can connect to it directly. In this configuration, the SSH process is effectively "dark".

The only way to SSH to a machine configured in this way is to have an identity authorized for that Ziti Network, through which the client securely connects to the SSH server (SSHD).

With ZSSH's continual authorization through policy checks, SSH access is made more secure: someone who should no longer be able to access the machine is denied at the Ziti network overlay layer, before ever reaching SSHD.


In our Lab setup, the ZSSH application running from a remote user machine will have Zero Trust secure SSH access to the Edge Router (running SSHD).

CREATE A NETWORK

The options in a Teams / Growth plan may vary. Refer to the support guide on creating a network on a Teams / Growth account. 

For Enterprise accounts, follow the below steps:

    • Log in to your NetFoundry Console at https://nfconsole.io/.
    • Once logged in, you will be prompted to create your network.
    • Give your network a name.
    • Hit Create My Network to commence the provisioning of your network.
    • It will take approximately 5-10 minutes for the network provisioning to complete. Once your network is ready, you will see the spinning globe icon turning green.


For additional information or assistance please see our Support Hub article Product v7-Create and Manage Networks.

CREATE EDGE ROUTERS

Provision NetFoundry-Hosted-Edge routers

At least one publicly accessible Edge Router is required for endpoints and edge routers to create a fabric. Having a minimum of two hosted ERs is a best practice for redundancy and smart routing.

  • From your Network Dashboard page, navigate to Edge Routers.
  • Under the Edge Routers tab, click on the + sign at the upper right to add an edge router.
  • Give your edge router a name.
  • Give your edge router a router attribute (optional). Router attributes are tags applied to a router. The same tag can be applied to other edge routers to form a group of NetFoundry-hosted Edge Routers.
  • Select NetFoundry Hosted as your hosting type, and choose the Data Center region best placed relative to your cloud resources.
  • Hit Create to commence the provisioning of your edge router.
  • Once your edge router is registered, it will start accepting outbound fabric connections from a private edge router or endpoints.

To learn more about Edge Routers go to the Create and Manage Edge Routers article on the NetFoundry Support Hub.

Provision a Customer-Hosted-Edge Router into your On-prem DC / AWS / Azure / OCI / any Public Cloud:

Customer self-hosted Edge Routers (CERs) act as egress routers for endpoints / other CERs to reach the services terminated on the CER endpoint.

Create and Register Customer Edge Router

  • From your Network Dashboard page, navigate to Edge Routers.
  • Under the Edge Routers tab, click on the + sign at the upper-right to add an edge router.
  • Give your edge router a name.
  • Give your edge router a router attribute (optional). Router attributes are tags applied to a router. The same tag can be applied to other edge routers to form a collection of Customer-hosted Edge Routers. This attribute can be used for provisioning APPWANs.
  • Select Customer Hosted as your hosting type.
  • Hit Create to complete the process.
  • A new customer-hosted edge router is created along with a registration key. This registration key is required to register the edge router to the network.
  • Copy your edge router registration key. You may also opt to save it as a JWT or a config file.


Create and Register CERs in a private cloud

Use the below deployment guides to provision a Customer-hosted Edge Router into a branch office or a private cloud.

https://support.netfoundry.io/hc/en-us/articles/5700949793293-Deployment-guides-for-provisioning-customer-edge-routers-in-a-private-cloud

Create and Register CERs on  AWS / Azure / OCI / any Public Cloud

Use the below deployment guides to provision a Customer-hosted Edge Router into your AWS / Azure/ GCP/ OCI.

https://support.netfoundry.io/hc/en-us/articles/5701001893133-Deployment-guides-for-provisioning-customer-edge-routers-in-public-clouds


Download ZSSH

  1. To download the binary, navigate to the following URL and select the link that is appropriate for your platform.

  2. Once you have downloaded the binary for your platform, set execute permission on the file and confirm that it runs. We have renamed the binary to “zssh” in our Lab.

Endpoint Creation

  • From your Network Dashboard page, navigate to Endpoints.
  • Under the Manage Endpoints tab, click on the + sign at the upper right to add an endpoint.
  • Give your endpoint a name.
  • Give your endpoint an endpoint attribute. Endpoint attributes are tags applied to an endpoint. The same tag can be applied to other endpoints to form a group of endpoints.
  • Hit Create to complete the process.
  • You may download your registration key in .jwt file format or scan the client registration key QR code.
  1. Enroll the ZSSH CLIENT using the JWT file obtained from the NetFoundry Console. Note the identity file that is created is JSON. This file is extremely important and should be held in a private/encrypted/secured location on the machine.

    • ./zssh enroll -j "path/to/enroll.jwt"

The ZSSH binary, using the produced IDENTITY, is now known to the network.

Creating an Edge Router Policy

Edge Router Policies - Defines specific Edge Routers for specific Endpoints (can be used for Network Transport segregation/optimization).

  • From your Network Dashboard page, navigate to Edge Routers.
  • Under the Edge Routers Policies tab, click on the + sign at the upper right to add a policy. An Edge Router Policy allows a specific endpoint or group of endpoints to have access to a specific edge router or group of edge routers.
  • Give your edge router policy a name.
  • In the Edge Router Attributes field, specify the edge routers to be associated with this policy. Use of edge router attribute will select all edge routers having that specific attribute.
  • In the Endpoint Attributes field, specify the endpoints to be associated with this policy. Use of endpoint attribute will select all endpoints having that specific attribute.
  • Hit Create to complete the process.

To know more about Edge Routers Policies go to the Create and Manage Edge Router Policies article on the NetFoundry Support Hub.

CREATING A SERVICE

The service definition provides the details of which device (or devices) will be used to provide access to services, either on the device itself (a Zero Trust Client SDK application) or on the network connected to the device (via its LAN, for example). The service also defines how the endpoints acting as clients to the service will access it, and it carries the service hosting details.

  • Ensure that POWER USER is ON for your user in the NetFoundry Console.


  • From your Network Dashboard page, navigate to Services.
  • Under the Services tab, click on the + sign at the upper right to add a service.
  • Select “Advanced Configuration”.
  • Enter Information

    1. Service Name: As desired.

    2. Service Attributes: As desired.

    3. Encrypt This Service: YES (ALWAYS!)

    4. Select Hosts For This Service: Find and select the GATEWAY created from PREREQUISITES.

      1. Note that in the example an attribute (#) applicable to the GATEWAY identity is used.

    5. Select the Edge Router Attributes Box: #all

    6. Select the HOST Config Box: host.v1 / NEW CONFIG

      1. Config Name: As desired.

      2. Code: {"port": 22,"address":"127.0.0.1","protocol":"tcp","listenOptions":{"bindUsingEdgeIdentity":true}}

        1. Breakdown of Code:

          1. port: port number: Instructs the SERVER endpoint to egress towards this port at the destination.

          2. address: IPv4 address or DNS-resolvable name: Instructs the SERVER endpoint to egress towards this destination.

          3. protocol: tcp or udp (lowercase, as in the Code above): Instructs the SERVER endpoint to egress packets with the selected protocol.

          4. listenOptions/bindUsingEdgeIdentity: true or false: How the CLIENT endpoint targets the SERVER endpoint. When true, the SERVER endpoint hosts the service under its own identity name, so a CLIENT can address that specific endpoint by name (the [SERVERNAME] used in the zssh command later in this article).

    7. Remove the INTERCEPT Config Box by clicking the red “X” in the top right corner of the box.

  • Select the “CREATE/UPDATE” button in the bottom right.


[NOTE] You will notice “127.0.0.1” in the “address” field of the Code section. This could also be a LAN-reachable server outside the localhost. We have chosen the localhost machine, i.e. the Edge Router, which has SSHD, so that it was not necessary to instantiate another machine with SSHD.

[NOTE] When creating an “Advanced Configuration” Service, the default screen presents both the “host.v1” and “intercept.v1” configuration boxes. When an SDK-embedded application (such as ZSSH) uses this service to connect to and receive data from the network, the “intercept.v1” config is not required and can be removed by selecting the “X” in the top right of the box. The same would be true for an SDK-embedded application that serves data to the network; in this case, however, the SSH SERVER does not have the SDK embedded in its code and therefore still requires the translation into IP performed by the ZITI Tunnel. Only one config is therefore required to create a valid Service definition: the “host.v1” config applicable to the ZITI Tunnel.
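The host.v1 config above is a small JSON document, and a mistake in it (a protocol string other than tcp/udp, a port outside the valid range, an address pasted with a URL scheme) is usually discovered only when the first connection fails. The following Python script is an added example written for this article, not NetFoundry or OpenZiti code: it checks the fields listed in the breakdown, classifies the address the hosting (SERVER) endpoint will egress to (loopback as in this lab, a private LAN address as the first note allows, or a public one), and summarizes what the config asks the tunneler to do. The field names are taken from the Code line above; the validation rules, the hostname pattern and the classification are this example's own assumptions, not a description of what the Console or the tunneler enforces.

```python
"""Check an OpenZiti host.v1 config before pasting it into the Console.

Added example for this article; not NetFoundry or OpenZiti code.
"""
from __future__ import annotations

import ipaddress
import json
import re

# The exact Code line from this article: SSHD on the Edge Router itself.
ARTICLE_CONFIG = '{"port": 22,"address":"127.0.0.1","protocol":"tcp","listenOptions":{"bindUsingEdgeIdentity":true}}'

# Assumed rule: a DNS name is dot-separated labels of letters, digits and hyphens (no scheme, no port).
_HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def classify_address(address: str) -> str:
    """loopback / private / public for IP literals, hostname for anything else."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def validate_host_v1(raw: str) -> list[str]:
    """Return a list of problems; an empty list means the config passes these checks."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top-level value must be a JSON object"]
    problems: list[str] = []

    # port: the destination port the SERVER endpoint egresses to (bool is excluded: True is an int).
    port = cfg.get("port")
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port must be an integer between 1 and 65535")

    # address: an IP literal or a bare DNS name, never "ssh://host:22".
    address = cfg.get("address")
    if not isinstance(address, str) or not address:
        problems.append("address must be a non-empty string")
    elif classify_address(address) == "hostname" and not _HOSTNAME_RE.match(address):
        problems.append("address must be an IP address or a DNS hostname (no scheme or port)")

    # protocol: lowercase tcp or udp, as in the article's Code line.
    if cfg.get("protocol") not in ("tcp", "udp"):
        problems.append('protocol must be "tcp" or "udp"')

    # listenOptions.bindUsingEdgeIdentity: optional boolean.
    listen = cfg.get("listenOptions", {})
    if not isinstance(listen, dict):
        problems.append("listenOptions must be a JSON object")
    elif "bindUsingEdgeIdentity" in listen and not isinstance(listen["bindUsingEdgeIdentity"], bool):
        problems.append("listenOptions.bindUsingEdgeIdentity must be true or false")
    return problems


def describe(raw: str) -> str:
    """One-line summary of what the hosting endpoint will do; assumes validate_host_v1 returned []."""
    cfg = json.loads(raw)
    kind = classify_address(cfg["address"])
    by_identity = cfg.get("listenOptions", {}).get("bindUsingEdgeIdentity", False)
    addressing = ("by the hosting endpoint's identity name" if by_identity
                  else "by service name only")
    return (f"egress {cfg['protocol']} to {cfg['address']}:{cfg['port']} ({kind}); "
            f"clients address the host {addressing}")


if __name__ == "__main__":
    # Constructed samples: the article's config, a LAN host as the note allows, and a broken one.
    for sample in (ARTICLE_CONFIG,
                   '{"port": 22, "address": "10.0.1.20", "protocol": "tcp"}',
                   '{"port": 22, "address": "ssh://10.0.1.20:22", "protocol": "icmp"}'):
        problems = validate_host_v1(sample)
        print(sample)
        print("  " + (describe(sample) if not problems else "; ".join(problems)))
```

Run it as a script to see the three samples checked; or import `validate_host_v1` and feed it the JSON you are about to paste into the HOST Config box. Because `bindUsingEdgeIdentity` is what lets a client name a particular SERVER endpoint, `describe` reports whether the host will be reachable by identity name or only by service name.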

Creating an AppWAN

The AppWAN defines the services that can be accessed by one or more client endpoints.

  • From your Network Dashboard page, navigate to AppWANs.
  • Under the AppWANs tab, click on the + sign at the upper right to add an AppWAN.
  • Give your AppWAN a name.
  • In the Service Attributes field, specify the services or service attributes to be associated with this AppWAN.
  • In the Edge Router Attributes field, specify the edge routers or edge router attributes to be associated with this policy.
  • In the Endpoint Attributes field, specify the endpoints or endpoint attributes to be associated with this policy.
  • Hit Create to complete the process.

Note: Using an endpoint/service/edge router attribute selects all endpoints/services/edge routers having that specific attribute. The @ symbol is used to tag individual endpoints/services/edge routers and the # symbol is used to tag a group of endpoints/services/edge routers.


For additional information or assistance please see our Support Hub article Create and Manage AppWANs.

ZSSH in Action

Connect CLIENT/ZSSH to SERVER/SSHD (Endpoint to Endpoint, Zero Trust)

On the CLIENT, you should now have an identity file [JSON], Private key [.pem], ZSSH binary [zssh.exe]

  1. Run ZSSH with the following syntax in the CMD - command prompt [if the Client machine is Windows]:

    1. zssh -i "[PRIVATEKEY]" -c "[IDENTITY]" -s "[SERVICENAME]" "[USERNAME]@[SERVERNAME]"

      1. Breakdown of syntax:

        1. zssh: The application which has the ZITI SDK built into it.

        2. -i "[PRIVATEKEY]": The PRIVATEKEY generated from AWS.

        3. -c "[IDENTITY]": The IDENTITY created through enrollment (a JSON file).

        4. -s "[SERVICENAME]": The Service name given in the Console.

        5. [USERNAME]: The username of a valid user on the destination/SERVER where SSHD resides.

        6. @[SERVERNAME]: The SERVER (Endpoint)’s name given in the Console.
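Before running the command, it is worth checking the files listed at the start of this section. The following Python script is an added example, not part of this article or of ZSSH: it confirms that the identity JSON (which the enrollment step says must be kept in a secured location) and the private key exist, are valid where that can be checked, and are readable only by their owner; it tightens the mode where needed; and it assembles the argv for the exact syntax above so it can be handed to subprocess.run without any shell quoting. The 0600 requirement, the file names and the placeholder file contents are this example's assumptions; on Windows the POSIX mode bits are not meaningful and the check would need to inspect ACLs instead.

```python
"""Pre-flight checks for the ZSSH client's files, then the zssh argv.

Added example for this article; not ZSSH or NetFoundry code.
"""
from __future__ import annotations

import json
import os
import stat
import tempfile
from pathlib import Path


def file_problems(path: str, label: str, must_be_json: bool = False) -> list[str]:
    """Return problems for one file: missing, readable by other users, or bad JSON."""
    p = Path(path)
    if not p.is_file():
        return [f"{label}: {path} does not exist"]
    problems: list[str] = []
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & 0o077:  # any group/other permission bit set (assumed policy: owner-only, 0600)
        problems.append(f"{label}: mode {mode:04o} is readable by other users; expected 0600")
    if must_be_json:
        try:
            json.loads(p.read_text())
        except ValueError:
            problems.append(f"{label}: not valid JSON")
    return problems


def preflight(identity: str, private_key: str) -> list[str]:
    """Check the enrolled identity JSON and the SSH private key; an empty list means go."""
    return (file_problems(identity, "identity", must_be_json=True)
            + file_problems(private_key, "private key"))


def lock_down(path: str) -> None:
    """Restrict a file to its owner (POSIX mode bits; Windows would need ACLs instead)."""
    os.chmod(path, 0o600)


def zssh_argv(private_key: str, identity: str, service: str, user: str, server: str,
              zssh: str = "zssh") -> list[str]:
    """argv for the article's syntax: zssh -i KEY -c IDENTITY -s SERVICE USER@SERVER."""
    return [zssh, "-i", private_key, "-c", identity, "-s", service, f"{user}@{server}"]


def demo() -> dict:
    """Run the checks against constructed placeholder files in a fresh temp directory."""
    workdir = tempfile.mkdtemp(prefix="zssh-demo-")
    identity = os.path.join(workdir, "zssh-identity.json")
    key = os.path.join(workdir, "server-key.pem")
    # Constructed placeholders: not a real enrolled identity and not a real key.
    Path(identity).write_text('{"ztAPI": "https://controller.example.invalid:443", "id": {}}')
    Path(key).write_text("-----BEGIN PLACEHOLDER KEY-----\nnot-a-real-key\n-----END PLACEHOLDER KEY-----\n")
    os.chmod(identity, 0o644)  # the loose mode a download or copy typically leaves behind
    os.chmod(key, 0o644)
    before = preflight(identity, key)
    lock_down(identity)
    lock_down(key)
    after = preflight(identity, key)
    missing = preflight(os.path.join(workdir, "missing.json"), key)
    # Service and endpoint names are constructed; substitute the ones from your Console.
    argv = zssh_argv(key, identity, "zssh-ssh-service", "ubuntu", "edge-router-1")
    return {"before": before, "after": after, "missing": missing, "argv": argv}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In real use, call `preflight` on your own paths and only hand `zssh_argv(...)` to `subprocess.run` when it returns an empty list; `demo` exists so the checks can be exercised without a real identity or key.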
