STOP using VPN, embrace Zero-Trust networking!

Captions
Hey everybody, this is Christian, and I'm going to explain why you should stop using VPNs for accessing IT infrastructure. Yes, you heard it right: VPNs aren't really considered that much secure anymore. There's another security concept rising in professional IT these days, and that is just killing it. We will take a look at Zero Trust Network Access, shortly called ZTNA, find out what this new concept is about and what makes it superior to VPNs, and I'm going to show you exactly, step by step, how to implement this in your network using Twingate, a ZTNA service that's free for up to 5 users and 10 remote networks. That's just perfect for us homelab nerds, and it's also great for corporate environments as well. So thanks, Twingate, for making this video possible. Let's jump right into it.

Okay, so first of all I want to give you a brief overview of the service Twingate. You can get all the information on the official homepage, twingate.com. There you can find all the product information, the documentation, resources, pricing and all the other stuff. You can see they advertise themselves as an alternative to VPN, so that's what you typically would use to securely authenticate to any remote IT infrastructure and access internal resources. You can manage servers with it, Kubernetes clusters, web applications, RDP, SSH, basically anything that is somehow network-based, and it's a service that is trusted and used by some respectable and fast-growing companies worldwide. They allow granular access control, lightning-fast speed, they have a pretty impressive technology and protocol stack underneath; we will also talk about some of the details here in a few minutes. And yeah, they also integrate well with any other systems that you typically use in professional IT, such as endpoint protections, authentication providers, they support Terraform, DNS, and they also follow a least-privileged access system. So that means that when using Twingate you only get access to the resources that you actually need and not just everything.

So we will talk about some of the conceptual things, what makes Twingate different than a VPN solution, here as well. But I also want to say a few words about this service, because I know some of the people here on this channel, we love self-hosting, and there's always a question here: can you actually trust a cloud service, can you actually trust a provider? Well, they are a US-based company, but you can see they have a pretty good documentation about their policies, about their compliance settings, and you can see that they are very focused on security. They support multi-factor authentication for any type of resource, even SSH, which is pretty cool, and they also are compliant with the strictest requirements for SOC 2, GDPR and some other enterprise industry standards, which means this is a very powerful platform that integrates well with modern IT concepts. It is completely free for any individuals and small teams, such as homelab people. Yeah, it can replace VPN for remote access completely. It's free for up to five users, one admin and 10 remote networks, which is pretty great, and it works on, yeah, most of the homelab systems that you would use: it works on NAS, Raspberry Pi, of course Linux operating systems, and any of the clients that you would typically use, such as iOS, Mac, Windows, Android, these are all supported.

Twingate starts with a very strong statement here. They're saying it's time to ditch your VPNs and embrace Zero Trust Network Access by using their service, and that might surprise some people, because we have used VPNs for decades in IT, and VPNs are still considered a very secure system to establish secure remote tunnels between two networks. So what is the problem, and why do we actually need to replace them? To understand some of the problems with traditional VPN solutions, we need to take a closer look at how it works. So I suppose this is what probably most of you will know when you have some kind of technical experience with networking.

If you want to get access to internal services that are in an isolated or protected network environment, usually that's protected by a NAT firewall or a NAT router, and you can't get access directly to these internal services. You deploy a VPN server somewhere in the internal network, and then you need to allow the incoming traffic from your VPN client to this VPN server, usually by using DNAT or port forwarding on your home router/firewall, to open a port that the client can connect to the VPN server, and then it can establish a secure VPN tunnel. So all the data in between is encrypted, and from the VPN server the client can usually access all the resources in your internal networks, such as servers, web apps, whatever you need access to. And yeah, so this is how it used to be, or how we did remote access in IT for many, many years, and it's considered a very secure system because the secure VPN tunnel is always encrypted.

But there are some problems with this solution, and I want to highlight some of them here. The first is that you would typically need a static IP or DNS that might be required on your home router/firewall's WAN port, because the client needs a target and a destination to connect to, and that also consequently means that you need to forward the incoming ports on your home router/firewall to the target VPN server in your network. So I've marked this yellow, because these problems you typically only have in traditional VPN solutions like IPsec, OpenSSL, these kind of things. We have also talked about some services like Tailscale or ZeroTier that kind of work around these two problems here, but there's still a third problem, and this is that as soon as the client establishes a secure connection between the client and your VPN server, it automatically becomes a trusted part of the internal network, because your VPN client will get an IP address, and from there it's usually able to reach any destination service within that internal network. And I know what some people will say: no one questions that; the whole reason why we're using a VPN, yeah, we want to get access to all our internal resources from outside securely, so what the hell is the problem with that?

And this is mostly not a technology problem, this is more a conceptual problem. There are a lot of IT environments and corporate environments operating still based on the assumption that there are two parts of the network: there's one isolated, secure network that is our internal corporate network, where we control all the things, so we deploy the devices, we create the users, we apply security policies and all that stuff, and then there is a dangerous world wide web existing where all the nasty things are happening, so hackers are trying to get access from outside to inside and so on. And when IT environments or companies follow this principle or this assumption, they usually have strong protection policies against the bad networks, so it's pretty hard to get from outside to the inside network, but once you get to the inside network, then there are usually very weak policies existing. And that's particularly a problem when using VPNs, because once a VPN client really becomes compromised, because of an attack or because of phishing, because of malware, whatever is happening, it's pretty easy for somebody to move around the internal network. This is also called lateral movement, and this is why we need a new security concept. That is why we need to get rid of this assumption that there are some clients or devices that we can trust more than others, and this is what zero trust is actually about.

So one thing that is important to understand: some people think that zero trust means that we never trust anything, but that's actually not true. It only means that we constantly need to verify and track the trust, and this is done based on three different pillars. The first one is a strong user and device authentication, so that means we constantly need to identify the particular user or the device, and this is usually based on strong authentication policies like multi-factor authentication, strong password policies and so on. The second pillar is authorization following a least-privileged principle: we only give access to something that the device or the user actually needs, nothing more. And the third thing is we need to constantly check the compliance with the security policies: can we trust the device or the user, based on things like is the device or the client up to date, has it an anti-virus protection installed, does it have a device encryption or a biometric protection such as Touch ID on Macs, for example. And these three things ensure we do our best efforts to protect our network resources. So this is the actual concept, and I know it's not easy to implement all these kind of security policies and a zero trust concept in a company, especially if the network is already existing. You will need to change many, many things, and you always need to revisit your current security policies, if they are following this zero trust concept or if you need to improve some things. If you need to implement this, this is where Twingate jumps in, because Twingate is a service that allows you to implement all these three things in your IT infrastructure network. Let's have a look how that actually works.

Okay, so let's start again with kind of the same setup. We have some internal services that are protected behind our home router/firewall, we have a client that comes from the external network and wants to get access to internal services. So we will start by installing the Twingate connector, which is a small application that you deploy somewhere in your internal network from where you can access the internal services, and of course the client needs to somehow establish a secure connection to the Twingate connector in order to get access to the internal services. But what's different when using Twingate is that you actually don't need to configure anything on your home router or firewall. You don't need to open any ports, you don't need to allow traffic from outside to inside, and it's still handling a secure authentication based on a few different components.

One of them is the Twingate controller. So this is the controlling part; this is not what you need to install somewhere, this is completely hosted in Twingate's infrastructure, and it's part of this service that they provide. They really have created a secure architecture that always makes sure that the client and the Twingate connector both are authenticated. And then there's the second part, which is called the Twingate relay. So this is important for controlling the data flow and the data streams; this is also hosted in Twingate's infrastructure, and you don't need to install anything. The Twingate connector will open a connection from inside the network through the Twingate relay, and the client will also initiate a separate connection. This is also the reason why you don't need to open any ports, because the traffic is from the Twingate connector from inside the network to outside, so you only need to allow web traffic from the local network to the external network, which is really always allowed. And the Twingate relay is responsible for establishing a secure connection between the connector and the client, even through NAT firewalls, without having to configure an IP address, without having to configure a DNAT or port forwarding. It's pretty clever, and it also has some kind of fallback connection. So when, for whatever reason, peer-to-peer connections are not possible, because there are protection policies, for example the home router/firewall doesn't allow UDP protocols for whatever reason, the Twingate relay can also serve as a fallback connection. So then the traffic is always flowing through Twingate's cloud infrastructure, of course, but they still don't have access to the short-lived security key, so they can't really inspect the traffic inside anyway. In most cases the peer-to-peer connection is still possible to establish, and that's of course a direct connection between the client and your network based on the QUIC protocol, which is fast, reliable, and that is why Twingate offers such an incredibly high throughput and speed.

But it's also very important to mention that Twingate also supports many authentication providers. If you paid attention to the website, you probably saw names like Azure AD, Okta, Google authentication and so on, so you can easily implement this in your Azure AD infrastructure, and with the Twingate controller it's always made sure that the client, or the user, actually has access to the internal services and resources.

So if you want to sign up on Twingate, you can just click on sign in, and then usually create and deploy Twingate completely for free. You get a 14 days trial of Twingate Business, and after that the Twingate Starter plan is free forever. And once you're logged in and you created your account, you will get to the Twingate interface. This is where you set up all the things before we can start getting access to our resources. So first of all we need to add a remote network. You can see I've already added two networks: cl1, that is my homelab network, and the second will be a cloud network that I've not deployed yet, but I'm still working on this. And if you want to add a new network, you can just add it. You can add a location on AWS, Azure or GCP, but if you're using an on-premise or home network you can just use on-premise, and then if you go into the network you can add connectors to this network. One thing that is also important: a network is what is considered a separate part of your environment, and you can add as many networks as you want, so if you have isolated parts of your homelab, you can add a remote network for any of these, but it's totally fine to just work with one remote network, which is your usual homelab network. And once you added the network, it usually starts with two connectors, but you can also just use one.

It's definitely recommended to add more connectors to the same network, and so this is for high availability and redundancy, of course. Just keep in mind that when you add more connectors, they should be on the same network and they also should be configured the same way. So I'm going to add a new connector here in my remote network. You can see that just creates an empty template; you can of course change the name of this, let's call it connector-demo1, for example, confirm the changes, and then you can deploy this connector software in your homelab infrastructure using one of the deployment methods supported by Twingate. You can see it has many different ways to deploy the connector: you could use a simple Docker command, a Helm chart, you can use cloud infrastructure, you can also just deploy it on a Linux server if you want, or use infrastructure as code. So I'm going to use Docker to just show you around. You always need to generate two separate tokens here, one access token and one refresh token, for every connector, so these are unique and you should not reuse them for different connectors. Also make sure you don't share them or expose them publicly somewhere; so this is how the secure connection is handled. So let's generate the tokens, and then we can basically just copy these. Okay, so once we have that we can also customize the Docker command, for example give it a custom DNS server or enable local network logs and so on, but I don't want to do that right now. It's totally fine to not customize it, and then you can just copy the command, execute it somewhere on a Docker server, and then the container is spun up and it's connected to Twingate. However, you probably know from all my other tutorials that I love to use Docker Compose instead of just regular Docker commands, so what I've done is I've created a Docker Compose template for the Twingate connector on my GitHub boilerplates repository. There you can find all the other different templates and snippets for deployments of my tutorials.

Let's go into Docker Compose and let's go to the Twingate connector folder. So here's the Docker Compose file that you can use, and you can see it's actually pretty simple, you don't need to configure anything else. And so for a short demonstration I'm just going into my demo1 server; I think this is a Linux server that already has Docker installed. But let's create a new project folder and let's call it connector-demo1, and let's open this in VS Code and let's create the Docker Compose file. So in this compose file I will just copy everything from the template, paste it in here, and first of all I want to connect this to an existing Docker network. So you can check with the docker network ls command if you have already created a custom network you can attach this container to; otherwise it will just create another default network from the compose file, that should also be fine. But I want to connect this to the frontend network, so I'm going to uncomment all of these lines here, and I'm going to change the name to frontend, and I also need to uncomment these two lines here to connect the container to this existing network. So, and this basically just deploys the Twingate connector Docker container in the latest version. You just need to change a few things: the first one is the Twingate network, so this should be your Twingate network, and what's important, it is not this remote network here, this is also the account name, so let's see, I'll put it in here. And of course we also need to copy the access and refresh token that we've just generated for this connector. Okay, so that should be all. You can also customize a few other things like the log level, if you want to see what's going on inside, or if you want to add a custom DNS server, but I don't need any of this. Let's just start the container with a compose up, and let's see if it's working. So in the interface, when we refresh it, we should see that the connector is now connected.

So this has, just like I've explained, initiated a connection from inside my home network to the Twingate server in the cloud infrastructure, and there you can also see the two Twingate components that I've explained in the presentation: the controller for authentication and the relay for the data stream. Okay, cool. So let's go back to network. So once we have connected our connectors, we can now start adding our homelab resources. Like, for example, you can see I've added a Proxmox resource and a container resource. You can add any internal resource that you like; you just need to give it a name. For example, let's just connect my firewall interface. There you need to select a remote network, and then we can add the address. It can be a DNS name or an IP address; for example, my firewall has an IP address, that is this one here, and a port. We can also restrict access to specific ports or protocols. For example, my firewall has multiple services: it has a web interface, it has an SSH interface for managing the console of the firewall, and I don't want that my users have access to the console. I just want to give them access to the user portal and not to the administrative interfaces, so I can just define the port 443 for the user portal and block anything else, like UDP, and I also can block ICMP for ping requests. So then this resource only has access to this particular port. And let's create the resource. Now we can also say which users or which groups have access to this resource; I just have created one resource for everyone. So let's add this and see if it works.

So now I'm trying to log into my home network using my MacBook, and I don't want to connect my MacBook to the Wi-Fi, so I'm disconnecting from my home Wi-Fi and instead use my iPhone as a hotspot. I know it's, like, I'm just using my regular phone connection; that is of course a completely different network. Now you can see, if I want to access the IP address of my firewall on port 443, this of course is not possible, because the MacBook doesn't have an established connection to my home network. But when I log in using Twingate, I'm now authenticated and I got access to my firewall user portal, but I can't access the administrative interface on a different port, for example; this is not allowed, and I also can't open an SSH connection to my firewall. Of course the same does also work for all the other resources. In the Twingate client you can see what resources your user currently has access to; for example, let's try to open my Proxmox server. I'm just copying the address, and yeah, you can see this is my Proxmox interface, and once I log out from Twingate and I try to refresh the connection, you can see this is not possible anymore. And yeah, so this is how you can access all your internal resources securely from remote networks. But of course this is only part one, because this is very similar to what a VPN would do, only that we use the least-privileged principles: we only give the users access to resources that they should have access to and not the entire network.

So the device trust is managed in the Devices and Policies menu. First of all, you can see when you click on Devices that you can see all the different devices that are connected to your Twingate network, and you can also manage these devices. You can see if they are up to date and if they have security checks in place; for example, my Mac doesn't have biometric configuration or screen lock enabled, but if we go to my MacBook, you can see the biometric configuration, so the Touch ID is enabled, and the screen lock as well. And we can use this kind of security postures as a part of our trust policies. So first of all we need to go into the Security tab, and here you can see what different trust profiles you can configure based on the types of operating system. For example, you can see Windows has some other security policies that you can enable, then macOS, for example; macOS only supports screen lock and biometric configuration. On Windows clients you can also check if they have an antivirus installed, a firewall enabled, screen lock and hard drive encryption. You can of course also use your phone to access your Twingate resources.

And when you create a trusted profile, for example let's create one for macOS, something like trusted devices, you can specify some verification requirements. For example, you can also connect antivirus systems like CrowdStrike, Intune, but I'm not going into the details about antivirus integration now. Instead we could also create the device posture checks for screen lock and biometric configuration, and once we added this trusted profile, we need to go into Policies, and we can just modify the default policy or create a custom one, for example trusted policy. In this policy we can now select our device security profiles, such as only the trusted devices. So that means that all my Macs need to have screen lock and biometric configuration enabled in order to become a trusted device, and I also want to enable multi-factor authentication for the authentication requirements. So that means that only users that have multi-factor authentication enabled on their account and are using a trusted device can get access. And what is now pretty cool, you can configure these policies and security checks on each individual resource. So that means, like, if you want to access the firewall interface, we can edit this and change the default policy to the trusted policy, so that only users that use macOS with biometric configuration, multi-factor authentication and so on have access to the firewall user portal. And just like this you can configure all your resources to really ensure the maximum security and constantly verify if you can actually trust the client's devices and if the user is securely authenticated or not. This of course makes your network and your remote access much more secure than any VPN could offer you.

So that's the power of the zero trust concept: it's not just a technology and the remote access, but it's also the very secure concept of authentication, authorization and compliance checks with security policies. I'm really interested what you think about that. If you're interested to implement this in your infrastructure environment, or maybe homelab, using Twingate, please leave me a comment. If you have any questions, you can also join our Discord and we can talk about that. And yeah, that's it for today. Thanks everybody for watching, I will catch you in the next video. Take care, bye bye.
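The resource restriction shown in the video (only the firewall's user-portal port exposed, UDP and ICMP blocked) and the trusted policy (MFA plus a macOS profile requiring screen lock and biometrics) modelled as a small policy-evaluation example. This is an added example, not Twingate's code; the class names, the sample addresses and the Proxmox port are constructed, and the Windows posture fields (antivirus, disk encryption) generalize the check to the other profile type the talk mentions.

```python
"""Zero-trust access decision modelled on the Twingate setup in the video.
Added example, not Twingate's code: it applies the three pillars from the talk
(authentication, least-privilege authorization, device-posture compliance).
All class names and sample values below are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    mfa_enabled: bool

@dataclass(frozen=True)
class Device:
    os: str                   # "macos", "windows", "ios", ...
    screen_lock: bool = False
    biometrics: bool = False  # e.g. Touch ID on a Mac
    antivirus: bool = False   # Windows-only checks in the video
    disk_encryption: bool = False

@dataclass(frozen=True)
class TrustProfile:
    """Posture requirements for one OS (the Security tab in the video)."""
    os: str
    screen_lock: bool = False
    biometrics: bool = False
    antivirus: bool = False
    disk_encryption: bool = False

    def satisfied_by(self, dev: Device) -> bool:
        if dev.os != self.os:
            return False
        need = (self.screen_lock, self.biometrics, self.antivirus, self.disk_encryption)
        have = (dev.screen_lock, dev.biometrics, dev.antivirus, dev.disk_encryption)
        return all(h for n, h in zip(need, have) if n)

@dataclass(frozen=True)
class Policy:
    name: str
    require_mfa: bool = False
    trusted_profiles: tuple = ()  # empty: no posture requirement

@dataclass(frozen=True)
class Resource:
    """One internal service with least-privilege port/protocol restrictions."""
    name: str
    address: str
    tcp_ports: frozenset          # TCP ports exposed; all other TCP is blocked
    allow_udp: bool = False
    allow_icmp: bool = False
    policy: Policy = Policy("Default")

def evaluate(user: User, dev: Device, res: Resource, proto: str, port: int = 0):
    """Return (allowed, reason). Every request is re-verified; nothing is trusted by location."""
    pol = res.policy
    if pol.require_mfa and not user.mfa_enabled:  # pillar 1: authentication strength
        return False, f"{pol.name}: MFA required"
    if pol.trusted_profiles and not any(p.satisfied_by(dev) for p in pol.trusted_profiles):
        return False, f"{pol.name}: device posture not trusted"  # pillar 3: compliance
    # Pillar 2: least privilege, one resource and only the ports it needs.
    if proto == "tcp" and port not in res.tcp_ports:
        return False, f"{res.name}: tcp/{port} not exposed"
    if proto == "udp" and not res.allow_udp:
        return False, f"{res.name}: udp blocked"
    if proto == "icmp" and not res.allow_icmp:
        return False, f"{res.name}: icmp blocked"
    return True, f"{res.name}: {proto}/{port or '-'} allowed"

# Constructed sample mirroring the video: only the firewall's user portal (tcp/443)
# is reachable, and only for MFA users on a Mac with screen lock and Touch ID.
TRUSTED_MAC = TrustProfile("macos", screen_lock=True, biometrics=True)
TRUSTED_POLICY = Policy("Trusted policy", require_mfa=True, trusted_profiles=(TRUSTED_MAC,))
FIREWALL = Resource("firewall-portal", "192.168.0.1", frozenset({443}), policy=TRUSTED_POLICY)
PROXMOX = Resource("proxmox", "192.168.0.10", frozenset({8006}))  # default policy
CHRISTIAN = User("christian", mfa_enabled=True)
MACBOOK = Device("macos", screen_lock=True, biometrics=True)
```

Calling evaluate(CHRISTIAN, MACBOOK, FIREWALL, "tcp", 443) allows the portal, while tcp/22, udp and icmp to the same address, a Mac without screen lock, or a user without MFA are all denied with the failing pillar named in the reason.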
Info
Channel: Christian Lempa
Views: 50,432
Id: iKq15WXdN88
Length: 24min 11sec (1451 seconds)
Published: Wed Aug 30 2023