Stop Using VPNs! Peer-to-Peer Zero-Trust Communication With Twingate

Captions
...access to stuff, yet I do not want to use VPNs. They're an incarnation of evil that represents remnants of the past. I want something else. I want a solution to access specific resources without exposing the entire network while still being secure. I want something that is easy to use, both for admins and for users, and I want something that is fast. Hassle-free, zero-trust access to devices, infrastructure, services, or anything else that should be accessible only to specific people or devices. And whatever that is, it cannot be a VPN. I hate VPNs; they're relics of the past.

I searched for a solution for a while without much luck. Then, out of nowhere, my luck changed. Folks at Twingate asked whether I would like to take a look at their solution. I did take a look and I liked what I saw. No, that's wrong: I did not like it, I loved it, and I thought I should share it with you. But before I do, let me explain why I hate VPNs.

In the past, everything a company had was often in a single location. A data center, laptops, desktops, printers, and everything else was in the same place and, more importantly for this story, inside the same network. So when it came to securing access, all we had to do was make sure that nobody could get into that network. We could lock down everything and only allow access to those within the network. Easy, right? Then came the need for remote work. Mind you, I'm not talking about remote work as we have it today. I'm talking about "we have an incident, it's Saturday night, you are home, fix it" kind of remote work. I will call that person Joe. Now, since everything within the network is inaccessible to anyone outside the network, we had to come up with a solution, and that solution was, and still is, VPN, or Virtual Private Network. VPNs enable a secure connection to a specific network over the internet. Someone outside that network, the person Joe that was woken up at 4am on Saturday night, is given a secure connection to that network. Only that person, Joe, would be able to access anything and everything, while everyone else would still be locked out. From the perspective of that privileged person it would seem as if they are inside the office, which is inside the network. If we exclude all the misery caused by slow connections, the inability to access stuff you can normally access without a VPN, like for example Netflix, and the myriad of other issues, VPNs proved to be great, I guess. And when I say great, I mean better than nothing. Yet I hate its guts.

Now, companies are no strangers to people suffering, so they did not mind that much. Security first, people... well, who cares about people. But there was a problem, though. A VPN gives access to everything within a network, and companies do not like that. They did not want Joe to access everything, but only the bare minimum required to do his job, to fix that issue in the hope of being able to go back to sleep. So companies decided to build multiple networks as a way to segregate resources, and that required multiple VPNs, which required VPN connectors and a ton of other stuff that made everything even slower and more complicated, and ended up converting misery into a nightmare.

And then came the cloud, and companies started mixing on-prem with cloud and laptops and desktops and SaaS and everything else. The idea of having one network was long gone. The idea of having a few networks was also gone. Now we all live and work in a world where there are hundreds of networks, and VPNs are not the solution. On top of that, more and more people work from home, which increases the number of networks even more. Yet companies do not change easily. They continue insisting that everything needs to go through that single network, or single group of networks, or whatever it is. You're on your laptop and you need to access, let's say, resources in AWS. Why not go through the VPN, which will redirect all requests from your laptop to the corporate network, and from there make dozens of round trips around a saturated internal network until it eventually reaches AWS, only to make the same trip back to you? That makes sense, right? I mean, only if you're a sadist.

The reality today is that many users are outside the corporate network. Many resources are also outside that network. Servers are somewhere else, laptops are somewhere else, mobile phones are somewhere else, and everything else is somewhere else, and all those are connecting through the internet. And all that becomes a nightmare to manage, a nightmare to use, and ultimately not very secure. And that is the conundrum: we make people's lives miserable with the excuse of making everything secure. Those same VPNs that are no longer securing a single network live on the internet. They're public and visible to everyone. They're constantly probed by malicious actors, and they're constantly being breached, and when a breach happens, oh boy, everything within the network is exposed. So with VPNs things are not very secure, but the misery still remains. To make everything even worse, when a client, your laptop, is connected to a VPN, all traffic goes through that VPN and into the corporate network. That means that when you go to Google you're still sending requests to the corporate network, which redirects them to Google and back. That is so slow and such a nightmare for admins to manage that companies tend to deny access to stuff outside the network, so you might not even be able to watch this video on YouTube without first disconnecting from the VPN. It got so bad that I decided to reject any possibility of being employed by a company that uses VPNs. I would rather be sending messages through carrier pigeons than through a VPN. Carrier pigeons are at least fun.

What I want is peer-to-peer communication. Peer-to-peer communication is direct communication between two computers, or servers, or devices, or services, or whatever else you might want to communicate from and to. When I, as a private person, want to talk with, let's say, google.com, I do not go through a VPN, unless I'm using a corporate computer with a VPN, which, as I have already stated, is a nightmare. Now, to be honest, that example is not really peer-to-peer. Requests are actually sent through a bunch of intermediary computers, but for the sake of simplicity let's pretend that is peer-to-peer. The idea is to allow nodes to exchange messages directly without relying on a central server or any intermediary. Now, peer-to-peer communication has its own set of challenges, especially in distributed systems, which we are not going to explore today. A better example of peer-to-peer communication would be torrent. You know what it is, right? That's how you were downloading pirated movies and music in the past, so you know it. Those files were downloaded directly from other people's computers, and other people's computers were downloading files directly from your computer. Now, the problem with peer-to-peer communication in corporate environments is that it is not secure. We cannot simply allow anyone to access anything or everything, so we need an intermediary to authenticate and authorize users, that is, allowing those who are authorized to access the network and denying everyone else. But once that is done, once a user or a device is authenticated, the most efficient way to communicate is direct communication, or peer-to-peer. That is, in a nutshell, how Twingate works. I will explain in more detail how that works, but before I do just that, let's see it in action.

First, let's take a look at an application. It's already running in my cluster. It has pods, and I don't care about those right now. What I do want to check is whether there is an Ingress, and there isn't. That means that the application is not accessible from outside the cluster, at least not through Ingress. And how about Services? Well, the service type is ClusterIP, meaning that it is not accessible from outside the cluster. Now let's say that, for one reason or another, I would like to access that application from my laptop. How would I do that? Should I create an Ingress? That would be silly, since the application is not supposed to be accessible from outside the cluster. It's me, and no one else, who should be able to access it. Should I change the service type to NodePort? Well, that would be even sillier, since it would expose the application to everyone, and not even in a good way. Should I go back to the idea of creating an Ingress but also add authentication to the application, so that it allows only specific people, me, to access it? Well, that would be complicated, and at the same time it would introduce complications as far as internal communication is concerned, since that should be without authentication. And that's where Twingate comes into play. I can use it to enable access to the application only from specific devices and specific people. So let's do that.

The first thing we need to do is create a new network. I will click on the "add network" button and select the location, in my case that will be "other", then I will type some name and click the "add remote network" button. That was easy, right? Next, I need to deploy a connector. That's an agent of sorts that will sit inside my firewall and take care of communication on that end. So, deploy connector, select the deployment method, which in my case will be Helm, and generate tokens. And when I say tokens, I mean Twingate really loves tokens. They're everywhere, and that's good; it likes things to be secure, but it also likes things to be simple. To generate tokens I need to prove that I am who I am and not some random dude. Finally, all that is left is to copy and paste the commands that will install the connector in my cluster. Copy, paste, wait for a few moments, and voila, my cluster now accepts zero-trust secure connections from... well, we are yet to see from whom. And that was still easy, very easy.

Now that we're done with the connector, we need to tell Twingate which services it should expose. So I'll go back to the network I created earlier and add a resource. It needs the internal service IP for that, so let me go back to the terminal and get it by executing kubectl get services. So, I'm going to copy the service's internal IP, go back to Twingate, and paste it. And now I can make things even easier by defining an alias for that service. I will call it "silly demo"... but that does not work. Why? Why? Oh yeah, it's a DNS. I think it allows me to create a DNS name through which I can access that service, and that's awesome. So, how shall we call it? I'll call it silly-demo.com. How about that? Now, my complaint here is that Twingate could have listed all my services in the cluster, or in a specific namespace, so that I can choose the one I want instead of copying and pasting IPs. I'm guessing that the Twingate team wanted to avoid sending any information from my cluster to their service, but if that's the case, the counter-argument could be "that's fine, we might want a self-managed version of Twingate", but I'll get to that point later. Next, I can decide who can access that resource. I feel generous today, so I will say that that will be everyone, everyone in my organization. You, on the other hand, should create user groups and services and assign users to those, so that you can fine-tune who can access what. Now I can add the resource, and voila, everyone in that group can now access that service. By everyone I mean only me. I'm lonely; that's probably obvious, right? So that was still easy. That was it. I'm done with the server part. I'm done with my tasks as an administrator, and now comes the user side of the story.

How can I access that service? Forget the fact that I do have admin access to the cluster itself. Imagine that I'm someone else. Imagine that I am a person that the other me has added to the group that has access to the silly-demo service. What would that version of me have to do? Well, the first step is to install the Twingate client. You see that download link at the top right menu? Well, that's the one you should use to download the client. I already have it installed, so I will skip that step. Now, if I click on the Twingate icon in the tray, I can see that the silly-demo service is there. All I have to do is copy the address, or the alias, open a new tab in the browser, paste it, and... it does not work. It cannot open that address because I did not specify the port. That resource is accessible through port 8080, and the question is, how can I know that if I don't have access to the cluster? How can I find out which ports to use? Should I go to some wiki page? Shouldn't Twingate be able to discover that information from the service? I think it should. The address I copied should have contained the port as well. Nevertheless, if I add the port, everything automagically works. Twingate is safely redirecting all traffic from the imaginary DNS name silly-demo.com to the service in my cluster. Only I can access it, it's safe, and it's easy.

Let's go to another one. I have Prometheus in my cluster, and as you probably know, Prometheus does not have built-in authentication. So if I expose it to the world, anyone can access it; if I don't expose it, neither I nor the people working with me can access it. So it's an all-or-nothing type of situation. So let's change that with Twingate, but this time at double speed. Double, double speed. Let's start by retrieving the services with kubectl get services and copying the internal IP of the Prometheus server. Next, I will go to Twingate, add a resource, give it a name, paste the IP and an alias, click the "create resource" button, select the group that should have access to it, click the "add one group" button, and that's it. It's done, and it's easy. If I switch from me as admin to me as user, I can see that Prometheus was already added to the Twingate client, and I can copy the alias and paste it into my browser, and that's it. Anyone in the group can access Prometheus; for everyone else, it does not exist.

Now, while secure and fast zero-trust communication is the main feature of Twingate, there are others worth mentioning. If you click on one of the resources, we can see the logs of all the activities related to that resource. Now, that sometimes works well, while at other times it's flaky. You can see the activities related to silly-demo, and while inside it we can modify access rules, edit it, and so on and so forth. Now, if I switch to the Prometheus resource, the activity claims that all connections to Prometheus failed, even though you saw that I did open it in the browser without any visible issues. That's the flaky part I mentioned earlier. We can also manage teams by managing users, groups, and service accounts. We can inspect all the devices that are connected through Twingate. We can define policies. And finally, there is the settings page, which looks like a garbage can where things are put because no one could figure out where else to put them.

Now, let's switch gears and explain briefly how Twingate works. The way Twingate works under the hood is actually complex, and I will not go through all the internals. Instead, I'll try to paint a simple picture, which you can expand later through the docs, which, by the way, explain all the details fairly well. We have a device, let's say a laptop, that wants to access a resource, let's say a service in a Kubernetes cluster. Bear in mind that this is only an example, and in reality both the device and the resource can be almost anything. The end goal is for the device to speak directly to the resource, but only if that device is authorized to do so. So the first step is to authenticate one against the other. To do that, the device has the Twingate client installed, and the resource, or, to be more precise, the cluster with that resource, has the connector. At the very beginning, the client and the connector initiate and establish an authenticated connection through the relay, which is publicly accessible. Next, both peers, the client and the connector, discover their public addresses so that the client can negotiate the connection with the connector and exchange their addresses. From there on, the client and the connector can communicate directly, directly without relying on anything, including the relay. Obviously, there's much more to it, but from the user's perspective what matters is that there is a discovery phase, where addresses are, well, discovered, and authentication, where it is confirmed that the client is allowed to access the resource, and that's it. That's it. The rest is direct peer-to-peer communication. The authentication can be done through Okta, Google Workspace, Azure AD, or a few other identity providers. Moreover, unlike VPNs, all that works only for specific resources, while any other communication goes on without it. So if you choose to watch a movie on Netflix instead of working, that traffic will not go through Twingate.

Now let's go into the fun part. Let's see what's good and what's bad about Twingate, and whether you should use it. I think it is a relatively new project, so it has a few things that are not yet polished. For example, the recommended setup with Helm installs it in the default namespace, which is unacceptable. I could forgive Twingate if they forgot to specify the namespace in their instructions, but they did, and they chose to use the default namespace. That is just silly. The "copy address" option in the client contains only the IP or the alias domain, without giving a clue about the port. That makes things complicated, since the whole idea is to get access only to specific resources. That means that the user will likely not have the possibility to discover the ports, which begs the question: how the heck can I know which port to use? Now, I'm fully aware that in traditional settings port discovery is an issue and a hard problem to solve, but I used examples in Kubernetes. I chose to enable access to a Kubernetes service, which does have ports set explicitly, so there should be no technical reason for Twingate not to discover which ports are used. What else? What else? Oh yeah, it would be great if the connector installed in my cluster were an operator with CRDs, so I can define it as custom resources. And now comes the biggest issue of them all: there is no self-managed solution. Personally, I prefer SaaS solutions like Twingate, but I know that many companies prefer to self-manage everything, especially when security is concerned. Not having a self-managed version of Twingate might be a deal breaker, at least for some companies. Now, none of those issues are a big deal. Twingate is a relatively new service, and I'm sure that all but the last one, the one about being self-managed, will be addressed soon. Heck, by the time you're watching this they might have been solved already. The biggest question is whether Twingate will make a strategic decision to allow self-managed options. That's certainly not for me; that's certainly not something I would use, but I'm sure that quite a few of you have that requirement.

Now let's go through the good stuff. To begin with, users get easy, easy, very easy access to whatever they should access. Second, admins have policies and visibility into what users are doing. Third, aliases are awesome, and DNSes, which I did not even show, are also amazing. It's fast, really fast. No, it's not fast, it's blazing fast. I, at least, haven't noticed any inconvenience while using it. And now comes the most important part: it is not a VPN. Yay! Finally, there are no usernames, no passwords, nor any other requirement that might make users suffer, yet it is very secure. More secure than if you use a VPN, at least. So here it goes: from all the solutions I have used so far, Twingate might be the best option when secure access to resources is concerned. You should try it out. It's not open source, but it's free for up to five users and 10 remote networks. I believe that should be more than enough for you and a few of your colleagues to try it out. Later on you will have to pay for it, and that's okay. We should be paying for a service that helps us be more productive, and especially when that same thing makes us more secure at the same time. Try it out and let me know what you think. Thank you for watching. See you in the next one. Cheers. Thank you.
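Editor's added example, not code from the video or from Twingate. Two practical points in the transcript deserve a check a practitioner can actually run before adding a resource: is the Service really reachable only from inside the cluster (no Ingress backend, not NodePort or LoadBalancer), and which port must the client dial once the resource is published. The script below reads the JSON shapes that kubectl get services -o json and kubectl get ingress -o json return, classifies each Service's exposure, and derives the address:port strings for the cluster-internal ones. The embedded samples are constructed (made-up names, namespaces and IPs); the Prometheus entry is there to show the caveat that clients dial the Service port, not the container's targetPort.

```python
"""Exposure audit for Kubernetes Services before publishing them through a
zero-trust connector.

Editor-added example; not code from the video or from Twingate.  It consumes
the JSON that `kubectl get services -o json` and `kubectl get ingress -o json`
return, embedded below as constructed sample data so it runs offline.
All names, namespaces and IPs are made up for illustration."""
import json

# Constructed sample, same shape as `kubectl get services -A -o json`.
SERVICES_JSON = json.dumps({"items": [
    {"metadata": {"name": "silly-demo", "namespace": "production"},
     "spec": {"type": "ClusterIP", "clusterIP": "10.96.45.12",
              "ports": [{"name": "http", "port": 8080, "targetPort": 8080}]}},
    # Service port 80 in front of a container listening on 9090.
    {"metadata": {"name": "prometheus-server", "namespace": "monitoring"},
     "spec": {"type": "ClusterIP", "clusterIP": "10.96.200.7",
              "ports": [{"name": "http", "port": 80, "targetPort": 9090}]}},
    {"metadata": {"name": "web-frontend", "namespace": "production"},
     "spec": {"type": "ClusterIP", "clusterIP": "10.96.10.4",
              "ports": [{"name": "http", "port": 80, "targetPort": 8080}]}},
    {"metadata": {"name": "legacy-admin", "namespace": "production"},
     "spec": {"type": "NodePort", "clusterIP": "10.96.77.3",
              "ports": [{"port": 8080, "targetPort": 8080, "nodePort": 31080}]}},
]})

# Constructed sample, same shape as `kubectl get ingress -A -o json`.
INGRESSES_JSON = json.dumps({"items": [
    {"metadata": {"name": "web", "namespace": "production"},
     "spec": {"rules": [{"host": "www.example.com", "http": {"paths": [
         {"path": "/", "pathType": "Prefix",
          "backend": {"service": {"name": "web-frontend",
                                  "port": {"number": 80}}}}]}}]}},
]})


def ingress_backends(ingresses):
    """Set of (namespace, service) pairs reachable through an Ingress rule or
    default backend.  Ingress backends are namespace-local, so the Ingress's
    own namespace is the Service's namespace."""
    refs = set()
    for ing in ingresses.get("items", []):
        ns = ing["metadata"]["namespace"]
        spec = ing.get("spec", {})
        backends = [spec["defaultBackend"]] if "defaultBackend" in spec else []
        for rule in spec.get("rules", []):
            backends.extend(p["backend"] for p in rule.get("http", {}).get("paths", []))
        for backend in backends:
            svc = backend.get("service")
            if svc:
                refs.add((ns, svc["name"]))
    return refs


def classify(services, ingresses):
    """One record per Service: how it is exposed today and the address:port
    strings a client would dial if it were published as a private resource."""
    via_ingress = ingress_backends(ingresses)
    report = []
    for svc in services.get("items", []):
        ns, name = svc["metadata"]["namespace"], svc["metadata"]["name"]
        spec = svc["spec"]
        stype = spec.get("type", "ClusterIP")
        if stype in ("NodePort", "LoadBalancer"):
            exposure = f"public via {stype}"
        elif (ns, name) in via_ingress:
            exposure = "public via Ingress"
        else:
            exposure = "cluster-internal"
        # Clients dial the Service port (spec.ports[].port), never targetPort;
        # the Service forwards to the container port behind it.
        ports = [p["port"] for p in spec.get("ports", [])]
        ip = spec.get("clusterIP")
        report.append({"namespace": ns, "name": name, "type": stype,
                       "exposure": exposure, "clusterIP": ip, "ports": ports,
                       "addresses": [f"{ip}:{p}" for p in ports]})
    return report


def private_candidates(report):
    """Services nothing publishes yet: the ones to add as zero-trust resources
    instead of opening an Ingress or switching them to NodePort."""
    return [r for r in report if r["exposure"] == "cluster-internal"]


def audit_samples():
    """Run the audit over the embedded constructed samples."""
    return classify(json.loads(SERVICES_JSON), json.loads(INGRESSES_JSON))


if __name__ == "__main__":
    rows = audit_samples()
    for r in rows:
        print(f"{r['namespace']}/{r['name']:<18} {r['exposure']:<22} "
              + ", ".join(r["addresses"]))
    print("candidates:", [f"{r['namespace']}/{r['name']}" for r in private_candidates(rows)])
```

To run it against a live cluster, replace the two embedded samples with the output of kubectl get services -A -o json and kubectl get ingress -A -o json. The address the report prints is the ClusterIP plus the Service port, which is exactly what the client had to be given by hand in the video; a Service whose port differs from its targetPort (the Prometheus entry here) is the case where guessing the container port would fail.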
Info
Channel: DevOps Toolkit
Views: 9,318
Keywords: devops, devops toolkit, review, tutorial, viktor farcic, k8s, kubernetes, VPN, Twingate, Zero-Trust Communication, Peer-to-Peer, Cybersecurity, Network Security, Privacy, Internet, VPN Alternatives, Secure Communication, Web Security, Data Protection, DevOps, DevOps Toolkit, Review, Tutorial, Viktor Farcic
Id: LxkAGgn9Yec
Length: 22min 51sec (1371 seconds)
Published: Mon Aug 21 2023