Customers who sign-up prior to 30/06/2024 get unlimited access to free features, newer features (with some restrictions), but for free for at least 1 year.Sign up now! https://webveta.alightservices.com/
Categories
Security

A method for randomizing VPN security for cloud based workloads – ALight Technology And Services Limited

One of the most important software is VPN for connectivity. There are two famous options in Open-Source world:

  1. Wireguard
  2. OpenSSH

Irrespective of which software is being used, this articles describes a methodology for Zero trust security architecture for accessing cloud workloads.

The problem:

The rogue R&AW spying equipment capable of seeing, reading mind etc…

If I know or see IP’s they know IP’s. If I know or see passwords / keys, they know passwords and keys.

Solution:

Random keys generated programatically, transferred programatically, configs updated programatically, random IP of VPN server, random port for VPN, breach detection, log monitoring, pre-defined maximum interval before keys, IPs, Ports get randomized – periodically, programatically.

This article describes an approach at a high level, but very configurable and customizable.

Component – 1: AWS Lambda / Azure Function

The server can be spun up programatically from a pre-defined Golden Base Image based on a trigger such as AWS Lambda or Azure Function. The criteria for Lambda / Function is out of scope but can be done based on your needs. Now we have random public IP address.

Component – 2: Server-side daemon on Linux machine

This component is responsible for programatically re-generating keys or ovpn file based on the VPN software.

This component randomizes the VPN port and programatically updates the configuration files.

Opens the new port in Firewall programatically.

Starts the VPN service.

Periodically stops VPN, resets keys, ports, updates config and starts VPN service.

Encrypts and passes the public IP of the VM, new random port, public key or ovpn file.

This information needs to be passed to Component 3 mentioned below. How can the information be passed? There are several techniques i.e through some web dashboard etc… i.e users would go to some pre-defined web portal, download an encrypted file containing encrypted information or in some other way.

Component – 3: Client Components

This component takes the encrypted info, updates client-side config on a necessary basis, encrypts any info that needs to be sent to the portal. If any info needs to be passed, the encrypted file would be uploaded and Component-2 would allow the users.

The Client would be responsible for letting users know of till when the new VPN credentials are valid etc…

Makes appropriate config changes.

I am implementing similar system mentioned above, I would be happy to share some code snippets and some further details.

In the above scenario, I wouldn’t know the public IP or port or keys of the VPN server and client and wouldn’t be displayed on screen. Now what can the hackers – Uttam / Veera / Diwakar / e / fake females and Bojja Srinivas do?

If shown on screen, they might record or do screenshots using invisible equipment, in the above scenario, what can they do? If the keys are automatically rotated every few hours, Lambda shutsdown and spins up new instances every few hours, what can they do?

I don’t have any fake aliases, nor any virtual aliases like some of the the psycho spy R&AW traitors of India. NOT associated – “ass”, eass, female “es”, “eka”, “ok”, “okay”, “is”, “erra”, yerra, karan, kamalakar, diwakar, kareem, karan, sowmya, zinnabathuni, bojja srinivas (was a friend and batchmate 1998 – 2002), mukesh golla (was a friend and classmate 1998 – 2002), thota veera, uttam’s, bandhavi’s, bhattaru’s, thota’s, bojja’s, bhattaru’s or Arumilli srinivas or Arumilli uttam (may be they are part of a different Arumilli family – not my family).

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO
Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Facebook

LinkedIn

Threads

Instagram

Youtube

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

LinkedIn

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.