One of the most important pieces of software for connectivity is a VPN. There are two well-known options in the open-source world:
- WireGuard
- OpenSSH
Irrespective of which software is used, this article describes a methodology for a zero-trust security architecture for accessing cloud workloads.
The problem:
The rogue R&AW spying equipment capable of seeing, reading minds, etc.
If I know or see IPs, they know IPs. If I know or see passwords / keys, they know passwords and keys.
Solution:
Random keys generated programmatically, transferred programmatically, configs updated programmatically, a random IP for the VPN server, a random port for the VPN, breach detection, log monitoring, and a pre-defined maximum interval after which keys, IPs and ports are randomized again, periodically and programmatically.
This article describes the approach at a high level; it is very configurable and customizable.
Component – 1: AWS Lambda / Azure Function
The server can be spun up programmatically from a pre-defined Golden Base Image, triggered by an AWS Lambda or Azure Function. The trigger criteria for the Lambda / Function are out of scope and can be chosen based on your needs. The result is a server with a random public IP address.
Component – 2: Server-side daemon on Linux machine
This component runs on the VPN server and is responsible for:
- programmatically re-generating the keys or the ovpn file, depending on the VPN software;
- randomizing the VPN port and programmatically updating the configuration files;
- opening the new port in the firewall programmatically;
- starting the VPN service;
- periodically stopping the VPN, resetting keys and ports, updating the config and starting the VPN service again;
- encrypting and passing on the public IP of the VM, the new random port, and the public key or ovpn file.
This information needs to be passed to Component 3, described below. How can it be passed? There are several techniques, e.g. a web dashboard: users would go to a pre-defined web portal and download an encrypted file containing the information, or it could be delivered in some other way.
Component – 3: Client Components
This component takes the encrypted info, updates the client-side config as needed, and encrypts any info that needs to be sent to the portal. If information needs to be passed back, the encrypted file is uploaded and Component 2 admits the users.
The client is also responsible for letting users know until when the new VPN credentials are valid, etc., and for making the appropriate config changes.
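The following is an added example, written for this page and not the author's implementation, showing one rotation round of Component 2 and the matching Component 3 step: a CSPRNG-chosen port that never repeats the previous one, freshly rendered WireGuard-style server and client configs, the firewall commands that close the old port and open the new one, and a handoff bundle with an expiry time that the client verifies before applying. Assumptions: WireGuard config syntax, ufw as the firewall front end, a pre-shared secret between daemon and client, and stand-in key material (a real deployment takes keys from `wg genkey | wg pubkey`). The bundle is integrity-protected with HMAC-SHA256 only; confidentiality of the handoff is left to the transport (the HTTPS portal described above) or to a standard AEAD library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

PORT_RANGE = (20000, 60000)   # assumed pool for the randomised UDP listen port
ROTATION_SECONDS = 4 * 3600   # assumed "every few hours" rotation interval
VPN_SUBNET = "10.77.0"        # assumed tunnel subnet


def random_port(avoid=(), low=PORT_RANGE[0], high=PORT_RANGE[1]):
    """Unpredictable port from a CSPRNG; never reuse a port listed in `avoid`."""
    while True:
        port = low + secrets.randbelow(high - low + 1)
        if port not in avoid:
            return port


def stand_in_keypair():
    """Placeholder key pair so the example runs offline.
    Production: `wg genkey | tee priv | wg pubkey` (real X25519 keys)."""
    priv = bytearray(secrets.token_bytes(32))
    priv[0] &= 248; priv[31] &= 127; priv[31] |= 64      # Curve25519 clamping
    pub = hashlib.sha256(b"stand-in:" + bytes(priv)).digest()  # NOT a real public key
    return base64.b64encode(bytes(priv)).decode(), base64.b64encode(pub).decode()


def render_server_conf(server_priv, port, client_pub):
    return (f"[Interface]\nAddress = {VPN_SUBNET}.1/24\nListenPort = {port}\n"
            f"PrivateKey = {server_priv}\n\n[Peer]\nPublicKey = {client_pub}\n"
            f"AllowedIPs = {VPN_SUBNET}.2/32\n")


def render_client_conf(client_priv, server_pub, server_ip, port):
    return (f"[Interface]\nAddress = {VPN_SUBNET}.2/24\nPrivateKey = {client_priv}\n\n"
            f"[Peer]\nPublicKey = {server_pub}\nEndpoint = {server_ip}:{port}\n"
            f"AllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n")


def seal_bundle(shared_secret, info):
    """Integrity-protect the handoff with HMAC-SHA256 over the canonical JSON payload."""
    payload = json.dumps(info, sort_keys=True).encode()
    tag = hmac.new(shared_secret, payload, hashlib.sha256).hexdigest()
    return json.dumps({"payload": base64.b64encode(payload).decode(), "tag": tag})


def open_bundle(shared_secret, bundle, now):
    """Reject a tampered bundle (constant-time compare) or one whose validity has lapsed."""
    env = json.loads(bundle)
    payload = base64.b64decode(env["payload"])
    expected = hmac.new(shared_secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("bundle tag mismatch: tampered or wrong secret")
    info = json.loads(payload)
    if now >= info["valid_until"]:
        raise ValueError("bundle expired: wait for the next rotation")
    return info


def rotate(state, shared_secret, server_ip, client_pub, now, keypair=stand_in_keypair):
    """Component 2, one round: new server key, new port, new configs, sealed handoff."""
    server_priv, server_pub = keypair()
    port = random_port(avoid={state.get("port")})
    valid_until = now + ROTATION_SECONDS
    firewall = []
    if state.get("port"):
        firewall.append(f"ufw delete allow {state['port']}/udp")  # close the old port
    firewall.append(f"ufw allow {port}/udp")                       # open the new one
    # A real daemon would now write the conf, run the firewall commands and
    # restart the service (e.g. `systemctl restart wg-quick@wg0`).
    new_state = {"port": port, "server_pub": server_pub, "valid_until": valid_until,
                 "server_conf": render_server_conf(server_priv, port, client_pub)}
    info = {"server_ip": server_ip, "port": port, "server_pub": server_pub,
            "valid_until": valid_until}
    return new_state, seal_bundle(shared_secret, info), firewall


def apply_bundle(shared_secret, bundle, client_priv, now):
    """Component 3: verify the handoff, render the client config, report validity."""
    info = open_bundle(shared_secret, bundle, now)
    conf = render_client_conf(client_priv, info["server_pub"], info["server_ip"], info["port"])
    hours_left = (info["valid_until"] - now) / 3600
    return conf, f"VPN credentials valid for {hours_left:.1f} more hours"


if __name__ == "__main__":
    secret = secrets.token_bytes(32)                 # constructed shared secret
    cpriv, cpub = stand_in_keypair()
    # 203.0.113.10 is a documentation address standing in for the Lambda-assigned public IP
    state, bundle, fw = rotate({"port": 41234}, secret, "203.0.113.10", cpub, now=time.time())
    print("\n".join(fw))
    print(apply_bundle(secret, bundle, cpriv, time.time())[1])
```

Scheduling is the only piece left out: a daemon would call `rotate` on a timer no longer than ROTATION_SECONDS and publish the returned bundle through the portal, while the client refuses anything that fails `open_bundle`, so a stale or altered handoff can never silently land in its config.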
I am implementing a similar system to the one mentioned above; I would be happy to share some code snippets and some further details.
In the above scenario, I wouldn't know the public IP, port or keys of the VPN server and client, and they wouldn't be displayed on screen. Now what can the hackers, Uttam / Veera / Diwakar / e / fake females and Bojja Srinivas, do?
If shown on screen, they might record or take screenshots using invisible equipment; in the above scenario, what can they do? If the keys are automatically rotated every few hours, and Lambda shuts down and spins up new instances every few hours, what can they do?
–
Mr. Kanti Kalyan Arumilli
B.Tech, M.B.A
Founder & CEO, Lead Full-Stack .Net developer
ALight Technology And Services Limited
Phone / SMS / WhatsApp on the following 3 numbers:
+91-789-362-6688, +1-480-347-6849, +44-07718-273-964
+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)
kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.