Pritunl is an open source OpenVPN and IPSec solution that comes with a somewhat popular VPN client. Pritunl Zero fills in a few more gaps by providing zero trust access to SSH and Web Services similar to products such as Akamai EAA and Zscaller.
I installed an individual server using this guide. It was relatively easy although I had to open up a private browsing window to get past an initial HSTS error, and the default credentials mentioned in the documentation were not up to date (the solution is to run
pritunl-zero default-password). From there, setting up an internal service to proxy took about 5 minutes. One thing that I’d like to try out is the API for automatic registration of web-services. EAA and ZScaller for some reason still require manual setup.
Zero also offers a way to authenticate for SSH. It uses an SSH Certificate Authority to sign a users public key, the user then uses that key to access other servers. This approach allows for authorization without the need for Zero to ever talk to those servers. I’m a big fan of using SSH Certificate Authorities and have used Hashicorp’s Vault in the past to accomplish it. For network segregation, Zero can automatically create fleets of SSH bastions to route connections to internal resources. Zero provides a CLI tool
pritunl-ssh which takes care of the accompanying config on the client side.
All in all, I’m cautiously optimistic. Zero-Trust web-application proxies have long been one of my go to solutions for deploying secure internal applications. Having a solid open source option would be a great resource for companies that want the additional security but don’t want to purchase an enterprise license.
There’s been a ton of coverage of the recently discovered Capital One breach. I’m generally very skeptical when AWS security makes the news; so far, most “breaches” have been a result of the customer implementing AWS services in an insecure manner, usually by allowing unrestricted internet access and often overriding defaults to remove safeguards (I’m looking at you, NICE and Accenture and Dow Jones!). Occasionally, a discovered “AWS vulnerability” impacts a large number of applications in AWS – and it also impacts any similarly-configured applications that are *not* in AWS (see, for example, this PR piece…um,…Read More