FLOSS Weekly 757: Noodling Around with OpenZiti - Philip Griffiths, OpenZiti and Secure Networking
Nov 8, 2023
Philip Griffiths of OpenZiti discusses how OpenZiti is becoming the Linux of secure networking. They talk about implementing zero trust principles, the similarities to a VPN, OpenZiti's security and authorization, and upcoming events and projects.
OpenZiti aims to become the Linux of secure networking by implementing zero trust principles.
OpenZiti functions similarly to a VPN but puts private networks inside applications.
OpenZiti integrates with Caddy to provide completely dark services, enhancing security and privacy.
Deep dives
OpenZiti: A Secure Networking Solution
OpenZiti is a project that aims to address network insecurity with a zero-trust networking approach. Unlike a traditional VPN, which extends a trusted network to a device, OpenZiti puts the private network inside the application itself (via an SDK or a host tunneler), so an application can be reached securely from anywhere without placing any trust in the network it runs on. Because a Ziti-hosted service exposes no listening port to the outside, the majority of external network attacks, which begin with finding and probing a reachable port, have nothing to reach. OpenZiti is open source and free to use, with the mission of making security by default and zero trust easy for everyone to adopt.
Understanding Zero Trust Networking
Zero Trust Networking challenges the traditional assumption that anything inside an internal network can be implicitly trusted. Instead, strong authentication and explicit authorization are required before any connection is established. OpenZiti implements this with cryptographic identities: every endpoint enrolls and receives its own key and certificate, authenticates to the controller with it, and is then allowed to dial or host only the services that a policy grants it. The default is deny, so an identity with no matching policy sees no services at all. This ensures that only authenticated and authorized connections exist on the network, reducing the risk of unauthorized access and of lateral movement by malware.
Integration with Caddy for Enhanced Security
OpenZiti has an integration with Caddy, a popular web server, that enhances security and privacy. Through it, a Caddy-hosted site becomes a completely dark service: it is reachable only over authenticated and authorized Ziti connections and is not exposed to the public internet at all. This removes the public attack surface of the site and the operational overhead that goes with it, since no inbound ports need to be opened and no firewall rules need to be maintained. Users still get private, authenticated access to their Caddy-hosted websites.
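To make the authorization model from the two sections above concrete, here is a small Python model of the check OpenZiti performs before a connection is allowed. It is an added example written for this page, not OpenZiti's own code. It models identities that have already authenticated to the controller, services, and service policies of type Dial (may connect) and Bind (may host), using OpenZiti's documented role-selector syntax ('#attribute', '@name', '#all') and AnyOf/AllOf semantics. It also shows why a service with no Bind grant is dark: there is nothing on the fabric to reach. All identity, attribute, service and policy names are constructed sample data.

```python
"""Simplified model of how OpenZiti authorizes a connection.

Added example for this page; it is not OpenZiti code. Role selectors follow
OpenZiti's documented syntax: '#attr' matches a role attribute, '@name'
matches one identity or service by name, '#all' matches everything. A
policy's semantic ('AnyOf' or 'AllOf') says whether one or every listed
role must match. All names below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    name: str
    attributes: frozenset
    # True once the endpoint has proven its cryptographic identity to the
    # controller (mTLS with its enrolled certificate). Unauthenticated
    # endpoints never reach the policy check.
    authenticated: bool = True


@dataclass(frozen=True)
class Service:
    name: str
    attributes: frozenset


@dataclass(frozen=True)
class ServicePolicy:
    name: str
    policy_type: str          # 'Dial' (may connect) or 'Bind' (may host)
    identity_roles: tuple     # e.g. ('#clients',)
    service_roles: tuple      # e.g. ('@intranet-web',)
    semantic: str = 'AnyOf'   # 'AnyOf' or 'AllOf'


def role_matches(role, name, attributes):
    """Evaluate one role selector against a named object's attributes."""
    if role == '#all':
        return True
    if role.startswith('@'):
        return role[1:] == name
    if role.startswith('#'):
        return role[1:] in attributes
    raise ValueError(f'unknown role selector: {role!r}')


def roles_match(roles, name, attributes, semantic):
    """Combine the selectors on one side of a policy with its semantic."""
    if not roles:
        return False
    hits = [role_matches(r, name, attributes) for r in roles]
    return all(hits) if semantic == 'AllOf' else any(hits)


def authorize(identity, service, action, policies):
    """Default deny: return the name of the granting policy, or None."""
    if not identity.authenticated:
        return None
    for p in policies:
        if p.policy_type != action:
            continue
        if (roles_match(p.identity_roles, identity.name,
                        identity.attributes, p.semantic)
                and roles_match(p.service_roles, service.name,
                                service.attributes, p.semantic)):
            return p.name
    return None


def can_connect(dialer, service, hosts, policies):
    """A connection needs a Dial grant for the dialer and at least one
    identity with a Bind grant actually hosting the service. Without a
    Bind the service is dark: nothing terminates it on the fabric, so there
    is no port or endpoint for an attacker to scan or reach."""
    if authorize(dialer, service, 'Dial', policies) is None:
        return False
    return any(authorize(h, service, 'Bind', policies) for h in hosts)


# Constructed sample data (not from any real deployment).
ALICE = Identity('alice', frozenset({'clients', 'employees'}))
BOB = Identity('bob', frozenset({'contractors'}))
MALLORY = Identity('mallory', frozenset({'clients'}), authenticated=False)
WEB_HOST = Identity('web-host', frozenset({'servers'}))
INTRANET = Service('intranet-web', frozenset({'web'}))

POLICIES = (
    ServicePolicy('clients-dial-web', 'Dial', ('#clients',), ('#web',)),
    ServicePolicy('servers-bind-web', 'Bind', ('#servers',), ('@intranet-web',)),
)

if __name__ == '__main__':
    for who in (ALICE, BOB, MALLORY):
        print(who.name, can_connect(who, INTRANET, [WEB_HOST], POLICIES))
```

Two things the model makes visible that the prose only states: bob is denied not because a rule forbids him but because no policy mentions him (default deny), and mallory, who carries the right attribute but never authenticated, is rejected before any policy is consulted. In a real OpenZiti deployment the same decision is made by the controller, and the hosting side is an identity that has bound the service, not a public listener.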
OpenZiti provides secure connections without browser security indicators
OpenZiti secures a connection independently of the browser's own TLS, so a site reached through it may not show the browser's lock icon even though the connection is private. Every hop in the Ziti fabric uses mutual TLS, and the payload is additionally encrypted end to end between the source and destination endpoints, so intermediate routers forward ciphertext they cannot read. The end-to-end encryption is pluggable: the default is ChaCha20-Poly1305, and other options such as FIPS 140-2 validated cipher suites or post-quantum algorithms can be used instead. Metadata is encrypted as well, which keeps the network's topology hidden from an observer.
Onboarding and identity authentication in OpenZiti
Onboarding in OpenZiti requires each endpoint to hold a strong cryptographic identity, which is what later authentication relies on. A minimal deployment places Ziti routers at a trusted demarcation line, but the recommendation is to push the boundary all the way to the host by running a tunneler or the SDK there, so the network between host and router is not trusted either. Typically onboarding means enrolling an endpoint with an identity, but there are exceptions: for browser-based deployments, where users do not manage their own devices, OpenZiti offers an alternative path. It also supports external identity providers, so existing identity systems can be used for authentication. The goal is to minimize barriers to entry and make onboarding as seamless as possible across these use cases.
Philip Griffiths of OpenZiti explains to Doc Searls, Shawn Powers, and Jonathan Bennett how OpenZiti is on its way to becoming the Linux of secure networking.
An overview of OpenZiti and how it implements zero trust principles by putting private networks inside applications.
How OpenZiti functions similarly to a VPN.
OpenZiti's security and how it authorizes connections.