JackYoung


Life, photography, writing, code.

Use Zero Trust for Intranet Penetration

Introduction

I have always wanted to set up intranet penetration (exposing a service on my home network to the internet) for my home NAS so that I can watch videos away from home. When I came across a cheap server, I bought it to play around with. However, I found that the security measures implemented by the server manufacturer were not very good, and my NAS was hacked after a while. I was worried about losing my data. While playing with Cloudflare, I discovered their Zero Trust service, so I decided to use CF's service to meet my penetration needs.

About Zero Trust

Zero Trust Network Access, also known as ZTNA, is a network access model that contrasts with the traditional perimeter-based network access model. In the traditional model, certain devices and networks are deemed trustworthy, while others are considered untrustworthy. A firewall is used to create a boundary between the trusted and untrusted devices and networks.

This model has its advantages, such as ease of management: once configured, it keeps working without further changes. However, it also has some drawbacks. Firstly, if a new threat emerges, such as a virus or an attack that gets past the protection provided by the firewall, the firewall becomes ineffective. Secondly, attackers can bypass the firewall through social engineering or other means and launch attacks from within the trusted domain. Lastly, the boundary-based trust model cannot detect attacks originating from devices that are defined as trusted. These weaknesses mean the boundary model has to change to meet current network security requirements.

The Zero Trust Network Access model is an improved solution to the problems of the boundary model. By default, no device or network should be trusted, which prevents the attacks between devices within the same trust domain that the boundary trust model allows. Trust should be established through an access control system based on authentication and authorization. Furthermore, trust should be dynamic, meaning that authorization is re-evaluated in real time for each access rather than granted once. Cloudflare's Zero Trust Access service is based on these principles. And the best part is, it's free!

Using Zero Trust

Creating a Tunnel

After logging into Cloudflare, you will see "Zero Trust" on the left side of the main interface.
[Screenshot: Zero Trust]

If it's your first time using it, you will be prompted to choose a plan. For personal use, the free plan is sufficient. Click on it and select "Access" -> "Tunnels".
[Screenshot: Tunnels]

Click on "Create a tunnel", enter a name, and click "Save tunnel". On the new page, you will be prompted to select your system.

[Screenshot: System]

Because Docker is easy to use, I recommend using Docker for the following steps. After clicking on the Docker icon, the Docker command will appear below. I recommend adding "-d --net=host --name=<yourContainerName>" to that command before running it. The command should look like this:

# -d: run in the background; --net=host: share the host's network namespace,
# so a service URL of localhost:80 later refers to the host's port 80
docker run \
    -d \
    --net=host \
    --name=<yourContainerName> \
    cloudflare/cloudflared:latest \
    tunnel --no-autoupdate \
    run --token <your token here>

Docker will automatically pull the necessary image and run it. After the container starts successfully, a connection success message will appear at the bottom of the page. Click "Next".
On the next page, you will enter the information for public access.

[Screenshot: Public Access]

Choose your existing domain for "Domain" and enter an unused "Subdomain". In the "Service" section below, enter the details of the service on your internal network. For example, if I have a web service running on the same server that I connected to CF using Docker, I can choose the "HTTP" service type and enter "localhost:80" in the "URL" field. Because the container runs with --net=host, "localhost" here means the host itself; the port may vary depending on your local setup. After entering the information, click "Save tunnel".
Now you can use the service provided by Cloudflare to achieve intranet penetration. Open the domain you just set up, and you will be able to reach your service.
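The command above puts the tunnel token directly on the command line, where it ends up in shell history and in the output of docker inspect. The following added example (my own code, not from the original post or from Cloudflare) wraps the same docker command in a small POSIX shell script that reads the token from a file readable only by the current user and passes it through the environment instead. It assumes that cloudflared also accepts the token from the TUNNEL_TOKEN environment variable (the environment alias of --token), that the token file is at a path such as ~/.config/cloudflared/token, and that a GNU or BSD stat is available; the container name nas-tunnel is a constructed example.

```shell
#!/bin/sh
# Added example, not part of the original post: start the cloudflared
# connector without placing the tunnel token on the command line.
# Assumption: cloudflared reads the token from TUNNEL_TOKEN (the --token
# flag's environment alias), so the token never appears in shell history.

# Docker container names must match this pattern; returns 0 when valid.
valid_container_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9_.-]*$'
}

# Accept the token file only if group and others have no permissions at all
# (mode 600, 400 or stricter). Tries GNU stat first, then BSD stat.
token_file_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null)
    [ -n "$mode" ] || return 1
    # keep only the last two octal digits (group and other bits)
    [ "${mode#"${mode%??}"}" = "00" ]
}

# Build the docker arguments as one string. "-e TUNNEL_TOKEN" (no value)
# copies the variable from our environment into the container, so the token
# is not part of the command text itself.
cloudflared_run_args() {
    printf '%s' "run -d --net=host --restart=unless-stopped --name=$1 -e TUNNEL_TOKEN cloudflare/cloudflared:latest tunnel --no-autoupdate run"
}

# start_tunnel <container-name> <token-file>
start_tunnel() {
    name=$1
    token_file=$2
    valid_container_name "$name" || { echo "invalid container name: $name" >&2; return 1; }
    token_file_is_private "$token_file" || { echo "token file missing or readable by others: $token_file" >&2; return 1; }
    TUNNEL_TOKEN=$(cat "$token_file")
    export TUNNEL_TOKEN
    # shellcheck disable=SC2046  # intentional word splitting of the argument string
    docker $(cloudflared_run_args "$name")
}

# Usage: ./start-tunnel.sh nas-tunnel ~/.config/cloudflared/token
if [ "$#" -ge 2 ]; then
    start_tunnel "$1" "$2"
fi
```

The script refuses to start if the token file is readable by other local users, and the only place the token exists at runtime is the container's environment. A reader of docker inspect on the host can still see that environment, so the token should still be treated as a credential and rotated from the Cloudflare dashboard if the host is compromised.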

Two-Factor Authentication

This is the reason I gave up on using the purchased server for penetration: I couldn't ensure the security of that server. Luckily, Cloudflare also provides authentication services.
Go back to the "Zero Trust" page, select "Access" -> "Application" -> "Add an application" -> "Self-hosted".

[Screenshot: Self-hosted]

On the next page, enter your application name, desired session duration, and the subdomain you created earlier. Click "Next" to proceed to policy editing.
In the "Policy" section, enter a name, select the session duration, and scroll down to configure email-based two-factor authentication as shown in the image.

[Screenshot: Policy]

Note that the email address in the "Require" field needs to match the address registered with Cloudflare; this is the highlighted area in my image (if you want to use a different email, you need to add it in the main interface under "Manage Account" -> "Members"). Here's a pitfall: CF capitalized the first letter of my email, so I did not receive the verification email no matter how many times I entered my email address.
After completing the above steps, you can leave the rest of the settings at their defaults and click "Next".
Once the setup is complete, when you access your domain, you will be prompted to enter your email address to obtain the OTP.

[Screenshot: OTP]

Enter the email address used in the "Policy" section to receive the OTP, and then you can access your application.

Conclusion

Although Cloudflare's Zero Trust functionality may not offer much bandwidth, it is sufficient for watching 1080p videos. It also meets my requirements for two-factor authentication, providing a certain level of protection for my assets. If you have similar needs, I recommend giving Cloudflare's application a try. (In comparison, our company's SDP service is really lacking...)
