Virtual Private Network (VPN)
The VPN is a common component that is is responsible of establishing secure connections between Fluid Attacks’ VPC and the private network of some of Fluid Attacks’ clients.
Its main purpose is to provide a method to reach resources that are not accessible via Internet and are essential for Fluid Attacks’ service.
These resources are typically source code repositories and pre-production application environments.
Public Oath
- Fluid Attacks will look for private-connection solutions that balance security, usability and standardization in order to provide a service that is as seamless and scalable as possible.
- An authentication architecture that uses role-based access control, strong passwords and multiple factors will be used for controlling who accesses client networks.
- When possible, detailed logs of network activity will be provided to clients via Integrates.
Architecture
- The
vpn
component is managed as code using Terraform. - Sensitive information for establishing secure connections with client networks is stored in encrypted YAML files using Mozilla SOPS.
- It implements two different architectures, Cloudflare and AWS.
Cloudflare
- This architecture uses Fluid Attacks’ Cloudflare network in order to connect Fluid Attacks and its clients.
- Fluid Attacks Hackers use Cloudflare WARP to connect to the Cloudflare network.
- Authentication to Cloudflare WARP for hackers is done via Okta.
- A AWS Batch
compute environment called
warp
initializes machines with Cloudflare WARP installed so they can reach the networks of clients. - Authentication to Cloudflare WARP for AWS Batch is done using a service token.
- Posture policies like having the latest OS version, firewall turned on, and encrypted hard drive, are enforced over all devices connected to WARP.
- The AWS VPC is accessible via WARP for developers to perform debugging.
- Navigation logs for traffic between Fluid Attacks and the networks of clients are pushed to a s3 bucket using Cloudflare Logpush.
- Minimum privilege traffic rules exist so only users with permissions have access to networks of clients.
Networks of clients can be reached in two different ways.
Connector
- The client installs
cloudflared
in a machine belonging to the network they want to share with Fluid Attacks. cloudflared
communicates with Fluid Attacks’ Cloudflare network.- The
cloudflared
instance becomes a pivot machine that allows Fluid Attacks to reach the client network. - As the client is the owner
of the
cloudflared
instance running in their network, they can set up minimum-privilege rules for it to only reach those resources that should be accessible. - Internal DNS requests are forwarded to the client’s DNS servers.
Egress
- Fluid Attacks provides a pair
of reserved IPv4 public addresses
that are used exclusively
for reaching the client’s network.
These are called
egress ips
. - The client exposes the
resources that need to be accessed
to the Internet
and only allows traffic from
Fluid Attacks
egress ips
.
AWS
- This architecture is deprecated and will be removed in the future.
- It uses AWS Site-to-Site VPN Connections.
- A subnet called
batch_clone
is routed through all the Site-to-Site VPNs so it can reach the networks of clients. - It uses Route53 to resolve domains within the networks of clients.
- Fluid Attacks Hackers can access hosts in the networks of clients by using the AWS Client VPN.
- Authentication to the AWS Client VPN Endpoint is done via Okta.
Contributing
Please read the contributing page first.
General
- Any changes to vpn infrastructure must be done via merge requests.
- Infrastructure source code can be found here.
- All vpn client configurations can be found here. You can use SOPS to decrypt such values.
Accessing the VPN
You can connect to the vpn and gain access to our AWS VPC and client private networks. In order to do so, you need to:
- Go to the VPN Self-Service portal:
- Log in with your Okta Credentials.
- If you do not have enough permissions, please contact help@fluidattacks.com.
- From the portal:
- Download the vpn client configuration.
- Download and install the AWS Client VPN for your Operating System.
- Open the AWS Client VPN and import the downloaded configuration.
- Connect to the VPN.