STUN (Session Traversal Utilities for NAT)
A STUN server can be queried over the STUN protocol to discover the public IP address and port you appear to have on the internet (that is, after NAT). The server simply reports the source address it saw your packet arrive from.
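As an added example (not code from the original post), here is a minimal STUN Binding client in Python showing what the protocol actually exchanges: a 20-byte request, and a reply carrying the public address in an XOR-MAPPED-ADDRESS attribute. The sample reply is constructed rather than captured, the default server is Google's public STUN server, and the (ip, port) the parser returns is exactly what a peer would share with the other side before attempting hole punching.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 STUN message
BINDING_REQUEST = 0x0001
BINDING_SUCCESS_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # legacy (RFC 3489) plain address
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # RFC 5389 address XORed with the cookie


def build_binding_request(txid):
    """Encode a Binding Request: 20-byte header, no attributes."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def parse_binding_response(data, txid):
    """Return the (ip, port) the server saw us as, or raise ValueError.

    Validates the header and transaction id, then prefers XOR-MAPPED-ADDRESS
    (XORed so NATs that rewrite IP addresses inside payloads cannot mangle it)
    over the legacy MAPPED-ADDRESS. IPv4 only, the NAT case discussed here.
    """
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or msg_type != BINDING_SUCCESS_RESPONSE:
        raise ValueError("not a STUN Binding Success Response")
    if data[8:20] != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if len(data) < 20 + msg_len:
        raise ValueError("truncated STUN message")

    body = data[20:20 + msg_len]
    legacy = None
    pos = 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        pos += 4 + ((alen + 3) & ~3)          # attribute values are padded to 4 bytes
        if atype not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS):
            continue
        if alen != 8 or value[1] != 0x01:     # family 0x01 = IPv4
            continue
        port = struct.unpack("!H", value[2:4])[0]
        addr = struct.unpack("!I", value[4:8])[0]
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            port ^= MAGIC_COOKIE >> 16        # X-Port is XORed with the top 16 bits
            addr ^= MAGIC_COOKIE              # X-Address with the whole cookie
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        legacy = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    if legacy is None:
        raise ValueError("no mapped address in response")
    return legacy


def discover(server=("stun.l.google.com", 19302), timeout=3.0):
    """Ask a public STUN server for our reflexive address (needs network)."""
    txid = os.urandom(12)                     # random so replies cannot be forged blindly
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txid), server)
        data, _ = sock.recvfrom(2048)
    return parse_binding_response(data, txid)


# Constructed sample reply (not captured from a real server): the server saw
# 203.0.113.7:54321.  X-Port = 54321 ^ 0x2112 = 0xF523,
# X-Address = 0xCB007107 ^ 0x2112A442 = 0xEA12D545.
SAMPLE_TXID = bytes(range(12))
SAMPLE_RESPONSE = (
    struct.pack("!HHI", BINDING_SUCCESS_RESPONSE, 12, MAGIC_COOKIE) + SAMPLE_TXID
    + struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, 8)
    + bytes([0x00, 0x01]) + bytes.fromhex("f523") + bytes.fromhex("ea12d545")
)

if __name__ == "__main__":
    print(parse_binding_response(SAMPLE_RESPONSE, SAMPLE_TXID))  # ('203.0.113.7', 54321)
    # print(discover())  # uncomment to query the real server over the network
```

Note the transaction-id check: a client that accepts any Binding Response can be fed a bogus public address by anyone who can send it a UDP packet, so the reply is only trusted when it echoes the random id we chose.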
Hole Punching
An outbound packet implicitly creates a NAT mapping (an "open" port) so that the expected reply can get back in. Hole punching exploits this: both peers learn their public address via STUN, exchange it out of band, and then send to each other at the same time, so each side's NAT already has a mapping when the other's packet arrives. That mapping then carries a long-running conversation between the peers.
Some NATs (notably symmetric NATs, which pick a different external port per destination) block this technique.
DERP (Designated Encrypted Relay for Packets)
A server through which traffic can pass when hole punching is not possible.
This is still secure because the packets are encrypted end to end by the two peers, so the relay only forwards ciphertext and is never a party to the conversation.
WireGuard
Uses UDP, so it is fast.
Built into the Linux kernel (since 5.6) in a very small amount of code, roughly 4,000 lines, which makes it far easier to audit than OpenVPN or IPsec stacks.
Peers are identified not by their IP addresses but by their public keys ("cryptokey routing"): a packet is accepted from a peer if it authenticates under that peer's key, whatever address it arrives from.
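A WireGuard configuration makes the public-key identification concrete. This is an added example, not from the original post; the key strings, addresses and endpoint name are placeholders.

```ini
# /etc/wireguard/wg0.conf on a laptop behind NAT (added example; keys,
# addresses and the endpoint hostname are placeholders).
# Generate a key pair with:  wg genkey | tee private.key | wg pubkey > public.key
[Interface]
PrivateKey = <laptop-private-key>
Address = 10.0.0.2/32
ListenPort = 51820

[Peer]
# The peer is identified by this key, not by where it connects from: a packet
# arriving from any IP that authenticates under this key is this peer.
PublicKey = <server-public-key>
# Cryptokey routing: only packets whose source is within AllowedIPs are accepted
# from this peer, and only packets destined for AllowedIPs are sent to it.
AllowedIPs = 10.0.0.1/32
Endpoint = vpn.example.com:51820
# Send an empty keepalive every 25 s so the NAT mapping created by our
# outbound traffic stays open (the same mechanism hole punching relies on).
PersistentKeepalive = 25
```

Keep AllowedIPs tight: it is an access-control list as well as a route, so a peer with AllowedIPs = 0.0.0.0/0 can claim any source address on the tunnel.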
Tailscale
Part open source, part paid service, that gives you a virtual private network spanning multiple physical locations.
Each device talks directly to the others using all the technologies mentioned above: WireGuard for the tunnel, STUN and hole punching for NAT traversal, and DERP as the fallback relay.
The coordination server is proprietary, but there are open source alternatives: Headscale (a reimplementation of the Tailscale coordination server) and separate overlay networks such as NetBird and Nebula (from Slack).
Tailscale differs from the commercial Prisma Access (Palo Alto Networks) in that its architecture is peer-to-peer, whereas in Prisma your traffic passes through Palo Alto's Service Edge, where packets can be inspected for security reasons.
Remote Desktops
There are a few (Selkies, Apache Guacamole, Kasm, n.eko etc.), but they all follow one of two paradigms: old-fashioned RDP, or WebRTC. The latter doesn't expose the VM directly (it uses the NAT-traversal technologies above, STUN and relays, to reach it) and encrypts the media stream natively with DTLS-SRTP.
Kubernetes Cilium
Cilium is considered more secure than Calico because it uses WireGuard (see above) for node-to-node encryption and eBPF, which lets the kernel filter packets in place without copying them into user space, so it is also more efficient. (Calico can now also be configured to use WireGuard.)
Note that if you want to use Cilium on AWS and you're using EksCluster to create your Kubernetes cluster, you first need to delete the aws-node DaemonSet (the AWS VPC CNI) from the kube-system namespace, i.e. kubectl -n kube-system delete ds aws-node, otherwise the two CNIs fight over pod networking.
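The Helm values below show what "Cilium with WireGuard on EKS" looks like in practice. This is an added example, not configuration from the original post; the Cilium version, the ENI routing mode and the eth0 interface name are assumptions for a standard EKS node.

```yaml
# values.yaml for Cilium on EKS in ENI mode with WireGuard transparent encryption.
# Added example (not from the original post); version and interface name are assumptions.
#
# Before installing, remove the AWS VPC CNI so it does not compete with Cilium:
#   kubectl -n kube-system delete daemonset aws-node
# Then:
#   helm repo add cilium https://helm.cilium.io/
#   helm install cilium cilium/cilium --version 1.15.5 -n kube-system -f values.yaml
#   cilium status --wait
#   cilium encrypt status        # should report "Encryption: Wireguard"
eni:
  enabled: true                  # allocate pod IPs from the VPC via ENIs
ipam:
  mode: eni
routingMode: native              # VPC routes pod traffic, no overlay needed
egressMasqueradeInterfaces: eth0
encryption:
  enabled: true
  type: wireguard                # pod-to-pod traffic between nodes is WireGuard-encrypted
  nodeEncryption: false          # set true to also encrypt host-to-host traffic
```

Check the result rather than trusting the chart: cilium encrypt status lists the mode, and on a node `wg show cilium_wg0` should list one peer (identified by public key, as above) per other node.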
OAuth logins
If you want to hide a Kubernetes service behind an OAuth login page, you can use oauth2-proxy, which runs as a pod in your cluster and authenticates users against the OIDC provider given by --oidc-issuer-url. In my case this is https://accounts.google.com; I've configured my Google account to redirect to my URL and had it generate the credentials under OAuth 2.0 Client IDs in the Google GUI.
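A Deployment that wires those pieces together, as an added example rather than the post's own manifests: the hostname, upstream service name, allowed email domain and image tag are assumptions, and the client ID, client secret and cookie secret are read from a Kubernetes Secret rather than written into the manifest.

```yaml
# oauth2-proxy in front of an in-cluster service, using Google as the OIDC issuer.
# Added example (not from the original post); app.example.com, my-service,
# example.com and the image tag are assumptions.
#
# Create the secret first (never put these values in the manifest):
#   kubectl create secret generic oauth2-proxy-secret \
#     --from-literal=client-id='<google OAuth 2.0 client id>' \
#     --from-literal=client-secret='<google client secret>' \
#     --from-literal=cookie-secret="$(python3 -c 'import os,base64;print(base64.urlsafe_b64encode(os.urandom(32)).decode())')"
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels: {app: oauth2-proxy}
  template:
    metadata:
      labels: {app: oauth2-proxy}
    spec:
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
          args:
            - --provider=oidc
            - --oidc-issuer-url=https://accounts.google.com
            # Must match the authorised redirect URI set on the Google client ID
            - --redirect-url=https://app.example.com/oauth2/callback
            # Without this, ANY Google account can log in; restrict to your domain
            - --email-domain=example.com
            # The service being protected; only reachable through the proxy
            - --upstream=http://my-service.default.svc.cluster.local:8080
            - --http-address=0.0.0.0:4180
            - --cookie-secure=true
            - --cookie-refresh=1h
          env:
            - name: OAUTH2_PROXY_CLIENT_ID
              valueFrom: {secretKeyRef: {name: oauth2-proxy-secret, key: client-id}}
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom: {secretKeyRef: {name: oauth2-proxy-secret, key: client-secret}}
            - name: OAUTH2_PROXY_COOKIE_SECRET
              valueFrom: {secretKeyRef: {name: oauth2-proxy-secret, key: cookie-secret}}
          ports:
            - containerPort: 4180
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
spec:
  selector: {app: oauth2-proxy}
  ports:
    - port: 80
      targetPort: 4180
```

Point your Ingress at the oauth2-proxy Service, not at my-service, and make sure my-service has no Ingress or NodePort of its own; the proxy only helps if it is the sole path to the upstream.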