Skip to main content

Virtual Private Network (VPN)

The VPN is a common component that is is responsible of establishing secure connections between Fluid Attacks' VPC and the private network of some of Fluid Attacks' clients.

Its main purpose is to provide a method to reach resources that are not accessible via Internet and are essential for Fluid Attacks' service.

These resources are typically source code repositories and pre-production application environments.

Public Oath

  1. Fluid Attacks will look for private-connection solutions that balance security, usability and standardization in order to provide a service that is as seamless and scalable as possible.
  2. An authentication architecture that uses role-based access control, strong passwords and multiple factors will be used for controlling who accesses client networks.
  3. When possible, detailed logs of network activity will be provided to clients via Integrates.

Architecture

  1. The vpn component is managed as code using Terraform.
  2. Sensitive information for establishing secure connections with client networks is stored in encrypted YAML files using Mozilla SOPS.
  3. It implements two different architectures, Cloudflare and AWS.

Cloudflare

ArchitectureArchitecture
  1. This architecture uses Fluid Attacks' Cloudflare network in order to connect Fluid Attacks and its clients.
  2. Fluid Attacks Hackers use Cloudflare WARP to connect to the Cloudflare network.
  3. Authentication to Cloudflare WARP for hackers is done via Okta.
  4. A AWS Batch compute environment called warp initializes machines with Cloudflare WARP installed so they can reach the networks of clients.
  5. Authentication to Cloudflare WARP for AWS Batch is done using a service token.
  6. Posture policies like having the latest OS version, firewall turned on, and encrypted hard drive, are enforced over all devices connected to WARP.
  7. The AWS VPC is accessible via WARP for developers to perform debugging.
  8. Navigation logs for traffic between Fluid Attacks and the networks of clients are pushed to a s3 bucket using Cloudflare Logpush.
  9. Minimum privilege traffic rules exist so only users with permissions have access to networks of clients.

Networks of clients can be reached in two different ways.

Connector

  1. The client installs cloudflared in a machine belonging to the network they want to share with Fluid Attacks.
  2. cloudflared communicates with Fluid Attacks' Cloudflare network.
  3. The cloudflared instance becomes a pivot machine that allows Fluid Attacks to reach the client network.
  4. As the client is the owner of the cloudflared instance running in their network, they can set up minimum-privilege rules for it to only reach those resources that should be accessible.
  5. Internal DNS requests are forwarded to the client's DNS servers.

Egress

  1. Fluid Attacks provides a pair of reserved IPv4 public addresses that are used exclusively for reaching the client's network. These are called egress ips.
  2. The client exposes the resources that need to be accessed to the Internet and only allows traffic from Fluid Attacks egress ips.

AWS

ArchitectureArchitecture
  1. This architecture is deprecated and will be removed in the future.
  2. It uses AWS Site-to-Site VPN Connections.
  3. A subnet called batch_clone is routed through all the Site-to-Site VPNs so it can reach the networks of clients.
  4. It uses Route53 to resolve domains within the networks of clients.
  5. Fluid Attacks Hackers can access hosts in the networks of clients by using the AWS Client VPN.
  6. Authentication to the AWS Client VPN Endpoint is done via Okta.

Contributing

Please read the contributing page first.

Last updated on