About 5 years ago I was introduced to the concept of Software Defined Networking (SDN) through a colleague who used to work at Microsoft. He explained how SDN solves the "last mile" problem with networking by virtualising the remaining network engineering activities. Unfortunately, I lacked the tools to be able to take advantage of this opportunity.
This changed 6 months ago when I became aware of NetFoundry. I recognised how NetFoundry provides the tools to build, deploy and manage SDNs. Since then, I have been engaged with the OpenZiti team to learn how it all works. I have prepared demonstrations to showcase the fundamentals and am now progressing into more advanced capabilities.
What it does
My demonstration shows how user account management activities can be rerouted to operate over a dark network.
How we built it
The demonstration consists of six components:
- Ziti controller to provide a network fabric
- Ziti Desktop Edge tunneller to access the network fabric
- Ziti Admin Console to manage the network fabric
- Oracle Apex application to provide public and private pages
- ORDS server to act as a proxy for the Oracle Apex application
- Golang server to act as a reverse proxy for the ORDS server
Challenges we ran into
To prepare for the demonstration, I needed to build a reverse proxy server in Golang. While I had a prototype, I did not understand how it worked. As a result, I spent a lot of time learning how things worked as I troubleshot. One specific issue related to traffic being redirected to the origin server. I thought it was a problem with the code, but it turned out to be a DNS configuration issue.
When I conducted integration testing, I experienced many x509 certificate conflicts.
- My first attempt used a self-signed certificate. This caused a conflict with the Ziti fabric because it was not known, causing the following error:
> x509: certificate is not valid for any names, but wanted to match markamind.online
At the time, I was confused by this because I did not receive this message when I tested the reverse proxy with my website. My hypothesis was then to register a public domain and generate a public DNS certificate, assuming this would correct the problem.
- After implementing this, I received another conflict related to Subject Alternative Names. This was because the certificate that I created did not include a wildcard DNS entry, whereas my website did.
> x509: certificate relies on legacy Common Name field, use SANs instead
My next hypothesis was to then reuse a server certificate and key that was created for installing the Ziti Admin Console.
- After implementing this, I received the same SAN conflict message.
My next hypothesis was to create my own Certificate Authority to generate the certificates in the specific format required. I found a great resource and eventually validated the Certificate Authority in the Ziti Admin Console.
- However, I could not progress any further, as I did not know how to download the JWT file to enrol the identity.
Since then, I have received instructions on how to download the JWT file, which is my next step after submitting my results. My understanding is that this will allow me to create a "trusted" identity using my self-signed Certificate Authority to complete the demonstration.
Accomplishments that we're proud of
The one achievement that I am the most proud of was the validation of a self-signed Certificate Authority in the Ziti Administration Console.
- It was an area that I had very little understanding of
- It is a very technical topic that is the basis of network security
- It allowed me to troubleshoot integration testing
What we learned
This experience provided the opportunity to learn about the potential of SDN.
- Current implementations of network security offer a false sense of confidence
- Client based x509 certificates can be deployed and managed at scale
- Protecting websites with a reverse proxy and a dark network is simple to implement
- Client based tunneller apps provide users with a personalised experience
I also learned a lot about the drawbacks:
- x509 certificates require a high degree of precision and careful planning
- Troubleshooting certificate conflicts is difficult to do
- Managing an x509 certificate implementation requires strict security protocols
- There is a steep learning curve to design, build and deploy SDNs
- Only a few application servers are currently "zitified"
What's next for Turning your user accounts dark
This experience has helped me uncover a new business service:
- A digital service that turns user accounts dark with Ziti
I am now in the process of validating a commercial structure, developing an onboarding program, and implementing a beta launch campaign.