Skip to content

Latest commit

 

History

History
17 lines (9 loc) · 2.7 KB

README.md

File metadata and controls

17 lines (9 loc) · 2.7 KB

SD-Perimeter

This project is mostly feature complete, however, things should be considered Beta quality at this point. Contributors and questions are welcome.

This project is focused on providing a set of scripts that can be used to create a Software Defined Perimeter using open source tools readily available in common Linux distributions. The techniques implemented here are heavily influenced by Google's BeyondCorp and the Cloud Security Alliance model of Software Defined Perimeter.

Tools:

fwknop - Used to allow the SDP server to remain completely hidden from unauthorized use. With this tool, the gateway server can be configured with 0 inbound port access. The net result is that the gateway server is more hardened against port scanning, DDoS attacks, etc. This component will be optional as the client component is not readily available on all major platforms (ie. iPhone). This project is definitely worth a look for anyone looking to contribute to a really awesome open source project!

OpenVPN - Used to ensure a completely encrypted communication channel between personal devices (laptop, cell phone, etc) and the gateway server. OpenVPN includes support on every major platform and is simple to adjust the configuration to the user's needs. In our model, we are not using OpenVPN in the traditional sense of a VPN as the gateway server will not be configured to forward traffic directly to an upstream device. OpenVPN also supports additional authentication plugins allowing things like two-factor authentication to become possible. OpenVPN also provides the awesome PKI tool easy-rsa. easy-rsa gives us the ability to provision and manage certificates for all of our components.

Squid - Used to provide authorization to upstream resources. Squid is being used because of it's ability to use external authentication helpers and assign access based on group memberships from either a common database, or LDAP server. Squid also gives us the granularity to apply rules based on destination host, URI, port or a combination.

Proxy Auto-Configuration - This is a simple a text file using javascript that can be loaded into a web browser to direct specific websites toward our Squid proxy.

Redsocks Proxy - This tool will be used to forward non-web traffic through our Squid proxy.