ZeroTier & Security
-
Wondering what the overall opinion(s) are with regards to ZeroTier and information security / confidentiality when using a hosted controller.
I've had cursory discussions with other IT folks in the past and they seemed to be wary of ZT with regards to confidentiality and information security because:
-- Point 1 - ZT, in their own docs claims to basically emulate a L2 switch
-- Point 2 - L2 switches can be sniffed via span / mirror ports
-- Point 3 - As an IT pro you wouldn't connect your endpoints directly to someone else's L2 switch without due-diligence / NDA etc etc etc legalese necessary for colo and datacenter setups due to Point 2
They (ZT) also make the claim that data is E2E encrypted, "and can't be read by roots or anyone else"
-
@notverypunny said in ZeroTier & Security:
Wondering what the overall opinion(s) are with regards to ZeroTier and information security / confidentiality when using a hosted controller.
I've had cursory discussions with other IT folks in the past and they seemed to be wary of ZT with regards to confidentiality and information security because:
-- Point 1 - ZT, in their own docs claims to basically emulate a L2 switch
-- Point 2 - L2 switches can be sniffed via span / mirror ports
-- Point 3 - As an IT pro you wouldn't connect your endpoints directly to someone else's L2 switch without due-diligence / NDA etc etc etc legalese necessary for colo and datacenter setups due to Point 2
They (ZT) also make the claim that data is E2E encrypted, "and can't be read by roots or anyone else"
I don't really see any reason to be concerned but if you are just run Tinc or Nebula.
This doesn't have ports so you can't sniff or mirror a port.
If it's encrypted, what's the concern with using it?
-
I can't recall who manages the security keys for ZT, haven't used one in more than 3 years... probably a lot longer than that.
-
There's also nothing stopping you from doing everything over HTTPS/SSH/whatever over zerotier. I just don't see the issue.
-
@notverypunny said in ZeroTier & Security:
Point 2 - L2 switches can be sniffed via span / mirror ports
Yes, but like sniffing encrypted traffic on a switch, sniffing ZT traffic is useless.
-
@notverypunny said in ZeroTier & Security:
As an IT pro you wouldn't connect your endpoints directly to someone else's L2 switch without due-diligence / NDA etc etc etc legalese necessary for colo and datacenter setups due to Point 2
As an IT pro I do every day, all day. It's called the WAN connection from the ISP. And we do it without any concern because the traffic is encrypted. Sniffing by the ISP is of no concern at all.
I'd have zero problems sharing a switch with someone from a security perspective as there's no valuable data going on the switch that someone can see.
If you need a colo or ISP to sign an NDA (colo is an ISP to its customers) then you have a problem and should never be running those computers.
-
@stacksofplates said in ZeroTier & Security:
If it's encrypted, what's the concern with using it?
Ding ding ding.
-
@stacksofplates said in ZeroTier & Security:
There's also nothing stopping you from doing everything over HTTPS/SSH/whatever over zerotier. I just don't see the issue.
Right, ZT, like all VPNs (as always the rules are general) should never carry unencrypted traffic unless it's of no value (someone's YouTube videos I guess). The VPN should only provide handling / tunneling, not the base security. If used properly, VPNs increase protection not decrease it. But they aren't a replacement for the necessary security that you should already have to make the traffic safe on the WAN or, for that matter, on a LAN.
You shouldn't be running unencrypted traffic even on a LAN that has no routing to the Internet. It's just reckless and pointless... why do that?
-
@notverypunny said in ZeroTier & Security:
They (ZT) also make the claim that data is E2E encrypted, "and can't be read by roots or anyone else"
They have to do this. If they didn't they would be such a massive point of attack as compromising their controllers would give unlimited access to tons of companies.
-
If you assume that being connected to a ZeroTier network is the same as having the host sitting directly on the internet, you'll be fine.
That is the basic premise of the zero trust security model - assuming that the network is hostile.
-
@pete-s said in ZeroTier & Security:
If you assume that being connected to a ZeroTier network is the same as having the host sitting directly on the internet, you'll be fine.
That is the basic premise of the zero trust security model - assuming that the network is hostile.
Yes this ^
-
Thanks for the input everyone, it's pretty much in line with my own thoughts on the subject. In case it wasn't clear, the points outlined in my initial post were a simplification / summation of the arguments that I've previously come up against with regards to using ZT for anything more than a hobbyist type of setup.
-
@pete-s said in ZeroTier & Security:
If you assume that being connected to a ZeroTier network is the same as having the host sitting directly on the internet, you'll be fine.
That is the basic premise of the zero trust security model - assuming that the network is hostile.
Ding ding, exactly. It's a connectivity tool, not a security tool. The security has to be provided normally. Any ZT provided security, is purely extra.
-
@scottalanmiller said in ZeroTier & Security:
@pete-s said in ZeroTier & Security:
If you assume that being connected to a ZeroTier network is the same as having the host sitting directly on the internet, you'll be fine.
That is the basic premise of the zero trust security model - assuming that the network is hostile.
Ding ding, exactly. It's a connectivity tool, not a security tool. The security has to be provided normally. Any ZT provided security, is purely extra.
Yes, and when it comes to security ZeroTier, as any other VPN, shows up as a virtual network adapter. So you can apply the OS' firewall like you could on any network adapter.
And the ZeroTier network itself also has some limited L2 rules to control the traffic, similar to a switch. It lacks TCP sessions and other things though so it's not like a real router/firewall.
There is also the possibility to connect ZeroTier to a compatible firewall and not the host directly.
-
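As an added example (not from this thread and not taken from ZeroTier's own documentation), here is a minimal flow-rule set in ZeroTier's rules language of the kind pete-s refers to above, written to enforce scottalanmiller's point that only traffic that is already encrypted (here SSH and HTTPS) should cross the overlay. It is pasted into the network's Flow Rules field on the controller. The port choice and the IPv4-only scope are assumptions for illustration; adjust them for your network.

```text
# Added example: restrict a ZeroTier network to ARP plus SSH/HTTPS over IPv4.
# Rules are evaluated top to bottom on BOTH the sending and the receiving
# member; the first accept/drop whose conditions match decides the frame.

# Only frames this rule set reasons about: IPv4 and the ARP it needs.
drop
  not ethertype ipv4
  and not ethertype arp
;

# Drop frames whose source address was not assigned by this network
# (stops one member spoofing another member's IP). Note: this also blocks
# members that set their IP manually rather than via ZeroTier-managed IPs.
drop
  not chr ipauth
;

# ARP survived the first rule and is needed for IPv4 on an L2 network.
accept
  ethertype arp
;

# The rules engine is stateless (no TCP session tracking), so the reply
# direction has to be allowed explicitly via the source port.
# Each accept is a separate rule on purpose: conditions inside one rule
# are combined left to right without grouping, so mixing and/or in a
# single rule is easy to get wrong.
accept
  ipprotocol tcp
  and dport 22
;
accept
  ipprotocol tcp
  and sport 22
;
accept
  ipprotocol tcp
  and dport 443
;
accept
  ipprotocol tcp
  and sport 443
;

# Everything else (plain HTTP, SMB, RDP, any UDP, ...) is dropped.
# The implicit default at the end of a rule set is also drop.
drop;
```

Two caveats worth knowing before relying on this. First, because the engine has no session state, the `sport 22` / `sport 443` accepts mean a member that binds a local source port of 22 or 443 can reach any destination port on another member; a stateless L2 filter cannot distinguish a legitimate reply from that. Second, the rules say nothing about whether the SSH or TLS on those ports is configured sanely. Both are the reason the thread's advice stands: treat the ZeroTier adapter like any other hostile interface and put the host firewall (or an OPNsense-style gateway, as in the next post) in front of it, with the network-level rules as an extra layer rather than the only one.
-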
@pete-s said in ZeroTier & Security:
@scottalanmiller said in ZeroTier & Security:
@pete-s said in ZeroTier & Security:
If you assume that being connected to a ZeroTier network is the same as having the host sitting directly on the internet, you'll be fine.
That is the basic premise of the zero trust security model - assuming that the network is hostile.
Ding ding, exactly. It's a connectivity tool, not a security tool. The security has to be provided normally. Any ZT provided security, is purely extra.
Yes, and when it comes to security ZeroTier, as any other VPN, shows up as a virtual network adapter. So you can apply the OS' firewall like you could on any network adapter.
And the ZeroTier network itself also has some limited L2 rules to control the traffic, similar to a switch. It lacks TCP sessions and other things though so it's not like a real router/firewall.
There is also the possibility to connect ZeroTier to a compatible firewall and not the host directly.
I'm running OPNsense at home and have the plugin working and connected to a client's PCs from my house.
Works great.