I am working on a basic security lab to test and implement various CloudZiti and OpenZiti elements. Here is a simplified view for discussion purposes of this proposed network to be secured:
This network will simulate the average office / enterprise with an internal network of hosts and devices and servers connected via wired ethernet on one firewall interface, a reverse proxy for web application delivery to Internet users on its own DMZ interface, and a WiFi network on its own DMZ interface. The firewall does NAT for all 3 of these interfaces. The Internet interface is to an ISP and uses one publicly reachable IP address.
My questions are about the best way to approach a typical enterprise network like this with hosted web applications and remote administration being the primary inbound traffic at this stage of the lab experiment.
- What is the best way to utilize CloudZiti with this environment?
- How should OpenZiti elements be logically placed and configured? Tunnels, edge router, controller? I’d appreciate some help in understanding the intended approach to an environment like this one as I try to learn and understand Ziti enough to gain confidence in possible commercial implementations.
The “internal network” consists of various OS platforms and hardware devices, servers running as VM and Docker containers, etc.
- Is the reverse proxy still a valid component in a Ziti world or is it obviated by the nature of how Ziti works? How can the CloudZiti services best be leveraged?
- Is there a way to direct all inbound traffic to a CloudZiti tunneler rather than allow connections to the actual network IP address? Is that a relevant question?
- This seems like a perfect example to try to use the BrowZer component since the main service this network provides to the Internet is a list of about 15 web applications (currently running on various reverse proxied ports on the translated external IP address).
- Does the Ziti zero trust paradigm essentially remove the need for this hardware segmentation at the firewall? Does each server instance and host need to run some sort of client software?
I would really appreciate any and all help translating my old school knowledge and experience to the new Ziti paradigm. Thanks for the help and discussion.
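The following is an added example, not part of the original post or any reply to it, and not code from the OpenZiti or NetFoundry projects. It shows the shape of the configuration the questions above are about: one of the reverse-proxied web applications is published as an OpenZiti service, hosted by a tunneler on the internal network that dials the app at its private address, with separate Dial and Bind policies so only identities tagged as users may reach it and only the hosting tunneler may serve it. Because the hosting tunneler connects outbound to the edge router, no inbound firewall rule, port forward or public listener is needed for the app. The app names, hostnames, private addresses and role names are constructed for illustration; the `ziti edge create` subcommands are those of the open-source ziti CLI, and the same service, config and policy model is what a CloudZiti network expresses through its console and API.

```shell
#!/bin/sh
# Added example (not from the original post): publish a web app as an OpenZiti
# service hosted by an internal tunneler. Names, roles and addresses are
# constructed assumptions for the lab described above.
#
# With DRY_RUN=1 the `ziti edge` commands are printed instead of executed;
# this is the default when the ziti CLI is not on PATH.

set -eu

: "${DRY_RUN:=$(command -v ziti >/dev/null 2>&1 && echo 0 || echo 1)}"

# intercept.v1 config: the hostname and port that client tunnelers (or BrowZer)
# intercept. The hostname is resolved inside the Ziti overlay, not public DNS.
intercept_config() {
  # $1 = hostname users connect to, $2 = port
  printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":%s,"high":%s}]}' "$1" "$2" "$2"
}

# host.v1 config: the private address the hosting tunneler forwards traffic to.
host_config() {
  # $1 = private IP of the web app, $2 = port it listens on
  printf '{"protocol":"tcp","address":"%s","port":%s}' "$1" "$2"
}

# Execute or print a ziti CLI invocation depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'ziti'; printf " '%s'" "$@"; printf '\n'
  else
    ziti "$@"
  fi
}

# Create the configs, the service and the two policies for one web app.
publish_web_app() {
  # $1 = service name, $2 = overlay hostname, $3 = private IP, $4 = private port
  app=$1; zhost=$2; ip=$3; port=$4
  run edge create config "${app}-intercept" intercept.v1 "$(intercept_config "$zhost" 443)"
  run edge create config "${app}-host" host.v1 "$(host_config "$ip" "$port")"
  run edge create service "$app" --configs "${app}-intercept,${app}-host" -a web-apps
  # '@name' selects the service by name; '#role' selects identities by role attribute.
  # Only identities tagged web-users may dial; only identities tagged web-hosts may bind.
  run edge create service-policy "${app}-dial" Dial --service-roles "@${app}" --identity-roles '#web-users'
  run edge create service-policy "${app}-bind" Bind --service-roles "@${app}" --identity-roles '#web-hosts'
}

# One-time: create the identity for the tunneler on the internal network and
# write its enrollment token. The tunneler dials the edge router outbound, so
# the firewall keeps no inbound rule for it.
enroll_host_tunneler() {
  run edge create identity internal-web-host -a web-hosts -o internal-web-host.jwt
}

main() {
  enroll_host_tunneler
  # Constructed sample: two of the lab's web apps on private addresses.
  publish_web_app wiki   wiki.ziti   10.10.1.20 8080
  publish_web_app gitlab gitlab.ziti 10.10.1.21 443
}

main
```

Each further web application is one more `publish_web_app` line; the hosting tunneler identity is shared because it is selected by the `web-hosts` role, not by name. Users still need an enrolled identity (a tunneler on their device, or a BrowZer session for browser-only access) carrying the `web-users` attribute before the Dial policy admits them, which is the part of the model that replaces the publicly exposed reverse-proxy ports.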