[HN Gopher] HashiCorp Boundary
___________________________________________________________________
HashiCorp Boundary
Author : yongshin
Score : 392 points
Date : 2020-10-14 15:55 UTC (7 hours ago)
(HTM) web link (www.hashicorp.com)
(TXT) w3m dump (www.hashicorp.com)
|
| rodgerd wrote:
| This looks wonderful. I spend a lot of time and energy trying to keep people from breaking modern infra with 1980s IP-based security models, and this could be another tool in the arsenal to help with that.
|
| fasteo wrote:
| Honest question: how is it different/better than setting up an OpenVPN server?
|
| anderspitman wrote:
| Search terms "BeyondCorp" and "Zero trust" will get you started.
|
| GNOMES wrote:
| Interesting, seems similar to Cloudflare One that was announced the other day.
|
| https://news.ycombinator.com/item?id=24753940
|
| candiddevmike wrote:
| It looks like you still have to manage users on the hosts for PAM, including SSH keys (or use Vault I suppose). It's too bad that this can't perform all of that functionality: set up a server, install a Boundary client, and manage all of the PAM things through Boundary.
|
| malnick wrote:
| We plan on integrating with Vault to perform transparent credentials injection in the not too distant future. This is a 0.1 product after all, and we still have a lot to build!
|
| teknopaul wrote:
| This is great, I hope where I work never implements it :) Getting access to everything in "one hop" is mighty convenient. Especially now that one hop involves 2FA and finding my phone down the back of the sofa while production has a sev one.
|
| nosequel wrote:
| I think you meant to write "boundaq".
|
| luminousbit wrote:
| Personally I've been a big fan of strongDM (https://www.strongdm.com/).
|
| Lightyears ahead of Teleport or any of the other solutions out there. Built for great auditing and zero trust.
|
| Best of all it's multi-protocol. So you can do SSH, SQL, K8s, HTTP all with one access system.
|
| Had it in prod for almost two years. Gonna be a long time before HashiCorp or anyone else can catch up with the level of depth.
|
| pferde wrote:
| StrongDM does indeed look interesting. Can it be completely self-hosted? I am asking because some of the architecture docs mentioned "app.strongdm.com" as a necessary element, which has a webpage behind a (customer?) login. This is an external dependency that is not acceptable for my use case.
|
| I haven't found a conclusive answer in their documentation yet.
|
| jmccarthy wrote:
| Justin here, co-founder and CTO of strongDM. The policy and audit functions of our product are hosted by us, but all the sensitive data transit (the proxies themselves) is hosted by you. Hope that helps!
|
| wyck wrote:
| With a name like HashiCorp I expected this to be a decentralized blockchain identity network similar to IBM's Sovrin. Still really cool though; managing IDs and permissions is such a pita.
|
| wmf wrote:
| HashiCorp predates most of the blockchain hype; it's named after founder Mitchell Hashimoto.
|
| latentpot wrote:
| Is this very similar to CyberArk, but without the logging and recording of usage?
|
| cbb330 wrote:
| There are a few comparisons being introduced already in this thread, and I'm tempted to ask for more, so I'd love to see documentation on this vs. other solutions like is presented with Terraform:
|
| https://www.terraform.io/intro/vs/index.html
|
| hossi wrote:
| Since you asked, we have a commercial zero-trust product very similar to this. As a quick comparison: in our architecture, the worker node (extender) only needs outbound direct access to contact the master node. Unlike many of our competitors, we promote the usage of ephemeral certificates instead of secrets management or minting. We support a number of identity providers and dynamic host directories.
| Connections can be formed either with native clients or a web browser (SSH, RDP, HTTPS) with session recording for auditing purposes. Check it out here: https://www.ssh.com/products/privx/
|
| nokiasa1 wrote:
| Can anyone explain if this can be used to share a Linux Samba server's shares? If yes, could you point me in the right direction? Thanks
|
| jon-wood wrote:
| I'm sure it can, given at its core it just tunnels traffic from one place to another, but to be brutally honest this is a 0.1 release and if you can't work out how to do this from the documentation you're going to have a really bad time working out why it broke down the line.
|
| faitswulff wrote:
| > With Boundary, access is based on the trusted identity of the user, rather than their network location. The user connects and authenticates to Boundary, then based on their assigned roles they can connect to available hosts, services, or cloud resources.
|
| Is this the main idea behind BeyondCorp and Cloudflare One, as well? If so this is the clearest explanation I've seen of it.
|
| cratermoon wrote:
| It is, and it's something I noted, too.
|
| jolux wrote:
| Seems like the BeyondCorp-ish "zero trust" remote access space is heating up. This looks similar in some ways to Cloudflare One which was announced Monday: https://blog.cloudflare.com/introducing-cloudflare-one/
|
| cavisne wrote:
| Not surprising when corporate VPNs have gone from a handful of the company working from home to the entire company working from home.
|
| basch wrote:
| It's already pretty crowded. https://telegra.ph/ZeroTrust-Vendors-04-23
|
| Expect consolidation. That or it becomes a commodity expectation of any other purchase, and not a selling point.
|
| jolux wrote:
| I'm expecting both. Probably a standard AWS/IAM feature eventually.
|
| lizhang wrote:
| I'm guessing the Cloudflare One announcement forced HashiCorp to announce this so they wouldn't lose a lot of potential customers due to vendor lock-in.
|
| warkdarrior wrote:
| This looks like an authenticated proxy. I assume you would need to locally reconfigure your clients (ssh, browser, whatever) to use the Boundary server as a proxy.
|
| parliament32 wrote:
| Other way around, Boundary needs to exec your client application. They're more clear about how it works here: https://www.boundaryproject.io/docs/getting-started/connect-...
|
| Boundary comes with built-in wrappers for ssh, rdp, and postgres, but you can "boundary exec" to run some other application inside the TCP-wrapped transport, apparently.
|
| zokier wrote:
| Some sort of LD_PRELOAD style trickery? Or are they intercepting syscalls?
|
| edit: seems nothing that complicated, more like an ssh-style tunnel where Boundary has a local listening socket which you need to point the client to. That is, if I'm understanding it correctly.
|
| armon wrote:
| That is correct! The local proxy has a listening socket and handles all the authentication, encapsulation, and forwarding transparently.
|
| parliament32 wrote:
| So does it intercept all connections on that port (from the client app) and pass them along? Or do I need to reconfigure my client application to talk to localhost:whatever? Your only example is that curl using a hostname; it's not really clear.
|
| armon wrote:
| You would point the application at the local port. It operates very similarly to SSH port forwarding. No fancy magic to intercept all traffic.
|
| philsnow wrote:
| Mostly copy-pasta from an earlier comment[0] of mine:
|
| https://github.com/99designs/aws-vault/issues/578 was for an issue with remote servers accessing the localhost EC2 metadata service that aws-vault can run, that worked exactly by using DNS rebinding.
| It was fixed only months ago, so it seems like this is a developing area and if I were on a red team or pen testing, I would play around with more.
|
| I visualize the "localhost hole" problem of blindly trusting localhost as an air gap in a pipe (like [0]); anybody could come along and either drop poison in the pipe, or redirect the water coming from the top to their own bucket, or both.
|
| I appreciate that Boundary gives completely generic identity-aware-authenticated TCP sockets, but I don't know of a way, today, to make those not accessible to browsers through DNS rebinding attacks.
|
| This is probably much much too far in the weeds and this is unlikely to contribute to a major breach (unlike the aws-vault one where of course attackers would try to access the fake metadata service on the default port, because it's high-value and on a well-known port), but I'm interested in the space.
|
| [0] https://news.ycombinator.com/item?id=23265509
| [1] https://districtsales.ca/wp-content/uploads/2019/07/tru-gap-...
|
| bluu00 wrote:
| https://web.archive.org/web/20201014160020/https://www.hashi...
|
| Link wasn't working for me, so.
|
| marmaduke wrote:
| This looks like an interesting alternative to k8s ingress, even if the goal is similar, especially when the default ingress controllers don't support e.g. SSH.
|
| Way too much ceremony for scientific compute sites tho.
|
| PaulWaldman wrote:
| I want to give a shout out to Tailscale. It relies on WireGuard and has been dead simple to set up and configure. Stability has been great as well.
|
| arcticfox wrote:
| I am also a big Tailscale fan. Is anyone able to do a quick comparison on how Boundary relates?
|
| basch wrote:
| Tailscale isn't a deny-first, allow-based-on-role/condition type product.
| Tailscale creates the equivalent of a wide open LAN (it has other isolation options, but that kind of control based on the identity of the person on the network isn't its intended goal) where everyone connected can see everyone else.
|
| philsnow wrote:
| From what little I know of both, Tailscale provides L2 access into a network that you might not otherwise have access to, and once you're in you can get anywhere from there, but Boundary hands out individual, already-connected TCP sockets directly to services running on endpoints.
|
| If you're looking for something like a VPN and you're just going to SSH over it, either would probably work for you, but while Boundary can allow users to only connect to port 22 on certain hosts, I think if you wanted to do similar with Tailscale you'd be in iptables/ufw and "tagging / authz-ing traffic with unix uids" territory.
|
| lifty wrote:
| Tailscale is based on WireGuard, so only does L3.
|
| t3rabytes wrote:
| > When a user establishes a TCP session through Boundary, a Boundary worker node seamlessly proxies the connection.
|
| Boundary sounds like the perfect mash-up of Google's bastion-less SSH access to GCE instances and actual IAM. Exciting!
|
| 0xFFFE wrote:
| Looks like Yahoo's Athenz https://github.com/yahoo/athenz
|
| yegle wrote:
| Looks like Google's BeyondCorp: https://cloud.google.com/beyondcorp. If you are on GCP, you can already use it https://cloud.google.com/iap to protect your HTTP and TCP backend.
|
| This is not something new. The earliest open source project that I can recall is https://github.com/bitly/oauth2_proxy (albeit it might be missing the part where the proxy passes identity to the backend).
|
| Pomerium is another open source project that's actively maintained. I've been using it as a reverse proxy to all my homelab websites (Grafana, Miniflux etc).
| I can now safely access all of these internal resources from outside of my home WiFi with automated SSL certificate configuration and renewal.
|
| You can theoretically protect your SSH connection via these IAP proxies, using the Chrome SSH extension and an open source SSH relay implementation like https://github.com/zyclonite/nassh-relay (but I personally haven't tried that).
|
| Disclaimer: I work for Google and am a casual contributor to the Pomerium project.
|
| windexh8er wrote:
| Also looks very much like Gravitational Teleport [0], which has been amazing to use. Teleport has a lot of advantages over Boundary right now based on its architecture. But Hashi does a good job of iterating quickly, so I'd guess, as with most of their products, it evolves quickly.
|
| [0] https://gravitational.com/teleport/
|
| Disclaimer: I have no affiliation with any of these companies.
|
| francislavoie wrote:
| Looks like RBAC and SSO are paid features with Teleport (but I may be misunderstanding).
|
| windexh8er wrote:
| RBAC is paid for, but "Enterprise SSO" is different than the SSO supported in the Community Edition; it's described on their site as "SSO with Enterprise Identity". They list Okta, SailPoint, Active Directory, OneLogin, G Suite, and Auth0 as examples. But you still get SSO in Community Edition.
|
| francislavoie wrote:
| My company self-hosts LDAP, so that's essentially a dealbreaker for us.
|
| res0nat0r wrote:
| Also similar to Cloudflare One which was just announced: https://blog.cloudflare.com/introducing-cloudflare-one/
|
| I think moving away from VPNs is gaining more adoption and a good thing overall.
|
| cratermoon wrote:
| I immediately thought of BeyondCorp as well, and I have only read the papers about it. At my employer, which isn't even that large, we have on-prem hardware running VMs and k8s, some stuff in AWS, some stuff in Azure, and employees all over the world with various devices coming in through a VPN.
|
| The old distinction of "internal network" and "external network" doesn't make much sense.
|
| sshahone wrote:
| Since you mentioned you're a contributor to a similar project, I invite you to check out our recently released zero trust service access control solution: https://github.com/seknox/trasa
|
| It's a BeyondCorp-like user identity and layer 7 aware access proxy for RDP, SSH, Web, and Database protocols with privileged access management, native two-factor auth agents, and device trust policies.
|
| Disclaimer: I am a core maintainer of this project.
|
| aprdm wrote:
| Even if they were the same, a big difference is that HashiCorp tools usually work on-prem and are OSS.
|
| By default I expect Google to try to lock me into GCP and do not trust their OSS tools.
|
| look_lookatme wrote:
| You can use https://github.com/cloudflare/nginx-google-oauth to do this with nginx too.
|
| tehalex wrote:
| I've used this before & it was great; however both this and the bitly oauth2 proxy linked above are archived.
|
| https://github.com/oauth2-proxy/oauth2-proxy is a maintained fork.
|
| throwaway873993 wrote:
| I'd rather use https://userify.com/
|
| buzzdenver wrote:
| How does your system compare to Appgate?
|
| mitchellh wrote:
| Hello HN! I'm the founder of HashiCorp.
|
| I'm excited to see Boundary here! I want to note a few things about Boundary, why we made it, why it is different than other solutions in the space, etc.
|
| * Boundary is free and open source. Similar to when we built Vault, we feel like the solution-space for identity-based security is too commercialized. We want to provide access to this type of security to a broader set of people because we feel it's the right way to think about access control. Note: of course as a company we plan on commercializing Boundary at some point, but we'll do this similarly to Vault; the major featureset of Boundary will remain free and open source forever.
|
| * Dynamic resource catalogs. Other tools in this space usually require manually maintaining a catalog of servers, databases, applications, etc. We're integrating Boundary closely with Terraform, AWS/GCP/Azure, Kubernetes, etc. to give you live auto-updating catalogs based on tags. (Note: this feature is coming in 0.2, and not in this initial release, but is well planned at this point.)
|
| * Dynamic credentials. Existing tools often require static credentials. Boundary 0.1 uses static credentials, too, but we're already working on integrating Boundary with Vault and other systems to provide full end-to-end dynamic credentials. You authenticate with your identity, and instead of reusing the same credentials on the backend, we pull dynamic per-session credentials.
|
| And more! Remember this is a 0.1 release. We have a lot of vision and roadmap laid out for this project and we are hard at work on that now. We're really excited about what's to come here.
|
| Specifically, as a 0.1, Boundary focuses in on layer 3 connections (TCP) with minimal layer 7 awareness for protocols such as SSH. This will be expanded dramatically to support multiple DB protocols, Microsoft Remote Desktop, and more.
|
| Also, we're releasing another new product tomorrow that is more developer-focused, if security is not your cup of tea. Stay tuned.
|
| The Boundary team and I will be around the comments to answer any questions.
|
| candiddevmike wrote:
| > * Boundary is free and open source. Similar to when we built Vault, we feel like the solution-space for identity-based security is too commercialized. We want to provide access to this type of security to a broader set of people because we feel it's the right way to think about access control. Note: of course as a company we plan on commercializing Boundary at some point, but we'll do this similarly to Vault, the major featureset of Boundary will remain free and open source forever.
|
| I hate this corporate speak. You're breaking into the space by giving away (basic, as you will commercialize any advanced) features under the guise of open source altruism. The products HashiCorp sells are open core, and you should be more honest about it (GitLab is!). I wish you operated more like other, real, open source companies that use subscriptions or managed service offerings and don't lock features behind various obscure pricing tiers. This is Shareware 2.0.
|
| The difference between what HashiCorp does and what a real open source company like Rancher does is stark: HashiCorp has products, Rancher builds communities. Contributors to HashiCorp's stuff have to play in a very specific sandbox, lest they implement lucrative features. Contributors to Rancher help the community at large and have full visibility into the codebase, empowering them to fix or add functionality without restrictions.
|
| nexuist wrote:
| How is this corporate speak? If an indie dev said his/her project is going to be open source initially and then newer features would get monetized, would your first thought be that this dev is "breaking into the space under the guise of open source altruism"?
|
| a1369209993 wrote:
| If they started out by misleadingly[0] describing it as "$THING is free and open source."? Yes!
|
| Edit: 0: It's (presumably) technically not false _now_, but the implication is that $THING is honestly intended to be FOSS, immediately followed by admitting that their actual intent is to sabotage that embrace-extend-extinguish-style as soon as it's commercially expedient to do so.
|
| save_ferris wrote:
| > their actual intent is to sabotage that as soon as it's commercially expedient to do so.
|
| Sabotage??? Wow, that's quite an accusation for a company that's, you know, a company. You might have an argument if they kept quiet about plans to monetize the product later, but that allegation is laughable.
|
| If you're not comfortable with the terms, don't use the product. They're being upfront about their plans. This anti-commercial position is hypocritical.
|
| zymhan wrote:
| There are folks who would loathe subscriptions or managed services just as equally, I hope you realize that.
|
| taxcoder wrote:
| Username checks out.
|
| fallat wrote:
| The issue brought up is understandable, but the history of the company we are talking about (and not just a generalization!) must be considered.
|
| Is HashiCorp known to do this?
|
| All I've heard are good things about HashiCorp from people who use HashiCorp products.
|
| Second, it can't be forgotten these are companies. A company exists to create value for itself in some way.
|
| It's the natural behavior of any company.
|
| However in my opinion, "open core" design seems to be very very preferable amongst technologists (myself included). Essentially we are paying for additional features which normally we'd wait years for from a sole contributor.
|
| wmf wrote:
| Some people felt burned by Vault where it looked like the free version could be used in production but it couldn't, and then the enterprise version is very expensive.
|
| gen220 wrote:
| > it looks like the free version can be used in production
|
| I think you might be confusing Vault with another product?
|
| We self-host Vault in production, and it doesn't cost us a dime.
|
| (other than the engineers we pay internally to operate it, of course)
|
| atonse wrote:
| Err what? Vault can absolutely be used in production for free. If you want the enterprise features, then you pay.
|
| Diederich wrote:
| Why can't the free version of Vault be used in production?
|
| wmf wrote:
| I think the problem was that auto-unseal wasn't free (it is now, so kudos to HashiCorp for listening).
|
| modderation wrote:
| Production-worthiness depends on your needs.
| The free edition is perfectly good for most people; however there are several features and modules that are only available in the Enterprise Edition. Notably, some of the disaster recovery, scale-out, and multifactor authentication features cost extra.
|
| ref: https://www.hashicorp.com/products/vault/pricing
|
| save_ferris wrote:
| > I wish you operated more like other, real, open source companies that use subscriptions or managed service offerings and don't lock features behind various obscure pricing tiers.
|
| "I want all of the functionality I want without having to pay for it." I hate how discussions around software businesses so often descend into purity tests around how much a company chooses to give away. Software is indeed eating the world, but the eternal battle of who has to pay for the underlying tools of said software continues.
|
| fishnchips wrote:
| I think it's not a fair thing to say. HashiCorp's projects are using MPL 2.0, and please correct me if I'm wrong (IANAL!) but it would allow you to create an open source fork of, say, Consul, call it OpenConsul and continue development there. That this hasn't happened yet (or if it did, it never gained any traction) is a testament to HashiCorp being a responsible custodian of its projects and their respective communities.
|
| kodah wrote:
| Man, this really represents the rift in Open Source and Corporate development right now. It seems like there are developers who contribute to Open Source because they like the mission, the impact, and the values. In contrast, there are others who contribute to open source because their job requires or mandates it. Then there are people who have a mix of both.
|
| All three have wildly different values and historically corporations aren't very good at listening to anyone that isn't waving a check.
| They use reasoning like "priorities" to close-source formerly open source projects, bend project values to reflect their own values, and wedge projects with funding in exchange for representation or control. Corporate-controlled and corporate-born projects are often used as marketing or for good PR; a cursory browsing of a company's Twitter page will show how they utilize it for this type of end.
|
| I don't really read Mitchell's speak as corporate or double speak, but I do think that referring to HashiCorp (and other) projects as "open source" is a half truth. The line that I draw here is that I don't think Mitchell is lying; rather, I think that open source is now an umbrella term that means very little and really terms like open core, free and open source software, etc. are more concise. We owe that outcome to inviting our corporate friends into the fold of open source with not enough restrictions, tracking, and accountability, but there's a piece of me that feels this outcome was largely intentional because it's become a means to an end as I described above. These could just be feelings but the situation is common enough that it's relatable.
|
| I'd encourage corporations to be more transparent in their verbiage, their investments, and their representation in these projects so that it doesn't continue to confuse people who participate in and enjoy the "free" side of open source. When I look at an open source project I'd love to know if a majority of the maintainers or funding comes from a corporation. If those things are true, then as someone who highly believes in the ideals of free software I may want to stay far away from people who are susceptible to corporate influence and values. On the other hand, that increased transparency may help clear the air and prevent issues from being perceived as non-transparent or outright misrepresentation.
|
| mitchellh wrote:
| I'm sorry, I'm not trying to use any doublespeak here.
|
| Boundary is free and open source. There is no corporate speak here. It is FOSS licensed (MPL2) and everything announced today is completely FOSS.
|
| We do sell open core software and if there is any place where you feel we aren't being honest about that please let me know and I'll work to address that. I added that "NOTE" at the end of the point specifically to ensure I was being honest and show I wasn't trying to hide anything.
|
| We are also starting to offer managed services for folks who prefer to consume our software that way. The managed service offerings do unlock the typically enterprise features. Example: https://www.hashicorp.com/blog/hcp-consul-public-beta
|
| A_No_Name_Mouse wrote:
| Is there a simple paper that explains how this works on a technical level? I have a hard time visualizing how a connection to a remote host would be set up if it runs through Boundary. Does "without requiring direct network access" mean Boundary works as a proxy? And how does Boundary enable the connection if the host does not have direct network access?
|
| armon wrote:
| We don't have a white paper on this yet, but we have a whiteboard video that explains both how it works conceptually as well as at a more technical level of deployment architecture and data flow. https://www.youtube.com/watch?v=tUMe7EsXYBQ&feature=emb_titl...
|
| emddudley wrote:
| This is a really nice video. I appreciate the patient walkthrough of the concepts and motivation.
|
| A_No_Name_Mouse wrote:
| Wonderful video, really clear!
|
| jefferai wrote:
| By "direct network access" we mean between the client and the end host. The Boundary worker node (which proxies traffic) would need to be able to make a network connection to the end host, and the client in turn would need to be able to make a network connection to the worker node.
|
| This indirection provides a way to keep your public and private (or even private and private) networks distinct to remove "being on the same network" as a sufficient credential for access. At the same time, it ensures that the traffic is only proxied if that particular session is authenticated.
|
| A_No_Name_Mouse wrote:
| I can see how that works for an internal network. How does this work for SaaS solutions that would normally be directly on the internet? Would they have to be "shielded" to be on a private network and somehow be "Boundary enabled"?
|
| And could this be done in a way that is completely transparent to the user (without them having to start a connection to the worker first, and then make a connection to the desired service)?
|
| jefferai wrote:
| Generally speaking this is designed for accessing your own systems, not the systems of a third party being consumed as a SaaS. That said, any such provider that allows you to restrict the set of IPs allowed to make calls to the service would operate in a Boundary-friendly mode.
|
| pliu wrote:
| It would be interesting if the networking model for the end targets could also be inverted, so that an agent (or something) on the end target could make an outbound connection to establish a reverse tunnel to the proxy that user connections could then be sent over.
|
| The use case I'm thinking of is for IoT or robotics, where you have devices you want to manage being deployed into remote networks that you don't have much control over. It's really helpful in this situation if devices make outbound connections only, so that network operators don't have to configure their firewalls to port forward or set up a VPN.
|
| Edit: clearer language
|
| lifty wrote:
| Hey Mitchell, congrats on the new announcements, great stuff! Out of curiosity, how are you building and operating HCP? Are you running it on top of Kubernetes or Nomad, or are you doing some other custom stuff?
|
| mitchellh wrote:
| - Full HashiCorp stack (Nomad, Consul, Vault, Terraform)
| - Cadence (https://temporal.io/)
| - Microservice architecture over gRPC and Consul Connect
| - All services written in Go
| - Customer clusters are created/managed by programmatically running Terraform using just-in-time cloud credentials from Vault
| - All internal TLS certs for customer clusters dynamically created using Vault
| - All external TLS certs for customer clusters dynamically created using LetsEncrypt via Terraform
| - Frontend is Ember
|
| digitallogic wrote:
| > Customer clusters are created/managed by programmatically running Terraform
|
| I have soooo many questions about best practices doing this. I run a service that needs to dynamically provision AWS resources, and lacking a clear path to do this programmatically, I shell out to Terraform.
|
| * I assume you aren't shelling out :). Do you have any additional helper libraries on top of the Terraform code base to make it more of a programmatically consumable API, as opposed to an end user application?
|
| * Are you still pointing at a directory with resources defined in HCL, or are the resources defined programmatically?
|
| * What are you using for state storage?
|
| * What is the execution environment for the programmatic Terraform process? Since Terraform uses external processes for plugins, I've hit some issues with resource constraints around the max number of process sysctls in containerized environments where I have multiple Terraform processes running in the same container.
|
| edit: formatting
|
| zellyn wrote:
| Looks great! A couple of questions:
|
| Can you view logs of SSH sessions after the fact?
|
| Can you live-view a session?
|
| Can you require a pairing authorization like with https://github.com/square/sudo_pair?
|
| mitchellh wrote:
| All of the above is on the roadmap.
|
| Our initial focus is on making the connections easy. We have some work to do there still.
| We'll then move on to more management features like this. They're both super important but from an initial adoption perspective we feel the latter is moot if the former (connections) don't work easily.
|
| zellyn wrote:
| Makes sense. You should integrate Tailscale too, so you don't need to shunt traffic through the Boundary nodes.
|
| mike-cardwell wrote:
| Argh. I already find it a nightmare to figure out how to combine HashiCorp tools together. Now there's one more! ;)
|
| E.g., if I want a Consul-backed Vault, whilst using Vault to generate TLS certs or other creds for Consul. Especially if I want to run either/both of those services using Nomad, backed by Consul. Hopefully I won't have the option of authenticating against any of these services using Boundary. Especially if Boundary is backed by Consul.
|
| mitchellh wrote:
| Indeed. Our recommendation with Vault now is to use the built-in storage[1] to break that dependency. If you must use Consul, we recommend separate clusters.
|
| One way we're simplifying this a lot for people is the introduction of our managed services[2][3]. We understand not everyone can use a managed service though!
|
| Boundary will integrate fairly deeply with Consul/Vault but these integrations will be optional.
|
| [1]: https://www.vaultproject.io/docs/configuration/storage/raft
| [2]: https://www.hashicorp.com/blog/hcp-consul-public-beta
| [3]: https://www.hashicorp.com/blog/vault-on-the-hashicorp-cloud-...
|
| mike-cardwell wrote:
| Thanks for the response. My comment was half in jest, but it _has_ been a pain point for me.
|
| jaquers wrote:
| This comment resonates with me so hard. Specifically TLS certs, private certificate authorities and Consul. Like I wanna run my PCA out of Vault (right?), but if using Consul as the backend how do I bootstrap? Sounds like the reply from Michael seems to suggest running the integrated backend, which I can get behind.
| chucky_z wrote:
| So I actually do this today, and I use Vault. This sounds weird, but I spin up a "bootstrap PKI" Vault that is local-only, and produces, e.g.: "consul.service.dc.consul" certs with the issuer labeled as "bootstrap PKI intermediate" or some such. I generate a full suite of these for everything in a space, get it all up and running, then there's a 2nd layer of automation where self-certs are issued.
|
| That said, I'm moving to a central distributed Vault that is mostly going to exist as a PKI so I'll only really need to repeat this process once more! Going to be using the raft internal engine for this one, and spread it physically across the globe so performance is going to be pretty terrible by design, but it should be quite resilient!
| mrweasel wrote:
| Maybe you're not using Terraform. I suspect that your problem is an insufficient usage of HCL.
| ETHisso2017 wrote:
| All hail Hashi-stack!
| [deleted]
| time0ut wrote:
| Do you think there will be any synergy or potential interaction with consul connect at some point?
| mitchellh wrote:
| Absolutely, 100%. This is already well discussed internally. :)
| jcims wrote:
| Thinking of this as a means for privileged access management, would it be possible for Boundary to gather artifacts (e.g. keystroke logs and/or screen shots) from the session?
|
| This might trigger some folks but have you explored any options for delivering some or all of the Boundary infrastructure through serverless/faas?
| mitchellh wrote:
| Yes this is on the roadmap!
| dabeeeenster wrote:
| Looks interesting! Couple of things:
|
| 1. It's not clear to me how you actually secure the targets? Do you just enable access to the IP address of the controller proxy? In the video you mention a gateway but there's no description of that in the docs?
|
| 2. Is it possible to proxy a web browser session? Or is it limited to individual requests via something like curl at the moment?
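The bootstrap question jaquers raises (how to stand up a private CA in Vault when Vault itself needs certs) and the pattern chucky_z describes (a throwaway, local-only "bootstrap PKI" whose issuer name marks every cert it minted, followed by a second pass that reissues from the real PKI) come down to a trust-store cut-over. The following is an added example, not code from the thread, from HashiCorp or from Vault: it uses Go's crypto/x509 to stand in for two Vault PKI mounts, so it runs offline. The labels "bootstrap PKI" and "production PKI", the 24h/10y CA lifetimes and the three verification phases are assumptions made for the illustration; the host name consul.service.dc.consul is taken from chucky_z's comment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Cred pairs a certificate with the private key that signs its children.
type Cred struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// sign fills in serial/NotBefore and signs tmpl; a nil parent means self-signed.
func sign(tmpl *x509.Certificate, parent *Cred) *Cred {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	must(err)
	tmpl.NotBefore = time.Now().Add(-time.Minute)
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &Cred{Cert: cert, Key: key}
}

// NewHierarchy stands in for one Vault PKI mount: a root plus a path-length-0
// intermediate. The label lands in both names, so a leaf's issuer CN tells you
// which hierarchy minted it (chucky_z's "bootstrap PKI intermediate" labelling).
func NewHierarchy(label string, ttl time.Duration) (root, inter *Cred) {
	caTmpl := func(cn string, leavesOnly bool) *x509.Certificate {
		return &x509.Certificate{
			Subject:               pkix.Name{CommonName: cn},
			NotAfter:              time.Now().Add(ttl),
			IsCA:                  true,
			BasicConstraintsValid: true,
			MaxPathLenZero:        leavesOnly, // intermediate may only issue leaves
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	root = sign(caTmpl(label+" root", false), nil)
	inter = sign(caTmpl(label+" intermediate", true), root)
	return root, inter
}

// IssueServer mints a short-lived serverAuth leaf for dnsName from issuer.
func IssueServer(issuer *Cred, dnsName string, ttl time.Duration) *x509.Certificate {
	return sign(&x509.Certificate{
		Subject:     pkix.Name{CommonName: dnsName},
		DNSNames:    []string{dnsName},
		NotAfter:    time.Now().Add(ttl),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, issuer).Cert
}

// Verify is the client side: leaf must chain through the presented
// intermediates to a root in the client's trust store, and match dnsName.
func Verify(leaf *x509.Certificate, dnsName string, roots, inters []*Cred) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r.Cert)
	}
	for _, i := range inters {
		interPool.AddCert(i.Cert)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: rootPool,
		Intermediates: interPool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// Cutover records the three trust-store phases of the migration.
type Cutover struct {
	BootstrapIssuer    string // issuer CN on the first-generation cert
	Phase1BootstrapOK  bool   // only the bootstrap root is trusted
	Phase2BothOK       bool   // both roots trusted while everything is reissued
	Phase3ProdOK       bool   // bootstrap root dropped; production leaf still valid
	Phase3BootstrapErr error  // bootstrap-issued leaf must fail from here on
}

// RunCutover: bootstrap hierarchy (short TTL) issues first, production
// hierarchy (fresh key, long TTL) reissues, then the bootstrap root is removed.
func RunCutover(host string) Cutover {
	bRoot, bInter := NewHierarchy("bootstrap PKI", 24*time.Hour)
	pRoot, pInter := NewHierarchy("production PKI", 10*365*24*time.Hour)
	bLeaf := IssueServer(bInter, host, 72*time.Hour)
	pLeaf := IssueServer(pInter, host, 72*time.Hour)
	both, allInters := []*Cred{bRoot, pRoot}, []*Cred{bInter, pInter}
	return Cutover{
		BootstrapIssuer:    bLeaf.Issuer.CommonName,
		Phase1BootstrapOK:  Verify(bLeaf, host, []*Cred{bRoot}, []*Cred{bInter}) == nil,
		Phase2BothOK:       Verify(bLeaf, host, both, allInters) == nil && Verify(pLeaf, host, both, allInters) == nil,
		Phase3ProdOK:       Verify(pLeaf, host, []*Cred{pRoot}, []*Cred{pInter}) == nil,
		Phase3BootstrapErr: Verify(bLeaf, host, []*Cred{pRoot}, []*Cred{bInter}),
	}
}

func main() {
	c := RunCutover("consul.service.dc.consul")
	fmt.Printf("first cert issued by %q\n", c.BootstrapIssuer)
	fmt.Println("phase 1 bootstrap leaf ok:", c.Phase1BootstrapOK)
	fmt.Println("phase 2 both leaves ok:", c.Phase2BothOK)
	fmt.Println("phase 3 prod leaf ok:", c.Phase3ProdOK, "/ bootstrap leaf:", c.Phase3BootstrapErr)
}
```

The point of the three phases is that removing the bootstrap root from client trust stores is what actually retires the bootstrap Vault: every cert it issued stops validating at that moment, so the "2nd layer of automation" has to have reissued all of them first. The issuer label is what makes that auditable; before phase 3, enumerate live certs and treat any whose issuer still reads "bootstrap PKI intermediate" as a blocker. Mapping back to Vault, each hierarchy is its own pki mount with its own key, and the bootstrap Vault can be destroyed once its last leaf has expired.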
| NovemberWhiskey wrote:
| Hi Mitchell: what's your competitive landscape with Boundary?
|
| When I first looked at the product description, I thought I might be looking at a "zero-trust identity-aware-proxy" sort of thing, but as I read more I got more of the "privileged access management" vibe with more of a focus on controlling access to infrastructure for developers vs. applications for end users.
| newman314 wrote:
| So I've been casually doing some research into this in the past and was just updating my list so here's what I have so far. If I have missed any, please let me know.
|
| * Azure App Proxy
| * Google IAP
| * Amazon WorkLink
| * Cloudflare Access
| * Zscaler Private Access
| * Duo Beyond
| * Hashicorp Beyond
| hossi wrote:
| * PrivX by SSH.COM
|
| We provide a lean PAM solution for multi-cloud infrastructure access.
| nielsole wrote:
| * Teleport https://gravitational.com/teleport/
| all_usernames wrote:
| Google BeyondCorp?
| [deleted]
| jaquers wrote:
| https://smallstep.com/
|
| One example. I have been testing smallstep, which puts IDP around ssh (with group management), and also includes a dynamic host catalog (hosts run an agent that phones home to your identity provider).
|
| However, I am very excited about Boundary as it seems to be a much more comprehensive solution.
| TheGuyWhoCodes wrote:
| Are there any plans or a way to use existing tools? By existing tools I mean winscp or any other tools that use a normal ssh client? RDP etc. I guess for ssh and rdp you can just run the Boundary cli with the predefined target in a terminal embedded into the UI (MremoteNG, MobaXterm etc) but tools like winscp are very much used for sftp file transfers.
|
| A desktop client with a list of services/targets would also be great. Especially for the less technologically inclined individuals.
|
| I know that people have their own opinions on port knocking but I find it a good tool to remove a lot of noise, some pre-built tool for that would be nice but could always just use fwknop-2
| mitchellh wrote:
| You can do this already. The `boundary connect ssh` stuff is just a convenience. You can spin up a local boundary proxy to anything and just connect anything that speaks TCP over it. This allows you to use all the tools you just named.
|
| A desktop client is on the way, we already have an internal build of parts of it but it requires more work and didn't make it for 0.1.
| lstamour wrote:
| Given dynamic resource catalogs and dynamic credentials, any plans to integrate dynamic policy engines, such as Open Policy Agent? https://www.openpolicyagent.org
| mitchellh wrote:
| Yep. This is a little bit further out on the roadmap but yes, we plan on integrating dynamic policy engines.
| LinuxBender wrote:
| Do you have a video showing a demo of managing a fleet of servers? Does this also address machine-to-machine ssh key trusts? Do you have a contrib repo with existing ansible, chef, puppet scripts to build your cluster and also for deploying agents to machines?
| cratermoon wrote:
| Over in another thread this was compared to Google's BeyondCorp. Can you comment and compare/contrast Boundary with the concepts of BeyondCorp?
| mitchellh wrote:
| Boundary can be viewed as an implementation of some of these ideas!
| jolux wrote:
| I hope this isn't too big of a question but what do you see as the migration path towards these newer "zero trust" access control technologies for organizations that are all in on VPNs and are in a hybrid cloud position?
| jefferai wrote:
| As you say, it's a big question. But one way to start is by integrating this _within your VPN_ such that network access + credentials alone are not enough.
| With Boundary you could do this by setting up firewalls on the end hosts to only allow ingress from Boundary worker nodes.
|
| Eventually you can migrate towards Boundary nodes (or similar technologies) being the public ingress instead of a VPN endpoint.
|
| (Edit: clarified that I meant firewalls on the end hosts, not on the VPN or elsewhere in the network.)
| talawahtech wrote:
| What is used to secure/encrypt the connection between the clients and the workers?
|
| I did a quick search in the GitHub repo for WireGuard and didn't get any results so I guess you aren't using it.
| sytse wrote:
| This is awesome, thanks for making this. Boundary seems like the missing open source building block to achieve Zero Trust.
|
| Zero Trust means authenticating per application instead of per network. For more context see https://about.gitlab.com/blog/2019/04/01/evolution-of-zero-t...
|
| Proxying connections as Boundary does seems like the most elegant solution to achieve this in a way that doesn't require modifying the application.
___________________________________________________________________
(page generated 2020-10-14 23:00 UTC)