Attack (Internet Sourced)<\/strong><\/p>\n

\n\t\t\t <\/p>\n

Mitiga<\/strong>tion<\/strong><\/p>\n

\n\t\t\t <\/p>\n

Cust Risk<\/strong><\/p>\n

\n\t\t\t <\/p>\n

Mitigate<\/strong><\/p>\n

\n\t\t\t <\/p>\n

Attacking (to compromise or DoS) the Cloud Connector management interface using open listening services (SSH)<\/p>\n

\n\t\t\t <\/p>\n

Inbound Security Group on management interface<\/p>\n

\n\t\t\t <\/p>\n

Med<\/p>\n

\n\t\t\t <\/p>\n

Should<\/p>\n

\n\t\t\t <\/p>\n

DDoS ZPA resources through CC<\/p>\n

\n\t\t\t <\/p>\n

Inbound Security Group on service interface<\/p>\n

\n\t\t\t <\/p>\n

Med<\/p>\n

\n\t\t\t <\/p>\n

Must<\/p>\n

\n\t\t\t <\/p>\n

DDoS internet resources using CC DNS
\n\t\t\t(also incurring BW cost)<\/p>\n

\n\t\t\t <\/p>\n

Inbound Security Group on service interface<\/p>\n

\n\t\t\t <\/p>\n

High<\/p>\n

\n\t\t\t <\/p>\n

Must<\/p>\n

\n\t\t\t<\/p><\/div>\n

So, we need a number of Security Group rules to mitigate these risks by making sure that only local resources can use the CCs.\u00a0<\/p>\n

In Azure,<\/strong> this is straightforward. In fact: the Zscaler ARM and Terraform provisioning scripts create the correct Security Group rules by using Azure defined network TAGs. For the management interface only sources on \u201cVirtualNetwork\u201d should be allowed access to listening services, like SSH. Of course, if you have a specific subnet to manage workloads from (containing management systems and\/or jump hosts), then you should further limit SSH access to only those systems. Additionally, the management interface needs public outbound access towards DNS (UDP\/TCP 53), (D)TLS (UDP\/TCP 443) and NTP (UDP 123).\u00a0<\/p>\n

For the service interface, this means only sources on \u201cVirtualNetwork\u201d are allowed full TCP\/UDP access to ANY destination behind the Cloud Connector. Note that if<\/em> you have additional networks connected (through Direct Access, virtual WAN or VPN) that also want to use Cloud Connector to protect their traffic going out, you\u2019ll need to manually add policy rules for them as well.<\/p>\n

In AWS,<\/strong> this configuration is slightly less convenient; you\u2019ll have to define these ACLs using your local IP subnets manually. Again, the management interface should only allow inbound SSH from a management subnet or from specific bastion\/jump-hosts. The management also needs public outbound access towards DNS (UDP\/TCP 53),\u00a0 (D)TLS (UDP\/TCP 443) and NTP (UDP 123).<\/p>\n

For the service interface this means only your locally defined subnets (or IP ranges from other connected networks, if they want to use Cloud Connector to protect their traffic going out) should be allowed full TCP\/UDP access to ANY destination behind the Cloud Connector (including the Cloud Connector itself). Note that since AWS will protect against traffic with (spoofed) private (RFC1918) IP addresses, allowing inbound connections only from RFC1918 sources protects against all external connection attempts.<\/p>\n

\n\u00a0<\/p>\n

\u00a0\u00a0<\/p>","protected":false},"excerpt":{"rendered":"

Post Content\u00a0\u00a0 \u200b Zscaler Cloud Connector is a VM-based solution […]<\/p>\n","protected":false},"author":0,"featured_media":1464,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"class_list":["post-1463","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-zenith-zscaler"],"yoast_head":"\n