The repository contains test cases demonstrating the application of Zero Trust (ZT) architecture in an IoT-Edge-Cloud continuum. The test cases represent a simulated CCTV monitoring system that utilizes edge computing for image processing (object detection) before securely transmitting the data to a cloud-based database for storage and analysis.
The test environment consists of:

- IoT Device: A CCTV camera acting as a client that sends images to the edge microservices for processing.
- Edge System: Composed of several microservices that perform image processing tasks (e.g., object detection).
- Cloud System: A cloud-based database that stores the processed images for further analysis.
- Objective: To demonstrate the application of ZT architecture in an IoT-Edge-Cloud environment.
- Components:
  - Windows machine: Functions as the IoT device, communicating with the edge system.
  - Ubuntu machine:
    - Runs the OpenZiti overlay network.
    - Acts as the edge system, processing the images received from the IoT device.
- ZT implementation:
  - Utilizes the OpenZiti framework to create a secure overlay network between the IoT device and the edge system.
- Stakeholders:
  - Security company: Owns and operates the image processing microservices on the Edge.
  - Client: Owns the CCTV camera and the cloud DB where observed data is stored.
- Set up the overlay network on the Ubuntu machine according to the Local - No Docker guide.
- Also on the Ubuntu machine, follow the Your First Service guide as below:
  - Create an identity for the HTTP client and assign an attribute "http-clients". We'll use this attribute when authorizing the clients to access the HTTP service.
  - Create an identity for the HTTP server if you are not using an edge-router with the tunneling option enabled. Also note that if you are using the docker-compose quickstart or just plan to use an edge-router with tunneling enabled you can also skip this step.
  - Create an `intercept.v1` config. This config is used to instruct the client-side tunneler how to correctly intercept the targeted traffic and put it onto the overlay.
  - Create a `host.v1` config. This config is used to instruct the server-side tunneler how to offload the traffic from the overlay, back to the underlay.
  - Create a service to associate the two configs created previously into a service.
  - Create a service-policy to authorize "HTTP Clients" to "dial" the service representing the HTTP server.
  - Create a service-policy to authorize the "HTTP Server" to "bind" the service representing the HTTP server.
  - Start the server-side tunneler with the HTTP server identity, providing access to the HTTP server.
  - Start the client-side tunneler from the Windows machine using the HTTP client identity by:
    - Copying the `http.client.jwt` from step 1 to the Windows machine.
    - Enrolling the client identity using the `ziti-edge-tunnel` binary.
    - Running `ziti-edge-tunnel` for the client.
  - Access the HTTP server securely over the OpenZiti zero trust overlay.
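The guide's steps above as `ziti` CLI calls, added here as an example that is not the repository's or the OpenZiti project's own code, together with a local check that the `host.v1` target address is loopback, which is one of the things to verify when a computer outside the "http-clients" policy can still reach the server. Identity, config, service and policy names follow the Your First Service guide; the intercept address `http.ziti`, the `http-servers` attribute and the `127.0.0.1:8080` target are assumptions.

```shell
#!/bin/sh
# Added example, not the repository's or the OpenZiti project's own code. Identity, config,
# service and policy names follow the Your First Service guide; the intercept address
# "http.ziti", the "http-servers" attribute and the 127.0.0.1:8080 target are assumptions.
set -eu

SVC=http.svc
HOST_ADDR=${HOST_ADDR:-127.0.0.1}   # where the server-side tunneler forwards overlay traffic
HOST_PORT=${HOST_PORT:-8080}

# intercept.v1 tells the client-side tunneler which destination to capture and put on the overlay.
intercept_v1_config() {
  printf '{"protocols":["tcp"],"addresses":["http.ziti"],"portRanges":[{"low":80,"high":80}]}'
}

# host.v1 tells the server-side tunneler where to deliver the traffic on the underlay.
host_v1_config() {
  printf '{"protocol":"tcp","address":"%s","port":%s}' "$1" "$2"
}

# Returns 0 only for a loopback address. Forwarding to loopback, with the HTTP server itself
# listening on loopback, keeps the server reachable through the overlay alone; a server bound
# to 0.0.0.0 or a LAN address can be reached by any host on the network without enrolling.
hosted_addr_is_loopback() {
  case "$1" in
    127.*|localhost|::1) return 0 ;;
    *) return 1 ;;
  esac
}

# Steps 1 to 7 of the guide, run on the Ubuntu machine after "ziti edge login".
create_service() {
  ziti edge create identity http-client -a 'http-clients' -o http.client.jwt
  ziti edge create identity http-server -a 'http-servers' -o http.server.jwt
  ziti edge create config http.intercept.v1 intercept.v1 "$(intercept_v1_config)"
  ziti edge create config http.host.v1 host.v1 "$(host_v1_config "$HOST_ADDR" "$HOST_PORT")"
  ziti edge create service "$SVC" --configs http.intercept.v1,http.host.v1
  # Dial is granted to the #http-clients attribute only; '#all' here would admit every identity.
  ziti edge create service-policy http.policy.dial Dial --service-roles "@$SVC" --identity-roles '#http-clients'
  ziti edge create service-policy http.policy.bind Bind --service-roles "@$SVC" --identity-roles '#http-servers'
}

# Lists which identities the policies actually allow to dial and bind the service.
audit_service() {
  ziti edge policy-advisor services "$SVC"
}

hosted_addr_is_loopback "$HOST_ADDR" || { echo "host.v1 address $HOST_ADDR is not loopback" >&2; exit 1; }
if [ "${1:-}" = apply ]; then create_service; audit_service; fi
```

Run with `apply` as the first argument to create the identities, configs, service and policies; without it the script only performs the loopback check.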
- Problem: "CONTROLLER_UNAVAILABLE" error when trying to enroll the client identity on the Windows machine.
  - Cause: DNS issue: the Windows machine could not resolve the hostname of the Ubuntu machine.
  - Solution: Added a new entry (the Ubuntu machine's IP address and hostname) to the `/etc/hosts` file on the Windows machine.
- Problem: An unauthorized computer can still access the HTTP server.
  - Cause: Incorrect configuration at steps 3 and 4?
- Problem: Ziti Admin Console (ZAC) not discovering the controller.