Connector | Fluid Attacks Help

Connector

This section provides a comprehensive guide to setting up and using the Connector connection, which enables Fluid Attacks to securely access your private resources for security testing.

Architecture

This section outlines the architecture of the Connector connection, which relies on Cloudflare. It details how Fluid Attacks utilizes a pivot agent to access your private network and highlights the minimum requirements and limitations of this approach.

High-level architecture

To access your private resources securely, Fluid Attacks employs a "pivot agent." This agent, installed within your private network on a container or server, acts as an intermediary, allowing Fluid Attacks to interact with the specific resources you grant access to.

Below is a diagram that shows how the connection works at a high level.

[Diagram: Connector connection infrastructure]

Pivot agent minimum requirements

  1. 1 CPU
  2. 2 GiB of memory
  3. At least 5 GB of free disk space
  4. A user with administrative privileges
  5. Docker, Linux, Windows, or macOS
  6. Stable access to the Internet
  7. Firewall rules:
    1. Firewall permissions for pulling the cloudflared Docker container or downloading the cloudflared agent
    2. Firewall permissions for reaching Fluid Attacks' Cloudflare network
    3. Firewall permissions for reaching the internal resources Fluid Attacks will be accessing

Limiting access for the pivot agent

Fluid Attacks uses the pivot agent for accessing your private network. To enhance security, configure your firewall to grant the pivot agent only the minimum necessary permissions. This ensures that Fluid Attacks can only access the specific resources required for the assessment, limiting potential exposure.

Service limitations

Restricted IP addresses

Certain IP addresses are reserved for internal use within the Fluid Attacks system and cannot be routed through the Connector connection:

  1. Routing within Fluid Attacks' internal network:
    1. 192.168.0.1
  2. DNS resolution within Fluid Attacks' internal network:
    1. 192.168.0.2
  3. Reserved for internal testing:
    1. 192.168.0.60
    2. 192.168.0.61
    3. 192.168.0.62
    4. 192.168.1.60
    5. 192.168.1.61
    6. 192.168.1.62
    7. 192.168.10.60
    8. 192.168.10.61
    9. 192.168.10.62
    10. 192.168.100.60
    11. 192.168.100.61
    12. 192.168.100.62
    13. 192.168.100.63
    14. 192.168.100.64

Ensure these IP addresses are not exposed to the pivot agent to prevent service disruptions.

Maximum hosts

In order to properly record network and HTTP logs, a maximum of 1024 hosts can be routed through a Connector connection.
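The reserved-address list and the 1024-host cap above are easy to check before the pivot agent goes live. The following shell script is an added example, not Fluid Attacks' tooling: it reads a host list (one IPv4 address per line, `#` comment lines allowed), counts the active entries against the 1024 limit, flags any entry that exactly matches a reserved address, and flags CIDR entries for manual review because an exact-match check cannot see the addresses inside a range. The reserved addresses are the ones documented on this page; the two sample host files and every address in them are constructed.

```sh
#!/bin/sh
# Pre-flight check for a Connector host list (added example, not Fluid Attacks' tooling).
# Assumptions: one IPv4 address per line in the host file; lines starting with '#' are comments.

# Addresses reserved by Fluid Attacks (from this page); never route these through the connection.
RESERVED_IPS='192.168.0.1 192.168.0.2
192.168.0.60 192.168.0.61 192.168.0.62
192.168.1.60 192.168.1.61 192.168.1.62
192.168.10.60 192.168.10.61 192.168.10.62
192.168.100.60 192.168.100.61 192.168.100.62 192.168.100.63 192.168.100.64'
MAX_HOSTS=1024   # maximum hosts per Connector connection (from this page)

RESERVED_FILE=$(mktemp)
printf '%s\n' $RESERVED_IPS > "$RESERVED_FILE"

# active_entries FILE: the host list with blank and comment lines removed
active_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

# reserved_hits FILE: entries that exactly match a reserved address (file order)
reserved_hits() {
    grep -Fx -f "$RESERVED_FILE" "$1" || true
}

# cidr_entries FILE: entries written as ranges; exact matching cannot inspect them
cidr_entries() {
    active_entries "$1" | grep -F '/' || true
}

# check_hosts FILE: prints findings; returns 0 when the list is clean, 1 otherwise
check_hosts() {
    file="$1"
    status=0
    count=$(active_entries "$file" | wc -l | tr -d ' ')
    if [ "$count" -gt "$MAX_HOSTS" ]; then
        echo "FAIL: $count hosts listed; a Connector connection routes at most $MAX_HOSTS"
        status=1
    fi
    hits=$(reserved_hits "$file")
    if [ -n "$hits" ]; then
        echo "FAIL: reserved Fluid Attacks addresses present:"
        echo "$hits" | sed 's/^/  /'
        status=1
    fi
    ranges=$(cidr_entries "$file")
    if [ -n "$ranges" ]; then
        echo "WARN: range entries need manual review against the reserved list:"
        echo "$ranges" | sed 's/^/  /'
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $count hosts, no reserved addresses"
    fi
    return "$status"
}

# Constructed sample lists (placeholders, not real infrastructure).
CLEAN_LIST=$(mktemp)
printf '%s\n' '# git, app and DNS servers from the example scenario' \
    10.20.0.15 10.20.0.40 10.20.0.53 > "$CLEAN_LIST"
BAD_LIST=$(mktemp)
printf '%s\n' 10.20.0.15 192.168.0.2 192.168.100.63 10.30.0.0/24 > "$BAD_LIST"

check_hosts "$CLEAN_LIST" || true
check_hosts "$BAD_LIST" || true
```

Run it against the list you are about to hand to Fluid Attacks; a non-zero exit means the list needs editing before the pivot agent is pointed at it.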


Using self-signed certificates

When using self-signed SSL certificates within your private network, HTTPS traffic going through it is not inspected, reducing the log detail that can be collected. This is because the Cloudflare network, on which the connection relies, requires certificates issued by trusted Certificate Authorities (CAs) for full validation and logging. Therefore, it is recommended to use SSL certificates signed by a valid CA so navigation logs within the tunnel are fully detailed.

Installation

Set up Connector connection

Follow these steps to grant Fluid Attacks access to your application resources:

  1. Complete the connection form to provide the necessary details for setting up the Connector connection. You receive a secret token within 8 business hours to use in the following steps.

  2. Provide a container or a server within your private network that satisfies the minimum requirements. This serves as the pivot agent.

  3. Install cloudflared on the pivot agent. On Docker, deploy a service using the cloudflared Docker container on your container runtime system (e.g., AWS ECS, AWS EKS, Azure AKS, GCP GKE, etc.). On Windows, Linux, and macOS, download and install cloudflared on your server.
    Note on pivot agent installation: If you intend to share access to several servers within the same private network, you only need to install one pivot agent.

  4. Make sure the pivot agent has firewall egress permissions for the required traffic.
    Note on firewall: If you intend to share access to several servers within the same private network, make sure your firewall rules allow the pivot agent to reach them.

  5. Run the appropriate command below using the secret token provided by Fluid Attacks.

    Docker
    cloudflared tunnel --no-autoupdate run --token <SECRET TOKEN>

    Windows
    cloudflared.exe service install <SECRET TOKEN>

    Linux and macOS
    cloudflared service install <SECRET TOKEN>

    Caution: Make sure you run this command as a System Administrator. If you're running a Docker container, being root within the container is enough.

Test your connection

After establishing the connection, verify that it works as follows:

  • Docker: Review the logs of your container. The specific method for accessing logs will depend on your container runtime environment (e.g., AWS ECS, AWS EKS, Azure AKS, GCP GKE, etc.).
  • Windows: Follow the official steps to test connectivity with PowerShell.
  • Linux and macOS: Follow the official steps to test connectivity with dig.

Example

Below we provide a detailed example of setting up a Connector connection for securely exposing your application's resources.

Scenario

Imagine you need to provide Fluid Attacks access to three servers within your private network:

  1. Your Git repository server
  2. Your application environment server
  3. Your internal DNS server for proper name resolution

The use cases you want to allow are the following:

  1. Fluid Attacks can clone your Git repository using SSH.
  2. Fluid Attacks can test your application via HTTPS.
  3. Fluid Attacks can resolve your internal domains via DNS.

Configuration

Follow these steps:

  1. Fill out the connection form so Fluid Attacks can set up a connection for you.
  2. Install cloudflared in any of the servers you want to share. For this example, it is assumed you install it on the Git repository server.
  3. Receive a secret token from Fluid Attacks for setting up the connection.

Firewall rules

Now you should focus on creating firewall rules that allow the use cases presented previously.

For the Git repository server, set the following egress firewall rules:
  • For secure connection:
    • Allow TCP/UDP via port 7844 to region1.v2.argotunnel.com
    • Allow TCP/UDP via port 7844 to region2.v2.argotunnel.com
    • Allow TCP via port 443 to api.cloudflare.com
    • Allow TCP via port 443 to update.argotunnel.com
  • For internal communication:
    • Allow TCP connections via port 443 (HTTPS) to application environment server
    • Allow TCP/UDP connections via port 53 (DNS) to DNS server

For the application environment server, set the following ingress firewall rule:

  • Allow TCP connections via port 443 (HTTPS) from Git repository server

For the DNS server, set the following ingress firewall rule:

  • Allow TCP/UDP connections via port 53 (DNS) from Git repository server
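The egress and ingress rules above, and the "limiting access for the pivot agent" guidance earlier on this page, map directly onto a host firewall. The following shell script is an added example, not Fluid Attacks' or Cloudflare's tooling: it emits an nftables ruleset for the pivot agent (the Git repository server in this scenario) with a default-drop output chain that allows only the tunnel endpoints on port 7844, the Cloudflare API and update hosts on port 443, HTTPS to the application server and DNS to the DNS server, and it emits the matching `nft add rule` commands for the two internal servers' existing input chains. Every address below is a constructed placeholder, as are the `filter`/`input` table and chain names. One caveat the rule format forces: nftables resolves hostnames only when a ruleset is loaded, so the Cloudflare destinations named on this page are passed in as address lists that you resolve at deployment time and refresh when they change.

```sh
#!/bin/sh
# nftables rule generator for the Connector example (added example, not Fluid Attacks' tooling).
# Assumptions: IPv4 only; the pivot agent is the Git repository server; the Cloudflare
# hostnames from this page have been resolved to the address lists passed in (placeholders
# here), because nft resolves names only when a ruleset is loaded.

# pivot_egress_rules APP_IP DNS_IP TUNNEL_EDGES API_HOSTS
#   TUNNEL_EDGES: addresses of region1/region2.v2.argotunnel.com (port 7844)
#   API_HOSTS:    addresses of api.cloudflare.com and update.argotunnel.com (port 443)
pivot_egress_rules() {
    cat <<EOF
table inet pivot_egress {
    set tunnel_edges { type ipv4_addr; elements = { $3 } }
    set api_hosts    { type ipv4_addr; elements = { $4 } }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # Cloudflare tunnel transport: QUIC (UDP) with TCP fallback on 7844
        ip daddr @tunnel_edges udp dport 7844 accept
        ip daddr @tunnel_edges tcp dport 7844 accept
        # cloudflared API calls and update checks over HTTPS
        ip daddr @api_hosts tcp dport 443 accept
        # internal use cases: HTTPS to the application server, DNS to the DNS server
        ip daddr $1 tcp dport 443 accept
        ip daddr $2 tcp dport 53 accept
        ip daddr $2 udp dport 53 accept
        # anything else is logged and then dropped by the chain policy
        log prefix "pivot-egress-drop: " counter
    }
}
EOF
}

# internal_ingress_rules TABLE CHAIN PIVOT_IP MATCH...: 'nft add rule' commands that allow
# only the listed services from the pivot agent in a server's existing input chain.
# TABLE/CHAIN are whatever that server already uses; "filter"/"input" below is a placeholder.
internal_ingress_rules() {
    table="$1"; chain="$2"; pivot="$3"; shift 3
    for match in "$@"; do
        echo "nft add rule inet $table $chain ip saddr $pivot $match accept"
    done
}

# Constructed scenario addresses (placeholders, not real infrastructure).
PIVOT_IP=10.20.0.15      # Git repository server, runs cloudflared
APP_IP=10.20.0.40        # application environment server
DNS_IP=10.20.0.53        # internal DNS server
TUNNEL_EDGES='198.51.100.10, 198.51.100.11'   # resolved region1/region2.v2.argotunnel.com
API_HOSTS='203.0.113.5, 203.0.113.6'          # resolved api.cloudflare.com, update.argotunnel.com

echo "# --- pivot agent (Git repository server): save as pivot_egress.nft ---"
pivot_egress_rules "$APP_IP" "$DNS_IP" "$TUNNEL_EDGES" "$API_HOSTS"
echo "# --- application environment server ---"
internal_ingress_rules filter input "$PIVOT_IP" "tcp dport 443"
echo "# --- DNS server ---"
internal_ingress_rules filter input "$PIVOT_IP" "tcp dport 53" "udp dport 53"
```

Save the first section to a file and validate it with `nft -c -f pivot_egress.nft` before loading it. The egress table is IPv4-only by assumption; on a dual-stack pivot agent, add ICMPv6 neighbour discovery before relying on the drop policy. Dropped packets show up in the kernel log under the `pivot-egress-drop:` prefix, which is the quickest way to spot a missing rule when cloudflared fails to register.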

Turning on the connection

With cloudflared installed and the required firewall rules in place, you can proceed to enable the connection. As a System Administrator, run the registration command for the connection using the secret token provided by Fluid Attacks.


Testing the connection

Once the connection is on, you can proceed and test it as described above.

Note: All use cases for this example scenario should be covered if you have (a) a working pivot agent and (b) minimum privilege firewall rules within your private network.

Authentication

The authentication mechanisms available for this connection are as follows:

  • OAuth
  • SSH
  • HTTPS

Support

If you require assistance with the Connector setup, send Fluid Attacks an email at help@fluidattacks.com.