Connector | Fluid Attacks Help

Connector

This section provides a comprehensive guide to setting up and using the Connector connection, which enables Fluid Attacks to securely access your private resources for security testing.

Architecture

This section outlines the architecture of the Connector connection, which relies on Cloudflare. It details how Fluid Attacks utilizes a pivot agent to access your private network and highlights the minimum requirements and limitations of this approach.

High-level architecture

To access your private resources securely, Fluid Attacks employs a "pivot agent." This agent, installed within your private network on a container or server, acts as an intermediary, allowing Fluid Attacks to interact with the specific resources you grant access to.

Below is a diagram that shows how the connection works at a high level.

Understand Connector connection with Fluid AttacksConnector connection infrastructure diagram

Pivot agent minimum requirements

  1. 1 CPU
  2. 2 GiB of memory
  3. At least 5GB of free disk space
  4. A user with administrative privileges
  5. Docker, Linux, Windows, or macOS
  6. Stable access to the Internet
  7. Firewall rules:
    1. Firewall permissions for pulling the cloudflared Docker container or downloading the cloudflared agent
    2. Firewall permissions for reaching Fluid Attacks' Cloudflare network
    3. Firewall permissions for reaching the internal resources Fluid Attacks will be accessing

Limiting access for the pivot agent

Fluid Attacks uses the pivot agent for accessing your private network. To enhance security, configure your firewall to grant the pivot agent only the minimum necessary permissions. This ensures that Fluid Attacks can only access the specific resources required for the assessment, limiting potential exposure.

Service limitations

Restricted IP addresses

Certain IP addresses are reserved for internal use within the Fluid Attacks system and cannot be routed through the Connector connection:

  1. Routing within Fluid Attacks' internal network:
    1. 192.168.0.1
  2. DNS resolution within Fluid Attacks' internal network:
    1. 192.168.0.2
  3. Reserved for internal testing:
    1. 192.168.0.60 - 192.168.0.62
    2. 192.168.1.60 - 192.168.1.62
    3. 192.168.10.60 - 192.168.10.62
    4. 192.168.100.60 - 192.168.100.64
    5. 192.168.127.60 - 192.168.127.62
Ensure these IP addresses are not exposed to the pivot agent to prevent service disruptions.

Maximum hosts

In order to properly record network and HTTP logs, a maximum of 1024 hosts can be routed through a Connector connection.


Using self-signed certificates

When using self-signed SSL certificates within your private network, HTTPS traffic going through it is not inspected, reducing the log detail that can be collected. This is because the Cloudflare network, on which the connection relies, requires certificates issued by trusted Certificate Authorities (CAs) for full validation and logging. Therefore, it is recommended to use SSL certificates signed by a valid CA so navigation logs within the tunnel are fully detailed.

Installation

Set up Connector connection

Follow these steps to grant Fluid Attacks access to your application resources:

  1. Complete the connection form to provide the necessary details for setting up the Connector connection. You receive a secret token within 8 business hours to use in the following steps.

  2. Provide a container or a server within your private network that satisfies the minimum requirements. This serves as the pivot agent.

  3. Firewall rules:

    1. Firewall permissions for pulling the cloudflared Docker container or downloading the cloudflared agent
    2. Firewall permissions for reaching Fluid Attacks' Cloudflare network
    3. Firewall permissions for reaching the internal resources Fluid Attacks will be accessing.
    Warning on firewall permissionsDo not proceed to the next steps until these firewall rules are correctly configured. This is essential for a working connection (i.e., UDP permissions over port 7844 are required to ensure DNS resolution).
    If you intend to share access to several servers within the same private network, make sure your firewall rules allow the pivot agent to reach them.

  4. Install cloudflared on the pivot agent.

    Docker
    Windows
    Linux
    Docker

    On Docker, deploy a service using the cloudflared Docker container on your container runtime system (e.g., AWS ECS, AWS EKS, Azure AKS, GCP GKE, etc.) and then run the appropriate command below using the secret token provided by Fluid Attacks.

    docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token <SECRET TOKEN>
    Windows
    On Windows Download and install cloudflared on your server and then run the appropriate command below using the secret token provided by Fluid Attacks.
    cloudflared.exe service install <SECRET TOKEN>
    Linux
    Binary
    Download binary for your architecture and execute it directly:
    cloudflared-linux-<YOUR ARCH> service install <SECRET TOKEN>

    Debian-based systems (.deb)

    Download and install cloudflared on your server and execute:
    sudo dpkg -i cloudflared-linux<YOUR ARCH>.deb
    cloudflared service install <SECRET TOKEN>

    Red Hat-based systems (.rpm)

    Download and install cloudflared on your server and execute:
    sudo rpm -i cloudflared<YOUR ARCH>.rpm
    cloudflared service install <SECRET TOKEN>
    5. Make sure you run this command as a System Administrator. If you are running a Docker container, being root within the container is enough.

Test your connection

After establishing the connection, you should verify its functionality accordingly:

  • Docker: Review the logs of your container. The specific method for accessing logs will depend on your container runtime environment (e.g., AWS ECS, AWS EKS, Azure AKS, GCP GKE, etc.).
  • Windows: Follow the official steps to test connectivity with Powershell.
  • Linux and macOS: Follow the official steps to test connectivity with dig.

Example

Below we provide a detailed example of setting up a Connector connection for securely exposing your application's resources.

Scenario

Imagine you need to provide Fluid Attacks access to three servers within your private network:

  1. Your Git repository server
  2. Your application environment server
  3. Your internal DNS server for proper name resolution

The use cases you want to allow are the following:

  1. Fluid Attacks can clone your Git repository using SSH.
  2. Fluid Attacks can test your application via HTTPS.
  3. Fluid Attacks can resolve your internal domains via DNS.

Configuration

Follow these steps:

  1. Fill out the connection form so Fluid Attacks can set up a connection for you.
  2. Install cloudflared in any of the servers you want to share. For this example, it is assumed you install it on the Git repository server.
  3. Receive a secret token from Fluid Attacks for setting up the connection.

Firewall rules

Now you should focus on creating firewall rules that allow the use cases presented previously.

For the Git repository server, set the following egress firewall rules:
  • For secure connection:
    •  Allow TCP/UDP via port 7844 to region1.v2.argotunnel.com
    • Allow TCP/UDP via port 7844 to region2.v2.argotunnel.com
    • Allow TCP via port 443 to api.cloudflare.com
    • Allow TCP via port 443 to update.argotunnel.com
  • For internal communication:
    • Allow TCP connections via port 443 (HTTPS) to application environment server
    • Allow TCP/UDP connections via port 53 (DNS) to DNS server

For the application environment server, set the following ingress firewall rule:

  • Allow TCP connections via port 443 (HTTPS) from Git repository server

For the DNS server, set the following ingress firewall rule:

  • Allow TCP/UDP connections via port 53 (DNS) from Git repository server

Turning on the connection

With cloudflared installed and the required firewall rules in place, you can proceed to enable the connection. As a System Administrator, run the registration command for the connection using the secret token provided by Fluid Attacks.


Testing the connection

Once the connection is on, you can proceed and test it as described above.

Note on Connector exampleNote: All use cases for this example scenario should be covered if you have (a) a working pivot agent and (b) minimum privilege firewall rules within your private network.

Authentication

The authentication mechanisms available for this connection are as follows:

OAuth SSH HTTPS

Frequently asked questions

What is Connector used for?

Connector enables Fluid Attacks to securely access your private resources for security testing while maintaining network isolation and security.

What are the minimum system requirements for the pivot agent?

  • 1 CPU
  • 2 GiB of memory
  • At least 5GB of free disk space
  • A user with administrative privileges
  • Docker, Linux, Windows, or macOS
  • Stable internet connection

How do I know if my firewall rules are correctly configured?

Before proceeding with the installation, ensure the following:

  • Your firewall allows pulling the cloudflared Docker container or downloading the cloudflared agent.
  • Your firewall allows connections to Fluid Attacks' Cloudflare network (for more information, refer to the official documentation on testing connectivity).
  • Your firewall permits access to the internal resources Fluid Attacks will be assessing.

What happens if firewall rules are not configured correctly?

If the firewall rules are not properly configured, the connection will fail, preventing Fluid Attacks from accessing your resources. Additionally, if UDP traffic is blocked, domain name resolution may fail, causing further disruptions in connectivity.

How do I check if the cloudflared service is correctly installed?

You can check the status of the service by running the following:

systemctl status cloudflared

How do I restart the cloudflared service if needed?

You can restart the service by executing the following:

systemctl restart cloudflared

How do I uninstall the cloudflared service?

To uninstall the service, use the following command:

cloudflared service uninstall

Support

If you require assistance with the Connector setup, send Fluid Attacks an email at help@fluidattacks.com.