1. 36
  1.  

  2. 11

    On lobsters I’d rather see a technical deep dive explaining how all these features are achieved than a marketing page. But I’m certainly fascinated this technology exists. One SSO platform to rule them all?

    1. 4

      Here’s a little better explanation on what Boundary is and how it works: https://www.hashicorp.com/blog/hashicorp-boundary

      1. 2

        This isn’t new, you have products like BeyondCorp from Google and Gateway from Cloudflare.

        Although, that’s the first open source implementation that I see. That said, it probably would need code audit and pen-test to get reasonable adoption.

        I’m really looking forward to the future of this piece of technology, and if it could really replace VPN.

      2. 4

        In the lingo this concept is called “privileged access management,” and there are a bunch of strong competitors doing similar stuff. But HashiCorp has so much mindshare and such a great reputation, I’m sure Boundary will do well.

        1. 4

          lots of competitors but are there any that offer a product as polished as what hashicorp usually releases at no cost?

          this is a genuine question - i’m really only personally experienced with scaleFT.

        2. 2

          How is this similar or different from something like: https://smallstep.com/blog/diy-ssh-bastion-host/

          I still don’t fully understand the exact path of bits after scanning both the blog post and the marketing site.

          1. 1

            AIUI, there are 2 pieces to boundary: a “controller” that handles the state, and a “worker” that does the actual proxying of traffic.

            The worker gets a connection request for TCP service X from the client, and then it opens a TCP session to the service (optionally does protocol level auth via just in time credentials out of, say, hashicorp Vault) and then bridges the client connection with the service connection.

            Likely only some standard HTTPS protocol auth, and maybe SSH, would be supported out of the box for protocol level authentication happening for you. Otherwise the Controller would, presumably, hand the auth credentials through to the client app (which will be either a CLI, a web GUI, or a desktop app).

            So the stateless worker processes handle the actual TCP traffic, as a MITM.

            Again, I’m not involved with Hashicorp, this is just my understanding after reading a bit.
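The controller/worker split described in the comment above, as an added illustration rather than Boundary's own code: a minimal Go "worker" that accepts a client connection, checks a constructed allow-list standing in for the controller's authorization decision, dials the protected service itself and bridges the two TCP streams. The echo server, the `sessionPolicy` map and all function names are assumptions made for this example; the point is that the client only ever talks to the worker, so the service's port is never exposed to it directly.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net"
	"sync"
)

// sessionPolicy is a constructed stand-in for the controller's decision:
// which targets a session may be opened to. Real Boundary evaluates this
// in the controller; here it is just an allow-list keyed by "host:port".
type sessionPolicy map[string]bool

// bridge copies bytes in both directions until either side closes,
// half-closing the write side so the peer sees EOF, then closes both.
// This is the worker's core job: the client never dials the target.
func bridge(client, upstream net.Conn) {
	var wg sync.WaitGroup
	wg.Add(2)
	copyAndClose := func(dst, src net.Conn) {
		defer wg.Done()
		io.Copy(dst, src) // runs until src reaches EOF or errors
		if tc, ok := dst.(*net.TCPConn); ok {
			tc.CloseWrite() // propagate EOF to the other leg
		}
	}
	go copyAndClose(upstream, client)
	go copyAndClose(client, upstream)
	wg.Wait()
	client.Close()
	upstream.Close()
}

// startWorker refuses up front if policy does not allow target, otherwise
// listens on listenAddr and bridges every accepted client to target.
// It returns the bound address so callers may pass port 0.
func startWorker(listenAddr, target string, policy sessionPolicy) (net.Addr, error) {
	if !policy[target] {
		return nil, fmt.Errorf("target %q not authorized by policy", target)
	}
	ln, err := net.Listen("tcp", listenAddr)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(client net.Conn) {
				up, err := net.Dial("tcp", target) // worker dials, not client
				if err != nil {
					log.Printf("dial %s: %v", target, err)
					client.Close()
					return
				}
				bridge(client, up)
			}(c)
		}
	}()
	return ln.Addr(), nil
}

// startEchoServer is a constructed stand-in for the protected service:
// it echoes back whatever it receives, then closes when the sender is done.
func startEchoServer() (net.Addr, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(conn net.Conn) {
				defer conn.Close()
				io.Copy(conn, conn)
			}(c)
		}
	}()
	return ln.Addr(), nil
}

// roundTrip plays the client: connect to the worker only, send msg,
// half-close, and return everything that comes back.
func roundTrip(workerAddr, msg string) (string, error) {
	c, err := net.Dial("tcp", workerAddr)
	if err != nil {
		return "", err
	}
	defer c.Close()
	if _, err := c.Write([]byte(msg)); err != nil {
		return "", err
	}
	if tc, ok := c.(*net.TCPConn); ok {
		tc.CloseWrite()
	}
	b, err := io.ReadAll(c)
	return string(b), err
}

func main() {
	svc, err := startEchoServer()
	if err != nil {
		log.Fatal(err)
	}
	w, err := startWorker("127.0.0.1:0", svc.String(), sessionPolicy{svc.String(): true})
	if err != nil {
		log.Fatal(err)
	}
	reply, err := roundTrip(w.String(), "hello via worker")
	fmt.Printf("reply=%q err=%v\n", reply, err)
}
```

Running it shows the reply arriving through the worker's listener while the echo service only ever sees a connection from the worker; in a real deployment the dial step is also where the worker would inject just-in-time credentials for the protocol it understands.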

            1. 1

              Kinda like a very sophisticated port knock on a haproxy in tcp mode. Cool!

          2. 1

            Boundary provides a secure way to access hosts and critical systems without having to […] expose your network

            Care to explain how Boundary gains access to the system without exposing the network?

            edit: Ah, it’s just port knocking. lol