HashiCorp Boundary

582 points| yongshin | 5 years ago |hashicorp.com

163 comments

[+] mitchellh|5 years ago|reply
Hello HN! I'm the founder of HashiCorp.

I'm excited to see Boundary here! I want to note a few things about Boundary, why we made it, why it is different than other solutions in the space, etc.

* Boundary is free and open source. Similar to when we built Vault, we feel like the solution-space for identity-based security is too commercialized. We want to provide access to this type of security to a broader set of people because we feel it's the right way to think about access control. Note: of course as a company we plan on commercializing Boundary at some point, but we'll do this similarly to Vault: the major feature set of Boundary will remain free and open source forever.

* Dynamic resource catalogs. Other tools in this space usually require manually maintaining a catalog of servers, databases, applications, etc. We're integrating Boundary closely with Terraform, AWS/GCP/Azure, Kubernetes, etc. to give you live auto-updating catalogs based on tags. (Note: this feature is coming in 0.2, and not in this initial release, but is well planned at this point)

* Dynamic credentials. Existing tools often require static credentials. Boundary 0.1 uses static credentials, too, but we're already working on integrating Boundary with Vault and other systems to provide full end-to-end dynamic credentials. You authenticate with your identity, and instead of reusing the same credentials on the backend, we pull dynamic per-session credentials.

And more! Remember this is a 0.1 release. We have a lot of vision and roadmap laid out for this project and we are hard at work on that now. We're really excited about what's to come here.

Specifically, as a 0.1, Boundary focuses on layer 3 connections (TCP) with minimal layer 7 awareness for protocols such as SSH. This will be expanded dramatically to support multiple DB protocols, Microsoft Remote Desktop, and more.

Also, we're releasing another new product tomorrow that is more developer-focused, if security is not your cup of tea. Stay tuned.

The Boundary team and I will be around the comments to answer any questions.

[+] carlosf|5 years ago|reply
Happy Nomad + Consul + Terraform user here.

Thanks a lot for the great products, but please give us managed Nomad already. Or even better: a Heroku-like app platform. I want to give you money, but I really dislike your company's enterprise offerings.

BTW I believe there's a great opportunity for Hashicorp right now. Cloud providers are good at selling building blocks, but are terrible at selling a vision of how you should build your applications. On the other hand, low code / enterprise application platforms are a disgrace as always. IMO a coherent stack of managed Nomad + Consul + Vault could provide a solid middle ground for those who want to build apps without the burden of managing K8s or navigating through the incomprehensible maze of products offered by public clouds.

[+] mike-cardwell|5 years ago|reply
Argh. I already find it a nightmare to figure out how to combine hashicorp tools together. Now there's one more! ;)

E.g., if I want a Consul-backed Vault, whilst using Vault to generate TLS certs or other creds for Consul. Especially if I want to run either/both of those services using Nomad, backed by Consul. Hopefully I won't have the option of authenticating against any of these services using Boundary. Especially if Boundary is backed by Consul.

[+] talawahtech|5 years ago|reply
What is used to secure/encrypt the connection between the clients and the workers?

I did a quick search in the GitHub repo for WireGuard and didn't get any results so I guess you aren't using it.

[+] LinuxBender|5 years ago|reply
Do you have a video showing a demo of managing a fleet of servers? Does this also address machine-to-machine ssh key trusts? Do you have a contrib repo with existing ansible, chef, puppet scripts to build your cluster and also for deploying agents to machines?
[+] NovemberWhiskey|5 years ago|reply
Hi Mitchell: what's your competitive landscape with Boundary?

When I first looked at the product description, I thought I might be looking at a "zero-trust identity-aware-proxy" sort of thing, but as I read more I got more of the "privileged access management" vibe with more of a focus on controlling access to infrastructure for developers vs. applications for end users.

[+] jolux|5 years ago|reply
I hope this isn’t too big of a question but what do you see as the migration path towards these newer “zero trust” access control technologies for organizations that are all in on VPNs and are in a hybrid cloud position?
[+] sytse|5 years ago|reply
This is awesome, thanks for making this. Boundary seems like the missing open source building block to achieve Zero Trust.

Zero Trust means authenticating per application instead of per network. For more context see https://about.gitlab.com/blog/2019/04/01/evolution-of-zero-t...

Proxying connections as Boundary does seems like the most elegant solution to achieve this in a way that doesn't require modifying the application.

[+] cratermoon|5 years ago|reply
Over in another thread this was compared to Google's BeyondCorp. Can you comment and compare/contrast Boundary with the concepts of BeyondCorp?
[+] A_No_Name_Mouse|5 years ago|reply
Is there a simple paper that explains how this works on a technical level? I have a hard time visualizing how a connection to a remote host would be set up if it runs through Boundary. Does "without requiring direct network access" mean Boundary works as a proxy? And how does Boundary enable the connection if the host does not have direct network access?
[+] jcims|5 years ago|reply
Thinking of this as a means for privileged access management, would it be possible for Boundary to gather artifacts (e.g. keystroke logs and/or screen shots) from the session?

This might trigger some folks but have you explored any options for delivering some or all of the Boundary infrastructure through serverless/faas?

[+] 3np|5 years ago|reply
From a first look this is really exciting. And cool to see you here on HN! I love your positioning and how you're first and foremost building FOSS software and tools that you leverage on, as opposed to building a commercial offering that you then release software for. It's a vital distinction that sets you apart from e.g. Google.

Let's say you have an org that's doing the whole Consul/Nomad/Vault thing, and starting to have their Nomad jobs using Consul Connect (and its proxies/gateways for external). That's already a proxy sidecar used for all service ports. How does Boundary fit here? Is it put before/after Connect, is the plan to integrate them, or are they supposed to not be used together?

[+] TheGuyWhoCodes|5 years ago|reply
Are there any plans or a way to use existing tools? By existing tools I mean WinSCP or any other tools that use a normal ssh client? RDP etc. I guess for ssh and rdp you can just run the Boundary CLI with the predefined target in a terminal embedded into the UI (mRemoteNG, MobaXterm etc.), but tools like WinSCP are very much used for sftp file transfers.

A desktop client with a list of services/targets would also be great. Especially for the less technologically inclined individuals.

I know that people have their own opinions on port knocking but I find it a good tool to remove a lot of noise; some pre-built tool for that would be nice, but one could always just use fwknop-2.

[+] lifty|5 years ago|reply
Hey Mitchell, congrats on the new announcements, great stuff! Out of curiosity, how are you building and operating HCP? Are you running it on top of Kubernetes or Nomad, or are you doing some other custom stuff?
[+] dabeeeenster|5 years ago|reply
Looks interesting! Couple of things:

1. It's not clear to me how you actually secure the targets? Do you just enable access to the IP address of the controller proxy? In the video you mention a gateway but there's no description of that in the docs?

2. Is it possible to proxy a web browser session? Or is it limited to individual requests via something like curl at the moment?

[+] time0ut|5 years ago|reply
Do you think there will be any synergy or potential interaction with consul connect at some point?
[+] zellyn|5 years ago|reply
Looks great! A couple of questions:

Can you view logs of SSH sessions after the fact?

Can you live-view a session?

Can you require a pairing authorization like with https://github.com/square/sudo_pair?

[+] traceroute66|5 years ago|reply
mitchellh

I'm sorry, but please cut the corporate-speak.

Reality is that your statements are different from your actions.

"similarly to Vault, the major featureset of Boundary will remain free"

Sounds great doesn't it.

Except HashiCorp decided to hide Multi-factor authentication in Vault behind the paywall.

I mean, I'll forgive you putting a lot of the Vault features behind the paywall (e.g. replication).

But for a security product, putting a core component of 21st century security (MFA) behind the paywall?

Pretty unforgivable.

[+] candiddevmike|5 years ago|reply
> * Boundary is free and open source. Similar to when we built Vault, we feel like the solution-space for identity-based security is too commercialized. We want to provide access to this type of security to a broader set of people because we feel it's the right way to think about access control. Note: of course as as a company we plan on commercializing Boundary at some point, but we'll do this similarly to Vault, the major featureset of Boundary will remain free and open source forever.

I hate this corporate speak. You're breaking into the space by giving away (basic, as you will commercialize any advanced) features under the guise of open source altruism. The products HashiCorp sells are open core, and you should be more honest about it (GitLab is!). I wish you operated more like other, real, open source companies that use subscriptions or managed service offerings and don't lock features behind various obscure pricing tiers. This is Shareware 2.0.

The difference between what HashiCorp does and what a real open source company like Rancher does is stark: HashiCorp has products, Rancher builds communities. Contributors to HashiCorp's stuff have to play in a very specific sandbox, lest they implement lucrative features. Contributors to Rancher help the community at large and have full visibility into the codebase, empowering them to fix or add functionality without restrictions.

[+] yegle|5 years ago|reply
Looks like Google's BeyondCorp: https://cloud.google.com/beyondcorp. If you are on GCP, you can already use it https://cloud.google.com/iap to protect your HTTP and TCP backend.

This is not something new. The earliest open source project that I can recall is https://github.com/bitly/oauth2_proxy (albeit it might be missing the part where proxy passing identity to the backend).

Pomerium is another open source project that's actively maintained. I've been using it as a reverse proxy to all my homelab websites (grafana, miniflux etc). I can now safely access all of these internal resources from outside of my home WiFi with automated SSL certificate configuration and renewal.

You can theoretically protect your SSH connection via these IAP proxies, using the Chrome SSH extension and open source SSH relay implementation like https://github.com/zyclonite/nassh-relay (but I personally haven't tried that).

Disclaimer: I work for Google and am a casual contributor to the Pomerium project.

[+] windexh8er|5 years ago|reply
Also looks very much like Gravitational Teleport [0], which has been amazing to use. Teleport has a lot of advantages over Boundary right now based on its architecture. But Hashi does a good job of iterating quickly, so I'd guess that, as with most of their products, it evolves quickly.

[0] https://gravitational.com/teleport/

Disclaimer: I have no affiliation with any of these companies.

[+] aprdm|5 years ago|reply
Even if they were the same, a big difference is that HashiCorp tools usually work on-prem and are OSS.

By default I expect Google to try to lock me into GCP and do not trust their OSS tools.

[+] sshahone|5 years ago|reply
Since you mentioned you're a contributor to a similar project, I invite you to check our recently released zero trust service access control solution: https://github.com/seknox/trasa

It's a BeyondCorp-like, user identity and layer 7 aware access proxy for RDP, SSH, Web, and Database protocols with privileged access management, native two-factor auth agents, and device trust policies.

Disclaimer: I am a core maintainer of this project.

[+] cratermoon|5 years ago|reply
I immediately thought of BeyondCorp as well, and I have only read the papers about it. At my employer, which isn't even that large, we have on-prem hardware running VMs and k8s, some stuff in AWS, some stuff in Azure, and employees all over the world with various devices coming in through a VPN.

The old distinction of "internal network" and "external network" doesn't make much sense.

[+] ko5ta|5 years ago|reply
Is using IAM with managed serverless products (Run, Functions) effectively the same as using IAP+VMs? Curious if there is a world in which managed Cloud Run + IAP makes sense.
[+] cbsmith|5 years ago|reply
...and they all look like SOCKS5 proxies...
[+] luminousbit|5 years ago|reply
Personally I’ve been a big fan of strongDM (https://www.strongdm.com/).

Lightyears ahead of teleport or any of the other solutions out there. Built for great auditing and zero trust.

Best of all it’s multi-protocol. So you can do SSH, SQL, K8s, HTTP all with one access system.

Had it in prod for almost two years. Gonna be a long time before hashicorp or anyone else can catch up with the level of depth.

[+] pferde|5 years ago|reply
StrongDM does indeed look interesting. Can it be completely self-hosted? I am asking because some of the architecture docs mentioned "app.strongdm.com" as a necessary element, which has a webpage behind a (customer?) login. This is an external dependency that is not acceptable for my use case.

I haven't found a conclusive answer in their documentation yet.

[+] outworlder|5 years ago|reply
> Best of all it’s multi-protocol. So you can do SSH, SQL, K8s, HTTP all with one access system.

Teleport is SSH based so you can tunnel other protocols.

[+] mmettler|5 years ago|reply
Another company to watch here is Tailscale, which is Wireguard-based:

https://tailscale.com/

(disclosure: small Tailscale investor)

[+] btgeekboy|5 years ago|reply
I like the people behind Tailscale, but I’ve yet to figure out how they’re different than ZeroTier.
[+] tonymet|5 years ago|reply
How does one go about that?
[+] t3rabytes|5 years ago|reply
> When a user establishes a TCP session through Boundary, a Boundary worker node seamlessly proxies the connection.

Boundary sounds like the perfect mash-up of Google's bastion-less SSH access to GCE instances and actual IAM. Exciting!

[+] faitswulff|5 years ago|reply
> With Boundary, access is based on the trusted identity of the user, rather than their network location. The user connects and authenticates to Boundary, then based on their assigned roles they can connect to available hosts, services, or cloud resources.

Is this the main idea behind BeyondCorp and CloudFlare One, as well? If so this is the clearest explanation I've seen of it.
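The two quoted doc sentences above (the worker proxies the TCP session; access follows identity and assigned roles, not network location) describe a model that is easier to grasp in code, and it also answers the earlier "how would a connection through Boundary be set up" question. The following is an added illustration, not code from Boundary or HashiCorp: a client presents an identity token and a target id to a worker, the worker checks roles only (never the source address), and only on an allow does it dial the target and relay bytes. Tokens, users, roles, target ids and the line-based handshake are constructed placeholders for this example.

```python
import contextlib, socket, threading

# Constructed policy (tokens, users, roles, target ids are made up; not Boundary's data model).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}    # auth token -> identity
ROLES = {"alice": {"dba"}, "bob": {"viewer"}}          # identity -> roles
GRANTS = {"dba": {"ttcp_db"}, "viewer": {"ttcp_web"}}  # role -> target ids it may reach
TARGETS = {}                                           # target id -> (host, port), set in demo()

def authorize(token, target_id):
    """Identity-based decision: the identity if a role grants the target, else None. No source IP here."""
    identity = SESSIONS.get(token)
    roles = ROLES.get(identity, ())
    return identity if any(target_id in GRANTS.get(r, ()) for r in roles) else None

def _readline(sock):  # byte at a time so no payload is buffered away from the relay
    buf = b""
    while not buf.endswith(b"\n") and (b := sock.recv(1)):
        buf += b
    return buf.decode(errors="replace").strip()

def _pipe(src, dst):
    """Relay until src hits EOF, then half-close dst so its peer sees EOF as well."""
    with contextlib.suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)

def _listen(handler):  # accept loop on an ephemeral localhost port; returns that port
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def handle_session(client):
    """Worker side: decide on identity + target first; dial the target only if allowed."""
    token, _, target_id = _readline(client).partition(" ")
    if authorize(token, target_id) is None or target_id not in TARGETS:
        client.sendall(b"DENIED\n")
        return client.close()
    upstream = socket.create_connection(TARGETS[target_id])
    client.sendall(b"OK\n")
    threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
    _pipe(upstream, client)

def connect_through_worker(worker_port, token, target_id, payload):
    """Client side: present identity and target, then talk to the target via the worker."""
    with socket.create_connection(("127.0.0.1", worker_port)) as s:
        s.sendall(f"{token} {target_id}\n".encode())
        if _readline(s) != "OK":
            return None
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))

def demo():
    """An echo service stands in for a protected port; one allowed and one denied session."""
    TARGETS["ttcp_db"] = ("127.0.0.1", _listen(lambda c: _pipe(c, c)))
    worker = _listen(handle_session)
    allowed = connect_through_worker(worker, "tok-alice", "ttcp_db", b"SELECT 1")
    denied = connect_through_worker(worker, "tok-bob", "ttcp_db", b"SELECT 1")
    return allowed, denied
```

The target is only ever dialled by the worker, so the client needs no route to it; in the real product the token would be a proper session credential rather than a plaintext line.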

[+] PaulWaldman|5 years ago|reply
I want to give a shout out to Tailscale. It relies on Wireguard and has been dead simple to setup and configure. Stability has been great as well.
[+] warkdarrior|5 years ago|reply
This looks like an authenticated proxy. I assume you would need to locally reconfigure your clients (ssh, browser, whatever) to use the Boundary server as a proxy.
[+] parliament32|5 years ago|reply
Other way around, boundary needs to exec your client application. They're more clear about how it works here: https://www.boundaryproject.io/docs/getting-started/connect-...

Boundary comes with built-in wrappers for ssh, rdp, and postgres, but you can "boundary exec" to run some other application inside the TCP-wrapped transport, apparently.

[+] nikisweeting|5 years ago|reply
Any example snippets of what the connection setup looks like on the server side?

e.g. something like a docker-compose sidecar exposing an nginx container to users via boundary would really help me understand how this is supposed to be used in practice.

Looking for an example like my comparison here between argo, wireguard, tailscale, letsencrypt, caddy, and ssh ingress: https://gist.github.com/pirate/1996d3ed6c5872b1b7afded250772...

[+] cbb330|5 years ago|reply
There are a few comparisons being introduced already in this thread, and I'm tempted to ask of more, so I'd love to see documentation on this vs. other solutions like is presented with Terraform:

https://www.terraform.io/intro/vs/index.html

[+] jzjzjz|5 years ago|reply
I'm looking for more clarification on how I can fit this into my Cloudflare ecosystem. Assuming many of your clients are consuming Cloudflare and all of their backbone, security, networking, and remote work services.

Would I just have Boundary authenticate via Cloudflare Access and whatever identity provider Cloudflare One is integrated with and move to the RBAC policy phase of the authentication? Is this where I am seeing that additional value from Boundary, by having that additional on-demand credential rotation to various internal apps and DBs once I am past the SSO stage? CF One is more of a vertically integrated all-in-one service addressing all of my other networking and security needs, so it's not really going anywhere.

I think you guys could do well to release a Cloudflare integration paper, it might help with traction on on-boarding customers.

Thanks!

[+] candiddevmike|5 years ago|reply
It looks like you still have to manage users on the hosts for PAM, including SSH keys (or use Vault, I suppose). It's too bad that this can't perform all of that functionality: set up a server, install a Boundary client, and manage all of the PAM things through Boundary.
[+] fasteo|5 years ago|reply
Honest question: how is it different/better than setting up an OpenVPN server?
[+] clafferty|5 years ago|reply
This looks awesome, great job! One thing that will slow me down from using this is I've not settled on an ID or Access Management system. Being a small company, we occasionally need to grant system access to contractors or other dev teams. The problem is we don't want to grant the access too wide and specifying fine grained controls takes a lot of time.

Armon mentions Okta and Ping, does anyone have any recommendations in this space that would work for managing a small team with occasional on/off boarding of contractors?

[+] sterlinm|5 years ago|reply
This looks pretty interesting both for some projects at work and for my homelab. I'm a data scientist with an amateur interest in devops so apologies if this is a silly question, but I'm trying to get a sense of the use cases.

Would it make sense to use Boundary as a way to manage access to web-based developer environments using an IDP for authentication (e.g. GitHub, Google, Okta, etc.)? I'm thinking of tools like JupyterLab/Hub, RStudio Server, etc. Or is that outside the intended scope of Boundary?

[+] spockz|5 years ago|reply
What exactly does this add on top of an authenticating reverse proxy like nginx? Is it the RBAC to grant access to specific resources based on their labels instead of per hostname/servicename auth?