Hacker News new | ask | show | jobs
by simpaticoder 665 days ago
How does the threat model change when exposing grafana to the public? Apart from vulnerabilities in grafana itself? Perhaps hackers will be extra motivated to cause blips in those graphs? Exposing grafana publically is unusual, but I don't see an obvious error-mode.
1 comments
linuxdude314 665 days ago
It’s really not abnormal. GrafanaLabs does this all the time with their IaaS product.

There’s nothing wrong with exposing Grafana as long as you’re following security best practices.

It’s 2024, zero trust networking is where you want to be. Real zero trust networking is NOT adding a VPN to access internal services. It’s doing away with the notion of internal services all together and securing them for exposure on the internet.

link
faizshah 664 days ago
I mean this is true but the key part is “securing them for exposure on the internet.” Adding a simple 2FA layer (I think google calls this the Access Proxy or Identity Aware Proxy) on top is usually the way you secure zero trust services.

I don’t think it is advisable to directly expose your Grafana to the public internet where you can hit it with dictionary attacks.

link
Fripplebubby 665 days ago
Really? So in 2024, folks are only deploying services that have excellent security, and not anything else? This seems like a high bar to clear but I'm curious to learn.
link
e28eta 665 days ago
Article and discussion from earlier today that’s relevant: https://news.ycombinator.com/item?id=41274932

It’s about zero trust, includes the claim “VPNs are Deprecated!”

link
quectophoton 664 days ago
Those companies can afford letting people try "Denial of Wallet" attacks on them, though.

I, for one, will still keep using VPNs as an additional layer of security and expose only a single UDP port (WireGuard), to at least reduce the chances of that happening.

link
Fripplebubby 664 days ago
Thanks!
link
faizshah 664 days ago
The implementations of zero trust that I have seen involve exposing your service to the public internet with an Authenticating Proxy on top. So instead of trusting the network implicitly you trust the caller’s auth token before they can connect to the server.

So you might have an internal service that has passed a minimal security bar that you can only establish an https connection with if you have a valid SSO token.

link