ntop Cloud: Security Design and Architecture


In late 2023 we announced the beginning of a new project called ntop Cloud. Its first goal is to let ntop applications communicate with one another regardless of the network topology they are deployed in, and to do so securely. In essence we want to create a network overlay that allows ntop applications to communicate and share data. Some use cases:

  • Be notified when an ntop application is no longer active or, more generally, when it changes its status.
  • Implement a public web interface that allows administrators to supervise operations and set up remote instances with a mouse click.
  • Share malware/attack/alarm information among instances so that everything looks like one large distributed network that can cross firewalls and network boundaries. For instance, you can have nprobe running on your laptop, connected via 5G, delivering flow data to a collector running in a datacenter. All topologies must be supported.

ntop Cloud Architecture

A simplified overview of the architecture is depicted below.

The core of the cloud is a set of message brokers federated in a cluster, so that you can connect your instances to the closest node (e.g. Europe if you are in France, or the US if you are in Virginia) and the brokers distribute messages so that all your instances can communicate regardless of the node they are connected to. This way you can see from a web console (the image below is a work in progress) all the active instances and perform actions on them, such as updating the software or restarting.

In the above table, instances are running on several different networks, some behind a firewall and some unprotected with a public IP address, and they all look alike: the cloud hides all differences in connectivity.

ntop Cloud Security Design

In order to implement this architecture and convince our users that the cloud has real benefits (note that enrolling in the ntop Cloud is not compulsory: you can keep using our tools as you do today), we decided to do our best to make it secure, based on the following principles:

  • All communications are encrypted and authenticated with TLS 1.3.
  • Each ntop Cloud user (and its application instances) cannot use the cloud to talk to instances belonging to other users.
  • As the message broker is shared among users, we want to make sure that even in the remote case that a user is able to listen to another user's messages, he is unable to send, receive or understand the data.

In order to implement all this, every registered ntop Cloud user has a private configuration file (to be copied into /etc/ntop/ on the sensors) that contains the user's public/private key pair, generated on the Curve25519 elliptic curve. The cloud manager has its own public/private key pair, and its public key is published as a TXT record in the ntop DNS zone:

$ host -t TXT cloud._pubkey.ntop.org
cloud._pubkey.ntop.org descriptive text "b61aaccbf226f2095f48a7ca9d417791f71c4b37e28827cee376b4c9ff5d4c6a"

The record carries the 32-byte Curve25519 public key hex-encoded (64 characters). Note that a plain TXT lookup is not authenticated by itself: the record should be validated with DNSSEC, or the key pinned once fetched, since whoever could forge the DNS answer could substitute their own key.

In essence every message is encrypted twice: the inner message is end-to-end encrypted with AES-256 (a fresh shared key and a random nonce are generated for every message) and is then transported on top of TLS 1.3. This guarantees that:

  • When two ntop instances belonging to the same ntop Cloud user communicate, their traffic can be encrypted and decrypted only by that user.
  • When an ntop instance sends a message to the ntop Cloud manager (for instance when it wants to share blacklist information with all cloud users, e.g. because a new attacker IP has been detected), the message is asymmetrically encrypted: it can be decrypted only by the ntop Cloud, which also needs to know the sender's identity and public key in order to authenticate it.
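The following Go program is an added example, written for this post and not code from ntop or the ntop Cloud, that shows what the two layers described above look like in practice for the inner, end-to-end layer (the outer TLS 1.3 transport is not shown). Only these facts come from the post: Curve25519 key pairs, a public key published as 64 hex characters in DNS, AES-256 with a fresh key and random nonce per message, and messages to the cloud manager that only its private key can open. Everything else is an assumption made for the example: the ephemeral-plus-static X25519 agreement, the HKDF-SHA256 derivation and its label, AES-GCM as the AES-256 mode, and the wire layout.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

const (
	pubLen   = 32 // Curve25519 public key
	nonceLen = 12 // AES-GCM standard nonce
	tagLen   = 16 // AES-GCM authentication tag
)

// ParsePublicKey converts the 64-hex-character string found in a DNS TXT record
// (as on cloud._pubkey.ntop.org) into an X25519 public key.
func ParsePublicKey(hexKey string) (*ecdh.PublicKey, error) {
	raw, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, fmt.Errorf("public key is not hex: %w", err)
	}
	return ecdh.X25519().NewPublicKey(raw) // rejects anything but 32 bytes
}

// GenerateKeyPair creates a Curve25519 key pair (user, sensor or cloud manager).
func GenerateKeyPair() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// sessionAEAD runs the two X25519 agreements (ephemeral and static), derives an
// AES-256 key with a one-block HKDF-SHA256 (RFC 5869; ephemeral public key as
// salt, assumed label) and returns the AES-GCM instance for this one message.
func sessionAEAD(k1 *ecdh.PrivateKey, p1 *ecdh.PublicKey, k2 *ecdh.PrivateKey, p2 *ecdh.PublicKey, ephPub []byte) (cipher.AEAD, error) {
	ephShared, err := k1.ECDH(p1)
	if err != nil {
		return nil, err
	}
	staticShared, err := k2.ECDH(p2)
	if err != nil {
		return nil, err
	}
	extract := hmac.New(sha256.New, ephPub)
	extract.Write(ephShared)
	extract.Write(staticShared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("ntop-cloud-message-v1\x01")) // info || counter 0x01
	block, err := aes.NewCipher(expand.Sum(nil))     // 32-byte key = AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for recipientPub. Every call uses a fresh ephemeral
// key pair and a random nonce, so no AES key or nonce is ever reused; mixing in
// the sender's static key lets the recipient check who sent it.
// Wire layout: ephemeral public key (32) || nonce (12) || GCM ciphertext+tag.
func Seal(senderPriv *ecdh.PrivateKey, recipientPub *ecdh.PublicKey, plaintext, aad []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := sessionAEAD(eph, recipientPub, senderPriv, recipientPub, ephPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, pubLen+nonceLen+len(plaintext)+tagLen)
	out = append(append(out, ephPub...), nonce...)
	return gcm.Seal(out, nonce, plaintext, aad), nil
}

// Open reverses Seal. It fails if the message was sealed for someone else, was
// not sent by senderPub, or was modified in transit (GCM tag mismatch).
func Open(recipientPriv *ecdh.PrivateKey, senderPub *ecdh.PublicKey, msg, aad []byte) ([]byte, error) {
	if len(msg) < pubLen+nonceLen+tagLen {
		return nil, fmt.Errorf("message too short: %d bytes", len(msg))
	}
	ephPub, err := ecdh.X25519().NewPublicKey(msg[:pubLen])
	if err != nil {
		return nil, err
	}
	gcm, err := sessionAEAD(recipientPriv, ephPub, recipientPriv, senderPub, msg[:pubLen])
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg[pubLen:pubLen+nonceLen], msg[pubLen+nonceLen:], aad)
}

func main() {
	cloud, _ := GenerateKeyPair()  // cloud manager identity (stands in for the DNS key)
	sensor, _ := GenerateKeyPair() // an nprobe instance
	aad := []byte("sensor=nprobe-laptop") // constructed clear-text header, GCM-authenticated
	msg, _ := Seal(sensor, cloud.PublicKey(), []byte(`{"attacker":"203.0.113.7"}`), aad)
	pt, err := Open(cloud, sensor.PublicKey(), msg, aad)
	fmt.Printf("plaintext=%s err=%v\n", pt, err)
}
```

The broker in the middle sees only the ephemeral public key, the nonce and GCM ciphertext, which is the property the post relies on: a broker, or another tenant listening on it, holds none of the private keys and therefore cannot derive the per-message AES key. Opening with the wrong recipient key, the wrong sender key, a changed header or a flipped ciphertext byte all fail at the tag check rather than returning garbage.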

In order to avoid sharing user secrets with the cloud, when a user registers on the ntop Cloud at https://cloud.ntop.org the user keys are generated locally inside the browser and are NEVER stored on or shared with the ntop Cloud in clear text. In other words:

  • ntop Cloud users are the only ones responsible for keeping their data safe. The ntop Cloud is just a secure transport that allows instances to communicate.
  • There is no way for the ntop Cloud to talk to user instances, as their encryption keys have not been shared with the ntop Cloud.
  • When the user connects to the ntop Cloud GUI (shown above in this post), it is the web browser that encrypts/decrypts data and communicates directly with the user's instances.

ntop Cloud Availability

You can start playing with the ntop Cloud if you wish, but we are not yet ready to release it. Basic communications work, the web GUI is very basic and the network infrastructure is not the final one we plan to use in production. We have written this blog post so that you can give us early feedback and let us address glitches before the final release.

Soon we will schedule a webinar where all this is described in detail, so that our community can speak up and provide feedback.

Enjoy!