On-prem networking, VPN and tunneling
On-premises networking plays by different rules than the cloud: physical and logical segments, hardware firewalls and VPN links. Understanding segmentation and tunneling is essential for secure access, and it is also the model by which ZEUS connects to a customer's environment.
Segmentation: VLANs and zones
A data center network is divided into VLANs (logical segments) and security zones:
| Zone | Contents | Rule |
|---|---|---|
| DMZ | externally exposed servers | strict in/out control |
| Application | the app server tier | access only from DMZ/internal |
| Data | databases, storage | access only from the app tier |
| Management | domain controllers (DCs), vCenter, monitoring | access only from jump hosts |
Segmentation limits lateral movement — an attacker who takes over one host does not immediately reach critical systems. This is one of the controls ZEUS assesses in its threat model.
Site-to-site VPN
A site-to-site VPN (IPsec) connects the on-prem network to the cloud (Azure VPN Gateway, AWS Site-to-Site VPN, GCP Cloud VPN) through an encrypted tunnel over the public internet. It is the foundation of a hybrid setup, but it is not maintenance-free: both ends must agree on the IKE and ESP proposals (cipher, integrity algorithm, DH group), the pre-shared key or certificates used for authentication have to be rotated, and the traffic selectors (which subnets are routed through the tunnel) must be kept in sync as networks change.
SSH tunneling
An SSH tunnel forwards TCP traffic through an encrypted SSH connection. Three modes:
```bash
# Local forward: local port -> remote service via the bastion
ssh -L 8443:vcenter.internal:443 user@bastion.firma.pl
# Remote (reverse) forward: a local service exposed on the remote host
ssh -R 2222:localhost:22 user@host-zewnetrzny
# Dynamic: SSH as a SOCKS proxy
ssh -D 1080 user@bastion.firma.pl
```
A reverse tunnel (-R) is especially important: it lets a host behind NAT or a firewall initiate an outbound connection itself and expose a service on the remote side without opening any inbound port in the firewall. In the example above the listener on host-zewnetrzny is bound to loopback (127.0.0.1:2222) unless GatewayPorts is enabled in that host's sshd_config, so only processes on the remote host itself can reach the tunnelled service.
Tip: a reverse tunnel needs only a single outbound connection on port 443/22; nothing has to be opened "inward." That makes it a convenient and secure access model for external tools, with two caveats. The same property is what malware uses for command-and-control, so egress filtering should allow only the collector host to reach the control point. And the SSH server on the control point must limit what the key may do: no shell, no pty, and only the agreed listen port (see the practices below).
Secure access practices
- a jump host / bastion instead of direct access to servers,
- SSH keys instead of passwords, protected with a passphrase (and PasswordAuthentication no on the server),
- restricting tunnels to specific destinations and ports: PermitOpen for local and dynamic forwards (-L, -D), PermitListen for reverse forwards (-R, OpenSSH 7.8 and later), both available globally in sshd_config and per key in authorized_keys,
- logging and auditing of administrative sessions (LogLevel VERBOSE makes sshd record the fingerprint of the key that authenticated).
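The reverse-tunnel model from the tip above and the practices in this list, put together as an added example in shell (it is not part of the original lesson and not the ZEUS collector's own code). The host control.example.com, the collector user, the key path /etc/zeus/collector_ed25519 and port 2222 are assumptions; the authorized_keys and sshd_config contents in the demo are constructed samples, with placeholder key material.

```bash
#!/usr/bin/env bash
# Added example, not part of the original lesson or the ZEUS collector's code.
# Hardened reverse-SSH access for an on-prem collector:
#   1. server side: a locked-down authorized_keys entry and sshd_config checks,
#   2. client side: the outbound tunnel loop.
# control.example.com, the collector user, /etc/zeus/collector_ed25519 and
# port 2222 are assumptions; the sample config files below are constructed.

# ---- 1. Server side (external control point) -----------------------------

# Options to prefix the collector's public key with in authorized_keys:
#   restrict         no pty, no agent/X11 forwarding, no user rc, no forwarding
#   port-forwarding  re-enables forwarding, which restrict switched off
#   permitlisten     the only address:port a -R forward may bind (OpenSSH 7.8+)
#   command          a session request, if one ever arrives, gets /bin/false
collector_key_options() {
    listen="$1"   # e.g. 127.0.0.1:2222
    printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false"' "$listen"
}

# One finding per key line whose options field lacks restrict or permitlisten.
# Blank lines and comments are skipped; the last field is the key comment.
audit_authorized_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 !~ /restrict/ || $1 !~ /permitlisten=/ { print "unrestricted key: " $NF }
    ' "$1"
}

# sshd_config checks for a control point that should only ever accept
# reverse forwards from known keys (Match blocks are not evaluated).
# GatewayPorts no keeps -R listeners on loopback even if a client asks for
# 0.0.0.0; LogLevel VERBOSE logs the fingerprint of the key that logged in.
audit_sshd_config() {
    file="$1"
    while read -r key want; do
        got=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file")
        [ "$got" = "$want" ] || echo "$key: have '${got:-<unset>}', want '$want'"
    done <<'EOF'
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
GatewayPorts no
LogLevel VERBOSE
EOF
    # PermitOpen limits -L/-D destinations, PermitListen limits -R binds;
    # "any" (the default) means unlimited, so both must be set explicitly.
    for key in PermitOpen PermitListen; do
        got=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file")
        case "$got" in
            ""|any) echo "$key: have '${got:-<unset>}', want none or an explicit host:port list" ;;
        esac
    done
    return 0
}

count_lines() { awk 'END { print NR }'; }

# ---- 2. Client side (collector inside the customer's network) ------------

# Single outbound connection. The remote listener is bound to 127.0.0.1 on
# the control point, so only processes on that host reach the collector.
# ExitOnForwardFailure makes ssh exit (and the loop retry) when the -R bind
# is refused, instead of holding a tunnel that forwards nothing; the
# ServerAlive options notice a dead NAT mapping within about 90 seconds.
run_collector_tunnel() {
    while true; do
        ssh -N -i /etc/zeus/collector_ed25519 \
            -o ExitOnForwardFailure=yes \
            -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
            -o StrictHostKeyChecking=yes \
            -R 127.0.0.1:2222:localhost:22 collector@control.example.com
        sleep 5   # reconnect after a drop (autossh or a systemd unit does the same)
    done
}

# ---- Demo on constructed files ------------------------------------------
demo() {
    dir=$(mktemp -d)
    cat >"$dir/authorized_keys" <<EOF
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL1 admin-laptop
$(collector_key_options 127.0.0.1:2222) ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL2 zeus-collector
EOF
    cat >"$dir/sshd_config" <<'EOF'
PasswordAuthentication yes
PermitRootLogin prohibit-password
PubkeyAuthentication yes
GatewayPorts yes
EOF
    echo "== authorized_keys findings"; audit_authorized_keys "$dir/authorized_keys"
    echo "== sshd_config findings";     audit_sshd_config "$dir/sshd_config"
    rm -rf "$dir"
}

demo
```

Running the script prints one finding for the admin-laptop key (no restrict/permitlisten options) and four for the sample sshd_config (password logins on, root login not disabled, GatewayPorts yes, no LogLevel VERBOSE, plus the missing PermitOpen/PermitListen). The run_collector_tunnel function is the shape of the collector's service loop; it is defined but not started by the demo.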
How ZEUS sees it
ZEUS on-prem deliberately avoids opening inbound ports in the customer's network. A lightweight agent/collector deployed inside the network establishes an outbound reverse-SSH connection to the ZEUS control point, creating an encrypted channel. Through this tunnel ZEUS queries AD/LDAP, vCenter and Windows hosts read-only, without any inbound change to the customer's firewall (the collector only needs to be allowed out to the control point) and without exposing anything to the internet. The full mechanics are covered in lesson 06.
In the next lesson: hybrid — Azure Arc and connecting environments.