
How can I set up a VPN connection for Splunk Cloud users?

premforsplunk
Explorer

Hi Folks,

Looking to set up a Splunk Cloud instance for my organization. Does the cloud version offer a VPN connection? Ideally I would want my colleagues to enter a VPN and then access Splunk Cloud.

Looking to set it up more securely, so please do tell me how security fares in the Splunk Cloud version.

0 Karma

esix_splunk
Splunk Employee

Splunk Cloud doesn't support VPN. However, Splunk Cloud does support the use of ACL restrictions. So your organization can provide a list of IP addresses, or a range. Once this is implemented, only hosts in that range could access the instances.

Additionally, some of the SAML providers can provide 2FA authentication. You can check on http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/FAQs/FAQs

0 Karma

jkc
Engager

Hi, has this changed since the original post, or does Splunk Cloud still not support use of a site-to-site VPN with the customer network? Thank you.

0 Karma

PickleRick
SplunkTrust

Since the access can be limited to a set(s) of source addresses, the web access is protected by TLS and the forwarder access can be protected by mutual TLS authentication, there is really no need for VPN as such.

If you really, really need something VPN-like, you could force your users to use an on-premise web-proxy and limit your Cloud access to that proxy only. It seems a bit pointless but it's possible.

What is the problem you're trying to solve with "VPN"?

0 Karma

jkc
Engager

Thanks for the reply. The requirement comes from organisation security standards. Could you expand on how this would be configured: "the forwarder access can be protected by mutual TLS authentication"? If we can limit access to specific users and devices based on client certs, this may satisfy the requirement.

0 Karma

PickleRick
SplunkTrust

Splunk inputs support TLS-level certificate authentication. If you set requireClientCert=true, you can - as the name says - require all connecting forwarders to present a valid certificate. There are additional settings which can limit access to specific SANs only. Then you configure your local forwarders to use client certs when connecting and you're set.

IP limiting is a standard feature on inputs.

One caveat - since we're talking about Cloud, you might have to contact support to set up the authentication on the Cloud's side.

WebUI access is another thing. I don't think you can authenticate users with certs here but - honestly - I don't see the point.
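
Added example (not part of the original thread and not Splunk's own configuration): the forwarder mutual TLS setup described above, shown on a self-managed receiver so both sides are visible. On Splunk Cloud the receiver side is applied by Splunk, as noted in the reply. All hostnames, paths, the IP range and the group name are constructed placeholders.

```ini
# ---- Receiver: inputs.conf ----
[splunktcp-ssl:9997]
disabled = 0
# IP limiting on the input (constructed documentation range)
acceptFrom = 203.0.113.0/24

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/receiver.pem
sslPassword = <receiver key password>
# Without this the input encrypts traffic but accepts any client.
# With it, a forwarder must present a certificate that chains to
# the CA configured in sslRootCAPath below.
requireClientCert = true
# Accept only client certificates whose SAN is on this list
sslAltNameToCheck = uf01.example.com, uf02.example.com

# ---- Receiver: server.conf ----
[sslConfig]
# CA bundle used to validate forwarder certificates
sslRootCAPath = /opt/splunk/etc/auth/mycerts/ca.pem

# ---- Forwarder: outputs.conf ----
[tcpout]
defaultGroup = tls_receivers

[tcpout:tls_receivers]
server = receiver.example.com:9997
# Client certificate and private key presented to the receiver
clientCert = /opt/splunkforwarder/etc/auth/mycerts/uf01.pem
sslPassword = <forwarder key password>
# Authenticate the receiver as well, so the check is mutual
sslVerifyServerCert = true
sslAltNameToCheck = receiver.example.com

# ---- Forwarder: server.conf ----
[sslConfig]
# CA bundle used to validate the receiver certificate
sslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/ca.pem
```

A forwarder whose certificate is missing, untrusted or carries a SAN outside the list fails the TLS handshake, which shows up in splunkd.log on both ends.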
