
How can I set up a VPN connection for Splunk Cloud users?

premforsplunk
Explorer

Hi Folks,

Looking to set up a Splunk Cloud instance for my organization. Does the cloud version offer a VPN connection? Ideally I would want my colleagues to connect to a VPN and then access Splunk Cloud.

Looking to set this up more securely; please do tell me how security fares in the Splunk Cloud version.

0 Karma

esix_splunk
Splunk Employee

Splunk Cloud doesn't support VPN. However, Splunk Cloud does support the use of ACL restrictions. So your organization can provide a list of IP addresses, or a range. Once this is implemented, only hosts in that range could access the instances.

Additionally, some of the SAML providers can provide 2FA authentication. You can check on http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/FAQs/FAQs

0 Karma

jkc
Engager

Hi, has this changed since the original post, or does Splunk Cloud still not support use of a site-to-site VPN with the customer network? Thank you.

0 Karma

PickleRick
Ultra Champion

Since the access can be limited to a set(s) of source addresses, the web access is protected by TLS and the forwarder access can be protected by mutual TLS authentication, there is really no need for VPN as such.

If you really, really need something VPN-like, you could force your users to use an on-premise web-proxy and limit your Cloud access to that proxy only. It seems a bit pointless but it's possible.

What is the problem you're trying to solve with "VPN"?

0 Karma

jkc
Engager

Thanks for the reply. The requirement comes from organisation security standards. Could you expand on how this would be configured: "the forwarder access can be protected by mutual TLS authentication"? If we can limit access to specific users and devices based on client certs, this may satisfy the requirement.

 

0 Karma

PickleRick
Ultra Champion

Splunk inputs support TLS-level certificate authentication. If you set requireClientCert=true, you can, as the name says, require all connecting forwarders to present a valid certificate. There are additional settings which can limit access to specific SANs only. Then you configure your local forwarders to use client certs when connecting and you're set.

IP limiting is a standard feature on inputs.

One caveat - since we're talking about Cloud, you might have to contact support to set up the authentication on the Cloud's side.

WebUI access is another thing. I don't think you can authenticate users with certs here but - honestly - I don't see the point.
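
The forwarder mutual-TLS and IP-limiting setup described in the reply above, as an added example that is not part of the original thread or Splunk's own configuration. It shows the receiving side as it would look on a receiver you administer yourself (on Splunk Cloud that side is arranged through support, as the reply notes) together with the matching forwarder side. All hostnames, file paths, the address range and the passphrase placeholders are constructed for illustration.

```ini
# --- Receiver: inputs.conf (self-managed receiver; constructed values) ---
# TLS-only receiving port, limited to one source range (IP limiting).
[splunktcp-ssl:9997]
acceptFrom = 203.0.113.0/24

[SSL]
# Receiver certificate and key presented to forwarders.
serverCert = /opt/splunk/etc/auth/mycerts/receiver.pem
sslPassword = <receiver-key-passphrase>
# Refuse any forwarder that does not present a certificate
# signed by the trusted CA configured in server.conf below.
requireClientCert = true
# Accept only client certificates carrying one of these names.
sslCommonNameToCheck = fwd01.example.com
sslAltNameToCheck = fwd01.example.com

# --- Receiver: server.conf ---
[sslConfig]
# CA bundle used to validate the forwarders' client certificates.
sslRootCAPath = /opt/splunk/etc/auth/mycerts/ca.pem

# --- Forwarder: outputs.conf ---
[tcpout]
defaultGroup = tls_receivers

[tcpout:tls_receivers]
server = receiver.example.com:9997
# Client certificate and key this forwarder presents to the receiver.
clientCert = /opt/splunkforwarder/etc/auth/mycerts/fwd01.pem
sslPassword = <forwarder-key-passphrase>
# Authenticate the receiver too, so the check is mutual.
sslVerifyServerCert = true
sslCommonNameToCheck = receiver.example.com

# --- Forwarder: server.conf ---
[sslConfig]
# CA bundle used to validate the receiver's certificate.
sslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/ca.pem
```

With `requireClientCert = true` and no name checks, any certificate issued by the trusted CA is accepted, so the CA used here should issue certificates only to forwarders that are meant to connect.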
