Notes on Securing TCP Services
Managing access to administrative services like SSH, RDP, and Kubernetes
- Updated on Apr 28, 2021
- MTLS Flows
- Banyan Desktop App vs. VPN Clients
- Desktop App Proxy Capabilities
- Admin-defined TCP Services
- List of TCP Services
- Configuring TCP Clients
With the Banyan Access Tier you can easily create a Zero Trust policy for TCP services so a user can conveniently yet securely connect to an internal service using their existing client, without needing to rely on a VPN.
This article details a few advanced concepts related to securing TCP services, such as Banyan Desktop App proxy capabilities and configuring TCP clients (such as OpenSSH, PuTTY, RDP, and cURL).
Banyan uses Mutually Authenticated TLS (MTLS) flows to provide your end users secure Zero Trust access to TCP services. Banyan’s security mechanism is designed to be completely transparent to both the user and the service it is securing.
For TCP Services, Banyan Netagent checks for a short-lived X.509 client certificate (a.k.a. TrustCert) in the TLS handshake. Every connection from the user’s device to a Banyan-protected service is authenticated and wrapped in Mutual-Auth TLS encryption. Netagent unwraps the encryption and forwards the connection to the upstream service.
Mutual-Auth TLS requires both parties to provide certificates as proof of identity - the Banyan Desktop App procures the TrustCert on behalf of the user.
For details on the Zero Trust policy mechanism and cryptographic properties of the TrustCert, refer to Policy Enforcement.
Banyan Desktop App vs. VPN Clients
The Banyan Desktop App is required on your users’ devices in order for them to access TCP Services.
For Zero Trust access to Web Services only, the Banyan App is optional. Banyan utilizes browser capabilities with OpenID Connect and therefore does not require any agent on the device to intercept traffic; for web access, the Banyan App is only needed for device registration and trust scoring. Scenarios where you use a Device Manager or permit access from Unregistered Devices do not require the Banyan App.
Banyan allows you to extend the same convenient Zero Trust techniques from Web Services to TCP Services. However, because a browser cannot be used to access TCP services, the lightweight Banyan Desktop App is mandatory for TCP access. The user only needs to install the Desktop App on their device to intercept traffic on behalf of their non-browser TCP client.
Although the Banyan Desktop App can intercept traffic, it functions very differently from traditional Virtual Private Networking (VPN) products.
Unlike VPNs, Banyan is designed from the ground up for the usability and security needs of modern enterprise environments. VPN clients authenticate once, funnel all traffic from the device through a VPN Gateway, and allow the user complete, unfettered network access. VPNs pose serious security risks as well as operational scaling issues. Banyan instead works on the concept of zero-trust networking, as first espoused by Google (in their BeyondCorp whitepapers), where the user is given secure access to only a specific service.
Desktop App Proxy Capabilities
Since every Mutual-Auth TLS connection must begin with a certificate exchange, the user’s TCP client must use the TrustCert to access the Banyan-secured TCP service. Some TCP clients (typically CLI tools like vault) can do this natively. Other TCP clients (such as Git) do not.
For TCP clients that do not natively support X.509 client certificates, Banyan provides a user-space local TLS proxy called banyanproxy that runs on the user’s device. Read more in our article on the Desktop App.
Admin-defined TCP Services
When registering a TCP Service for Users in the Banyan Command Center, you can pre-configure all parameters for your end users to streamline their access to TCP Services via the Banyan Desktop App. Your end users simply launch the Banyan Desktop App on their device, locate the TCP service, connect via banyanproxy (without any additional port configuration), and use their preferred TCP client.
Optionally, you can configure the TCP Service so that the Banyan Desktop App allows or denies your end users from overriding your configuration.
List of TCP Services
The Banyan App lists all the services you have made available for your end users via its Services tab.
When a user clicks into a given Service, they can set the parameters needed to connect to that TCP Service. Setting the parameters launches banyanproxy in one of the Modes listed above. The user can also launch banyanproxy directly from a Terminal or PowerShell.
Configuring TCP Clients
Any TCP client on the device can use the provisioned short-lived X.509 certificate to set up a secure Mutual-Auth TLS connection to the Banyan Netagent, and then access the TCP service.
RDP Client (TCP Mode)
In the Banyan Command Center, create a TCP Service of Service Type “RDP”.
When the user clicks Connect in the Desktop App, banyanproxy launches in TCP Mode on a user-specified listen port (such as 8081). Now the user can open the “Remote Desktop Connection” application and connect to 127.0.0.1:8081. RDP traffic is automatically tunneled over the Mutual-Auth TLS channel set up by Banyan.
We plan to support Remote Desktop Gateway protocol so we can use the native proxy capability built into the RDP Client.
cURL is typically used to connect to HTTP services, and has built-in support for client certificate authentication.
Since HTTP is just another protocol carried over TCP, you can follow the same steps as for other TCP clients and create a TCP Service of Service Type “Generic TCP”.
Users can connect to an HTTP service exposed at my-http-api.example.com:443 using the cURL client as follows:
1. Set the BANYAN_CERTS environment variable; its value depends on your platform
2. Log in via the Banyan Desktop App to procure the short-lived client cert
3. Issue the cURL command, referencing the client cert:
curl -v --cacert $BANYAN_CERTS/login-cacert.pem --key $BANYAN_CERTS/login-key.pem --cert $BANYAN_CERTS/login-cert.pem https://my-http-service.example.com/api/v1/
The connection uses Mutual-Auth TLS and the curl client can access the service.