What, Why, and How of Zero-Trust Networking

Transcript

1. What, Why, and How of Zero-Trust Networking

2. Armon Dadgar Founder and CTO @armon

3. PROVISION, SECURE AND RUN ANY INFRASTRUCTURE Nomad Consul Vault Vagrant

   Packer Terraform Consul Enterprise Terraform Enterprise Vault Enterprise PRODUCT SUITE OSS TOOL SUITE RUN Applications SECURE Application Infrastructure PROVISION Infrastructure FOR INDIVIDUALS FOR TEAMS Nomad Enterprise

4. Traditional Networking

5. A B C D Network Perimeter

6. A B C D Network Perimeter Firewalls Web Application Firewall

   Intrusion Detection Intrusion Prevention SIEM Systems …

7. A B C D Network Perimeter

8. A B C D Network Perimeter

9. A B C D Network Perimeter

10. Defining Segmentation Splitting network into sub-networks Restricting communication between sub-networks

    Virtual LAN, Firewalls, Software Defined Networks Coarse Grained, Many Services Segment A Segment B Network

11. Problems with Traditional Networking

12. Attacker A B C D

13. Attacker A C D

14. A B C D

15. A C D B A C D B A C

    D B

16. A C D B A C D B A C

    D Attacker

17. Target Breached via HVAC HVAC connected to store network with

    WiFi Store network connected to Corporate network Production databases on Corporate network Attacker pivoted from network to network

18. Weakness of Perimeter Security Insider threat is a major omission

    Multiple entry points, lots of firewall rules Cloud makes this harder, with API driven changes All-or-nothing security

19. Learning to Trust Again

20. None

21. A -> B C -> D D -> C A

    B C D

22. B -> D A -> C A B C D

23. Re-asserting Trust Software Defined Networking Software Defined Firewall Beyond Corp

    / Zero Trust

24. Software Defined Network Untrusted physical network Smaller trusted virtual networks

    Challenging to deploy, operate, and debug Performance penalty of traffic encapsulation Administration of complex network rules Requires highly available and scalable control plane

25. Software Defined Firewall Untrusted physical network Firewall rules imposed at

    the edge Performance penalty for stateful firewalls Identity tied to source IP address Schedulers (Nomad or K8S) put multiple apps per IP Middleware (VPN, LB, NAT) re-write source IP

26. Zero Trust Networking Untrusted physical network Identity based access imposed

    at the edge Assigning Application Identity Distribution of Certificates Enforcing Access Controls

27. Implementing Zero Trust

28. Assigning Identity Web DB Cert: web.foo.com Cert: db.foo.com

29. Establishing Mutual TLS Web DB Mutual TLS Cert: web.foo.com Cert:

    db.foo.com

30. Authorization of Traffic Web DB Mutual TLS Cert: web.foo.com Cert:

    db.foo.com Allow?
31. None

32. Service Mesh for Microservices Service Discovery. Connect services with a

    dynamic registry Service Configuration. Configure services with runtime configs Service Segmentation. Secure services based on identity

33. Consul Usage Launched in 2014 12K+ GitHub Stars 1M+ Downloads

    monthly Customers running 50,000+ agents

34. Public Users

35. Service Discovery Registry of Nodes, Services, Checks DNS API HTTP

    API Web UI
36. None

37. Service Configuration Hierarchical Key/Value Store HTTP API Long-polling / Edge

    trigger Locking

38. Consul Connect

39. Consul Connect Service Access Graph Certificate Distribution Application Integration

40. Service Access Graph Intentions to Allow/Deny Communication Source and Destination

    Service Scale Independent Managed with CLI, API, UI, Terraform

41. T E R M I N A L $ consul

    intention create -deny web '*' Created: web => * (deny) $ consul intention create -allow web db Created: web => db (allow)
42. None

43. Certificate Distribution Transport Layer Security (TLS) Service Identity Encryption of

    all traffic

44. Certificate Generation Automatic Generation & Rotation Server Client Certificate Signing

    Request Generate Key Pair Sign Certificate

45. Certificate Format X.509 Certificate SPIFFE Compatible

46. Application Integration Consul Client for Service Graph and Certificates Sidecar

    Proxies Native Integrations

47. Sidecar Proxy Integration No Code Modification Minimal Performance Overhead Operational

    Flexibility

48. Sidecar Proxies Client Proxy App Configure Connect Proxy Client App

    Configure Connect

49. Pluggable Proxies Client App Configure Connect Client App Configure Connect

50. { "service": "web", "connect": { "proxy": { "config": { "upstreams":

    [{ "destination_name": "redis", "local_bind_port": 1234 }] } } } } C O D E E D I T O R

51. Proxy Client App Configure Connect localhost:1234 Connect to upstream redis

52. T E R M I N A L $ consul

    connect proxy \ -service web \ -upstream postgresql:8181 $ psql -h 127.0.0.1 -p 8181 -U mitchellh mydb >

53. Native Integration Standard TLS Negligible Performance Overhead Requires Code Modification

54. // Create a Consul API client client, _ := api.NewClient(api.DefaultConfig())

    // Create an instance representing this service. svc, _ := connect.NewService("my-service", client) defer svc.Close() // Creating an HTTP server that serves via Connect server := &http.Server{ Addr: ":8080", TLSConfig: svc.ServerTLSConfig(), // ... other standard fields } // Serve! server.ListenAndServerTLS("", "") C O D E E D I T O R

55. Consul Connect Service Access Graph. Intentions allow or deny communication

    of logical services. Certificate Distribution. Standard TLS certificates with SPIFFE compatibility. Application Integration. Native integrations or side car proxies.

56. Conclusion

57. Challenges of Traditional Networking Inside Threat Too many entry points,

    especially with Cloud All-or-nothing security

58. Zero Trust Networking Network access or IP does not grant

    access Identity based access controls Mutual TLS / PKI approaches like public Internet

59. Consul for Service Mesh Service Discovery. Connect services with a

    dynamic registry Service Configuration. Configure services with runtime configs Service Segmentation. Secure services based on identity

60. Thanks! Consul: https://consul.io @armon