
Advanced Security on Kubernetes with Istio


These are the slides presented at Open Source Summit Japan (https://events.linuxfoundation.jp/events/open-source-summit-japan-2018/program/schedule/).

Shunsuke Miyoshi

June 20, 2018


Transcript

  1. Advanced Security on Kubernetes with Istio
     20 June 2018
     Shunsuke Miyoshi ([email protected]), Fujitsu Limited
     Copyright 2018 FUJITSU LIMITED
  2. Outline
      Backgrounds
      Recent Cyber Attack Trends
      Conventional Network
      Zero Trust Network Model
      Zero Trust Network in Kubernetes with Istio
      Demo
      Summary
  3. Recent Cyber Attack Trends
      The number of cyber attacks is increasing
      Attacks are becoming more advanced
      APT (Advanced Persistent Threat) attacks
        • continuous attacks on a specific target over a long period of time
     Chart: the number of targeted e-mail attacks in Japan (data from the National Police Agency, http://www.npa.go.jp/)
       Year                          2012  2013  2014  2015  2016  2017
       # of targeted e-mail attacks  1009   492  1723  3828  4046  6027
  5. Advancing of Targeted e-Mail Attack
     Previous (Target: Anyone)
       e-Mail
       From: [email protected]
       To: [email protected]
       Title: You won the prize money!
       Dear member, You won the prize money! Please click http://mysite.com
     Now (Target: Individually)
       e-Mail
       From: [email protected]
       To: your-address@travel_egency.com
       Title: Notification of attachment of e-ticket receipt
       Attach: e-Ticket.pdf
       Please check the attached e-Ticket, and reply to me.
  6. Advancing of Targeted e-Mail Attack
     Same e-mails as slide 5, with callouts on the 'Previous' e-mail:
       • Free address
       • Easy to find that this is fake
  7. Advancing of Targeted e-Mail Attack
     Same e-mails as slide 5, with callouts on the 'Now' e-mail:
       • Forged to <name>@<company's addr>, individually targeted
       • Too difficult to find whether this is a business e-mail or not
       • Forged PDF file
  8. Conventional Network
      Firewall-based Security
      Policy: inside a local network is safe
     Figure: a firewall separates the local network from the public network. Once a service is attacked, the damage greatly expands to the other services inside the local network.
  9. Zero Trust Network Model
      Zero Trust Network Model
      Concept: Never Trust, Always Verify
       Ex. Is Service 'X' really Service 'X'? Is the data not wiretapped? Is the access authorized?
     Previous System: inside a local network is safe → firewall-based system
     Next Generation System: we never know where the enemy is → Zero Trust Network Model
     Figure: comparison of the two systems and where the protecting line is drawn
  10. Zero Trust Network in Kubernetes
       Image of Kubernetes
      Figure: a User runs kubectl against a Kubernetes Cluster on the intra network; Services run inside the cluster
  11. Zero Trust Network in Kubernetes
       Role Based Access Control (RBAC)
         • Access Control: User → Cluster
         • Ex. allow get/edit of resources (Pod, Service, …) in Namespace 'A'
       → Unsafe yet
         • Wiretap from another Service
         • Spoofing of a regular Service
      Figure: User → kubectl → Kubernetes Cluster, secured by RBAC
  12. Zero Trust Network in Kubernetes
       Security of Communication between Services
       Encryption of the Communication Channel
       Authentication of the Destination Service
         • Is the destination service really correct?
         • Do you really receive from the correct service?
      Figure: User → kubectl → Kubernetes Cluster, secured by RBAC
  13. Zero Trust Network in Kubernetes
       Security of Communication between Services
       Encryption of the Communication Channel
       Authentication of the Destination Service
         • Is the destination service really correct?
         • Do you really receive from the correct service?
       For realization
         • Install a certificate in every application
         • Change application code to encrypt data
         ※ in any programming language and any framework
      Figure: User → kubectl → Kubernetes Cluster, secured by RBAC
  14. Information that Service Owner Must Manage
      Service X:
        Destination   Certificate Path            Expiration date
        Service A     /etc/certs/svc_a.crt        2018/12
        Service F     /etc/certs/new/svc_f.crt    2019/05
        Service Y     /etc/certs/v2/svc_y.crt     2019/01
        ・・・         ・・・                        ・・・
      Plus: how to install a certificate in Ruby on Rails, how to install a certificate in Apache Web Server, ・・・
  15. Information that Service Owner Must Manage
      Same table as slide 14 (destination, certificate path and expiration date for every destination of Service X, plus per-framework installation procedures).
      All service owners must manage them. Too hard …
      → Istio as a Manager of Service Communication Security
  16. Overview of Istio
       What's Istio?
         • Network infrastructure for service communication
         • Improves service communication without changing application code
       Features
         • Traffic Management
         • Policy Enforcement
         • Observability
         • Security
      Figure (Network Layer Stack): Application communication / Istio (Service Mesh) / Kubernetes Network (Container Connection)
  17. Istio Architecture
      Figure: Control Plane: Pilot (config data to Envoys), Mixer (policy checks, telemetry), Citadel (TLS certs to Envoys). Data Plane: each Pod runs an Application Container with an Envoy sidecar; Service X and Service Y communicate through their Envoys over https, gRPC, …
  18. Security of Istio
       How Istio secures communication between services
         1. Distribute certificates to Envoy from Citadel
         2. Secure communication with the certificates
       ※ Citadel manages the certificates
         • Automates key and certificate generation, distribution, rotation, and revocation
      Figure: Citadel distributes certificates to the Envoy of Service X and the Envoy of Service Y; the application containers in each Pod talk through their Envoys
  19. Istio Role Based Access Control (RBAC)
       Authorize
         • Service to Service
         • End User to Service
      Figure: Istio RBAC Policy for Service Y: Service X → allow (◦), User A → allow (◦), Namespace T (Svc 1, Svc 2, Svc 3) → deny (×)
  20. Zero Trust Network: Kubernetes with Istio
      Figure: 'k8s RBAC only' vs 'k8s RBAC + Istio'. k8s RBAC controls user access; with Istio, the damage from an attacked service never expands to the other services.
      *) Istio internally uses k8s RBAC
  21. Demo
       Contents
         • Wiretap
         • Spoofing 1 (password already leaked)
         • Spoofing 2 (password and certificate already leaked)
       Configuration of Demo
      Figure: Internet User → Frontend Web Server → Backend API Server → MySQL DB inside the Kubernetes Cluster (Web / API request, JSON response, with https)
  22. Demo 1: Wiretap
       Overview of attack
         • The Web Server communicates with the API Server via http (not encrypted)
         • The attacker tries to wiretap the communication
       Countermeasure
         • All communication uses https
      Figure: User → Ingress → Frontend Web Server → (name, password) → Backend API Server → MySQL DB inside the Kubernetes Cluster; the attacker can read the name and password when they are sent with http, but not with https
  23. Demo 2: Spoofing 1 (password already leaked)
       Overview of attack
         • The password of the DB was already leaked (e.g. leaked by another service)
       Countermeasure
         • Mutual Authentication
         • Authenticate Frontend ⇔ Backend
      Figure: the attacker tells the Backend API Server "I have the password! Please send the secret info"
  24. Demo 3: Spoofing 2 (password and certificate already leaked)
       Overview of attack
         • The password and the Istio certificate are leaked due to sloppy management
       Countermeasure
         • Set an access policy on the Service
         • default: deny
         • allow: only from Service 'Frontend'
      Figure: the attacker tells the Backend API Server "I am a legitimate service, because I have a certificate. I need the secret info"
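The countermeasures of Demos 1 to 3 (slides 22 to 24) written as Istio configuration, as an added example that is not part of the original deck. It uses the security.istio.io/v1beta1 API of current Istio releases rather than the rbac.istio.io objects that were current in 2018; the namespace `demo`, the pod label `app: backend` and the service account `frontend` are assumed names.

```yaml
# Demo 1 countermeasure: every workload in the namespace must talk mTLS.
# Plain-text (http) connections between sidecars are refused, so the
# name/password exchange between Frontend and Backend cannot be wiretapped.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: demo            # assumed namespace
spec:
  mtls:
    mode: STRICT
---
# Demo 2 countermeasure: STRICT mTLS is mutual, so the Backend's Envoy also
# verifies the client certificate issued by the mesh CA (Citadel / istiod).
# A caller that only holds the DB password but no mesh certificate is
# rejected in the TLS handshake, before any request reaches the application.
#
# Demo 3 countermeasure, part 1: default deny. An AuthorizationPolicy with an
# empty spec matches every workload in the namespace and allows nothing.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: demo
spec: {}
---
# Demo 3 countermeasure, part 2: allow only the Frontend identity.
# The principal is the SPIFFE identity carried in the certificate
# (cluster.local/ns/<namespace>/sa/<service account>), so a caller that
# presents a valid mesh certificate for any other workload is still denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: backend-allow-frontend
  namespace: demo
spec:
  selector:
    matchLabels:
      app: backend           # assumed label of the Backend API Server pods
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/demo/sa/frontend"]   # assumed SA name
    to:
    - operation:
        methods: ["GET", "POST"]
```

After applying all three with `kubectl apply -f`, a request to the Backend from any pod other than Frontend is answered by the Backend's sidecar with HTTP 403 and the body "RBAC: access denied", which is the check to run to confirm the policy is in force.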
  25. Summary
       Introduction of the Zero Trust Network Model
         • Attacks are becoming more sophisticated
         • Serious damage to your business when attacked → never let the damage increase
       Kubernetes + Istio
         • Become more secure without changing application code