
Airlock Microgateway 2.1

Presentation about Airlock Microgateway 2.1.

Adrian Kosmaczewski

August 19, 2021


  1. VSHN – The DevOps Company
     Adrian Kosmaczewski, Developer Relations, VSHN
     Airlock Microgateway 2.1
     August 19th, 2021 – 16:00 CEST

     Speaker notes: Welcome to this presentation about Airlock Microgateway! My name is Adrian Kosmaczewski, I’m in charge of Developer Relations at VSHN, the DevOps company, and I’ll be your host tonight. Joining me are Aarno Aukia and Sergio Nuzzo from VSHN, and also Stefan Dietiker and Martin Burkhart from Ergon, the company behind Airlock Microgateway.
  2. Pronounced ˈvɪʒn – like "vision"
     The DevOps Company
     Founded 2014, 46 VSHNeers located in Zürich
     Switzerland’s leading DevOps, Docker & Kubernetes partner
     24/7 support
     ISO 27001 certified
     ISAE 3402 Report Type 1 verified
     First Swiss Kubernetes Certified Service Provider

     Speaker notes: Just a few words about VSHN; that’s how you pronounce the name, and we’re "The DevOps Company". We’ve been in Zurich since 2014, we’re 46 VSHNeers and we’re Switzerland’s leading DevOps, Docker & Kubernetes partner, offering 24/7 support to our customers. We’ve got a few certifications, and most importantly, we were the First Swiss Kubernetes Certified Service Provider back in 2016.
  3. We’re partners with many companies

     Speaker notes: We’re very active in the Cloud Native space; you might recognize some of the logos on this slide.
  4. We also run our own "Platform as a Service" offering called "APPUiO".

     Speaker notes: We’ve created our own suite of tools to manage lots of Kubernetes services from a central location, called "Project Syn". Last but not least, we have developed our own Kubernetes operator for backups, called K8up, which just like Project Syn is 100% open source on GitHub.
  5. Agenda
     DevSecOps & Zero-Trust
     Airlock Microgateway 2.1
     Demo
     Questions & Answers

     Speaker notes: Today we’re going to see how security can be incorporated in DevOps workflows. Then, how Airlock Microgateway 2.1 can be used to protect applications from attackers. Finally, we’re going to see a short live demo: an integration of Airlock Microgateway in a Kubernetes cluster. Please feel free to ask your questions in the Q&A box at the bottom of your Zoom window, and my colleagues and I will answer them at the end of the session. Let’s get started!
  6. DevSecOps
     1. The Principle of Flow: continuously and proactively harden the security of apps
     2. The Principle of Feedback: keeping an eye open on threats
     3. The Principle of Continual Learning and Experimentation: through retrospectives and post-mortem reports

     Speaker notes: How do the principles of DevOps apply in DevSecOps? Very straightforwardly, as it happens: through continuous monitoring and learning of new threats, DevSecOps teams can proactively increase the security of their applications, through a flow of new security rules added to the system. The feedback loop runs between security specialists, developers and operators, all working together as a team.
  7. Zero-Trust
     1. Explicit Verification
     2. Least-privilege Access
     3. Breach assumption

     Speaker notes: The guiding principles of Zero Trust are the following: 1. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies. 2. Limit user access with Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity. 3. Minimize the blast radius of breaches and prevent lateral movement by segmenting access by network, user, device, and application awareness. Verify that all sessions are encrypted end to end. Use analytics to get visibility, drive threat detection, and improve defenses.
  8. Key component for Zero-Trust security with a DevSecOps strategy

     Speaker notes: Airlock Microgateway can be used in a DevSecOps strategy to implement Zero Trust, adding security to applications running in production, even when the source code of those applications is no longer available.
  9. Features
     Protects out of the box from a long list of attack vectors, including the OWASP Top 10
     Designed for the cloud: containers and Kubernetes
     OpenAPI and JSON Schema protection
     Access management in combination with Airlock IAM
     Authentication check (including JWT token validation)
     Security as Code → easily stored in Git repositories

     Speaker notes: Airlock Microgateway is a lightweight security gateway designed specifically for use in container environments. It helps DevOps engineers and application teams protect their services from unauthorized or malicious access with little effort. This increases agility and ensures high security in the right place and from the very beginning.
 10. Deny Rule Groups
     Deny Rule Group                       Options
     SQL or NoSQL Injection                In parameter or header
     Cross-Site Scripting (XSS)            In path, parameter or header
     HTML Injection                        In parameter or header
     Windows or Unix command injection     In parameter or header
     Automated scanning                    –
     Full list: docs.airlock.com/microgateway/2.1/#data/defaultdenyr.html

     Speaker notes: What can Airlock Microgateway 2.1 do for you? Turns out, out of the box, it can do a lot. Just by redirecting ingress traffic to it, your application immediately benefits from a long list of default rules, ready to be used and applied.
 11. Use Cases
     Agile protection for microservices
     Zero trust for monoliths
     Integration gateway for developers

     Speaker notes: In which cases is Airlock Microgateway the best option? If you use microservices, you can use it to harden each part of your application. For those of us still stuck with good old monoliths, Airlock Microgateway provides a lightweight option to secure applications, and that is precisely what we’re going to see in this presentation. Finally, because it is so lightweight, developers can use it in their workflows during development and testing, so that they can iron out any problems early on.
 12. Airlock Microgateway works together with the whole ecosystem of Airlock products, including Airlock IAM and Airlock Gateway.

     Speaker notes: Source: www.airlock.com/fileadmin/content/07_Airlock-PDFs/Airlock_Microgateway_en.pdf
 13. Editions & Support
                                        Community   Premium
     DevSecOps-ready                    ✓           ✓
     Monitoring & Reporting             ✓           ✓
     Standard Protection                ✓           ✓
     Access Control with Airlock IAM    ✓           ✓
     Advanced Protection (OpenAPI)      Log only    ✓
     Integrated Access Control          Log only    ✓

     Speaker notes: Airlock Microgateway offers two tiers of licensing and support; in the premium version, users get advanced features such as: Advanced Application Protection: OpenAPI Schema Enforcement, Additional Deny- and Allow-Rules, CSRF Tokens, HTTP Parameter Pollution, Multipart Parser, URL Encryption, Strict UTF8 Encoding Enforcement (to be demo’d in this session). Integrated Access Control: verify JWT tokens, access decisions based on token details.
 14. Demo
     Securing a problematic app
     Enabling the Airlock Microgateway
     Adding a custom rule
     Enabling OpenAPI support

     Speaker notes: Let’s see Airlock Microgateway in action. In this demo we are going to see a simple application deployed in a Kubernetes cluster, which has some security problems. First we are going to see how, just by redirecting traffic to Airlock Microgateway, we can solve lots of problems out of the box. Then we’re going to add some custom rules to our deployment, and finally we’re going to enable OpenAPI support and we’ll see how it’s enforced.
 15. Demo Architecture: Ingress → Microgateway → Fortune

     Speaker notes: By default, the configuration of this deployment redirects all incoming traffic to the Fortune services; now we’re going to activate the Microgateway service to intercept all inbound insecure requests.
 16. But not even Ergon’s great security team thought about one of the greatest and latest threats: the Smurfs

     Speaker notes: Also known as "Die Schlümpfe" auf Deutsch, "Les Schtroumpfs" en Français, "Los Pitufos" en Español, or "I Puffi" in Italiano. They have a known tendency to use the verb "Smurf" to indicate pretty much any activity, including, of course, hacking, as shown in the picture on this slide. They have been known to infiltrate systems, and whenever Clumsy Smurf does it, you can be sure there’s going to be a system failure smurfing somewhere. Source of the image: www.lulu-berlu.com/the-smurfs-schleich-40249-smurf-with-computer-a47195-en.html
 17. In this declassified picture from the CIA archives you can see Smurfs learning the arts of hacking, guided by the patient and wise hand of Brainy Smurf.

     Speaker notes: Source of the image: www.toonpool.com/user/1688/files/brainy_2110615.jpg
 18. Custom deny rule: (1) rule definition, (2) rule application
     docs.airlock.com/microgateway/2.1/#data/dslreference.html

     apiVersion: v1
     kind: ConfigMap
     metadata:
       name: microgateway-config
     data:
       config.yaml: |
         # (1) rule definition
         deny_rule_groups:
           - rule_group_key: "BLOCK_SMURFS"
             deny_rules:
               - rule_key: "NO_SMURFS"
                 parameter_value:
                   pattern: "smurf"
         # (2) rule application
         apps:
           - virtual_host:
               name: demo
               hostname: microgateway.eu.ngrok.io
             mappings:
               - deny_rule_groups:
                   - enabled: true
                     level: strict
                   - rule_group_keys:
                       - BLOCK_SMURFS
                 backend:
                   hosts:
                     - name: fortune-svc
                       port: 9090

     Speaker notes: This is how you define custom rules in your configuration file. Every time this file is modified, the Airlock Microgateway pod must be killed, so that it is re-created with the new configuration.
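     To show what a deny rule group like the one on this slide actually does to traffic, here is an added example that models the evaluation in plain Python. It is not Airlock Microgateway’s rule engine and does not reproduce what the `level` setting means in the product; it only mirrors the slide’s structure (a group with a key, rules with a key and a pattern, and a mapping that lists which groups are enabled). The `BLOCK_SMURFS` group is transcribed from the ConfigMap above; the second group, the header inspection, the `Request` shape and the log-only switch are constructed for the example (the Community edition’s "Log only" mode on slide 13 is the motivation for the latter).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class DenyRule:
    rule_key: str
    pattern: str
    # Request parts the pattern is checked against; slide 10 lists parameter, header and path.
    locations: Tuple[str, ...] = ("parameter",)


@dataclass
class DenyRuleGroup:
    rule_group_key: str
    deny_rules: List[DenyRule]


@dataclass
class Request:
    path: str
    params: Dict[str, str] = field(default_factory=dict)   # already URL-decoded
    headers: Dict[str, str] = field(default_factory=dict)


# The custom group from the ConfigMap on this slide, transcribed into Python.
BLOCK_SMURFS = DenyRuleGroup("BLOCK_SMURFS", [DenyRule("NO_SMURFS", "smurf")])

# Constructed second group: a rule that inspects headers as well as parameters.
BLOCK_SCRIPT_TAGS = DenyRuleGroup(
    "BLOCK_SCRIPT_TAGS",
    [DenyRule("NO_SCRIPT_TAG", r"<\s*script", ("parameter", "header"))],
)

ALL_GROUPS = [BLOCK_SMURFS, BLOCK_SCRIPT_TAGS]


def evaluate(request: Request, groups: Iterable[DenyRuleGroup], enabled_keys: Set[str],
             log_only: bool = False) -> Tuple[bool, List[str]]:
    """Return (allowed, findings).

    Only groups whose key appears in the mapping's enabled set are applied, which is
    what the rule_group_keys list on the slide selects. In log-only mode the request
    is always allowed, but the findings are still reported so they can be logged."""
    findings: List[str] = []
    for group in groups:
        if group.rule_group_key not in enabled_keys:
            continue
        for rule in group.deny_rules:
            regex = re.compile(rule.pattern, re.IGNORECASE)
            for location in rule.locations:
                targets = {
                    "parameter": list(request.params.items()),
                    "header": list(request.headers.items()),
                    "path": [("path", request.path)],
                }[location]
                for name, value in targets:
                    if regex.search(value):
                        findings.append(f"{group.rule_group_key}/{rule.rule_key} matched {location} {name!r}")
    return (log_only or not findings), findings


if __name__ == "__main__":
    # Constructed sample traffic against the demo mapping, which enables only BLOCK_SMURFS.
    enabled = {"BLOCK_SMURFS"}
    for req in (Request("/api", {"text": "good morning"}),
                Request("/api", {"text": "Smurf the server"}),
                Request("/api", headers={"User-Agent": "<script>x"})):
        allowed, findings = evaluate(req, ALL_GROUPS, enabled)
        print(req.params or req.headers, "->", "allow" if allowed else "block", findings)
```

     The third request in the usage block passes because the demo mapping only lists `BLOCK_SMURFS`; adding `BLOCK_SCRIPT_TAGS` to the enabled set makes the same request a finding. That is the operational point of the two-part structure on the slide: defining a group does nothing until a mapping references it.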
 19. OpenAPI ("Swagger") protection: (1) OpenAPI definition, (2) application
     docs.airlock.com/microgateway/2.1/#data/openapispecv.html

     apiVersion: v1
     kind: ConfigMap
     data:
       # (1) OpenAPI ("Swagger") definition
       swagger.json: |
         {
           "openapi": "3.0.1",
           "info": {
             "title": "Fortune.NET",
             "version": "v1"
           },
           "paths": {
             "/api": {
               # ...
       # (2) application
       config.yaml: |
         apps:
           - virtual_host:
               hostname: microgateway.eu.ngrok.io
             mappings:
               - api_security:
                   openapi:
                     spec_file: /config/swagger.json
                 backend:
                   hosts:
                     - name: fortune-svc
                       port: 9090

     Speaker notes: This slide shows how to enable OpenAPI ("Swagger") based security.
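     The slide says the specification is "enforced" but does not show what enforcement looks like from the request’s point of view. The following added example is a small positive-security validator that rejects anything the OpenAPI document does not declare: unknown paths, undeclared methods, undeclared or mistyped query parameters, and JSON bodies that miss required properties or carry extra ones. It is illustration code, not Ergon’s implementation and not a full JSON Schema validator; the `SPEC` document only borrows the title and the `/api` path from the slide, and all of its operations, parameters and the `/api/fortune` paths are constructed.

```python
import re

# Constructed OpenAPI 3 document standing in for /config/swagger.json. Only the title and the
# "/api" path name come from the slide; the operations and schemas are assumptions.
SPEC = {
    "openapi": "3.0.1",
    "info": {"title": "Fortune.NET", "version": "v1"},
    "paths": {
        "/api": {
            "get": {"parameters": [
                {"name": "count", "in": "query", "required": False, "schema": {"type": "integer"}}]},
        },
        "/api/fortune/{id}": {"get": {}},
        "/api/fortune": {
            "post": {"requestBody": {"required": True, "content": {"application/json": {"schema": {
                "type": "object", "required": ["text"], "additionalProperties": False,
                "properties": {"text": {"type": "string"}, "author": {"type": "string"}}}}}}},
        },
    },
}


def _json_type_ok(value, schema_type):
    checks = {
        "string": lambda v: isinstance(v, str),
        "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
        "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
        "boolean": lambda v: isinstance(v, bool),
        "object": lambda v: isinstance(v, dict),
        "array": lambda v: isinstance(v, list),
    }
    return checks.get(schema_type, lambda v: True)(value)


def _query_type_ok(raw, schema_type):
    # Query values arrive as strings, so types are checked syntactically.
    if schema_type == "integer":
        return re.fullmatch(r"-?\d+", raw) is not None
    if schema_type == "boolean":
        return raw in ("true", "false")
    return True


def _match_path(paths, path):
    for template in paths:
        pattern = re.sub(r"\{[^/}]+\}", "[^/]+", template)  # /api/fortune/{id} -> /api/fortune/[^/]+
        if re.fullmatch(pattern, path):
            return template
    return None


def check_body(schema, body):
    if not _json_type_ok(body, schema.get("type", "object")):
        return [f"body is not of type {schema.get('type', 'object')}"]
    violations = []
    if isinstance(body, dict):
        for name in schema.get("required", []):
            if name not in body:
                violations.append(f"missing required body property '{name}'")
        props = schema.get("properties", {})
        for name, value in body.items():
            if name in props:
                if not _json_type_ok(value, props[name].get("type")):
                    violations.append(f"body property '{name}' has wrong type")
            elif schema.get("additionalProperties", True) is False:
                violations.append(f"undeclared body property '{name}'")
    return violations


def enforce(spec, method, path, query=None, body=None):
    """Return the list of violations; an empty list means the request conforms to the spec."""
    query = query or {}
    template = _match_path(spec["paths"], path)
    if template is None:
        return [f"path '{path}' is not defined in the API specification"]
    operation = spec["paths"][template].get(method.lower())
    if operation is None:
        return [f"method {method.upper()} is not allowed on '{template}'"]
    violations = []
    params = [p for p in operation.get("parameters", []) if p.get("in") == "query"]
    for p in params:
        if p["name"] not in query:
            if p.get("required"):
                violations.append(f"missing required query parameter '{p['name']}'")
        elif not _query_type_ok(query[p["name"]], p.get("schema", {}).get("type")):
            violations.append(f"query parameter '{p['name']}' has wrong type")
    declared = {p["name"] for p in params}
    for name in query:
        if name not in declared:
            violations.append(f"undeclared query parameter '{name}'")
    request_body = operation.get("requestBody")
    if request_body is None:
        if body is not None:
            violations.append("request body not allowed for this operation")
    elif body is None:
        if request_body.get("required"):
            violations.append("request body required")
    else:
        violations.extend(check_body(request_body["content"]["application/json"]["schema"], body))
    return violations
```

     Run against the constructed spec, `enforce(SPEC, "GET", "/api", {"count": "3"})` returns no violations, while a request to a path the application never documented is refused before the backend sees it, which is the property that makes schema enforcement a positive-security control rather than a signature list.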
 20. Deployment: (1) OpenAPI ("Swagger") file, (2) Microgateway configuration file

     apiVersion: apps/v1
     kind: Deployment
     metadata:
       name: microgateway
     spec:
       selector:
         matchLabels:
           app: microgateway
       template:
         spec:
           initContainers:
             - name: configbuilder
               image: ergon/airlock-microgateway-configbuilder:2.1.0
               imagePullPolicy: IfNotPresent
               volumeMounts:
                 # (1) OpenAPI ("Swagger") file
                 - name: config
                   mountPath: /config/swagger.json
                   subPath: swagger.json
                 # (2) Microgateway configuration file
                 - name: config
                   mountPath: /config/config.yaml
                   subPath: config.yaml
                 - name: secret
                   mountPath: /secret/
                   readOnly: true
                 - name: config-files
                   mountPath: /resources-gen
           # ...

     Speaker notes: This slide shows how to use the values defined in the ConfigMap; this exposes the configuration and the OpenAPI definitions to the Microgateway service. This information is used by the init containers that launch the Microgateway service.
 21. For more information
     Airlock Microgateway 2.1: airlock.com/en/secure-access-hub/components/microgateway
     Documentation: docs.airlock.com/microgateway/2.1
     Community Support Forum: forum.airlock.com
     Ergon: www.ergon.ch/en
     OWASP Top Ten: owasp.org/www-project-top-ten

     Speaker notes: For more information about Airlock Microgateway 2.1, check these links.
 22. Thanks!
     Adrian Kosmaczewski, Developer Relations, VSHN
     VSHN AG – Neugasse 10 – CH-8005 Zürich – +41 44 545 53 00
     adrian@vshn.ch – info@vshn.ch – vshn.ch

     Speaker notes: We hope that this presentation and its demo will be useful to you, and please do not hesitate to contact us if you need more information, a trial account, or a personalized demo for your team. Thanks for watching, and beware of Smurfs!