What, Why, and How of Zero-Trust Networking

Transcript

1. What, Why, and How of Zero-Trust Networking
   

   View Slide

2. Armon Dadgar
   Founder and CTO
   @armon
   

   View Slide

3. PROVISION, SECURE AND RUN ANY INFRASTRUCTURE
   Nomad Consul
   Vault
   Vagrant Packer Terraform
   Consul Enterprise
   Terraform Enterprise
   Vault Enterprise
   PRODUCT SUITE
   OSS TOOL SUITE
   RUN
   Applications
   SECURE
   Application Infrastructure
   PROVISION
   Infrastructure
   FOR INDIVIDUALS FOR TEAMS
   Nomad Enterprise
   

   View Slide

4. Traditional Networking
   

   View Slide

5. A B
   C D
   Network Perimeter
   

   View Slide

6. A B
   C D
   Network Perimeter Firewalls
   Web Application Firewall
   Intrusion Detection
   Intrusion Prevention
   SIEM Systems
   …
   

   View Slide

7. A B
   C D
   Network Perimeter
   

   View Slide

8. A B
   C D
   Network Perimeter
   

   View Slide

9. A B
   C D
   Network Perimeter
   

   View Slide

10. Defining Segmentation
    Splitting network into sub-networks
    Restricting communication between sub-networks
    Virtual LAN, Firewalls, Software Defined Networks
    Coarse Grained, Many Services
    Segment
    A
    Segment
    B
    Network
    

    View Slide

11. Problems with
    Traditional Networking
    

    View Slide

12. Attacker A B
    C D
    

    View Slide

13. Attacker
    A
    C D
    

    View Slide

14. A B
    C D
    

    View Slide

15. A
    C D
    B A
    C D
    B A
    C D
    B
    

    View Slide

16. A
    C D
    B A
    C D
    B A
    C D
    Attacker
    

    View Slide

17. Target Breached via HVAC
    HVAC connected to store network with WiFi
    Store network connected to Corporate network
    Production databases on Corporate network
    Attacker pivoted from network to network
    

    View Slide

18. Weakness of Perimeter Security
    Insider threat is a major omission
    Multiple entry points, lots of firewall rules
    Cloud makes this harder, with API driven changes
    All-or-nothing security
    

    View Slide

19. Learning to Trust Again
    

    View Slide

20. View Slide

21. A -> B
    C -> D
    D -> C
    A B
    C D
    

    View Slide

22. B -> D
    A -> C
    A B
    C D
    

    View Slide

23. Re-asserting Trust
    Software Defined Networking
    Software Defined Firewall
    Beyond Corp / Zero Trust
    

    View Slide

24. Software Defined Network
    Untrusted physical network
    Smaller trusted virtual networks
    Challenging to deploy, operate, and debug
    Performance penalty of traffic encapsulation
    Administration of complex network rules
    Requires highly available and scalable control plane
    

    View Slide

25. Software Defined Firewall
    Untrusted physical network
    Firewall rules imposed at the edge
    Performance penalty for stateful firewalls
    Identity tied to source IP address
    Schedulers (Nomad or K8S) put multiple apps per IP
    Middleware (VPN, LB, NAT) re-write source IP
    

    View Slide

26. Zero Trust Networking
    Untrusted physical network
    Identity based access imposed at the edge
    Assigning Application Identity
    Distribution of Certificates
    Enforcing Access Controls
    

    View Slide

27. Implementing Zero Trust
    

    View Slide

28. Assigning Identity
    Web DB
    Cert: web.foo.com Cert: db.foo.com
    

    View Slide

29. Establishing Mutual TLS
    Web DB
    Mutual TLS
    Cert: web.foo.com Cert: db.foo.com
    

    View Slide

30. Authorization of Traffic
    Web DB
    Mutual TLS
    Cert: web.foo.com Cert: db.foo.com
    Allow?
    

    View Slide

31. View Slide

32. Service Mesh for Microservices
    Service Discovery. Connect services with a dynamic registry
    Service Configuration. Configure services with runtime configs
    Service Segmentation. Secure services based on identity
    

    View Slide

33. Consul Usage
    Launched in 2014
    12K+ GitHub Stars
    1M+ Downloads monthly
    Customers running 50,000+ agents
    

    View Slide

34. Public Users
    

    View Slide

35. Service Discovery
    Registry of Nodes, Services, Checks
    DNS API
    HTTP API
    Web UI
    

    View Slide

36. View Slide

37. Service Configuration
    Hierarchical Key/Value Store
    HTTP API
    Long-polling / Edge trigger
    Locking
    

    View Slide

38. Consul Connect
    

    View Slide

39. Consul Connect
    Service Access Graph
    Certificate Distribution
    Application Integration
    

    View Slide

40. Service Access Graph
    Intentions to Allow/Deny Communication
    Source and Destination Service
    Scale Independent
    Managed with CLI, API, UI, Terraform
    

    View Slide

41. T E R M I N A L
    $ consul intention create -deny web '*'
    Created: web => * (deny)
    $ consul intention create -allow web db
    Created: web => db (allow)
    

    View Slide

42. View Slide

43. Certificate Distribution
    Transport Layer Security (TLS)
    Service Identity
    Encryption of all traffic
    

    View Slide

44. Certificate Generation
    Automatic Generation & Rotation
    Server
    Client
    Certificate
    Signing Request
    Generate
    Key Pair
    Sign Certificate
    

    View Slide

45. Certificate Format
    X.509 Certificate
    SPIFFE Compatible
    

    View Slide

46. Application Integration
    Consul Client for Service Graph and Certificates
    Sidecar Proxies
    Native Integrations
    

    View Slide

47. Sidecar Proxy Integration
    No Code Modification
    Minimal Performance Overhead
    Operational Flexibility
    

    View Slide

48. Sidecar Proxies
    Client
    Proxy
    App
    Configure
    Connect
    Proxy
    Client
    App
    Configure
    Connect
    

    View Slide

49. Pluggable Proxies
    Client
    App
    Configure
    Connect
    Client
    App
    Configure
    Connect
    

    View Slide

50. {
    "service": "web",
    "connect": {
    "proxy": {
    "config": {
    "upstreams": [{
    "destination_name": "redis",
    "local_bind_port": 1234
    }]
    }
    }
    }
    }
    C O D E E D I T O R
    

    View Slide

51. Proxy
    Client
    App
    Configure
    Connect localhost:1234
    Connect to
    upstream redis
    

    View Slide

52. T E R M I N A L
    $ consul connect proxy \
    -service web \
    -upstream postgresql:8181
    $ psql -h 127.0.0.1 -p 8181 -U mitchellh mydb
    >
    

    View Slide

53. Native Integration
    Standard TLS
    Negligible Performance Overhead
    Requires Code Modification
    

    View Slide

54. // Create a Consul API client
    client, _ := api.NewClient(api.DefaultConfig())
    // Create an instance representing this service.
    svc, _ := connect.NewService("my-service", client)
    defer svc.Close()
    // Creating an HTTP server that serves via Connect
    server := &http.Server{
    Addr: ":8080",
    TLSConfig: svc.ServerTLSConfig(),
    // ... other standard fields
    }
    // Serve!
    server.ListenAndServerTLS("", "")
    C O D E E D I T O R
    

    View Slide

55. Consul Connect
    Service Access Graph. Intentions allow or deny communication of
    logical services.
    Certificate Distribution. Standard TLS certificates with SPIFFE
    compatibility.
    Application Integration. Native integrations or side car proxies.
    

    View Slide

56. Conclusion
    

    View Slide

57. Challenges of Traditional Networking
    Inside Threat
    Too many entry points, especially with Cloud
    All-or-nothing security
    

    View Slide

58. Zero Trust Networking
    Network access or IP does not grant access
    Identity based access controls
    Mutual TLS / PKI approaches like public Internet
    

    View Slide

59. Consul for Service Mesh
    Service Discovery. Connect services with a dynamic registry
    Service Configuration. Configure services with runtime configs
    Service Segmentation. Secure services based on identity
    

    View Slide

60. Thanks!
    Consul: https://consul.io
    @armon
    

    View Slide