What, Why, and How of Zero-Trust Networking

Armon Dadgar
September 11, 2018


Traditional approaches to networking and security no longer work. Applications are adopting microservices patterns and organizations are embracing public clouds, which add new challenges to operating and securing our networks. The network perimeter used to be the best and last line of defense, but high-profile compromises keep happening. Zero-trust networking is the idea of treating the private network like the public Internet: untrusted and adversarial. In this talk, we cover what zero-trust networking means, why it matters for most organizations, and how it can be implemented using Consul.

Consul is a service mesh that focuses on service discovery, service configuration, and service segmentation. Segmentation is done using a "zero trust" approach, meaning we don't depend on trusted networks or IP addresses. Applications are provided TLS certificates which provide strong cryptographic identity, using the SPIFFE standard. Mutual TLS is used to ensure application identity is verified and all traffic encrypted over the wire. Applications are integrated either using transparent sidecars or with a native SDK.


Transcript

  1. What, Why, and How of Zero-Trust Networking

  2. Armon Dadgar Founder and CTO @armon

  3. PROVISION, SECURE AND RUN ANY INFRASTRUCTURE
     - OSS tool suite (for individuals): Vagrant, Packer, Terraform, Vault, Nomad, Consul
     - Product suite (for teams): Terraform Enterprise, Vault Enterprise, Nomad Enterprise, Consul Enterprise
     - PROVISION infrastructure, SECURE application infrastructure, RUN applications
  4. Traditional Networking

  5. A B C D Network Perimeter

  6. A B C D Network Perimeter: Firewalls, Web Application Firewall, Intrusion Detection, Intrusion Prevention, SIEM Systems, …
  7. A B C D Network Perimeter

  8. A B C D Network Perimeter

  9. A B C D Network Perimeter

  10. Defining Segmentation
     - Splitting the network into sub-networks
     - Restricting communication between sub-networks
     - Virtual LAN, Firewalls, Software Defined Networks
     - Coarse grained, many services (Segment A, Segment B, Network)
  11. Problems with Traditional Networking

  12. Attacker A B C D

  13. Attacker A C D

  14. A B C D

  15. A C D B A C D B A C D B

  16. A C D B A C D B A C D Attacker
  17. Target Breached via HVAC
     - HVAC connected to store network with WiFi
     - Store network connected to corporate network
     - Production databases on corporate network
     - Attacker pivoted from network to network
  18. Weakness of Perimeter Security
     - Insider threat is a major omission
     - Multiple entry points, lots of firewall rules
     - Cloud makes this harder, with API driven changes
     - All-or-nothing security
  19. Learning to Trust Again

  21. A -> B, C -> D, D -> C (A B C D)

  22. B -> D, A -> C (A B C D)

  23. Re-asserting Trust: Software Defined Networking; Software Defined Firewall; BeyondCorp / Zero Trust

  24. Software Defined Network
     - Untrusted physical network, smaller trusted virtual networks
     - Challenging to deploy, operate, and debug
     - Performance penalty of traffic encapsulation
     - Administration of complex network rules
     - Requires a highly available and scalable control plane

  25. Software Defined Firewall
     - Untrusted physical network, firewall rules imposed at the edge
     - Performance penalty for stateful firewalls
     - Identity tied to source IP address
     - Schedulers (Nomad or K8S) put multiple apps per IP
     - Middleware (VPN, LB, NAT) re-writes the source IP

  26. Zero Trust Networking
     - Untrusted physical network, identity based access imposed at the edge
     - Assigning application identity
     - Distribution of certificates
     - Enforcing access controls
  27. Implementing Zero Trust

  28. Assigning Identity: Web (Cert: web.foo.com), DB (Cert: db.foo.com)

  29. Establishing Mutual TLS: Web (Cert: web.foo.com) <-- Mutual TLS --> DB (Cert: db.foo.com)

  30. Authorization of Traffic: Web (Cert: web.foo.com) <-- Mutual TLS --> DB (Cert: db.foo.com), Allow?
  32. Service Mesh for Microservices
     - Service Discovery. Connect services with a dynamic registry
     - Service Configuration. Configure services with runtime configs
     - Service Segmentation. Secure services based on identity

  33. Consul Usage
     - Launched in 2014
     - 12K+ GitHub stars
     - 1M+ downloads monthly
     - Customers running 50,000+ agents
  34. Public Users

  35. Service Discovery: registry of nodes, services, checks; DNS API; HTTP API; Web UI
  37. Service Configuration: hierarchical key/value store; HTTP API; long-polling / edge trigger; locking
  38. Consul Connect

  39. Consul Connect Service Access Graph Certificate Distribution Application Integration

  40. Service Access Graph
     - Intentions to allow/deny communication
     - Source and destination service
     - Scale independent
     - Managed with CLI, API, UI, Terraform

  41. Terminal:
     $ consul intention create -deny web '*'
     Created: web => * (deny)
     $ consul intention create -allow web db
     Created: web => db (allow)
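An added example, not from the talk or from Consul's own code, that ties slides 28 to 30 (identity from a certificate, authorization after mutual TLS) to the intentions of slides 40 and 41: the caller's service name is read from the SPIFFE URI SAN of its certificate, never from its IP, and the "web => * (deny)" plus "web => db (allow)" policy is evaluated with exact destinations taking precedence over the wildcard. The trust domain foo.com and the "/svc/<name>" path layout are constructed assumptions, and Intentions is a simplified model of Consul's intention semantics.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Intentions maps "src=>dst" to allow (true) or deny (false), after the "web => db (allow)" CLI output; "*" is the wildcard.
type Intentions map[string]bool

// issueCert: self-signed cert whose only identity is a SPIFFE URI SAN in the constructed domain foo.com ("/svc/<name>" layout is assumed, not Consul's exact format).
func issueCert(svc string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		URIs: []*url.URL{{Scheme: "spiffe", Host: "foo.com", Path: "/svc/" + svc}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// authorize takes identity from the SPIFFE SAN, never the peer IP; an exact destination entry beats "*", no match means deny.
func authorize(peer *x509.Certificate, dst string, policy Intentions) bool {
	src := ""
	for _, u := range peer.URIs {
		if u.Scheme == "spiffe" && u.Host == "foo.com" && strings.HasPrefix(u.Path, "/svc/") {
			src = strings.TrimPrefix(u.Path, "/svc/")
		}
	}
	if allow, ok := policy[src+"=>"+dst]; ok && src != "" {
		return allow
	}
	return src != "" && policy[src+"=>*"] // an absent key reads as false, i.e. deny
}

func main() {
	web, _ := issueCert("web")
	policy := Intentions{"web=>*": false, "web=>db": true}
	fmt.Println(authorize(web, "db", policy), authorize(web, "redis", policy)) // prints: true false
}
```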
  43. Certificate Distribution: Transport Layer Security (TLS); service identity; encryption of all traffic

  44. Certificate Generation: automatic generation & rotation. Client: generate key pair, send Certificate Signing Request; Server: sign certificate
  45. Certificate Format X.509 Certificate SPIFFE Compatible

  46. Application Integration: Consul client for service graph and certificates; sidecar proxies; native integrations

  47. Sidecar Proxy Integration: no code modification; minimal performance overhead; operational flexibility

  48. Sidecar Proxies (diagram): Client, Proxy, App, Configure, Connect; Proxy, Client, App, Configure, Connect
  49. Pluggable Proxies Client App Configure Connect Client App Configure Connect

  50. Code editor:
     {
       "service": "web",
       "connect": {
         "proxy": {
           "config": {
             "upstreams": [{
               "destination_name": "redis",
               "local_bind_port": 1234
             }]
           }
         }
       }
     }
  51. Proxy Client App Configure Connect localhost:1234 Connect to upstream redis

  52. Terminal:
     $ consul connect proxy \
         -service web \
         -upstream postgresql:8181
     $ psql -h 127.0.0.1 -p 8181 -U mitchellh mydb
     >
  53. Native Integration Standard TLS Negligible Performance Overhead Requires Code Modification

  54. Code editor (Go):
     package main

     import (
     	"log"
     	"net/http"

     	"github.com/hashicorp/consul/api"
     	"github.com/hashicorp/consul/connect"
     )

     func main() {
     	// Create a Consul API client
     	client, _ := api.NewClient(api.DefaultConfig())

     	// Create an instance representing this service.
     	svc, _ := connect.NewService("my-service", client)
     	defer svc.Close()

     	// Creating an HTTP server that serves via Connect
     	server := &http.Server{
     		Addr:      ":8080",
     		TLSConfig: svc.ServerTLSConfig(),
     		// ... other standard fields
     	}

     	// Serve! The cert and key come from TLSConfig, so the file arguments are empty.
     	log.Fatal(server.ListenAndServeTLS("", ""))
     }
  55. Consul Connect
     - Service Access Graph. Intentions allow or deny communication of logical services.
     - Certificate Distribution. Standard TLS certificates with SPIFFE compatibility.
     - Application Integration. Native integrations or sidecar proxies.
  56. Conclusion

  57. Challenges of Traditional Networking
     - Insider threat
     - Too many entry points, especially with Cloud
     - All-or-nothing security

  58. Zero Trust Networking
     - Network access or IP does not grant access
     - Identity based access controls
     - Mutual TLS / PKI approaches like the public Internet

  59. Consul for Service Mesh
     - Service Discovery. Connect services with a dynamic registry
     - Service Configuration. Configure services with runtime configs
     - Service Segmentation. Secure services based on identity
  60. Thanks! Consul: https://consul.io @armon