
What, Why, and How of Zero-Trust Networking

Armon Dadgar
September 11, 2018


Traditional approaches to networking and security no longer work. Applications are adopting microservices patterns and organizations are embracing public clouds, which add new challenges to operating and securing our networks. The network perimeter used to be the best and last line of defense, but high-profile compromises keep happening. Zero-trust networking is the idea of treating the private network like the public Internet: untrusted and adversarial. In this talk, we cover what zero-trust networking means, why it matters for most organizations, and how it can be implemented using Consul.

Consul is a service mesh that focuses on service discovery, service configuration, and service segmentation. Segmentation is done using a "zero trust" approach, meaning we don't depend on trusted networks or IP addresses. Applications are provided TLS certificates which provide strong cryptographic identity, using the SPIFFE standard. Mutual TLS is used to ensure application identity is verified and all traffic encrypted over the wire. Applications are integrated either using transparent sidecars or with a native SDK.


Transcript

  1. Provision, secure and run any infrastructure
     (slide: the HashiCorp product suite, grouped into Provision Infrastructure, Secure Application Infrastructure and Run Applications; OSS tool suite (Vagrant, Packer, Terraform, Vault, Nomad, Consul) for individuals, Enterprise editions (Terraform Enterprise, Vault Enterprise, Nomad Enterprise, Consul Enterprise) for teams)
  2. Network Perimeter
     (diagram: services A, B, C, D behind a perimeter made of Firewalls, Web Application Firewall, Intrusion Detection, Intrusion Prevention, SIEM Systems, …)
  3. Defining Segmentation
     Splitting network into sub-networks
     Restricting communication between sub-networks
     Virtual LAN, Firewalls, Software Defined Networks
     Coarse Grained, Many Services
     (diagram: Network split into Segment A and Segment B)
  4. (diagram: an Attacker among several segments, each containing services A, B, C, D)
  5. Target Breached via HVAC
     HVAC connected to store network with WiFi
     Store network connected to Corporate network
     Production databases on Corporate network
     Attacker pivoted from network to network
  6. Weakness of Perimeter Security
     Insider threat is a major omission
     Multiple entry points, lots of firewall rules
     Cloud makes this harder, with API driven changes
     All-or-nothing security
  7. Software Defined Network
     Untrusted physical network
     Smaller trusted virtual networks
     Challenging to deploy, operate, and debug
     Performance penalty of traffic encapsulation
     Administration of complex network rules
     Requires highly available and scalable control plane
  8. Software Defined Firewall
     Untrusted physical network
     Firewall rules imposed at the edge
     Performance penalty for stateful firewalls
     Identity tied to source IP address
     Schedulers (Nomad or K8S) put multiple apps per IP
     Middleware (VPN, LB, NAT) re-write source IP
  9. Zero Trust Networking
     Untrusted physical network
     Identity based access imposed at the edge
     Assigning Application Identity
     Distribution of Certificates
     Enforcing Access Controls
  10. Service Mesh for Microservices
      Service Discovery. Connect services with a dynamic registry
      Service Configuration. Configure services with runtime configs
      Service Segmentation. Secure services based on identity
  11. Consul Usage
      Launched in 2014
      12K+ GitHub Stars
      1M+ Downloads monthly
      Customers running 50,000+ agents
  12. Service Access Graph
      Intentions to Allow/Deny Communication
      Source and Destination Service
      Scale Independent
      Managed with CLI, API, UI, Terraform
  13. Terminal:
      $ consul intention create -deny web '*'
      Created: web => * (deny)
      $ consul intention create -allow web db
      Created: web => db (allow)
  14. Code editor (service definition declaring an upstream for the sidecar proxy):
      {
        "service": "web",
        "connect": {
          "proxy": {
            "config": {
              "upstreams": [{
                "destination_name": "redis",
                "local_bind_port": 1234
              }]
            }
          }
        }
      }
  15. Terminal:
      $ consul connect proxy \
          -service web \
          -upstream postgresql:8181
      $ psql -h 127.0.0.1 -p 8181 -U mitchellh mydb
      >
  16. Code editor (native Go integration with Consul Connect):
      package main

      import (
          "net/http"

          "github.com/hashicorp/consul/api"
          "github.com/hashicorp/consul/connect"
      )

      func main() {
          // Create a Consul API client (errors are ignored here for slide brevity)
          client, _ := api.NewClient(api.DefaultConfig())

          // Create an instance representing this service.
          svc, _ := connect.NewService("my-service", client)
          defer svc.Close()

          // Creating an HTTP server that serves via Connect: the TLS config presents
          // the service's leaf certificate and verifies client certificates.
          server := &http.Server{
              Addr:      ":8080",
              TLSConfig: svc.ServerTLSConfig(),
              // ... other standard fields
          }

          // Serve! Empty cert/key paths because TLSConfig already supplies them.
          server.ListenAndServeTLS("", "")
      }
  17. Consul Connect
      Service Access Graph. Intentions allow or deny communication of logical services.
      Certificate Distribution. Standard TLS certificates with SPIFFE compatibility.
      Application Integration. Native integrations or side car proxies.
  18. Zero Trust Networking
      Network access or IP does not grant access
      Identity based access controls
      Mutual TLS / PKI approaches like public Internet
  19. Consul for Service Mesh
      Service Discovery. Connect services with a dynamic registry
      Service Configuration. Configure services with runtime configs
      Service Segmentation. Secure services based on identity