What, Why, and How of Zero-Trust Networking

Armon Dadgar
September 11, 2018

Traditional approaches to networking and security no longer work. Applications are adopting microservices patterns and organizations are embracing public clouds, which add new challenges to operating and securing our networks. The network perimeter used to be the best and last line of defense, but high-profile compromises keep happening. Zero-trust networking is the idea of treating the private network like the public Internet: untrusted and adversarial. In this talk, we cover what zero-trust networking means, why it matters for most organizations, and how it can be implemented using Consul.

Consul is a service mesh that focuses on service discovery, service configuration, and service segmentation. Segmentation is done using a "zero trust" approach, meaning we don't depend on trusted networks or IP addresses. Applications are provided TLS certificates which provide strong cryptographic identity, using the SPIFFE standard. Mutual TLS is used to ensure application identity is verified and all traffic encrypted over the wire. Applications are integrated either using transparent sidecars or with a native SDK.

Transcript

  1. What, Why, and How of Zero-Trust Networking

  2. Armon Dadgar
    Founder and CTO
    @armon

  3. PROVISION, SECURE AND RUN ANY INFRASTRUCTURE
    OSS tool suite (for individuals): Vagrant, Packer, Terraform (provision infrastructure); Vault (secure application infrastructure); Nomad, Consul (run applications)
    Product suite (for teams): Terraform Enterprise, Vault Enterprise, Consul Enterprise, Nomad Enterprise

  4. Traditional Networking

  5. Diagram: services A, B, C, D inside the Network Perimeter

  6. Diagram: services A, B, C, D inside the Network Perimeter, protected by:
    Firewalls
    Web Application Firewall
    Intrusion Detection
    Intrusion Prevention
    SIEM Systems

  7. Diagram: services A, B, C, D inside the Network Perimeter (same diagram as slide 5)

  8. Diagram: services A, B, C, D inside the Network Perimeter (same diagram as slide 5)

  9. Diagram: services A, B, C, D inside the Network Perimeter (same diagram as slide 5)

  10. Defining Segmentation
    Splitting network into sub-networks
    Restricting communication between sub-networks
    Virtual LAN, Firewalls, Software Defined Networks
    Coarse Grained, Many Services
    Diagram: a Network split into Segment A and Segment B

  11. Problems with
    Traditional Networking

  12. Diagram: an Attacker outside a network of services A, B, C, D

  13. Diagram: the Attacker has taken the place of service B, alongside A, C, D

  14. Diagram: services A, B, C, D

  15. Diagram: three networks, each containing services A, B, C, D

  16. Diagram: three networks of services A, B, C, D, with the Attacker in place of B in the last one

  17. Target Breached via HVAC
    HVAC connected to store network with WiFi
    Store network connected to Corporate network
    Production databases on Corporate network
    Attacker pivoted from network to network

  18. Weakness of Perimeter Security
    Insider threat is a major omission
    Multiple entry points, lots of firewall rules
    Cloud makes this harder, with API driven changes
    All-or-nothing security

  19. Learning to Trust Again

  21. Diagram: services A, B, C, D with the allowed flows A -> B, C -> D, D -> C

  22. Diagram: services A, B, C, D with the allowed flows B -> D, A -> C

  23. Re-asserting Trust
    Software Defined Networking
    Software Defined Firewall
    Beyond Corp / Zero Trust

  24. Software Defined Network
    Untrusted physical network
    Smaller trusted virtual networks
    Challenging to deploy, operate, and debug
    Performance penalty of traffic encapsulation
    Administration of complex network rules
    Requires highly available and scalable control plane

  25. Software Defined Firewall
    Untrusted physical network
    Firewall rules imposed at the edge
    Performance penalty for stateful firewalls
    Identity tied to source IP address
    Schedulers (Nomad or K8S) put multiple apps per IP
    Middleware (VPN, LB, NAT) re-write source IP

  26. Zero Trust Networking
    Untrusted physical network
    Identity based access imposed at the edge
    Assigning Application Identity
    Distribution of Certificates
    Enforcing Access Controls

  27. Implementing Zero Trust

  28. Assigning Identity
    Diagram: Web (Cert: web.foo.com) and DB (Cert: db.foo.com)

  29. Establishing Mutual TLS
    Diagram: Web (Cert: web.foo.com) <-- Mutual TLS --> DB (Cert: db.foo.com)

  30. Authorization of Traffic
    Diagram: Web (Cert: web.foo.com) <-- Mutual TLS --> DB (Cert: db.foo.com), with DB asking "Allow?"

  32. Service Mesh for Microservices
    Service Discovery. Connect services with a dynamic registry
    Service Configuration. Configure services with runtime configs
    Service Segmentation. Secure services based on identity

  33. Consul Usage
    Launched in 2014
    12K+ GitHub Stars
    1M+ Downloads monthly
    Customers running 50,000+ agents

  34. Public Users

  35. Service Discovery
    Registry of Nodes, Services, Checks
    DNS API
    HTTP API
    Web UI

  37. Service Configuration
    Hierarchical Key/Value Store
    HTTP API
    Long-polling / Edge trigger
    Locking

  38. Consul Connect

  39. Consul Connect
    Service Access Graph
    Certificate Distribution
    Application Integration

  40. Service Access Graph
    Intentions to Allow/Deny Communication
    Source and Destination Service
    Scale Independent
    Managed with CLI, API, UI, Terraform

  41. Terminal:
    $ consul intention create -deny web '*'
    Created: web => * (deny)
    $ consul intention create -allow web db
    Created: web => db (allow)

  43. Certificate Distribution
    Transport Layer Security (TLS)
    Service Identity
    Encryption of all traffic

  44. Certificate Generation
    Automatic Generation & Rotation
    Diagram: the Client generates a key pair and sends a Certificate Signing Request; the Server signs the certificate

  45. Certificate Format
    X.509 Certificate
    SPIFFE Compatible

  46. Application Integration
    Consul Client for Service Graph and Certificates
    Sidecar Proxies
    Native Integrations

  47. Sidecar Proxy Integration
    No Code Modification
    Minimal Performance Overhead
    Operational Flexibility

  48. Sidecar Proxies
    Diagram: on each host the Consul Client configures a Proxy that sits beside the App; the two Proxies connect to each other

  49. Pluggable Proxies
    Diagram: the same layout as the sidecar slide, with the proxy slot beside each App left open for a pluggable proxy

  50. Code editor:
    {
      "service": "web",
      "connect": {
        "proxy": {
          "config": {
            "upstreams": [{
              "destination_name": "redis",
              "local_bind_port": 1234
            }]
          }
        }
      }
    }

  51. Diagram: the App connects to localhost:1234; the Consul Client configures the Proxy, which connects to the upstream redis service

  52. Terminal:
    $ consul connect proxy \
        -service web \
        -upstream postgresql:8181
    $ psql -h 127.0.0.1 -p 8181 -U mitchellh mydb
    >

  53. Native Integration
    Standard TLS
    Negligible Performance Overhead
    Requires Code Modification

  54. Code editor:
    package main

    import (
        "log"
        "net/http"

        "github.com/hashicorp/consul/api"
        "github.com/hashicorp/consul/connect"
    )

    func main() {
        // Create a Consul API client
        client, _ := api.NewClient(api.DefaultConfig())
        // Create an instance representing this service.
        svc, _ := connect.NewService("my-service", client)
        defer svc.Close()
        // Create an HTTP server that serves via Connect; the TLS config
        // supplies the service certificate, so no cert/key files are passed below.
        server := &http.Server{
            Addr:      ":8080",
            TLSConfig: svc.ServerTLSConfig(),
            // ... other standard fields
        }
        // Serve!
        log.Fatal(server.ListenAndServeTLS("", ""))
    }

  55. Consul Connect
    Service Access Graph. Intentions allow or deny communication of
    logical services.
    Certificate Distribution. Standard TLS certificates with SPIFFE
    compatibility.
    Application Integration. Native integrations or side car proxies.

  56. Conclusion

  57. Challenges of Traditional Networking
    Insider Threat
    Too many entry points, especially with Cloud
    All-or-nothing security

  58. Zero Trust Networking
    Network access or IP does not grant access
    Identity based access controls
    Mutual TLS / PKI approaches like public Internet

  59. Consul for Service Mesh
    Service Discovery. Connect services with a dynamic registry
    Service Configuration. Configure services with runtime configs
    Service Segmentation. Secure services based on identity

  60. Thanks!
    Consul: https://consul.io
    @armon
