$30 off During Our Annual Pro Sale. View Details »

The Top 10 List of Istio Security Risks and Mitigation Strategies

José Carlos Chávez
April 21, 2023
Programming
0
140

The Top 10 List of Istio Security Risks and Mitigation Strategies

CNCF is developing its first ever Top 10 list of security risks facing Istio deployments. As a community-driven effort, it draws on the expertise of a wide range of security professionals and cloud native computing experts to ensure the list reflects the most current and relevant security risks facing cloud native applications.

The Top 10 will help organizations prioritize their security efforts and focus on the most significant security risks that they may face. By understanding and addressing these risks, organizations can better protect against malicious attacks, data breaches, and other security incidents.

In this talk we'll cover what's in the list, the selection criteria for it, and discuss strategies organizations should take to mitigate these critical risks to cloud native computing security.

José Carlos Chávez

April 21, 2023
Tweet

More Decks by José Carlos Chávez

See All by José Carlos Chávez
Web Application Firewalls Revisited
jcchavezs
0
11
Coraza Web Application Firewall
jcchavezs
0
23
Fine-Grained Policies are back with NGAC
jcchavezs
0
17
Securing Modern Apps with Zero Trust and Next-Gen Web Application Firewall
jcchavezs
0
35
CGO journey: from using to understanding it
jcchavezs
0
93
Sistemas Distribuidos
jcchavezs
2
76
What do users get out of Observability
jcchavezs
0
130
Distributed Tracing: Understand how your components work together - BuildStuffUA 2019
jcchavezs
1
140
Observability of Distributed Systems
jcchavezs
1
110

Other Decks in Programming

See All in Programming
ニフティ開発インターンで使うAWS環境をできるだけ楽に構築した話 (LT) - NIFTY Tech Day 2023
niftycorp
0
100
君たちはどうプログラミングするか
tanakahisateru
7
880
B2B SaaSでSpringSecurityによる Roleを用いたユーザー権限設定の 実装について
rakus_dev
1
180
文系出身・開発未経験エンジニアが 入社から5年間で実践した学習法 〜エンジニアの世界で圧倒的に成長するために〜 (LT) - NIFTY Tech Day 2023
niftycorp
1
120
第42回ロボティクス勉強会:実環境を手軽にシミュレータ環境に持ってくるpointcloud2gazebo
atinfinity
0
910
機械学習ソフトウェアにおけるテスト手法
hitsuji1991
PRO
2
960
ニジエチューニング2023-12
nijieinfra
0
130
ちょうぜつ本の紹介 (クリーンアーキテクチャとパッケージ原則)
suzukimar
0
270
OpenTelemetry の Trace を中心としたパフォーマンス改善
rmatsuoka
0
440
Visually experience the beauty of mathematics with p5.js
clown0082
0
1.6k
From Spring Boot 2 to Spring Boot 3 with Java 21 and Jakarta EE
ivargrimstad
0
720
Intro to Stateful Services or How to get 1 million RPS from a single node
antyadev
0
130

Featured

See All Featured
Designing on Purpose - Digital PM Summit 2013
jponch
108
6.2k
GitHub's CSS Performance
jonrohan
1021
440k
A Tale of Four Properties
chriscoyier
150
22k
How GitHub (no longer) Works
holman
299
140k
Gamification - CAS2011
davidbonilla
75
4.4k
The Illustrated Children's Guide to Kubernetes
chrisshort
26
45k
Faster Mobile Websites
deanohume
296
29k
Automating Front-end Workflow
addyosmani
1354
200k
VelocityConf: Rendering Performance Case Studies
addyosmani
319
23k
The World Runs on Bad Software
bkeepers
PRO
59
6.2k
Atom: Resistance is Futile
akmur
257
24k
Building Applications with DynamoDB
mza
87
5.3k

Transcript

  1. TOP TEN ISTIO SECURITY
    RISKS AND MITIGATION
    STRATEGIES

    View Slide

  2. SOFTWARE ENGINEER @ TETRATE
    José Carlos
    Chávez
    ● Open source enthusiast
    ● OWASP Coraza Co-leader
    ● Zipkin core member
    ● Loving father
    @jcchavezs

    View Slide

  3. SECURITY RISKS AND
    MITIGATION STRATEGIES
    MITIGATION STRATEGIES: Dealing with risks
    1. assume and accept risk
    2. avoidance of risk
    3. controlling risk
    4. transference of risk
    5. watch and monitor risk
    SECURITY RISKS: Likelihood + Impact
    ● how easy is it for attackers to carry out an
    attack? Does it take a skilled adversary?
    how cheap it is to launch attacks?
    ● how sensitive are the systems likely to be
    affected, how valuable and sensitive is the
    target data? is it hard to recover the data?
    @jcchavezs

    View Slide


  4. Isn’t Istio secure by default?
    @jcchavezs

    View Slide

  5. Security is a combination of multiple
    protection mechanism on multiple levels
    Security layers
    Underlying
    infrastructure
    Kubernetes platform Istio service mesh Applications
    @jcchavezs

    View Slide

  6. THREAT
    ACTORS
    INTERNAL ATTACKER
    An entity with some level of
    privilege that would seek to
    exceed one or more trust
    boundaries.
    CONTRIBUTORS TO ISTIO
    Contributors could harm Istio by
    attempting to intentionally
    introduce vulnerable code and
    subsequently exploit it.
    CONTRIBUTORS TO 3RD-PARTY DEPS
    Istio's dependencies may be used
    by malicious attackers to exceed
    their trust boundaries in Istio.
    UNTRUSTED USERS
    Users with the lowest level of
    privilege of Istio's threat actors
    and may seek to cause harm by
    exceeding their trust boundaries.
    6
    @jcchavezs

    View Slide

  7. View Slide

  8. I01: INSECURE
    COMMUNICATION
    Insecure communication can pose a significant security
    threat: on-path attacks, spoofing, credential stuffing, brute
    force, phishing, malicious API requests, etc.
    ● The Istio permissive security setting is useful but
    insecure as it accepts plaintext and encrypted traffic.
    ● A strict security setting would force all
    communication to be secure
    Mitigation:
    ● Enable mTLS through a PeerAuthentication policy on
    namespace or wide mesh (istio-system namespace).
    ● If permissive mode is required, use
    AuthorizationPolicy to restrict traffic on plaintext.
    @jcchavezs

    View Slide

  9. I02: UNSAFE
    AUTHORIZATION
    PATTERNS
    Istio allows fine-grained authn policies to connections
    between workloads using the AuthorizationPolicy
    ...
    spec:
    action: ALLOW
    rules:
    - to:
    - operation:
    notPaths: ["/private"]
    Mitigation
    ● Use default-deny patterns: your system denies all
    requests by default
    ● Use ALLOW-with-positive-matching and
    DENY-with-negative-match patterns
    @jcchavezs

    View Slide

  10. I03: WEAK
    SERVICE
    ACCOUNT AUTHN
    @jcchavezs
    One of the most important principles of computer security
    is the least privilege principle: A user should have no more
    access privileges than what is necessary for their task.
    ● init_container has permissions to create network
    policies
    ● Bypass outboundTrafficPolicy by impersonating
    the istio-proxy user (UID 1337)
    ● Usage of first-party-jwt.
    Mitigation
    - Use Istio CNI plugin to avoid requiring privileges like
    NET_ADMIN capability.
    - Require containers inside pods to run as non root using
    MustRunAsNonRoot
    - Use third-party-jwt to restrict its usage to sidecar

    View Slide

  11. I04: BROKEN
    OBJECT LEVEL
    AUTHZ (BOLA)
    Istio provides AuthorizationPolicy to perform checks
    on HTTP headers and the path, Kubernetes metadata (origin
    and destination services) as well as validating JWTs.
    ● Can’t access to al JWT’s fields
    ● Policies get out of sync with architecture
    Mitigation
    ● All access decisions have to be based on least-privilege
    principles, per-request, context-based, and on
    identities.
    ● Use rich model policies like NGAC or OPA for
    declarative, domain-compatible policies.
    @jcchavezs

    View Slide

  12. I05: SUPPLY
    CHAIN
    VULNERABILITIES
    Istio itself uses several open-source components and
    third-party code (e.g. Envoy and Prometheus) but a typical
    istio deployment include several images from different
    sources. Some of the risk are:
    ● Image Integrity
    ● Image Composition
    ● Known Software Vulnerabilities
    Mitigation
    ● Image scanning
    ● Image Composition & Software Bill of Materials (SBOM)
    ● Image Signing
    ● Curated registry
    ● Web Application Firewall
    @jcchavezs

    View Slide

  13. I06: INGRESS
    TRAFFIC
    CAPTURE
    LIMITATIONS
    Istio sidecar is supposed to hook inbound and outbound
    traffic in the pod, however:
    ● It does not support UDP traffic, so traffic will be passed
    to services inside the Pod.
    ● Inbound capture is disabled on ports used by the
    sidecar (including port 22)
    Mitigation
    ● For control of UDP traffic, use Kubernetes
    NetworkPolicy at ingress.
    @jcchavezs

    View Slide

  14. I07: EGRESS
    TRAFFIC
    CAPTURE
    LIMITATIONS
    Istio cannot securely enforce that all egress traffic actually
    flows through the egress gateways, meaning that it can not
    enforce calls to be done to known destinations.
    Mitigation
    ● Kubernetes NetworkPolicy for egress
    ● Istio’s egress restrictions (e.g.
    outboundTrafficPolicy: REGISTRY_ONLY),
    ● Runtime checks on linux system calls (e.g. falco)
    @jcchavezs

    View Slide

  15. I08: SECURITY
    OBSERVABILITY
    AND MONITORING
    FAILURES
    Security observability and monitoring are critical
    components, however, incorrect collection, processing or
    reporting of such data can pose significant risks to the
    security.
    ● Log level paradox
    ● Insufficient or inadequate audit logs
    ● Lack of context
    Mitigation
    ● Ensure access logs and error logs are emitted.
    ● Implement a org-wide log format
    ● Log data should be encoded/redacted correctly
    ● Ensure high-value transactions have an audit trail
    ● Establish an incident response and recovery plan
    @jcchavezs

    View Slide

  16. I09: VULNERABLE
    ISTIO VERSIONS
    Using an outdated Istio version can pose significant
    security risks, as older versions may contain known
    vulnerabilities that have been addressed in later versions.
    Some of the disclosed attacks are:
    ● (DoS) attacks
    ● CVEs
    ● Bypass of Istio policies
    ● Cryptographic
    Mitigation
    ● Use compliant Istio distributions e.g. Tetrate Istio Distro
    ● Track CVE databases and Istio Security Bulletins
    ● Web Application Firewall
    @jcchavezs

    View Slide

  17. I10: WHAT IS
    YOUR SECURITY
    RISK?
    Come by and participate
    https://forms.gle/6vmLq5LkjKYXcQVz8
    @jcchavezs

    View Slide

  18. CONCLUSIONS
    ● Most of the security risks are related to configuration
    mistakes.
    ● Prefer being explicit over relying on default, sometimes
    “auto” capabilities.
    ● No single component or function will be sufficient to
    achieve a good level of security alone, but collectively
    they need to enforce security patterns across all layers
    in the infrastructure.
    ● Policies have to be defined based on the assumption
    that the attacker is already inside the network.
    @jcchavezs

    View Slide

  19. For any further queries, feel free to contact me at [email protected]
    Thank you everyone.
    jcchavezs jcchavezs www.tetrate.io
    Gracias, mamá.

    View Slide

  20. References
    Sysdig 2023 Cloud‑Native
    Security and Usage Report
    Istio Security Audit - Ada
    Logics 2022
    https://istio.io/latest/blog/2023/ada-logics-security-assessment/
    NIST SP 800-207A: A Zero Trust Architecture (ZTA) Model for Access Control in Cloud Native Applications in
    Multi-Location Environments
    State of Service Mesh
    Market 2022 - Tetrate
    https://tetrate.io/tetrate-service-mesh-survey-2022/
    https://sysdig.com/blog/2023-cloud-native-security-usage-report/
    @jcchavezs

    View Slide

  21. References
    2022 Service Mesh
    Adoption Survey
    State of Kubernetes
    security report - Redhat,
    2022
    https://www.redhat.com/en/resources/state-kubernetes-security-report
    https://www.solo.io/resources/report/2022-service-mesh-adoption-survey/
    @jcchavezs

    View Slide

  22. TOP TEN ISTIO SECURITY
    RISKS AND MITIGATION
    STRATEGIES

    View Slide