
DevOps Exchange London – Network Security at Monzo

Oliver Beattie

January 26, 2017

Transcript

  1. Oliver Beattie @obeattie Head of Engineering, Monzo

  2. None
  3. None
  4. None
  5. None
  6. None
  7. Pre-application: 9 months
     Application: 6 months
     Mobilisation: 4–8 months

  8. Isolation Authentication

  9. Isolation Authentication

  10. k8s-master Availability Zone A Availability Zone B Availability Zone C

    admin user data k8s-worker dmz
  11. k8s-master Availability Zone A Availability Zone B Availability Zone C

    k8s-worker dmz
  12. None
  13. None
  14. +

  15. apiVersion: extensions/v1beta1
      kind: NetworkPolicy
      metadata:
        name: com.monzo.mastercard.proxy
      spec:
        # Pods this policy applies to: the prod MasterCard proxy
        podSelector:
          matchLabels:
            stage: prod
            routing-name: com.monzo.mastercard.proxy
        # Only the prod MasterCard processor may reach it, and only on TCP/80
        ingress:
        - from:
          - podSelector:
              matchLabels:
                stage: prod
                routing-name: com.monzo.mastercard.processor
          ports:
          - protocol: TCP   # protocol names are upper-case (TCP/UDP)
            port: 80
  16. “Cluster-aware” netfilter/iptables under the hood
      Filtering at “both ends”
      No control over egress
      Only understands TCP/UDP
      Proxies
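As an added illustration, not part of the talk: a small evaluator of the ingress semantics behind the slide-15 policy (label values taken from that slide, the policy embedded as a dict so it runs without a YAML library). It also shows the “no control over egress” point: a pod that no policy selects accepts anything, so the proxy can still reach such pods freely.

```python
# Added example (not from the talk): minimal NetworkPolicy ingress evaluator.
# Pods are modelled only by their labels; only podSelector peers are handled.
POLICY = {
    "apiVersion": "extensions/v1beta1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "com.monzo.mastercard.proxy"},
    "spec": {
        "podSelector": {"matchLabels": {
            "stage": "prod", "routing-name": "com.monzo.mastercard.proxy"}},
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {
                "stage": "prod",
                "routing-name": "com.monzo.mastercard.processor"}}}],
            "ports": [{"protocol": "TCP", "port": 80}],
        }],
    },
}


def selects(selector, labels):
    """matchLabels semantics: every selector key/value must be on the pod."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policies, src, dst, protocol, port):
    """Is traffic src -> dst on protocol/port allowed?

    A pod selected by no policy is not isolated and accepts everything.
    A pod selected by at least one policy only accepts traffic that some
    ingress rule explicitly permits (peer AND port must match).
    """
    applicable = [p for p in policies if selects(p["spec"]["podSelector"], dst)]
    if not applicable:
        return True
    for p in applicable:
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from", [])
            ports = rule.get("ports", [])
            # An empty 'from' means any source; an empty 'ports' means any port.
            peer_ok = not peers or any(
                "podSelector" in f and selects(f["podSelector"], src) for f in peers)
            port_ok = not ports or any(
                pt.get("protocol", "TCP") == protocol and pt.get("port") == port
                for pt in ports)
            if peer_ok and port_ok:
                return True
    return False
```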
  17. Isolation Authentication

  18. Host A Host B Service A linkerd Service B linkerd

  19. Host A Host B Service A linkerd Service B linkerd

  20. Host A Host B Service A linkerd Service B linkerd

    CA CA CA Vault
  21. Secret management
      Message signing
      Transaction authorisation
      Secure build
      Audit logging
      WAN tunnels
  22. IPSec StrongSwan (IPSec) Hardware VPN device Services Services Services AWS

    Co-location Third parties
  23. monzo.com/careers

  24. & Questions

  25. @obeattie