Slide 1

Slide 1 text

What, Why, and How of Zero-Trust Networking

Slide 2

Slide 2 text

Armon Dadgar, Founder and CTO, @armon

Slide 3

Slide 3 text

Provision, Secure and Run Any Infrastructure

[Diagram: product matrix. OSS tool suite, for individuals and for teams: Vagrant, Packer and Terraform (provision infrastructure), Vault and Consul (secure application infrastructure), Nomad (run applications). Product suite: Terraform Enterprise, Vault Enterprise, Consul Enterprise, Nomad Enterprise]

Slide 4

Slide 4 text

Traditional Networking

Slide 5

Slide 5 text

[Diagram: services A, B, C and D inside a network perimeter]

Slide 6

Slide 6 text

[Diagram: services A, B, C and D inside a network perimeter, with the perimeter controls listed: Firewalls, Web Application Firewall, Intrusion Detection, Intrusion Prevention, SIEM Systems, …]

Slide 7

Slide 7 text

[Diagram: services A, B, C and D inside a network perimeter]

Slide 8

Slide 8 text

[Diagram: services A, B, C and D inside a network perimeter]

Slide 9

Slide 9 text

[Diagram: services A, B, C and D inside a network perimeter]

Slide 10

Slide 10 text

Defining Segmentation
- Splitting a network into sub-networks
- Restricting communication between the sub-networks
- Implemented with virtual LANs, firewalls, software defined networks
- Coarse grained: many services per segment
[Diagram: a network split into Segment A and Segment B]

Slide 11

Slide 11 text

Problems with Traditional Networking

Slide 12

Slide 12 text

[Diagram: an attacker outside the perimeter; services A, B, C and D inside]

Slide 13

Slide 13 text

[Diagram: the attacker now occupies B's position inside the perimeter, alongside A, C and D]

Slide 14

Slide 14 text

[Diagram: services A, B, C and D]

Slide 15

Slide 15 text

[Diagram: three copies of the network, each with services A, C, D and B]

Slide 16

Slide 16 text

[Diagram: three copies of the network with services A, C, D and B; in the last copy an attacker has taken B's place]

Slide 17

Slide 17 text

Target Breached via HVAC
- HVAC system connected to the store network over WiFi
- Store network connected to the corporate network
- Production databases on the corporate network
- Attacker pivoted from network to network

Slide 18

Slide 18 text

Weakness of Perimeter Security
- Insider threat is a major omission
- Multiple entry points, lots of firewall rules
- Cloud makes this harder, with API-driven changes
- All-or-nothing security

Slide 19

Slide 19 text

Learning to Trust Again

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

[Diagram: permitted flows A -> B, C -> D and D -> C among services A, B, C and D]

Slide 22

Slide 22 text

[Diagram: permitted flows B -> D and A -> C among services A, B, C and D]

Slide 23

Slide 23 text

Re-asserting Trust
- Software Defined Networking
- Software Defined Firewall
- BeyondCorp / Zero Trust

Slide 24

Slide 24 text

Software Defined Network
- Untrusted physical network; smaller trusted virtual networks
- Challenging to deploy, operate and debug
- Performance penalty of traffic encapsulation
- Administration of complex network rules
- Requires a highly available and scalable control plane

Slide 25

Slide 25 text

Software Defined Firewall
- Untrusted physical network; firewall rules imposed at the edge
- Performance penalty for stateful firewalls
- Identity tied to source IP address
  - Schedulers (Nomad or K8S) put multiple apps per IP
  - Middleware (VPN, LB, NAT) re-writes the source IP

Slide 26

Slide 26 text

Zero Trust Networking
- Untrusted physical network; identity-based access imposed at the edge
- Assigning application identity
- Distribution of certificates
- Enforcing access controls

Slide 27

Slide 27 text

Implementing Zero Trust

Slide 28

Slide 28 text

Assigning Identity
[Diagram: service Web holds cert web.foo.com; service DB holds cert db.foo.com]

Slide 29

Slide 29 text

Establishing Mutual TLS
[Diagram: Web (cert web.foo.com) and DB (cert db.foo.com) establish a mutual TLS connection]

Slide 30

Slide 30 text

Authorization of Traffic
[Diagram: Web (cert web.foo.com) and DB (cert db.foo.com) are connected over mutual TLS; the remaining question is "Allow?"]

Slide 31

Slide 31 text

No content

Slide 32

Slide 32 text

Service Mesh for Microservices
- Service Discovery: connect services with a dynamic registry
- Service Configuration: configure services with runtime configs
- Service Segmentation: secure services based on identity

Slide 33

Slide 33 text

Consul Usage
- Launched in 2014
- 12K+ GitHub stars
- 1M+ downloads monthly
- Customers running 50,000+ agents

Slide 34

Slide 34 text

Public Users

Slide 35

Slide 35 text

Service Discovery
- Registry of nodes, services, checks
- DNS API
- HTTP API
- Web UI

Slide 36

Slide 36 text

No content

Slide 37

Slide 37 text

Service Configuration
- Hierarchical key/value store
- HTTP API
- Long-polling / edge trigger
- Locking

Slide 38

Slide 38 text

Consul Connect

Slide 39

Slide 39 text

Consul Connect
- Service Access Graph
- Certificate Distribution
- Application Integration

Slide 40

Slide 40 text

Service Access Graph
- Intentions to allow/deny communication
- Source and destination service
- Scale independent
- Managed with CLI, API, UI, Terraform

Slide 41

Slide 41 text

Terminal:

    $ consul intention create -deny web '*'
    Created: web => * (deny)
    $ consul intention create -allow web db
    Created: web => db (allow)
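As an added example (not from the slides and not Consul's own code), a small Go model of how the two intentions above combine: the more specific "web => db (allow)" wins over the wildcard "web => * (deny)", and a pair covered by no intention is refused. The specificity weights and the default-deny choice are assumptions made here to illustrate the zero-trust posture, not Consul's implementation.

```go
package main

import "fmt"

// Intention is one "source => destination (allow|deny)" rule from the service
// access graph; "*" matches any service.
type Intention struct {
	Source, Destination string
	Allow               bool
}

// specificity ranks how precisely an intention matches (src, dst). The weights
// are an assumption: an exact source outranks an exact destination, wildcards
// add nothing, and -1 means the intention does not apply to this pair.
func specificity(in Intention, src, dst string) int {
	if (in.Source != src && in.Source != "*") || (in.Destination != dst && in.Destination != "*") {
		return -1
	}
	score := 0
	if in.Source == src {
		score += 3
	}
	if in.Destination == dst {
		score += 2
	}
	return score
}

// Authorize applies the most specific matching intention. A pair no intention
// covers is denied; that default is chosen here as the zero-trust posture.
func Authorize(intentions []Intention, src, dst string) bool {
	best, allow := -1, false
	for _, in := range intentions {
		if s := specificity(in, src, dst); s > best {
			best, allow = s, in.Allow
		}
	}
	return best >= 0 && allow
}

func main() {
	// Constructed graph mirroring the two CLI commands on the slide.
	graph := []Intention{
		{Source: "web", Destination: "*", Allow: false},
		{Source: "web", Destination: "db", Allow: true},
	}
	for _, dst := range []string{"db", "redis"} {
		fmt.Printf("web => %s allowed: %v\n", dst, Authorize(graph, "web", dst))
	}
}
```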

Slide 42

Slide 42 text

No content

Slide 43

Slide 43 text

Certificate Distribution
- Transport Layer Security (TLS)
- Service identity
- Encryption of all traffic

Slide 44

Slide 44 text

Certificate Generation
- Automatic generation & rotation
[Diagram: the Client generates a key pair and sends a Certificate Signing Request to the Server, which signs the certificate]

Slide 45

Slide 45 text

Certificate Format
- X.509 certificate
- SPIFFE compatible
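An added Go example, not from the talk and not Consul's code, of the flow the last two slides describe: a CA signs the client's own key pair into an X.509 leaf whose identity is a SPIFFE URI SAN, and the receiving side reads the service name from that SAN rather than from the connection's source IP. The spiffe://<trust-domain>/svc/<service> path layout, the "example.consul" trust domain used in the test, the CA name and the lifetimes are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// NewCA is the signing "server" of the certificate-generation slide: a self-signed CA (constructed).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Connect CA (constructed)"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// IssueServiceCert signs a leaf for a client-generated key pair; its identity is spiffe://<trustDomain>/svc/<service> (layout assumed).
func IssueServiceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey, trustDomain, service string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		URIs:         []*url.URL{{Scheme: "spiffe", Host: trustDomain, Path: "/svc/" + service}},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(72 * time.Hour), // short-lived: rotation is automatic
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ServiceFromCert takes identity from the URI SAN, never from the source IP, and rejects other trust domains.
func ServiceFromCert(cert *x509.Certificate, trustDomain string) (string, bool) {
	for _, u := range cert.URIs {
		if u.Scheme == "spiffe" && u.Host == trustDomain && strings.HasPrefix(u.Path, "/svc/") {
			return strings.TrimPrefix(u.Path, "/svc/"), true
		}
	}
	return "", false
}
```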

Slide 46

Slide 46 text

Application Integration
- Consul client for service graph and certificates
- Sidecar proxies
- Native integrations

Slide 47

Slide 47 text

Sidecar Proxy Integration
- No code modification
- Minimal performance overhead
- Operational flexibility

Slide 48

Slide 48 text

Sidecar Proxies
[Diagram: on each node the Consul Client configures a Connect proxy that sits beside the App]

Slide 49

Slide 49 text

Pluggable Proxies
[Diagram: on each node the Consul Client configures Connect for the App, with the proxy implementation pluggable]

Slide 50

Slide 50 text

Code editor:

    {
      "service": "web",
      "connect": {
        "proxy": {
          "config": {
            "upstreams": [{
              "destination_name": "redis",
              "local_bind_port": 1234
            }]
          }
        }
      }
    }

Slide 51

Slide 51 text

[Diagram: the Consul Client configures the Connect proxy beside the App; the App connects to localhost:1234 and the proxy connects to the upstream redis]

Slide 52

Slide 52 text

Terminal:

    $ consul connect proxy \
        -service web \
        -upstream postgresql:8181
    $ psql -h 127.0.0.1 -p 8181 -U mitchellh mydb
    >

Slide 53

Slide 53 text

Native Integration
- Standard TLS
- Negligible performance overhead
- Requires code modification

Slide 54

Slide 54 text

Code editor:

    package main

    import (
        "net/http"

        "github.com/hashicorp/consul/api"
        "github.com/hashicorp/consul/connect"
    )

    func main() {
        // Create a Consul API client
        client, _ := api.NewClient(api.DefaultConfig())

        // Create an instance representing this service.
        svc, _ := connect.NewService("my-service", client)
        defer svc.Close()

        // Create an HTTP server that serves via Connect: the TLS config carries
        // this service's certificate and the Connect CA roots used to verify peers.
        server := &http.Server{
            Addr:      ":8080",
            TLSConfig: svc.ServerTLSConfig(),
            // ... other standard fields
        }

        // Serve! Empty cert and key paths: the certificate comes from TLSConfig.
        server.ListenAndServeTLS("", "")
    }

Slide 55

Slide 55 text

Consul Connect
- Service Access Graph: intentions allow or deny communication between logical services.
- Certificate Distribution: standard TLS certificates with SPIFFE compatibility.
- Application Integration: native integrations or sidecar proxies.

Slide 56

Slide 56 text

Conclusion

Slide 57

Slide 57 text

Challenges of Traditional Networking
- Insider threat
- Too many entry points, especially with cloud
- All-or-nothing security

Slide 58

Slide 58 text

Zero Trust Networking
- Network access or IP does not grant access
- Identity-based access controls
- Mutual TLS / PKI approaches, like the public Internet

Slide 59

Slide 59 text

Consul for Service Mesh
- Service Discovery: connect services with a dynamic registry
- Service Configuration: configure services with runtime configs
- Service Segmentation: secure services based on identity

Slide 60

Slide 60 text

Thanks!
Consul: https://consul.io
@armon