Slide 1

WHAT'S MTLS?
Oh and wait, how does that relate to Docker?
wott.io @vpetersson

Slide 2

OUTLINE
What's mTLS?
Our use case/scenario
Demo (all praise thy mighty demo gods)
Recap

Slide 3


Slide 4

WHAT'S WOTT?
Security tool for developers
Provides cryptographic identity (x509)
Ongoing security audit of fleet
A security dashboard
Workflow integrations (Github, Slack etc) (DevSecOps)

Slide 5

THE SCENARIO
We have clients (workstation/server/container)
that need to talk to our API securely
We don't want to use regular credentials

Slide 6

THE SCENARIO
(architecture diagram; labels: Nginx, App, App, Client, Client)

Slide 7

CONCEPTS OVERVIEW
TLS vs Mutual TLS
Zero Trust Networking vs Perimeter based security
Public Key Infrastructure (PKI) and root of trust

Slide 8

HOW TLS WORKS

Slide 9

HOW MUTUAL TLS WORKS

Slide 10

PERIMETER SECURITY VS ZERO TRUST
Perimeter based security
  Defend the moat with firewall(s)
  Example: Infra from the 90s
Zero Trust Networking
  Assume everything is hostile (even internal traffic)
  Encrypt and verify everything
  Example: Istio and BeyondCorp
Read "Zero Trust Networks" by Doug Barth and Evan Gilman for more details

Slide 11

PUBLIC KEY INFRASTRUCTURE (PKI)
Where you get your SSL certificates
Let's Encrypt, Comodo, Verisign
Browsers trust "public CAs"*
The CA is your "root of trust"
Roll your own or use an existing CA (like WoTT)
* This is a bit complicated and out of scope

Slide 12


Slide 13

TODAY'S GOAL
Use Mutual TLS (mTLS) for transport layer
Rotate the keys periodically in an automated fashion*
Access control using cryptographic identity
No use of API keys or username+password
* Performed automatically by the WoTT Agent

Slide 14

INFRA SETUP
Preparation before the talk
Spun up a small VM on GCE
Docker Compose for setting up containers
  Nginx
  App server (Django App)
SSL cert from Let's Encrypt
We will use WoTT's PKI, but you can also roll your own

Slide 15

APP OVERVIEW
Python/Django app
Uses HTTP headers from Nginx for access control
This is a PoC with known attack vectors, so don't blindly use this in production as-is

Slide 16

ACCESS CONTROL OVERVIEW

Slide 17

DEPLOYING OUR APP

Slide 18

DEPLOYING OUR APP
$ docker-compose up
[...]
We're going to use dockerlon.vpetersson.com

Slide 19

CURL ALL DA THINGZ
$ curl -I https://dockerlon.vpetersson.com/api/
HTTP/2 403
[...]

Slide 20


Slide 21

ACCESS CONTROL OVERVIEW

Slide 22

NGINX MAGIC

Slide 23

ONTO THE CLIENT (DEMO)

Slide 24

DEMO GOD

Slide 25


Slide 26

CURL ALL DA THINGZ
$ sudo curl -s \
    --key /opt/wott/certs/client.key \
    --cert /opt/wott/certs/client.crt \
    https://dockerlon.vpetersson.com/api/ | jq
{
  "msg": "You shall not pass!"
}

Slide 27


Slide 28

ACCESS CONTROL OVERVIEW

Slide 29

APP MAGIC
THIS IS A PROOF OF CONCEPT. DON'T USE IN PRODUCTION.

Slide 30

WHITELIST THE DEVICE

Slide 31

WHO AM I?
$ sudo wott-agent whoami
x.d.wott.local

Slide 32


Slide 33

CURL ALL DA THINGZ
$ sudo curl \
    --key /opt/wott/certs/client.key \
    --cert /opt/wott/certs/client.crt \
    https://dockerlon.vpetersson.com/api/ | jq
{
  "msg": "Welcome x.d.wott.local. We've been expecting you."
}
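The access-control chain the demo walks through (no cert: nginx answers 403; valid cert but device not whitelisted: the app says "You shall not pass!"; device whitelisted: the app welcomes it by its certificate identity), modelled as an added example. This is not code from the talk or from the django-mtls project. The header name X-Client-Cert-CN, the proxy address, the "SUCCESS"/"NONE" verify strings (modelled on nginx's $ssl_client_verify) and the request values are all constructed assumptions. It also shows the caveat the "APP OVERVIEW" slide flags: a view that trusts a proxy-set header is only sound if the app can be sure the request came through the proxy, so a hardened variant checks the source address before believing the header.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample values (not from the talk): the device identity the demo's
# `wott-agent whoami` printed, plus the header and proxy names this example assumes.
DEVICE_ID = "x.d.wott.local"
CN_HEADER = "X-Client-Cert-CN"   # assumed header name set by nginx's proxy_set_header
PROXY_ADDR = "172.18.0.2"        # assumed address of the nginx container on the compose network


@dataclass
class Request:
    """What the app sees for one request: source address, headers, and
    (if nginx already answered) the status nginx returned."""
    remote_addr: str
    headers: Dict[str, str] = field(default_factory=dict)
    status: int = 200
    body: Dict[str, str] = field(default_factory=dict)


def nginx_front_door(verify: str, client_cn: Optional[str],
                     client_headers: Optional[Dict[str, str]] = None) -> Request:
    """Model of the reverse-proxy hop.

    nginx terminates mTLS; `verify` stands in for $ssl_client_verify, which is
    "SUCCESS" only when the presented certificate chains to the configured CA.
    Without a valid cert nginx answers 403 itself (what the curl without --cert
    saw). With one, it proxies to the app and sets the identity header from the
    verified certificate, overwriting any copy the client supplied.
    """
    if verify != "SUCCESS" or not client_cn:
        return Request(remote_addr=PROXY_ADDR, status=403, body={"msg": "Forbidden"})
    headers = dict(client_headers or {})
    headers[CN_HEADER] = client_cn   # always overwrite, never merge
    return Request(remote_addr=PROXY_ADDR, headers=headers)


def app_view_poc(request: Request, whitelist: Set[str]) -> Dict[str, str]:
    """The PoC-style view: trusts the identity header and checks it against the whitelist."""
    cn = request.headers.get(CN_HEADER)
    if cn is None or cn not in whitelist:
        return {"msg": "You shall not pass!"}
    return {"msg": f"Welcome {cn}. We've been expecting you."}


def app_view_hardened(request: Request, whitelist: Set[str],
                      trusted_proxies: Set[str]) -> Dict[str, str]:
    """Same check, but the header is only believed when the request arrived
    from nginx; anything that reached the app another way is unauthenticated
    no matter what headers it carries."""
    if request.remote_addr not in trusted_proxies:
        return {"msg": "You shall not pass!"}
    return app_view_poc(request, whitelist)


def walk_through() -> Dict[str, object]:
    """Replays the demo's curl calls and the bypass case the PoC caveat is about."""
    whitelist: Set[str] = set()
    results: Dict[str, object] = {}

    # No client certificate: nginx returns 403 before the app runs.
    r = nginx_front_door("NONE", None)
    results["no_cert"] = r.status

    # Valid cert, device not yet whitelisted: the app says no.
    r = nginx_front_door("SUCCESS", DEVICE_ID)
    results["cert_not_whitelisted"] = app_view_poc(r, whitelist)["msg"]

    # Whitelist the device; the same request is now welcomed.
    whitelist.add(DEVICE_ID)
    results["cert_whitelisted"] = app_view_poc(r, whitelist)["msg"]

    # The caveat: a request that reaches the app without passing through nginx
    # carries whatever headers it likes. The PoC view believes the header; the
    # hardened view rejects it because the source is not the proxy.
    direct = Request(remote_addr="10.0.0.99", headers={CN_HEADER: DEVICE_ID})
    results["bypass_poc"] = app_view_poc(direct, whitelist)["msg"]
    results["bypass_hardened"] = app_view_hardened(direct, whitelist, {PROXY_ADDR})["msg"]

    # Through nginx, a client-supplied header is overwritten by the verified CN,
    # so a non-whitelisted device cannot present itself as a whitelisted one.
    r2 = nginx_front_door("SUCCESS", "other.d.wott.local", {CN_HEADER: DEVICE_ID})
    results["header_overwritten"] = app_view_hardened(r2, whitelist, {PROXY_ADDR})["msg"]
    return results


if __name__ == "__main__":
    for name, value in walk_through().items():
        print(f"{name}: {value}")
```

The design point is the split of responsibilities: nginx is the only component that sees the certificate, so it is the only component allowed to write the identity header, and the app must be able to tell that a request actually came from nginx (the compose network keeping the app unreachable from outside, or a source-address check as above) before it trusts that header.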

Slide 34

ACCESS CONTROL OVERVIEW

Slide 35


Slide 36

CONCLUSION
mTLS doesn't have to be scary
Easier and more secure than passwords
Credential rotation built-in
The foundation of Zero Trust Networking

Slide 37

GET IN TOUCH
Check out our agent: mTLS and CVE audit of your nodes
Ping us at [email protected] or visit wott.io

Slide 38

REFERENCES
https://github.com/vpetersson/django-mtls
https://wott.io/blog/tutorials/2019/07/15/mtls-with-nginx
https://tools.ietf.org/html/draft-ietf-oauth-mtls-17

Slide 39

Where's the bar?