Upgrade to Pro — share decks privately, control downloads, hide ads and more …

What's mtLS? @ Docker London

Viktor Petersson
November 27, 2019
Technology
0
350

What's mtLS? @ Docker London

Mutual TLS, or mTLS, is a widely used standard for improving the security for authentication. It's an extension of TLS, which is used for HTTPS, but in addition to the client verifying that the server, the server also verifies that the client.

mTLS is already widely used and is the cornerstone of the Zero Trust Networking movement, but how does it work? In this talk, we will go over the fundamentals of mTLS and create a simple web app that users mTLS as the authentication method. We will use technologies like Docker and Nginx to accomplish this, show the benefits over traditional authentication methods (such as API keys and passwords)

Viktor Petersson

November 27, 2019
Tweet

More Decks by Viktor Petersson

See All by Viktor Petersson
The history of how Screenly OSE became the most popular digital signage project on GitHub
vpetersson
0
110
The DevSecOps Iceberg @ Cloud Native London
vpetersson
0
230
The "S" in "IoT" stands for "Security"
vpetersson
0
140
Living on the Edge @ Kubernetes London
vpetersson
0
94
The 'S' in IoT Stands for Security (a.k.a. Internet of Shit)
vpetersson
0
240
Lessons learned from Screenly @ Linuxing in London
vpetersson
0
170
Provisioner @ Ansible London
vpetersson
0
8.9k
Screenly @ IoT London
vpetersson
1
6.9k
IoT Use Case: Screenly
vpetersson
0
140

Other Decks in Technology

See All in Technology
net/http/httptest.Server のアプローチをテスト戦略に活用する / Go Conference 2023
k1low
7
1.3k
これからのJavaのとっかかりを掴む
irof
0
3.3k
ABEMA における GKE Scale 戦略と Anthos Service Mesh 活用事例 Deep Dive
nagapad
3
160
Semantic Kernel を使って ChatGPT Plugins をアプリに組み込んでみよう
okazuki
0
150
async-profilerによるスタックトレースタイムトラベル - Kafkaのパフォーマンス問題調査での応用例
line_developers
PRO
1
160
Cluster_Extended Tokyo_WWDC 2023
clusterinc
0
490
Romi チームの OpenSearchのコスト最適化事例

mixi_engineers
PRO
0
290
AIの標準化や法規制に関する動向 (2023年版)
asei
3
310
RedMica 2.3 (2023-05) 新機能ハイライト およびRedmineの2023年5月までの半年間の主要な開発成果
vividtone
0
330
Blueskyちゃん作った話
kojira
0
120
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
10
26k
GLOBIS データサイエンスチームのご紹介/ GLOBIS Data Science Team is hiring.
globis_gdp
0
2k

Featured

See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
0
1.5k
Designing with Data
zakiwarfel
92
4.3k
Keith and Marios Guide to Fast Websites
keithpitt
407
21k
Into the Great Unknown - MozCon
thekraken
6
490
How To Stay Up To Date on Web Technology
chriscoyier
779
250k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.3k
Happy Clients
brianwarren
90
6k
Large-scale JavaScript Application Architecture
addyosmani
500
110k
Product Roadmaps are Hard
iamctodd
39
8.2k
GraphQLの誤解/rethinking-graphql
sonatard
41
8.3k
Making the Leap to Tech Lead
cromwellryan
118
7.8k
No one is an island. Learnings from fostering a developers community.
thoeni
13
1.7k

Transcript

  1. WHAT'S MTLS?
    Oh and wait, how does that relate to Docker?
    wott.io @vpetersson

    View Slide

  2. OUTLINE
    What's mTLS?
    Our use case/scenario
    Demo (all praise thy mighty demo gods)
    Recap
    @vpetersson
    wott.io

    View Slide

  3. @vpetersson
    wott.io

    View Slide

  4. WHAT'S WOTT?
    @vpetersson
    wott.io
    Security tool for developers
    Provides cryptographic identity (x509)
    Ongoing security audit of fleet
    A security dashboard
    Workflow integrations (Github, Slack
    etc)
    (DevSecOps)

    View Slide

  5. THE SCENARIO
    We got clients (workstation/server/container)
    That needs to talk to our API securely
    We don't want to use regular credentials
    @vpetersson
    wott.io

    View Slide

  6. THE SCENARIO
    Nginx
    App
    App
    Client
    Client
    @vpetersson
    wott.io

    View Slide

  7. CONCEPTS OVERVIEW
    TLS vs Mutual TLS
    Zero Trust Networking vs Perimeter based security
    Public Key Infrastructure (PKI) and root of trust
    @vpetersson
    wott.io

    View Slide

  8. HOW TLS WORKS
    @vpetersson
    wott.io

    View Slide

  9. HOW MUTUAL TLS WORKS
    @vpetersson
    wott.io

    View Slide

  10. PERIMETER SECURITY VS ZERO TRUST
    Perimeter based security
    Defend the moat with firewall(s)
    Example: Infra from the 90s
    Zero Trust Networking
    Assume everything is hostile (even internal traffic)
    Encrypt and verify everything
    Example: Istio and BeyondCorp
    Read "Zero Trust Networks" by Doug Barth and
    Evan Gilman for more details
    @vpetersson
    wott.io

    View Slide

  11. PUBLIC KEY INFRASTRUCTURE (PKI)
    Where you get your SSL certificates
    Let's Encrypt, Commodo, Verisign
    Browsers trust "public CAs"*
    The CA is your "root of trust"
    Roll your own or use an existing CA (like WoTT)
    @vpetersson
    wott.io * This is a bit complicated and out of scope

    View Slide

  12. @vpetersson
    wott.io

    View Slide

  13. TODAY'S GOAL
    Use Mutual TLS (mTLS) for transport layer
    Rotate the keys periodically in an automated fashion*
    Access control using cryptographic identity
    No use of API keys or username+password
    @vpetersson
    wott.io * Performed automatically by the WoTT Agent

    View Slide

  14. INFRA SETUP
    Preparation before the talk
    Spun up a small VM on GCE
    Docker Compose for setting up containers
    Nginx
    App server (Django App)
    SSL cert from Let's Encrypt
    We will use WoTT's PKI, but you can also roll your own
    @vpetersson
    wott.io

    View Slide

  15. APP OVERVIEW
    Python/Django app
    Uses HTTP headers from Nginx for access
    control
    This is a PoC with known attack
    vectors, so don't blindly use this in
    production as-is
    @vpetersson
    wott.io

    View Slide

  16. ACCESS CONTROL OVERVIEW
    @vpetersson
    wott.io

    View Slide

  17. DEPLOYING OUR APP
    @vpetersson
    wott.io

    View Slide

  18. DEPLOYING OUR APP
    $ docker-compose up
    [...]
    @vpetersson
    wott.io
    We're going to use dockerlon.vpetersson.com

    View Slide

  19. CURL ALL DA THINGZ
    $ curl -I https://dockerlon.vpetersson.com/api/
    HTTP/2 403
    [...]
    @vpetersson
    wott.io

    View Slide

  20. @vpetersson
    wott.io

    View Slide

  21. ACCESS CONTROL OVERVIEW
    @vpetersson
    wott.io

    View Slide

  22. NGINX MAGIC
    @vpetersson
    wott.io

    View Slide

  23. ONTO THE CLIENT
    (DEMO)
    @vpetersson
    wott.io

    View Slide

  24. @vpetersson
    wott.io
    DEMO GOD

    View Slide

  25. @vpetersson
    wott.io

    View Slide

  26. CURL ALL DA THINGZ
    $ sudo curl -s \
    --key /opt/wott/certs/client.key \
    --cert /opt/wott/certs/client.crt \
    https://dockerlon.vpetersson.com/api/ | jq
    {
    "msg": "You shall not pass!"
    }
    @vpetersson
    wott.io

    View Slide

  27. @vpetersson
    wott.io

    View Slide

  28. ACCESS CONTROL OVERVIEW
    @vpetersson
    wott.io

    View Slide

  29. APP MAGIC
    @vpetersson
    wott.io
    THIS IS A PROOF OF CONCEPT.
    DON'T USE IN PRODUCTION.

    View Slide

  30. WHITELIST THE DEVICE
    @vpetersson
    wott.io

    View Slide

  31. WHO AM I?
    $ sudo wott-agent whoami
    x.d.wott.local
    @vpetersson
    wott.io

    View Slide

  32. @vpetersson
    wott.io

    View Slide

  33. CURL ALL DA THINGZ
    $ sudo curl \
    --key /opt/wott/certs/client.key \
    --cert /opt/wott/certs/client.crt \
    https://dockerlon.vpetersson.com/api/ | jq
    {
    "msg": "Welcome x.d.wott.local. We've been expecting you."
    }
    @vpetersson
    wott.io

    View Slide

  34. ACCESS CONTROL OVERVIEW
    @vpetersson
    wott.io

    View Slide

  35. @vpetersson
    wott.io

    View Slide

  36. CONCLUSION
    mTLS doesn't have to be scary
    Easier and more secure than passwords
    Credential rotation built-in
    The foundation of Zero Trust Networking
    @vpetersson
    wott.io

    View Slide

  37. GET IN TOUCH
    Check out our agent
    mTLS and CVE audit of your nodes
    Ping us at [email protected] or visit wott.io
    @vpetersson
    wott.io

    View Slide

  38. REFERENCES
    https://github.com/vpetersson/django-mtls
    https://wott.io/blog/tutorials/2019/07/15/mtls-with-nginx
    https://tools.ietf.org/html/draft-ietf-oauth-mtls-17
    @vpetersson
    wott.io

    View Slide

  39. @vpetersson
    wott.io
    Where's the bar?

    View Slide