What's mtLS? @ Docker London

Transcript

1. WHAT'S MTLS? Oh and wait, how does that relate to

   Docker? wott.io @vpetersson

2. OUTLINE What's mTLS? Our use case/scenario Demo (all praise thy

   mighty demo gods) Recap @vpetersson wott.io

3. @vpetersson wott.io

4. WHAT'S WOTT? @vpetersson wott.io Security tool for developers Provides cryptographic

   identity (x509) Ongoing security audit of fleet A security dashboard Workflow integrations (Github, Slack etc) (DevSecOps)

5. THE SCENARIO We got clients (workstation/server/container) That needs to talk

   to our API securely We don't want to use regular credentials @vpetersson wott.io

6. THE SCENARIO Nginx App App Client Client @vpetersson wott.io

7. CONCEPTS OVERVIEW TLS vs Mutual TLS Zero Trust Networking vs

   Perimeter based security Public Key Infrastructure (PKI) and root of trust @vpetersson wott.io

8. HOW TLS WORKS @vpetersson wott.io

9. HOW MUTUAL TLS WORKS @vpetersson wott.io

10. PERIMETER SECURITY VS ZERO TRUST Perimeter based security Defend the

    moat with firewall(s) Example: Infra from the 90s Zero Trust Networking Assume everything is hostile (even internal traffic) Encrypt and verify everything Example: Istio and BeyondCorp Read "Zero Trust Networks" by Doug Barth and Evan Gilman for more details @vpetersson wott.io

11. PUBLIC KEY INFRASTRUCTURE (PKI) Where you get your SSL certificates

    Let's Encrypt, Commodo, Verisign Browsers trust "public CAs"* The CA is your "root of trust" Roll your own or use an existing CA (like WoTT) @vpetersson wott.io * This is a bit complicated and out of scope

12. @vpetersson wott.io

13. TODAY'S GOAL Use Mutual TLS (mTLS) for transport layer Rotate

    the keys periodically in an automated fashion* Access control using cryptographic identity No use of API keys or username+password @vpetersson wott.io * Performed automatically by the WoTT Agent

14. INFRA SETUP Preparation before the talk Spun up a small

    VM on GCE Docker Compose for setting up containers Nginx App server (Django App) SSL cert from Let's Encrypt We will use WoTT's PKI, but you can also roll your own @vpetersson wott.io

15. APP OVERVIEW Python/Django app Uses HTTP headers from Nginx for

    access control This is a PoC with known attack vectors, so don't blindly use this in production as-is @vpetersson wott.io

16. ACCESS CONTROL OVERVIEW @vpetersson wott.io

17. DEPLOYING OUR APP @vpetersson wott.io

18. DEPLOYING OUR APP $ docker-compose up [...] @vpetersson wott.io We're

    going to use dockerlon.vpetersson.com

19. CURL ALL DA THINGZ $ curl -I https://dockerlon.vpetersson.com/api/ HTTP/2 403

    [...] @vpetersson wott.io

20. @vpetersson wott.io

21. ACCESS CONTROL OVERVIEW @vpetersson wott.io

22. NGINX MAGIC @vpetersson wott.io

23. ONTO THE CLIENT (DEMO) @vpetersson wott.io

24. @vpetersson wott.io DEMO GOD

25. @vpetersson wott.io

26. CURL ALL DA THINGZ $ sudo curl -s \ --key

    /opt/wott/certs/client.key \ --cert /opt/wott/certs/client.crt \ https://dockerlon.vpetersson.com/api/ | jq { "msg": "You shall not pass!" } @vpetersson wott.io

27. @vpetersson wott.io

28. ACCESS CONTROL OVERVIEW @vpetersson wott.io

29. APP MAGIC @vpetersson wott.io THIS IS A PROOF OF CONCEPT.

    DON'T USE IN PRODUCTION.

30. WHITELIST THE DEVICE @vpetersson wott.io

31. WHO AM I? $ sudo wott-agent whoami x.d.wott.local @vpetersson wott.io

32. @vpetersson wott.io

33. CURL ALL DA THINGZ $ sudo curl \ --key /opt/wott/certs/client.key

    \ --cert /opt/wott/certs/client.crt \ https://dockerlon.vpetersson.com/api/ | jq { "msg": "Welcome x.d.wott.local. We've been expecting you." } @vpetersson wott.io

34. ACCESS CONTROL OVERVIEW @vpetersson wott.io

35. @vpetersson wott.io

36. CONCLUSION mTLS doesn't have to be scary Easier and more

    secure than passwords Credential rotation built-in The foundation of Zero Trust Networking @vpetersson wott.io

37. GET IN TOUCH Check out our agent mTLS and CVE

    audit of your nodes Ping us at [email protected] or visit wott.io @vpetersson wott.io

38. REFERENCES https://github.com/vpetersson/django-mtls https://wott.io/blog/tutorials/2019/07/15/mtls-with-nginx https://tools.ietf.org/html/draft-ietf-oauth-mtls-17 @vpetersson wott.io

39. @vpetersson wott.io Where's the bar?