What's mtLS? @ Docker London

Mutual TLS, or mTLS, is a widely used standard for strengthening authentication. It's an extension of TLS, the protocol behind HTTPS, but in addition to the client verifying the server's identity, the server also verifies the client's identity.

mTLS is already widely used and is the cornerstone of the Zero Trust Networking movement, but how does it work? In this talk, we will go over the fundamentals of mTLS and create a simple web app that uses mTLS as its authentication method. We will use technologies like Docker and Nginx to accomplish this, and show the benefits over traditional authentication methods (such as API keys and passwords).

Viktor Petersson

November 27, 2019

Transcript

  1. WHAT'S MTLS?
    Oh and wait, how does that relate to Docker?
    wott.io @vpetersson

  2. OUTLINE
    What's mTLS?
    Our use case/scenario
    Demo (all praise thy mighty demo gods)
    Recap

  3. (image-only slide)

  4. WHAT'S WOTT?
    Security tool for developers
    Provides cryptographic identity (x509)
    Ongoing security audit of fleet
    A security dashboard
    Workflow integrations (Github, Slack etc)
    (DevSecOps)

  5. THE SCENARIO
    We have clients (workstation/server/container)
    that need to talk to our API securely
    We don't want to use regular credentials

  6. THE SCENARIO
    (diagram: two Clients, Nginx in front, two App instances behind it)

  7. CONCEPTS OVERVIEW
    TLS vs Mutual TLS
    Zero Trust Networking vs Perimeter based security
    Public Key Infrastructure (PKI) and root of trust

  8. HOW TLS WORKS
    (diagram-only slide)

  9. HOW MUTUAL TLS WORKS
    (diagram-only slide)

  10. PERIMETER SECURITY VS ZERO TRUST
    Perimeter based security
    Defend the moat with firewall(s)
    Example: Infra from the 90s
    Zero Trust Networking
    Assume everything is hostile (even internal traffic)
    Encrypt and verify everything
    Example: Istio and BeyondCorp
    Read "Zero Trust Networks" by Doug Barth and Evan Gilman for more details

  11. PUBLIC KEY INFRASTRUCTURE (PKI)
    Where you get your SSL certificates
    Let's Encrypt, Comodo, Verisign
    Browsers trust "public CAs"*
    The CA is your "root of trust"
    Roll your own or use an existing CA (like WoTT)
    * This is a bit complicated and out of scope

  12. (image-only slide)

  13. TODAY'S GOAL
    Use Mutual TLS (mTLS) for transport layer
    Rotate the keys periodically in an automated fashion*
    Access control using cryptographic identity
    No use of API keys or username+password
    * Performed automatically by the WoTT Agent

  14. INFRA SETUP
    Preparation before the talk
    Spun up a small VM on GCE
    Docker Compose for setting up containers
    Nginx
    App server (Django App)
    SSL cert from Let's Encrypt
    We will use WoTT's PKI, but you can also roll your own

  15. APP OVERVIEW
    Python/Django app
    Uses HTTP headers from Nginx for access control
    This is a PoC with known attack vectors, so don't blindly use this in production as-is

  16. ACCESS CONTROL OVERVIEW
    (diagram-only slide)

  17. DEPLOYING OUR APP
    (diagram-only slide)

  18. DEPLOYING OUR APP
    We're going to use dockerlon.vpetersson.com
    $ docker-compose up
    [...]

  19. CURL ALL DA THINGZ
    $ curl -I https://dockerlon.vpetersson.com/api/
    HTTP/2 403
    [...]

  20. (image-only slide)

  21. ACCESS CONTROL OVERVIEW
    (diagram-only slide)

  22. NGINX MAGIC
    (image-only slide)

  23. ONTO THE CLIENT
    (DEMO)

  24. DEMO GOD
    (image-only slide)

  25. (image-only slide)

  26. CURL ALL DA THINGZ
    $ sudo curl -s \
    --key /opt/wott/certs/client.key \
    --cert /opt/wott/certs/client.crt \
    https://dockerlon.vpetersson.com/api/ | jq
    {
    "msg": "You shall not pass!"
    }

  27. (image-only slide)

  28. ACCESS CONTROL OVERVIEW
    (diagram-only slide)

  29. APP MAGIC
    THIS IS A PROOF OF CONCEPT.
    DON'T USE IN PRODUCTION.

  30. WHITELIST THE DEVICE
    (image-only slide)

  31. WHO AM I?
    $ sudo wott-agent whoami
    x.d.wott.local

  32. (image-only slide)

  33. CURL ALL DA THINGZ
    $ sudo curl \
    --key /opt/wott/certs/client.key \
    --cert /opt/wott/certs/client.crt \
    https://dockerlon.vpetersson.com/api/ | jq
    {
    "msg": "Welcome x.d.wott.local. We've been expecting you."
    }
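The three outcomes demonstrated in slides 19, 26 and 33 (no certificate: 403; a CA-signed certificate for a device that is not whitelisted: "You shall not pass!"; a whitelisted device: the welcome message), written out as an added Python example that is not the django-mtls project's code. It assumes Nginx terminates mTLS and forwards its $ssl_client_verify and $ssl_client_s_dn variables as the request headers X-SSL-Client-Verify and X-SSL-Client-S-DN (the header names are an assumption), and that the app is reachable only through Nginx, because anyone who can reach the app directly could set those headers themselves.

```python
"""Access check mirroring the talk's Nginx -> Django flow (added example).

Assumed: Nginx terminates mTLS and forwards two of its variables as headers
(header names are an assumption, not from the talk):
  X-SSL-Client-Verify <- $ssl_client_verify ("SUCCESS", "FAILED:...", "NONE")
  X-SSL-Client-S-DN   <- $ssl_client_s_dn   (e.g. "CN=x.d.wott.local,O=WoTT")
"""
import re
from typing import Dict, Optional, Tuple

# Constructed whitelist of device identities (certificate CNs) allowed to call the API.
WHITELIST = {"x.d.wott.local"}


def cn_from_dn(dn: str) -> Optional[str]:
    """Pull the CN out of an X.509 subject DN.

    Accepts both the RFC 2253 form current Nginx emits ("CN=a,O=b") and the
    older slash-separated OpenSSL form ("/O=b/CN=a").
    """
    match = re.search(r"(?:^|[,/])\s*CN=([^,/]+)", dn.strip())
    return match.group(1).strip() if match else None


def check_access(headers: Dict[str, str]) -> Tuple[int, str]:
    """Decide a proxied request: (HTTP status, message for the JSON body).

    The verification status is checked before the DN is read, so a DN header
    on its own, with no CA-verified certificate behind it, is never enough.
    """
    if headers.get("X-SSL-Client-Verify") != "SUCCESS":
        # No certificate, or one the CA did not sign: refuse outright,
        # as the bare `curl -I` in the talk was refused with a 403.
        return 403, "No valid client certificate presented."
    cn = cn_from_dn(headers.get("X-SSL-Client-S-DN", ""))
    if cn is None or cn not in WHITELIST:
        # Valid certificate from our CA, but this device is not whitelisted.
        return 403, "You shall not pass!"
    return 200, f"Welcome {cn}. We've been expecting you."


if __name__ == "__main__":
    # Constructed headers for the three states shown in the talk.
    for hdrs in ({},
                 {"X-SSL-Client-Verify": "SUCCESS",
                  "X-SSL-Client-S-DN": "CN=other.d.wott.local,O=WoTT"},
                 {"X-SSL-Client-Verify": "SUCCESS",
                  "X-SSL-Client-S-DN": "CN=x.d.wott.local,O=WoTT"}):
        print(check_access(hdrs))
```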

  34. ACCESS CONTROL OVERVIEW
    (diagram-only slide)

  35. (image-only slide)

  36. CONCLUSION
    mTLS doesn't have to be scary
    Easier and more secure than passwords
    Credential rotation built-in
    The foundation of Zero Trust Networking

  37. GET IN TOUCH
    Check out our agent
    mTLS and CVE audit of your nodes
    Ping us at [email protected] or visit wott.io

  38. REFERENCES
    https://github.com/vpetersson/django-mtls
    https://wott.io/blog/tutorials/2019/07/15/mtls-with-nginx
    https://tools.ietf.org/html/draft-ietf-oauth-mtls-17

  39. Where's the bar?