Understanding Wireguard, TLS and Workload Identity
Signaler
Partager
•0 j'aime•270 vues
Understanding Wireguard, TLS and Workload Identity
•0 j'aime•270 vues
Signaler
Partager
Télécharger pour lire hors ligne
Zero Trust Networking has become a standard marketing buzzword but the underlying principles are critical for modern microservice-style architectures. Authentication, authorizations, policy, etc. can be difficult to implement between services and do so in a maintainable way. Google invented their own transparent encryption and authorization protocol called "ALTS" back in 2007 to serve the application layer of Google's Borg workload scheduler, but we don't see others using it outside Google. In this webinar we look at existing technology like TLS and newcomer Wireguard and see how these technologies come together to provide a secure foundation for workload identity and modern service-to-service networking.
Contenu connexe
Similaire à Understanding Wireguard, TLS and Workload Identity
Similaire à Understanding Wireguard, TLS and Workload Identity(20)
Plus de Christian Posta
Plus de Christian Posta(20)
Dernier
Dernier(20)
Understanding Wireguard, TLS and Workload Identity
- 1. 1 | Copyright © 2022 Understanding Wireguard, TLS and Workload Identity: The Backbone of Modern Service Networking
- 2. 2 | Copyright © 2022 CHRISTIAN POSTA VP, Global Field CTO, Solo.io @christianposta christian@solo.io
- 3. 3 | Copyright © 2022 01 02 03 04 05 Why do we need modern security? Case Study: Google ALTS Modern Networking Security Workload Identity Demos! Agenda
- 4. 4 | Copyright © 2022 c Application Networking Well Funded ($175M), $1B valuation Satisfied Customers (130% Renewals) Cloud-native Technology Leadership Cloud-native Education Leadership TODAY’S BUSINESS DIGITAL BUSINESS The Service Mesh and API Platform for Kubernetes | Zero-Trust | Microservices
- 5. 5 | Copyright © 2022 Service A can talk to Service B
- 6. 6 | Copyright © 2022 Long Live IP!
- 7. 7 | Copyright © 2022 Containerized Workloads
- 8. 8 | Copyright © 2022 Beware!
- 9. 9 | Copyright © 2022 Beware! https://www.theverge.com/2014/12/8/7352581/sony-pictures-hacked-storystream
- 10. 10 | Copyright © 2022 Tenets of a Modern, Secure Network • Assume a Hostile Environment - There are malicious persona both inside and outside the environment • Presume Breach - Operate and Defend resources with the assumption that an adversary has presence in your environment • Never Trust, Always Verify - Deny by default. Every resource is explicitly authorized using least privilege multiple attributes, and dynamic cybersecurity principles • Scrutinize Explicitly - Access to resources is conditional and access can dynamically change based on action and confidence levels resulting from those actions • Apply Unified Analytics - for data, applications, assets, services to include behavioristics and log each transaction
- 11. 11 | Copyright © 2022 Writing Networking Policy ● Who is calling whom ● Constraining who can call whom ● Avoid MiTM, eavesdropping ● Quota / QoS / Limits ● Logging, auditing ● Policy enforcement via fine-grained authz
- 12. 12 | Copyright © 2022 Example from Google ALTS
- 13. 13 | Copyright © 2022 Application Layer Transport Security • Built in 2007 (TLS 1.1 was the latest version at this point) • TLS 1.1 did not meet Google’s minimum security standards • A simpler, more tailored impl of TLS • More flexible workload identity model • Certs use ECDH keys, Uses DH key exchange, can provide PFS and AE • Uses Protocol Buffers to serialize certificates and protocol messages https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
- 14. 14 | Copyright © 2022 ALTS Design • Transparent to applications / RPC invocations • Simplified cryptography (limited key exchange/cipher algorithms) • Authentication based on Identity NOT host machines • Identity tied to chain of trust / key distribution (transparent to application) • Authorization policies built around Identity model https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
- 15. 15 | Copyright © 2022 Transparent ALTS
- 16. 16 | Copyright © 2022 Handshake / Record Protocol
- 17. 17 | Copyright © 2022 ALTS is Proven at Scale Should we build ALTS?
- 18. 18 | Copyright © 2022 No. Modern Building Blocks Exist Let’s take a look
- 19. 19 | Copyright © 2022 Modern, Secure Service Networking • Transparent to applications / RPC invocations • Transparent encryption • Simplified cryptography (limited key exchange/cipher algorithms) • Authentication based on Identity NOT host machines • Identity tied to chain of trust / key distribution (transparent to application) • Authorization policies built around Identity model
- 20. 20 | Copyright © 2022 Wireguard Transparent encryption made easy
- 21. 21 | Copyright © 2022 Wireguard
- 22. 22 | Copyright © 2022 Wireguard • A Kernel/OS module aimed at transparently encrypting IP between two nodes for VPN use cases • Simple code base (around 7k LOC vs e.g., 100K+ IPSec) • No cipher/protocol negotiation; fixed cryptography • For L3, encapsulate encrypted packets in UDP • Intended to use ciphers that afford more performance • Simplified configuration, out of band public-key exchange https://www.wireguard.com/papers/wireguard.pdf
- 23. 23 | Copyright © 2022 Configure public keys and it just works
- 24. 24 | Copyright © 2022 Opinionated Crypto (Based on the Noise Framework) • Elliptic Curve Diffie Hellman with Curve22519 • ChaCha20+Poly1305 for Authenticated Encryption • BLAKE2s for hashing • Optional Pre-Shared Key (PSK) • If a vulnerability is found, upgrade everything https://www.wireguard.com/papers/wireguard.pdf
- 25. 25 | Copyright © 2022 Downsides of Wireguard • Could be very difficult to upgrade “everything” all at once for a discovered vulnerability • Not FIPS compliant • Will not be FIPS compliant − https://twitter.com/matthew_d_green/status/1443558648878350339 • Doesn’t solve for workload Mutual Authentication, Identity, or Authorization
- 26. 26 | Copyright © 2022 Options to Layer Authentication for svc-to-svc? • Wireguard “authenticates” its peers but has no knowledge of svc identities • JWT access tokens (ie, OAuth 2.0 + Secure Token Service) • Custom mutual authentication mechanism (see Cilium) • Layer client certificates and TLS on top
- 27. 27 | Copyright © 2022 Cilium’s approach to mutual authentication
- 28. 28 | Copyright © 2022 Cilium’s approach to mutual authentication
- 29. 29 | Copyright © 2022 Cilium’s approach to mutual authentication
- 30. 30 | Copyright © 2022 Transport Layer Security TLS 1.3
- 31. 31 | Copyright © 2022 Transport Layer Security
- 32. 32 | Copyright © 2022 Transport Layer Security (TLS 1.2)
- 33. 33 | Copyright © 2022 Transport Layer Security (TLS 1.3)
- 34. 34 | Copyright © 2022 Client Authentication (mTLS)
- 35. 35 | Copyright © 2022 Why use TLS 1.3? • Faster − Handshake takes fewer round trips • Safer (drop support for unsafe cryptographic algorithms) − Remove RSA key exchange (doesn’t provide Forward Secrecy) − Remove CBC/RC4 ciphers − Restrict DH parameters to known secure params − Handshake is signed by the server, cannot be tricked into downgrade − Chose AEAD ciphers
- 36. 36 | Copyright © 2022 TLS Can do Authentication, Encryption, Integrity Checks • FIPS compliant implementations • Private keys do not get sent over the wire (like JWT tokens) • Can be terminated at the applications for end-to-end session • TLS 1.3 brings simplification for ciphers/protocol negotiation • Looks a lot more like Google ALTS!
- 37. 37 | Copyright © 2022 Downsides to TLS • No standard way to specify identity • Key issuance, revocation, rotation can be complex • How do the applications handle key material safely? • What if applications mis-configure? • Every language/framework/library is different
- 38. 38 | Copyright © 2022 Standard Workload Identity Framework with SPIFFE
- 39. 39 | Copyright © 2022 Secure Production Identity Framework (for Everyone) • Open Source Identity Specification for workloads • Intended to solve the “universal workload identity problem” • Independent of application type, network, or platform/cloud • Specified with URI strings • Verified via signed credentials (x509, JWT, etc) • API and workflow for attestation built into SPIFFE implementations • Intended to eliminate passwords, other secrets, etc
- 40. 40 | Copyright © 2022 SPIFFE
- 41. 41 | Copyright © 2022 Who is Service A?
- 42. 42 | Copyright © 2022 Identity described in SVID
- 43. 43 | Copyright © 2022 Identity for Workloads
- 44. 44 | Copyright © 2022 SPIRE is a Production Implementation of SPIFFE
- 45. 45 | Copyright © 2022 Bringing it Together Transparently TLS 1.3 + SPIFFE
- 46. 46 | Copyright © 2022 Now we know who Service A is…
- 47. 47 | Copyright © 2022 An example implementation: Istio Ambient Mesh https://istio.io/latest/blog/2022/introducing-ambient-mesh/
- 48. 48 | Copyright © 2022 Istio Ambient Mesh (w/ TLS 1.3 + SPIFFE) • Transparent to applications / RPC invocations • Transparent encryption • Simplified cryptography (limited key exchange/cipher algorithms) • Authentication based on Identity NOT host machines • Identity tied to chain of trust / key distribution (transparent to application) • Authorization policies built around Identity model
- 49. 49 | Copyright © 2022 Demo
- 50. 50 | Copyright © 2022 Additional Resources ● https://lp.solo.io/white-paper-zero-trust ● https://cloud.google.com/docs/security/encryption-in-transit/applica tion-layer-transport-security ● https://istio.io/latest/blog/2022/introducing-ambient-mesh/ ● https://www.wireguard.com/papers/wireguard.pdf ● https://www.solo.io/zero-trust/ ● https://academy.solo.io ● https://istio.io ● https://cilium.io https://lp.solo.io/istio-ambient-mesh-explained
- 51. Thank You!