Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

Security for Microservices in GCP

214 visualizaciones

Publicado el

This presentation focuses on the secure deployment of microservices in Google Kubernetes Engine (GKE) and the proper security monitorization of the platform and deployed services.

DEMOS:
SSH_Bastion: https://vimeo.com/327701140
One_Ring_Attack: https://vimeo.com/327701078
Monitoring_Falco: https://vimeo.com/327701057
Network_Policies: https://vimeo.com/327701125
Cloud_IDS: https://vimeo.com/327701111

SPEAKERS:
Germán Arranz Cobos
Juan Gordo Ara
José Moyano Gutierrez

Publicado en: Tecnología
  • Sé el primero en comentar

Security for Microservices in GCP

  1. 1. Cloud Security Ateneu Barcelonés, March 28th 6:30pm https://www.meetup.com/Barcelona-Cybersecurity/events/259902770/
  2. 2. We build confidence
  3. 3. Agenda (50’) Security for Microservices in CLOUD by Germán Arranz, Juan Gordo and Jose Moyano (10’) Q&A (60’) Drinks and networking ●Place: Bar & Terrace at Principal floor. We build confidence (7pm) (8pm)
  4. 4. #A2Meetup meet-up@a2secure.com BCN Cybersec Monthly - March Security for Microservices in Google Cloud Platform Arranz Cobos, Germán Gordo Ara, Juan Moyano Gutierrez, Jose
  5. 5. #A2Meetup meet-up@a2secure.com Germán Arranz Cobos ● Security Project Manager ● Responsible of Google Cloud Platform Layer Juan Gordo Ara ● Security Analyst ● Responsible of Host Attack and Monitoring Layer Jose Moyano Gutierrez ● Security Technical Officer ● Responsible of K8s Network Layer The crew
  6. 6. #A2Meetup meet-up@a2secure.com Content IAM Firewall Rules Monitoring Attack vectors
  7. 7. #A2Meetup meet-up@a2secure.com Understanding of IAM hierarchy in GCP
  8. 8. #A2Meetup meet-up@a2secure.com GCP Architecture
  9. 9. #A2Meetup meet-up@a2secure.com IAM hierarchy in GCP
  10. 10. #A2Meetup meet-up@a2secure.com Example: IAM hierarchy in GCP Organization Folder Project
  11. 11. #A2Meetup meet-up@a2secure.com Example: IAM hierarchy in GCP
  12. 12. #A2Meetup meet-up@a2secure.com Example: IAM hierarchy in GCP
  13. 13. #A2Meetup meet-up@a2secure.com Relationship of GCP roles and GKE roles
  14. 14. #A2Meetup meet-up@a2secure.com Relationship of GCP roles and GKE roles Kubernetes Engine Cluster Admin Kubernetes Engine Admin Kubernetes Engine Developer Kubernetes Engine Viewer Cluster Admin Admin Edit View
  15. 15. #A2Meetup meet-up@a2secure.com Relationship of GCP roles and GKE roles Kubernetes Engine Cluster Admin Kubernetes Engine Admin Kubernetes Engine Developer Kubernetes Engine Viewer Cluster Admin Admin Edit View
  16. 16. #A2Meetup meet-up@a2secure.com Firewall Rules in GCP
  17. 17. #A2Meetup meet-up@a2secure.com Firewall rules by default Default-allow-internal Allows network connections of any protocol and port between instances on the network. Default-allow-ssh Allows SSH connections from any source to any instance on the network over TCP port 22. Default-allow-rdp Allows RDP connections from any source to any instance on the network over TCP port 3389. Default-allow-icmp Allows ICMP traffic from any source to any instance on the network
  18. 18. #A2Meetup meet-up@a2secure.com Firewall Rules Key points when using GKE
  19. 19. #A2Meetup meet-up@a2secure.com Firewall Rules Key points using GKE Auto-generation of firewall rules when you deploy a service inside the cluster.
  20. 20. #A2Meetup meet-up@a2secure.com Firewall Rules Key points using GKE Define the Authorized Network to restrict the access to the master.
  21. 21. #A2Meetup meet-up@a2secure.com Apply SSH restrictions to connect to the GKE nodes
  22. 22. #A2Meetup meet-up@a2secure.com Our scenario Tag: shelob Tag: shelob
  23. 23. #A2Meetup meet-up@a2secure.com SSH Bastion “Minas Tirith” architecture Tag: shelob Tag: shelob Tag: bastion
  24. 24. #A2Meetup meet-up@a2secure.com DEMO
  25. 25. #A2Meetup meet-up@a2secure.com GKE basic WebApp “DevOps ready to play”
  26. 26. #A2Meetup meet-up@a2secure.com Our scenario
  27. 27. #A2Meetup meet-up@a2secure.com Web App
  28. 28. #A2Meetup meet-up@a2secure.com Service
  29. 29. #A2Meetup meet-up@a2secure.com Deployment
  30. 30. #A2Meetup meet-up@a2secure.com Dockerfile
  31. 31. #A2Meetup meet-up@a2secure.com Web App
  32. 32. #A2Meetup meet-up@a2secure.com Elevation of privileges && Back Door “ One Ring to rule them all, One Ring to find them, One Ring to bring them all and in the darkness bind them”
  33. 33. #A2Meetup meet-up@a2secure.com Web App
  34. 34. #A2Meetup meet-up@a2secure.com OneRing
  35. 35. #A2Meetup meet-up@a2secure.com Deployment
  36. 36. #A2Meetup meet-up@a2secure.com Dockerfile
  37. 37. #A2Meetup meet-up@a2secure.com BackDoor
  38. 38. #A2Meetup meet-up@a2secure.com BackDoor
  39. 39. #A2Meetup meet-up@a2secure.com DEMO
  40. 40. #A2Meetup meet-up@a2secure.com GKE - Falco Runtime monitoring
  41. 41. #A2Meetup meet-up@a2secure.com What is Falco?
  42. 42. #A2Meetup meet-up@a2secure.com Falco
  43. 43. #A2Meetup meet-up@a2secure.com Service
  44. 44. #A2Meetup meet-up@a2secure.com Daemonset
  45. 45. #A2Meetup meet-up@a2secure.com BackDoor - Monitoring
  46. 46. #A2Meetup meet-up@a2secure.com BackDoor - Monitoring
  47. 47. #A2Meetup meet-up@a2secure.com Alerts
  48. 48. #A2Meetup meet-up@a2secure.com DEMO
  49. 49. #A2Meetup meet-up@a2secure.com References ● OneRing repo: https://github.com/ilcapone/OneRing ● Install falco in k8: https://github.com/falcosecurity/falco/tree/dev/integrations/k8s-using- daemonset ● Deploying a containerized web application in GKE: https://cloud.google.com/kubernetes-engine/docs/tutorials/hello-app
  50. 50. #A2Meetup meet-up@a2secure.com K8s Network
  51. 51. #A2Meetup meet-up@a2secure.com K8s Network The problems What happens with Pod 2 Pod connectivity? Are the VPC rules enough? How can I monitor the network traffic?
  52. 52. #A2Meetup meet-up@a2secure.com Network Policies What are they? K8s resource that allows to define allowed traffic flows. How do they work? ● NP are Namespace resources ● Assigned to Groups of Pods selected by labels ● Applied to Pod level. Like iptables =) ● Policies are “stateful” ● Default K8s Policy is to allow all
  53. 53. #A2Meetup meet-up@a2secure.com Network Policies What are they? K8s resource that allows to define allowed traffic. How do they work? ● NP are Namespace resources ● Assigned to Groups of Pods selected by labels ● Applied to Pod level. Like iptables =) ● Policies are “stateful” ● Default K8s Policy is ALLOW ALL
  54. 54. #A2Meetup meet-up@a2secure.com Network Policies Ingress Policy
  55. 55. #A2Meetup meet-up@a2secure.com Network Policies Deny by Default
  56. 56. #A2Meetup meet-up@a2secure.com Network Policies ● Demo - Deny by default
  57. 57. #A2Meetup meet-up@a2secure.com Network Policies ● Demo - Deny by default
  58. 58. #A2Meetup meet-up@a2secure.com Network Policies Security Policies are not enabled by default! Network policies are a key security point Deny By Default always! NP can enforce our security or let an user compromise your cluster! ● Control by RBAC who can manage Network Policies ● Control by RBAC who can create Namespaces
  59. 59. #A2Meetup meet-up@a2secure.com IDS on GKE
  60. 60. #A2Meetup meet-up@a2secure.com IDS on GKE Why an IDS? ● Allows us to detect attacks even before they succeed ● Can monitor all kind of traffic ● Forensic Handicaps ● There is no port mirroring in GKE/GCP, but we still need a way to detect attacks against our microservices ● K8s nodes are managed and volatile
  61. 61. #A2Meetup meet-up@a2secure.com IDS on GKE - Scenario
  62. 62. #A2Meetup meet-up@a2secure.com IDS on GKE - GKE Node TCPDUMP on each node /usr/sbin/tcpdump -i ${IFACE} -w - "($PCAP_FILTER) and not (dst host $SOCAT_HOST and dst port $SOCAT_PORT)"| socat - openssl:"$SOCAT_HOST":"$SOCAT_PORT",verify=0,ignoreeof TCPDUMP on IDS server $ socat openssl-listen:58888,cert=/etc/suricata/cert.pem,key=/etc/s uricata/cert.key,reuseaddr,pf=ip4,fork,verify=0 SYSTEM:tcpdump -n - s0 -r - -W 5 -G 30 -w /var/lib/topo/unread/tcpdump_%Y%m%d%H%M%S.pcap
  63. 63. #A2Meetup meet-up@a2secure.com IDS on GKE ● Demo
  64. 64. #A2Meetup meet-up@a2secure.com IDS on GKE References ● Topo repo: https://github.com/gum0x/topo ● Install Suricata in Centos7 https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentO S_Installation ● Special thanks to: https://github.com/xme/fpc - Socat concept extracted from here https://github.com/owlh/owlhmaster/ - Server concept extracted from here
  65. 65. #A2Meetup meet-up@a2secure.com Wrap up
  66. 66. #A2Meetup meet-up@a2secure.com BCN Cybersec Monthly - March Thanks for the attention. Any question? Arranz Cobos, Germán Gordo Ara, Juan Moyano Gutierrez, Jose
  67. 67. #A2Meetup meet-up@a2secure.com BCN Cybersec Monthly - March Arranz Cobos, Germán Gordo Ara, Juan Moyano Gutierrez, Jose
  68. 68. Si quieres más información de quiénes somos: meet-up@a2secure.com ¿Networking - Drinks? Meet with us at Bar – Ateneu (principal)
  69. 69. BARCELONA Avd. Francesc Cambó 21, planta 10 08003 Barcelona +34 933 945 600 Info@a2secure.com MADRID Paseo de la Castellana 210, planta 10, puerta 7 28046 Madrid +34 910 585 349 Info@a2secure.com

×