DCSF 19 Zero Trust Networks Come to Enterprise Kubernetes

Docker Enterprise got a big upgrade this year with Calico 3.5 for its Kubernetes networking! One of the most exciting new features is the ability to build Zero Trust Kubernetes networks with Calico Application Layer Policy in concert with the Istio service mesh. Zero Trust networking is a way to build distributed applications such that they maintain security even when containers, or the network itself, have been compromised.

Starting with Docker Enterprise, they will demonstrate some common network attacks such as IP address spoofing and certificate exfiltration, then demonstrate building a Zero Trust network (by installing Istio and Application Layer Policies) for the application. They will show how this Zero Trust network repels all the demonstrated attack strategies and explain how to build and maintain a Zero Trust network for your own applications.

Published in: Technology

  1. Zero Trust Networks Come to Docker Enterprise Kubernetes. Spike Curtis, Senior Software Engineer, Tigera; Brent Salisbury, Software Alliance Engineer, Docker
  2. Agenda • Motivation for Zero Trust Networks − Trends in application architecture − Trends in threat landscape − Deficiencies of the “Zone” model • Building Zero Trust with Docker Enterprise, Calico & Istio − Calico & Istio architecture − DEMO! • Conclusion, Q&A
  3. Intra-Security Zone Traffic
  4. Intra-Security Zone Traffic Hairpin
  5. Cost Analysis
  6. Inefficient Provisioning
  7. Compute Provisioning
  8. Distributing Policy Across Compute
  9. Growing Attack Surface
  10. Growing Attack Surface
  11. Zero Trust Networking: The network is always assumed to be hostile
  12. Zero Trust Networking
  13. Zero Trust Networking
  14. Zero Trust Networking: LAN
  15. Zero Trust Networking: WAN
  16. Zero Trust Networking: Internet
  17. Zero Trust Networking Advantages ● Resilient against compromised devices, workloads, and network links ● Security is decoupled from network location ○ Simplified management ○ Flexible deployment ● VPNs are no longer needed
  18. Zero Trust Networking Software: Control Plane, Data Plane, Platform
  19. Calico & Istio Architecture (diagram): two Nodes, each running a Pod with a Workload, an Envoy sidecar, and Felix; Istio Citadel issues workload identities; Mutual Authentication & Encryption between the Envoy sidecars; Calico Policy enforced by Dikastes (in the Envoy sidecar) and by IPTables (on the node)
  20. Demo Application: customer → summary → database
  21. Q&A
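Slides 19 and 20 describe the pieces the demo combines: Istio Citadel issues each workload a certificate, the Envoy sidecars mutually authenticate and encrypt traffic, and Calico policy is enforced both in the sidecar (Dikastes) and on the node (iptables). The following is an added example of what a Calico Application Layer Policy for the three-tier demo application could look like; it is not the talk's own demo configuration. The namespace name `demo`, the service account names `customer`, `summary` and `database`, the pod labels and the port numbers are all assumed for illustration. It assumes Istio is installed with mutual TLS and Calico application layer policy is enabled, so that Dikastes can read the calling workload's service account from its Istio certificate.

```yaml
# Added example (not from the slides). Namespace, labels, service accounts
# and ports are constructed placeholders.

# 1. Default deny: nothing in the demo namespace accepts ingress unless a
#    later policy explicitly allows it. With no rules, a policy that selects
#    all() and lists Ingress denies all inbound connections.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: demo
spec:
  order: 1000            # lowest priority; the allow rules below win
  selector: all()
  types:
    - Ingress
---
# 2. The summary tier only accepts requests that carry the customer tier's
#    Istio identity (service account "customer"). Because the match is on the
#    service account presented in the mTLS certificate, a spoofed source IP
#    does not satisfy it. The http block further restricts the allowed
#    methods and paths, which is where Application Layer Policy goes beyond
#    L3/L4 policy.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: summary-allow-customer
  namespace: demo
spec:
  order: 100
  selector: app == 'summary'
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        serviceAccounts:
          names:
            - customer
      destination:
        ports:
          - 8080
      http:
        methods:
          - GET
        paths:
          - prefix: /summary
---
# 3. The database tier only accepts connections from the summary tier's
#    identity. A certificate exfiltrated from the customer tier therefore
#    still cannot reach the database: it only ever grants the identity it was
#    issued for, and that identity is not allowed here.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: database-allow-summary
  namespace: demo
spec:
  order: 100
  selector: app == 'database'
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        serviceAccounts:
          names:
            - summary
      destination:
        ports:
          - 5432
```

The design point is that trust is tied to a cryptographic workload identity rather than to an IP address or a network segment, which is what the slides mean by "security is decoupled from network location". A useful check after applying policies like these is to confirm that a pod running under an unlisted service account gets its connections to the summary and database pods refused, and that Envoy logs show the connection being rejected by the external authorization (Dikastes) step rather than by the application.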