
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source

The latest version of the TLS protocol, TLS 1.3, was just released in August 2018. TLS 1.3 is faster and more secure than TLS 1.2. In this webinar, we cover what’s new in TLS 1.3 and how to use it with NGINX, plus other new features in NGINX Open Source and NGINX Plus.

Join this webinar to learn:
- What’s new in TLS 1.3 and why it's faster and more secure than TLS 1.2
- How to use TLS 1.3 with NGINX Plus and NGINX Open Source
- About two-stage rate limiting, simplified OpenID Connect, and 2x faster NGINX and ModSecurity WAF performance
- More with a live demo of TLS 1.3 in action

Watch On-demand: https://www.nginx.com/resources/webinars/tls-1-3-new-features-nginx-plus-r17-nginx-open-source/

Published in: Software

  1. TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source
  2. Who am I?
     Faisal Memon, Product Marketing Manager, NGINX
     Formerly:
     • Sr. Technical Marketing Engineer, Riverbed
     • Technical Marketing Engineer, Cisco
     • Software Engineer, Cisco
  3. What is NGINX? (diagram: HTTP traffic from the Internet reaches NGINX, which acts as)
     • Web Server: serve content from disk
     • Reverse Proxy: FastCGI, uWSGI, gRPC…
     • Load Balancer: caching, SSL termination…
     NGINX Open Source:
     - Basic load balancer
     - Content cache
     - Web server
     - Reverse proxy
     - SSL termination
     - Rate limiting
     - Basic authentication
     - 7 metrics
     NGINX Plus adds:
     + Advanced load balancer
     + Health checks
     + Session persistence
     + Least time algorithm
     + Cache purging
     + HA/Clustering
     + JWT Authentication
     + OpenID Connect SSO
     + NGINX Plus API
     + Dynamic modules
     + 90+ metrics
  4. Previously on…
     • Global rate limiting *
     • Cluster-aware key-value store *
     • Random with Two Choices algorithm
     • Enhanced UDP load balancing
     • PROXY Protocol v2
     • AWS PrivateLink support *
     * NGINX Plus exclusive feature
  5. Agenda
     • TLS 1.3
     • Two Stage Rate Limiting
     • Easier OpenID Connect Configuration
     • 2x Faster ModSecurity Performance
     • NGINX Ingress Controller for Kubernetes 1.4.0
     • Demo
     • Summary and Q&A
  6. TLS 1.3 Overview
     • Ratified in October 2018, RFC 8446
     • Ten years since TLS 1.2. Numerous vulnerabilities in that time:
       ◦ FREAK
       ◦ Heartbleed
       ◦ POODLE
       ◦ ROBOT
       ◦ SLOTH
     • TLS 1.3 is faster and more secure than TLS 1.2
     • Not supported by F5 BIG-IP
  7. FREAK
     • With FREAK, a man-in-the-middle could downgrade the cipher to something weaker
     • TLS 1.3 removes all the weaker Export ciphers and signs the entire key exchange, so a downgrade is detected
  8. TLS 1.3: Addition by Subtraction
     Removed in TLS 1.3:
     • AES-CBC
     • Arbitrary Diffie-Hellman groups
     • Export ciphers
     • DES/3DES
     • MD5
     • PKCS#1 v1.5 padding
     • RC4
     • RSA key transport (DH mandatory)
     • SHA-1
     5 supported cipher suites in TLS 1.3:
     • TLS_AES_256_GCM_SHA384
     • TLS_CHACHA20_POLY1305_SHA256
     • TLS_AES_128_GCM_SHA256
     • TLS_AES_128_CCM_8_SHA256
     • TLS_AES_128_CCM_SHA256
  9. TLS 1.3: Improved Handshake (diagram)
     TLS 1.3 improves performance by reducing the number of round trips needed to set up a secure connection
  10. TLS 1.3: 0-RTT Mode (diagram)
     TLS 1.3 enables fast resumption of TLS sessions
  11. TLS 1.3: 0-RTT Mode (diagram: potential replay attack)
  12. TLS 1.3 Support
     • Requires OpenSSL 1.1.1
     • Supported OS: Ubuntu 18.10, FreeBSD 12.0, Alpine 3.9
       ◦ Debian 10 will have OpenSSL 1.1.1 when released later this year
     • Supported browsers: Chrome 70, Firefox 63
       ◦ Not supported by Safari yet
       ◦ Latest status info: caniuse.com/#feat=tls1-3
  13. TLS 1.3 NGINX Config
     • We recommend including TLSv1.2 because not all browsers support TLS 1.3
     • NGINX uses TLS 1.3 if the client supports it, and TLS 1.2 if not
     • ssl_early_data enables 0-RTT mode
     • Use $ssl_early_data to have the backend server drop potential replay packets

         server {
             listen 443 ssl;
             ssl_certificate     /etc/ssl/my_site_cert.pem;
             ssl_certificate_key /etc/ssl/my_site_key.pem;
             ssl_protocols TLSv1.2 TLSv1.3;
             ssl_early_data on;   # Enable 0-RTT (TLS 1.3)

             location / {
                 proxy_pass http://my_backend;
                 proxy_set_header Early-Data $ssl_early_data;
             }
         }
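The slide leaves the backend's side of the 0-RTT story implicit: NGINX forwards `Early-Data: 1` for requests that arrived as 0-RTT data, and the backend has to decide which of them are safe to act on. The following is an added example, not code from the webinar or from NGINX: a minimal WSGI backend that accepts early data only for methods whose replay is harmless and answers everything else with 425 Too Early (RFC 8470), so the client retries once the handshake has completed. The header name and the value `1` come from the NGINX config above; the set of "safe" methods and the response body are this example's own choices.

```python
# Added example: backend handling of the Early-Data header set by
# "proxy_set_header Early-Data $ssl_early_data;" in the NGINX config above.
# Not part of the webinar or of NGINX; SAFE_METHODS is a policy chosen for this demo.
from wsgiref.simple_server import make_server

# Methods whose replay does no harm; a replayed POST could, e.g., submit a payment twice.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def early_data_verdict(method, early_data):
    """Return (status_code, reason) for a request.

    `early_data` is the raw Early-Data header value: "1" when NGINX received the
    request as TLS 1.3 0-RTT data, "" (or absent) otherwise.
    """
    if early_data == "1" and method.upper() not in SAFE_METHODS:
        # RFC 8470 section 5.2: 425 Too Early tells the client to resend the
        # request after the handshake, so a replayed copy is never processed.
        return 425, "Too Early"
    return 200, "OK"


def app(environ, start_response):
    """WSGI application; WSGI exposes the "Early-Data" header as HTTP_EARLY_DATA."""
    method = environ.get("REQUEST_METHOD", "GET")
    status, reason = early_data_verdict(method, environ.get("HTTP_EARLY_DATA", ""))
    start_response(f"{status} {reason}", [("Content-Type", "text/plain")])
    if status == 425:
        return [b"request sent as TLS 0-RTT early data; retry after handshake\n"]
    return [f"handled {method}\n".encode()]


if __name__ == "__main__":
    # Run as the "my_backend" upstream on a constructed port for local testing.
    with make_server("127.0.0.1", 8080, app) as httpd:
        httpd.serve_forever()
```

The check is deliberately on the header NGINX sets rather than on anything the client sends: a client cannot mark its own request as non-early, and `$ssl_early_data` is only non-empty when the TLS layer actually accepted early data.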
  15. Rate Limiting in NGINX
     • Follows the leaky bucket algorithm
     • If the rate at which water is poured in exceeds the rate at which it leaks, the bucket overflows
     • What to do with excessive requests?
     • More info: nginx.com/blog/rate-limiting-nginx/
  16. Rate Limiting in NGINX
     • Choices for handling excessive requests:
       ◦ Drop them immediately
       ◦ Queue and service them later
       ◦ Queue but service immediately
       ◦ Queue, service immediately up to a point, then delay and service later
  17. Two Stage Rate Limiting

         limit_req_zone $binary_remote_addr zone=ip:10m rate=5r/s;

         server {
             listen 80;

             location / {
                 limit_req zone=ip burst=12 delay=8;
                 proxy_pass http://website;
             }
         }
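To make the three outcomes of slide 17 concrete (served at once, delayed, rejected), here is an added Python model of the leaky-bucket accounting behind `limit_req`; it is not code from the webinar or from NGINX. It follows the documented rules: a request is rejected when the bucket's excess would exceed `burst`, forwarded immediately while the excess is at most `delay`, and otherwise held until the bucket has leaked back down to the `delay` level. With the slide's `rate=5r/s burst=12 delay=8`, a burst of 20 simultaneous requests yields 8 immediate, 4 delayed and 8 rejected. The arrival timestamps are constructed for the demo.

```python
# Added example: a model of NGINX's limit_req leaky bucket with the slide's
# settings (rate=5r/s burst=12 delay=8). Not NGINX's own code; the bucket level
# is tracked in whole requests rather than NGINX's internal thousandths.


class LeakyBucket:
    def __init__(self, rate, burst, delay):
        self.rate = float(rate)  # leak rate in requests per second
        self.burst = burst       # bucket size: excess above which requests are rejected
        self.delay = delay       # excess up to which requests are forwarded without waiting
        self.excess = 0.0        # current bucket level (requests above the steady rate)
        self.last = None         # arrival time of the last accepted request

    def request(self, now):
        """Account one request arriving at time `now` (seconds).

        Returns ("immediate", 0.0), ("delayed", wait_seconds) or ("rejected", 0.0).
        """
        excess = self.excess
        if self.last is not None:
            # Leak what has drained since the last accepted request.
            excess = max(excess - self.rate * (now - self.last), 0.0)
        excess += 1.0
        if excess > self.burst:
            # Bucket would overflow: reject (503) and leave the level untouched.
            return "rejected", 0.0
        self.excess, self.last = excess, now
        if excess <= self.delay:
            return "immediate", 0.0
        # Hold the request until the bucket has leaked back to the delay level.
        return "delayed", (excess - self.delay) / self.rate


def simulate(arrivals, rate=5, burst=12, delay=8):
    """Run a list of arrival timestamps through one bucket and return each verdict."""
    bucket = LeakyBucket(rate, burst, delay)
    return [bucket.request(t) for t in arrivals]


def summarize(results):
    """Count verdicts by kind."""
    return {k: sum(1 for status, _ in results if status == k)
            for k in ("immediate", "delayed", "rejected")}


if __name__ == "__main__":
    # Constructed traffic: 20 requests at t=0 from one client, then one at t=3s.
    results = simulate([0.0] * 20 + [3.0])
    for i, (status, wait) in enumerate(results, 1):
        print(f"request {i:2d}: {status:9s} wait={wait:.1f}s")
    print(summarize(results[:20]))
```

Setting `delay` equal to `burst` reproduces the older "queue but service immediately" behaviour (`nodelay`), and `delay=0` gives "queue and service later"; the two-stage form in between is what lets a page's initial flurry of asset requests through while still smoothing a sustained flood.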
  19. NGINX Plus JWT Authentication
     Support timeline:
     • R10 -- Initial support for native JWT authentication added
     • R12 -- Support for custom fields
     • R14 -- Support for nested claims
     • R15 -- Support for OpenID Connect SSO. Link to Okta, OneLogin, PingIdentity, etc.
     • R17 -- Support for fetching JWKs from a URL
     JWT Authentication and OpenID Connect SSO are exclusive to NGINX Plus
  20. NGINX Plus JWT Config
     • auth_jwt_key_request initiates a subrequest to fetch the JWKs from the server
     • Responses are cached
     • You can use NGINX cache tuning tricks such as proxy_cache_use_stale, overriding expiration headers, etc.

         # Create directory to cache keys from IdP
         proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:1m max_size=10m;

         server {
             listen 80;   # Use SSL/TLS in production

             location / {
                 auth_jwt "closed site";
                 auth_jwt_key_request /_jwks_uri;
                 proxy_pass http://my_backend;
             }

             location = /_jwks_uri {
                 internal;
                 proxy_cache jwk;   # Cache responses
                 proxy_pass https://idp.example.com/oauth2/keys;
             }
         }
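Slides 19 and 20 describe fetching the JWK set but not what is done with it. The following added example, written for this page and not taken from the webinar or from NGINX Plus, shows the validation steps that happen behind `auth_jwt` once the keys are in hand: select the key named by the token's `kid`, verify the signature, and reject expired tokens. It uses an HS256 (`kty: oct`) key so that it runs with the standard library alone; the JWK set, key id, secret and claims are all constructed for the demo, and a JWKS fetched from a real IdP would normally carry RSA or EC public keys instead.

```python
# Added example: what a JWKS-based token check does, modelled on the behaviour
# of auth_jwt but not NGINX Plus code. The key set and token are constructed.
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# Constructed JWK set: the kind of document NGINX caches from the IdP's keys URL.
JWKS = {"keys": [
    {"kty": "oct", "kid": "demo-2018", "alg": "HS256",
     "k": b64url_encode(b"constructed-shared-secret-for-the-demo")},
]}


def make_token(claims, kid, jwks=JWKS):
    """Mint an HS256 JWT with the key `kid` (stands in for the IdP)."""
    key = next(k for k in jwks["keys"] if k["kid"] == kid)
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(b64url_decode(key["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token, jwks, now=None):
    """Return the claims if `token` validates against `jwks`, else raise ValueError."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token choose "none" or swap key types.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    key = next((k for k in jwks["keys"]
                if k.get("kid") == header.get("kid") and k.get("kty") == "oct"), None)
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(b64url_decode(key["k"]), f"{h64}.{p64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    tok = make_token({"sub": "alice", "exp": int(time.time()) + 300}, "demo-2018")
    print(verify_token(tok, JWKS))
```

Because the key is looked up by `kid`, rotating keys at the IdP only requires publishing the new key in the JWKS; with `proxy_cache` in front of the keys URL, as in the config above, a token signed with a key that is not yet in the cached set fails with "unknown kid" until the cache entry expires, which is the trade-off the cache tuning bullet on slide 20 is about.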
  22. NGINX WAF and ModSecurity 3.0
     Layer 7 attack protection:
     • SQL Injection
     • Remote Code Execution
     • Local File Include
     • Remote File Include
     • Cross-Site Scripting
     • Cross-Site Request Forgery
     NGINX WAF and ModSecurity 3.0 are now 2x faster
  24. NGINX Ingress Controller for Kubernetes 1.4.0
     New features:
     • TCP/UDP load balancing
     • Extended Prometheus support
     • Easy development of custom annotations
     • Random with Two Choices load balancing algorithm
     Enterprise-grade application delivery for Kubernetes
  25. Additional features
     • TCP Keepalives to Upstreams -- New proxy_socket_keepalive directive toggles TCP keepalives between NGINX and the proxied server.
     • Upstream HTTP Keepalive Timeout and Request Cap -- New keepalive_timeout directive sets the maximum idle time for a keepalive connection between NGINX and the proxied server.
     • Finite Upstream UDP Session Size -- New proxy_requests directive sets the maximum number of UDP packets sent from NGINX to the proxied server before a new UDP "session" is created.
     • Enhancement to Cluster State Sharing -- When using state sharing in a cluster, NGINX can now do server name verification, using SNI to pass the server name when connecting to cluster nodes. (NGINX Plus exclusive)
  28. Summary
     • New support for TLS 1.3 improves security and performance
     • TLS 1.3 is currently supported on Ubuntu 18.10, FreeBSD 12.0 and Alpine 3.9
     • New two-stage rate limiting allows burst requests to be serviced with no delay up to a point, then delayed, then dropped
     • NGINX Plus can now fetch JSON Web Keys from the IdP, making for easier OpenID Connect configuration
     • NGINX WAF and ModSecurity 3.0: 2x faster performance
     • NGINX Ingress Controller for Kubernetes 1.4.0 adds TCP/UDP load balancing, extended Prometheus support and additional new features
  29. Q & A
     Try NGINX Plus and NGINX WAF free for 30 days: nginx.com/free-trial-request
