
In Search of Segmentation


There are many ways to manage whether one service can talk to another. It is tempting to over-use a single segmentation mechanism to implement policy, when the real problem is how to coordinate and manage many mechanisms across the physical, cloud and container spaces. This talk summarizes the problem space and the opportunities rather than offering solutions.

Presented at the Docker Palo Alto meetup Feb 16th 2016 http://www.meetup.com/Docker-Palo-Alto/events/228277181/



  1. In Search of Segmentation. Adrian Cockcroft, @adrianco, Technology Fellow - Battery Ventures, February 2016
  2. What does @adrianco do? Technology due diligence on deals; presentations at conferences; presentations at companies; technical advice for portfolio companies; program committee for conferences; networking with interesting people; tinkering with technologies; maintaining relationships with cloud vendors. http://www.slideshare.net/adriancockcroft
  3. Segmentation
  4. Industry Trends
  5. Airgaps closing; Industrial IoT; security blanket perimeter firewalls; datacenter to cloud transitions; new systems of engagement. http://peanuts.wikia.com/wiki/Linus'_security_blanket
  6. Policy
  7. A can talk to B. B can talk to C. A must not talk to C. [diagram: services A, B, C]
  8. Y and Z failure modes must be independent so X can always succeed. [diagram: Y, X, Z]
  9. Availability requirements drive a need for distributed segmentation.
  10. Choices?
  11. Too many choices!
  12. Over-reliance on one mechanism leads to abuse…
  13. Lack of coordination across many mechanisms leads to fragility.
  14. Example segmentation mechanisms
  15. Disclaimer: I’m not a developer, I don’t have hands-on experience with any of these mechanisms, I’m looking for input where I’m wrong or missed something. Also, apologies if I didn’t namecheck your favorite project/product.
  16. Segmentation layers (labelled Ops at the top, Dev at the bottom): Datacenters/AWS Accounts; IAM/AD/LDAP Roles; VPC/VLAN Networks; Security Groups/Hypervisor; IPtables/Calico Policy; Docker Links/Weave Overlay.
  17. Accounts and Roles: who can set policy for what? Needs distributed policy management. [diagram: services A, B, C]
  18. Network Segmentation: who controls the network? [diagram: services A, B, C]
  19. Network Segmentation: datacenter policies are based on separation of duties. Tickets, network admins and VLANs.
  20. Network Segmentation: AWS VPC networking uses developer-driven automation, loses separation of duties…
  21. VPC Abuse Antipattern: lots of small VPC networks for microservices; end up in IP address space capacity management hell…
  22. Hypervisor and Security Group Segmentation: distributed firewall rules. [diagram: services A, B, C]
  23. Security Group Abuse Antipattern: too many microservices need to be in the same group, overloads configuration limitations.
  24. Kernel eBPF & Calico IPtables Segmentation: distributed firewall rules. [diagram: services A, B, C]
  25. IPtables Segmentation: can use IP Sets to scale. Managed in the container host OS. Separates routing reachability from access policy.
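One way to program a container host the way slide 25 describes, as an added example that is not the talk's own code: a small generator that turns the A/B/C policy into ipset plus iptables commands. Membership (which instance IPs back a service) lives in one ipset per service; policy (which service may reach which, on which port) is one iptables rule per allowed edge, so scaling a service out touches the ipset and never the rule set. The service names come from slide 7; the ports, instance IPs, set names and the SEGMENT chain name are assumptions made for the example.

```python
"""Added example (not from the talk): derive ipset + iptables commands from a
segmentation policy, keeping membership (ipsets) separate from policy (rules).
Service names A/B/C are the talk's; ports, IPs, set and chain names are assumed."""
from typing import Dict, List, Tuple

Edge = Tuple[str, str, int]  # (source service, destination service, tcp port)

# Constructed policy matching the talk's A/B/C example; the ports are assumptions.
ALLOW: List[Edge] = [
    ("A", "B", 8080),  # A can talk to B
    ("B", "C", 5432),  # B can talk to C
]                      # everything else, including A -> C, is dropped

# Constructed membership: instance IPs currently backing each service.
MEMBERS: Dict[str, List[str]] = {
    "A": ["10.0.1.10", "10.0.1.11"],
    "B": ["10.0.2.10"],
    "C": ["10.0.3.10"],
}


def set_name(service: str) -> str:
    """ipset name for a service: one set per service, never one per instance."""
    return f"svc-{service.lower()}"


def membership_commands(members: Dict[str, List[str]]) -> List[str]:
    """ipset commands that define service membership; -exist makes them idempotent."""
    cmds: List[str] = []
    for svc in sorted(members):
        cmds.append(f"ipset -exist create {set_name(svc)} hash:ip")
        cmds.extend(f"ipset -exist add {set_name(svc)} {ip}" for ip in members[svc])
    return cmds


def policy_commands(allow: List[Edge], chain: str = "SEGMENT") -> List[str]:
    """iptables commands for a chain hooked into FORWARD: one ACCEPT per
    allowed edge, then a default DROP, so unlisted pairs such as A -> C fail."""
    cmds = [
        f"iptables -N {chain}",
        # Replies for flows already accepted (e.g. B answering A) must pass too.
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, dst, port in allow:
        cmds.append(
            f"iptables -A {chain} -p tcp --dport {port} "
            f"-m set --match-set {set_name(src)} src "
            f"-m set --match-set {set_name(dst)} dst -j ACCEPT"
        )
    cmds.append(f"iptables -A {chain} -j DROP")
    cmds.append(f"iptables -I FORWARD 1 -j {chain}")
    return cmds


def scale_out(service: str, ip: str) -> List[str]:
    """Adding an instance changes membership only; no iptables rule is touched."""
    return [f"ipset -exist add {set_name(service)} {ip}"]


def accept_rules_between(cmds: List[str], src: str, dst: str) -> List[str]:
    """Audit helper: the ACCEPT rules that match traffic from src's set to dst's set."""
    s, d = f"--match-set {set_name(src)} src", f"--match-set {set_name(dst)} dst"
    return [c for c in cmds if s in c and d in c and c.endswith("-j ACCEPT")]


if __name__ == "__main__":
    for c in membership_commands(MEMBERS) + policy_commands(ALLOW):
        print(c)
```

The chain is inserted into FORWARD because that is where a host sees traffic it bridges or routes between containers; the rule count is fixed by the number of allowed edges, and the audit helper confirms there is no ACCEPT from A's set to C's set. The generated commands are printed, not executed, so the script can be reviewed or diffed before it is applied to a host.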
  26. Docker & Weave Segmentation: Docker daemon manages connections. [diagram: services A, B, C]
  27. Docker Compose V1 (links: proxy -> app -> db; proxy publishes port 8080):

      proxy:
        build: ./proxy
        ports:
          - "8080:8080"
        links:
          - app
      app:
        build: ./app
        links:
          - db
      db:
        image: postgres

  28. Docker Compose V2 (networks: proxy on front, app on front and back, db on back; proxy publishes port 8080):

      version: '2'
      services:
        proxy:
          build: ./proxy
          ports:
            - "8080:8080"
          networks:
            - front
        app:
          build: ./app
          networks:
            - front
            - back
        db:
          image: postgres
          networks:
            - back
      networks:
        front:
        back:

  29. Docker Segmentation: overlay network created and managed by Docker or Weave. DNS based lookups.
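To make the difference between the two Compose files on slides 27 and 28 concrete, an added example that is not the talk's own code: a checker that derives network-layer reachability from a Compose layout and compares it with the talk's policy (proxy -> app and app -> db allowed, proxy -> db forbidden, mapping A/B/C from slide 7 onto proxy/app/db). The reachability model is an assumption stated in the code: a V1 file puts every container on the default bridge, where links add name resolution but no isolation, so everything can reach everything by IP; in a V2 file two services can reach each other only if they share a network. The two Compose files are transcribed as Python dicts so the script needs no YAML parser.

```python
"""Added example, not code from the talk: check a Compose file's network layout
against the talk's segmentation policy. Reachability model (an assumption):
  - Compose V1 (no 'services' section): every container sits on the default
    bridge; links only add name resolution, so any container reaches any other.
  - Compose V2: two services reach each other iff they share a network; a
    service without a 'networks' key is on the implicit 'default' network.
"""
from itertools import permutations
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]  # (source service, destination service)

# Constructed policy: the talk's A/B/C rule mapped onto proxy/app/db.
ALLOW: Set[Pair] = {("proxy", "app"), ("app", "db")}
DENY: Set[Pair] = {("proxy", "db")}

# The two Compose files from the slides, transcribed as dicts.
COMPOSE_V1: Dict = {
    "proxy": {"build": "./proxy", "ports": ["8080:8080"], "links": ["app"]},
    "app": {"build": "./app", "links": ["db"]},
    "db": {"image": "postgres"},
}
COMPOSE_V2: Dict = {
    "version": "2",
    "services": {
        "proxy": {"build": "./proxy", "ports": ["8080:8080"], "networks": ["front"]},
        "app": {"build": "./app", "networks": ["front", "back"]},
        "db": {"image": "postgres", "networks": ["back"]},
    },
    "networks": {"front": {}, "back": {}},
}


def reachability(compose: Dict) -> Set[Pair]:
    """Ordered (src, dst) pairs that can open a connection at the network layer."""
    if "services" not in compose:                 # V1 layout: services at top level
        return set(permutations(compose, 2))      # flat bridge: everyone reaches everyone
    nets = {name: set(spec.get("networks", ["default"]))
            for name, spec in compose["services"].items()}
    return {(a, b) for a, b in permutations(nets, 2) if nets[a] & nets[b]}


def check(compose: Dict, allow: Set[Pair], deny: Set[Pair]) -> Dict[str, List[Pair]]:
    """Compare what the layout permits with what the policy says."""
    reach = reachability(compose)
    return {
        # policy says must-not-talk, but the layout lets it through (security bug)
        "denied_but_reachable": sorted(p for p in deny if p in reach),
        # policy says may talk, but the layout blocks it (availability bug)
        "allowed_but_unreachable": sorted(p for p in allow if p not in reach),
        # reachable with no policy saying so: shared-network membership is
        # symmetric, so it cannot express one-directional rules by itself
        "reachable_without_policy": sorted(p for p in reach if p not in allow | deny),
    }


if __name__ == "__main__":
    for label, compose in (("V1", COMPOSE_V1), ("V2", COMPOSE_V2)):
        print(label, check(compose, ALLOW, DENY))
```

Run against the V1 file the checker reports proxy -> db as denied but reachable, because links never segmented anything; against the V2 file that violation disappears, but app -> proxy and db -> app remain reachable with no policy covering them. Network membership gives you segments, not directional rules, which is why the talk pairs it with the firewall-style mechanisms on the earlier slides.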
  30. Segmentation Scalability: real world microservices architectures have hundreds to thousands of distinct microservices.
  31. Segmentation Scalability: there are often a few very popular microservices that everyone else wants to talk to.
  32. Datacenters/AWS Accounts; IAM/AD/LDAP Roles; VPC/VLAN Networks; Security Groups/Hypervisor; IPtables/Calico Policy; Docker Links/Weave Overlay. How to coordinate across all these layers? How to scale to 1000+ segments?
  33. Hierarchical Segmentation, an AWS oriented example: AWS Account - manage across multiple accounts; VPC Z - manage a reasonable number of large network spaces; Security Group X and Security Group Y inside the VPC; enforced by IAM roles at every level. [diagram: services A, B, C in Security Group X and D, E, F in Security Group Y, both inside VPC Z]
  34. Policy Specification Options: Docker Compose V2; Kubernetes/Mesos policy; Calico/Cisco Contiv; AWS IAM/AD policies. How to coordinate any/all of these?
  35. Comments and Questions? Adrian Cockcroft, @adrianco, http://slideshare.com/adriancockcroft, Technology Fellow - Battery Ventures. See www.battery.com for a list of portfolio investments.
  36. Battery portfolio categories: Security (Palo Alto Networks); Enterprise IT Operations & Management; Big Data; Compute; Networking; Storage. Visit http://www.battery.com/our-companies/ for a full list of all portfolio companies in which all Battery Funds have invested.
