1 | Copyright © 2022
Understanding Wireguard, TLS and Workload Identity:
The Backbone of Modern Service Networking
CHRISTIAN POSTA
VP, Global Field CTO, Solo.io
@christianposta
christian@solo.io
Agenda
01 Why do we need modern security?
02 Case Study: Google ALTS
03 Modern Networking Security
04 Workload Identity
05 Demos!
Application Networking
• Well Funded ($175M), $1B valuation
• Satisfied Customers (130% Renewals)
• Cloud-native Technology Leadership
• Cloud-native Education Leadership
The Service Mesh and API Platform for Kubernetes | Zero-Trust | Microservices
Service A can talk to Service B
Long Live IP!
Containerized Workloads
Beware!
https://www.theverge.com/2014/12/8/7352581/sony-pictures-hacked-storystream
Tenets of a Modern, Secure Network
• Assume a Hostile Environment - There are malicious personas both inside and outside the environment
• Presume Breach - Operate and defend resources with the assumption that an adversary already has presence in your environment
• Never Trust, Always Verify - Deny by default. Every resource is explicitly authorized using least privilege, multiple attributes, and dynamic cybersecurity principles
• Scrutinize Explicitly - Access to resources is conditional, and access can dynamically change based on actions and the confidence levels resulting from those actions
• Apply Unified Analytics - Analyze data, applications, assets, and services, including behavioristics, and log each transaction
Writing Networking Policy
● Who is calling whom
● Constraining who can call whom
● Avoiding MITM and eavesdropping
● Quota / QoS / Limits
● Logging, auditing
● Policy enforcement via fine-grained authz
Example from Google: ALTS
Application Layer Transport Security
• Built in 2007 (TLS 1.1 was the latest version at that point)
• TLS 1.1 did not meet Google’s minimum security standards
• A simpler, more tailored implementation of TLS
• More flexible workload identity model
• Certificates carry ECDH keys; the handshake uses a DH key exchange and can provide PFS (perfect forward secrecy) and AE (authenticated encryption)
• Uses Protocol Buffers to serialize certificates and protocol messages
https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
ALTS Design
• Transparent to applications / RPC invocations
• Simplified cryptography (limited key exchange/cipher algorithms)
• Authentication based on Identity NOT host machines
• Identity tied to chain of trust / key distribution (transparent to application)
• Authorization policies built around Identity model
https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
Transparent ALTS
Handshake / Record Protocol
ALTS is Proven at Scale
Should we build ALTS?
No. Modern Building Blocks Exist
Let’s take a look
Modern, Secure Service Networking
• Transparent to applications / RPC invocations
• Transparent encryption
• Simplified cryptography (limited key exchange/cipher algorithms)
• Authentication based on Identity NOT host machines
• Identity tied to chain of trust / key distribution (transparent to application)
• Authorization policies built around Identity model
Wireguard
Transparent encryption made easy
• A kernel/OS module aimed at transparently encrypting IP traffic between two nodes, for VPN use cases
• Simple code base (around 7k LOC, vs. e.g. 100K+ for IPsec)
• No cipher/protocol negotiation; fixed cryptography
• Operates at L3; encrypted packets are encapsulated in UDP
• Intended to use ciphers that afford more performance
• Simplified configuration; public keys are exchanged out of band
https://www.wireguard.com/papers/wireguard.pdf
Configure public keys and it just works
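Added illustration, not from the deck or from WireGuard’s own code: the cryptokey-routing rule described in the referenced WireGuard paper, written out in Go. It is what “configure public keys and it just works” amounts to, and also why the later slides can say WireGuard authenticates peers but knows nothing about service identity: a peer is only a public key bound to a set of AllowedIPs. The two peers and their placeholder keys are constructed for this example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Peer mirrors one [Peer] section of a WireGuard interface: a static public key
// learned out of band and the AllowedIPs bound to it. The keys used in this
// example are constructed placeholders, not real Curve25519 keys.
type Peer struct {
	PublicKey  string
	AllowedIPs []netip.Prefix
}

// Table is an interface's cryptokey routing table (public key <-> IP prefixes).
type Table struct{ peers []Peer }

// PeerFor is the outbound rule: a packet to dst is encrypted for the peer whose
// AllowedIPs holds the longest prefix covering dst; no match means no route.
func (t *Table) PeerFor(dst netip.Addr) (*Peer, bool) {
	var best *Peer
	bestBits := -1
	for i := range t.peers {
		for _, p := range t.peers[i].AllowedIPs {
			if p.Contains(dst) && p.Bits() > bestBits {
				best, bestBits = &t.peers[i], p.Bits()
			}
		}
	}
	return best, best != nil
}

// Accept is the inbound rule: a packet that decrypted under peerKey is delivered
// only if its inner source address lies inside that peer's AllowedIPs. Without
// this check a legitimate key holder could inject traffic claiming another
// peer's address; the tunnel proves which key sent it, not which service did.
func (t *Table) Accept(peerKey string, src netip.Addr) error {
	for _, peer := range t.peers {
		if peer.PublicKey != peerKey {
			continue
		}
		for _, p := range peer.AllowedIPs {
			if p.Contains(src) {
				return nil
			}
		}
		return fmt.Errorf("drop: source %s is outside AllowedIPs of peer %s", src, peerKey)
	}
	return fmt.Errorf("drop: %s is not a configured peer", peerKey)
}

// demoTable is a constructed two-peer configuration: peer B owns 10.0.1.0/24 except
// for one host, 10.0.1.200/32, which belongs to peer C together with 10.0.2.0/24.
func demoTable() *Table {
	return &Table{peers: []Peer{
		{PublicKey: "PEER_B_PUBKEY", AllowedIPs: []netip.Prefix{netip.MustParsePrefix("10.0.1.0/24")}},
		{PublicKey: "PEER_C_PUBKEY", AllowedIPs: []netip.Prefix{
			netip.MustParsePrefix("10.0.1.200/32"), netip.MustParsePrefix("10.0.2.0/24")}},
	}}
}

func main() {
	tbl := demoTable()
	peer, _ := tbl.PeerFor(netip.MustParseAddr("10.0.1.200"))
	fmt.Println("10.0.1.200 is encrypted for", peer.PublicKey)
	fmt.Println(tbl.Accept("PEER_B_PUBKEY", netip.MustParseAddr("10.0.2.5")))
}
```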
Opinionated Crypto (Based on the Noise Framework)
• Elliptic Curve Diffie-Hellman with Curve25519
• ChaCha20+Poly1305 for authenticated encryption
• BLAKE2s for hashing
• Optional pre-shared key (PSK)
• If a vulnerability is found, upgrade everything
https://www.wireguard.com/papers/wireguard.pdf
Downsides of Wireguard
• Could be very difficult to upgrade “everything” all at once for a discovered
vulnerability
• Not FIPS compliant
• Will not be FIPS compliant
− https://twitter.com/matthew_d_green/status/1443558648878350339
• Doesn’t solve for workload Mutual Authentication, Identity, or Authorization
Options to Layer Authentication for svc-to-svc?
• Wireguard “authenticates” its peers but has no knowledge of service identities
• JWT access tokens (i.e., OAuth 2.0 + Secure Token Service)
• Custom mutual authentication mechanism (see Cilium)
• Layer client certificates and TLS on top
Cilium’s approach to mutual authentication
Transport Layer Security
TLS 1.3
31 | Copyright © 2022
Transport Layer Security
32 | Copyright © 2022
Transport Layer Security (TLS 1.2)
33 | Copyright © 2022
Transport Layer Security (TLS 1.3)
34 | Copyright © 2022
Client Authentication (mTLS)
Why use TLS 1.3?
• Faster
− Handshake takes fewer round trips
• Safer (drops support for unsafe cryptographic algorithms)
− Removes RSA key exchange (doesn’t provide forward secrecy)
− Removes CBC/RC4 ciphers
− Restricts DH parameters to known secure params
− Handshake is signed by the server, so it cannot be tricked into a downgrade
− Only AEAD ciphers
TLS Can Do Authentication, Encryption, Integrity Checks
• FIPS-compliant implementations exist
• Private keys never get sent over the wire (as JWT tokens are)
• Can be terminated at the applications for an end-to-end session
• TLS 1.3 brings simplification of cipher/protocol negotiation
• Looks a lot more like Google ALTS!
Downsides to TLS
• No standard way to specify identity
• Key issuance, revocation, rotation can be complex
• How do the applications handle key material safely?
• What if applications mis-configure?
• Every language/framework/library is different
Standard Workload Identity Framework with SPIFFE
Secure Production Identity Framework (for Everyone)
• Open source identity specification for workloads
• Intended to solve the “universal workload identity problem”
• Independent of application type, network, or platform/cloud
• Identities are specified as URI strings
• Verified via signed credentials (X.509, JWT, etc.)
• API and workflow for attestation built into SPIFFE implementations
• Intended to eliminate passwords, other secrets, etc.
SPIFFE
Who is Service A?
Identity described in SVID
Identity for Workloads
SPIRE is a Production Implementation of SPIFFE
Bringing it Together Transparently: TLS 1.3 + SPIFFE
Now we know who Service A is…
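Added example (not from the deck, Istio or SPIRE), in Go with the standard library only, covering the TLS 1.3 and SPIFFE slides above: a trust-domain root standing in for the SPIRE bundle, an X509-SVID whose identity is a spiffe:// URI SAN, and a TLS 1.3-only server config that requires a client SVID, chains it to the bundle, and then authorizes by SPIFFE ID under a deny-by-default caller policy. The trust domain example.org, the two service IDs, the policy table and the mint helper are assumptions of this example, not anything the deck specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Constructed trust domain and workload identities (hypothetical values).
const (
	serviceA = "spiffe://example.org/ns/default/sa/service-a"
	serviceB = "spiffe://example.org/ns/default/sa/service-b"
)

// allowedCallers is the deny-by-default policy: callee SPIFFE ID -> permitted callers.
var allowedCallers = map[string][]string{serviceB: {serviceA}}

// mint generates a P-256 key and signs tmpl with parent; parent == nil means self-signed.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA is a self-signed trust-domain root, standing in for the SPIRE trust bundle.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{Subject: pkix.Name{CommonName: "example.org root"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// issueSVID signs a short-lived leaf whose only identity is the SPIFFE ID in a URI SAN.
func issueSVID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffeID string) (tls.Certificate, error) {
	id, err := url.Parse(spiffeID)
	if err != nil {
		return tls.Certificate{}, err
	}
	cert, key, err := mint(&x509.Certificate{URIs: []*url.URL{id}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}, ca, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}, nil
}

// spiffeIDFromCert returns the SPIFFE ID; an X509-SVID carries exactly one spiffe:// URI SAN.
func spiffeIDFromCert(cert *x509.Certificate) (string, error) {
	if len(cert.URIs) != 1 || cert.URIs[0].Scheme != "spiffe" {
		return "", fmt.Errorf("certificate %v does not carry exactly one spiffe:// URI SAN", cert.SerialNumber)
	}
	return cert.URIs[0].String(), nil
}

// authorize is the VerifyPeerCertificate hook: crypto/tls has already chained the client
// certificate to the bundle, so only the verified leaf's SPIFFE ID and the policy remain.
func authorize(self string) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		if len(chains) == 0 || len(chains[0]) == 0 {
			return fmt.Errorf("no verified client chain")
		}
		id, err := spiffeIDFromCert(chains[0][0])
		if err != nil {
			return err
		}
		for _, caller := range allowedCallers[self] {
			if caller == id {
				return nil
			}
		}
		return fmt.Errorf("%s is not allowed to call %s", id, self)
	}
}

// serverConfig: TLS 1.3 only, client SVID required and chained to the bundle, then authorized by SPIFFE ID.
func serverConfig(svid tls.Certificate, bundle *x509.CertPool, self string) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{svid},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: bundle,
		VerifyPeerCertificate: authorize(self),
	}
}
```

Wire serverConfig into tls.Listen or an http.Server; a client built the same way pins the expected server SPIFFE ID instead of a hostname, since an SVID carries no DNS name.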
An example implementation: Istio Ambient Mesh
https://istio.io/latest/blog/2022/introducing-ambient-mesh/
Istio Ambient Mesh (w/ TLS 1.3 + SPIFFE)
• Transparent to applications / RPC invocations
• Transparent encryption
• Simplified cryptography (limited key exchange/cipher algorithms)
• Authentication based on Identity NOT host machines
• Identity tied to chain of trust / key distribution (transparent to application)
• Authorization policies built around Identity model
Demo
Additional Resources
● https://lp.solo.io/white-paper-zero-trust
● https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
● https://istio.io/latest/blog/2022/introducing-ambient-mesh/
● https://www.wireguard.com/papers/wireguard.pdf
● https://www.solo.io/zero-trust/
● https://academy.solo.io
● https://istio.io
● https://cilium.io
● https://lp.solo.io/istio-ambient-mesh-explained
Thank You!

Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 

Recently uploaded (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 

Understanding Wireguard, TLS and Workload Identity

13. Application Layer Transport Security
• Built in 2007 (TLS 1.1 was the latest version at that point)
• TLS 1.1 did not meet Google's minimum security standards
• A simpler, more tailored implementation of TLS
• More flexible workload identity model
• Certs use ECDH keys; uses DH key exchange; can provide perfect forward secrecy (PFS) and authenticated encryption (AE)
• Uses Protocol Buffers to serialize certificates and protocol messages
https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security

14. ALTS Design
• Transparent to applications / RPC invocations
• Simplified cryptography (limited key exchange/cipher algorithms)
• Authentication based on identity, NOT host machines
• Identity tied to chain of trust / key distribution (transparent to application)
• Authorization policies built around the identity model
https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security

15. Transparent ALTS

16. Handshake / Record Protocol

17. ALTS is Proven at Scale. Should we build ALTS?

18. No. Modern Building Blocks Exist. Let's take a look.

19. Modern, Secure Service Networking
• Transparent to applications / RPC invocations
• Transparent encryption
• Simplified cryptography (limited key exchange/cipher algorithms)
• Authentication based on identity, NOT host machines
• Identity tied to chain of trust / key distribution (transparent to application)
• Authorization policies built around the identity model

20. Wireguard: Transparent encryption made easy

21. Wireguard

22. Wireguard
• A kernel/OS module aimed at transparently encrypting IP between two nodes for VPN use cases
• Simple code base (around 7k LOC vs. 100K+ for e.g. IPsec)
• No cipher/protocol negotiation; fixed cryptography
• For L3, encapsulates encrypted packets in UDP
• Intended to use ciphers that afford more performance
• Simplified configuration; out-of-band public-key exchange
https://www.wireguard.com/papers/wireguard.pdf

23. Configure public keys and it just works

24. Opinionated Crypto (Based on the Noise Framework)
• Elliptic-curve Diffie-Hellman with Curve25519
• ChaCha20+Poly1305 for authenticated encryption
• BLAKE2s for hashing
• Optional pre-shared key (PSK)
• If a vulnerability is found, upgrade everything
https://www.wireguard.com/papers/wireguard.pdf

25. Downsides of Wireguard
• Could be very difficult to upgrade "everything" all at once for a discovered vulnerability
• Not FIPS compliant
• Will not be FIPS compliant
  − https://twitter.com/matthew_d_green/status/1443558648878350339
• Doesn't solve for workload mutual authentication, identity, or authorization
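The key model behind slides 22 to 25 (configure the other side's public key and it just works, fixed cryptography, optional PSK), as an added example that is not from the talk or from the WireGuard project. Each node keeps a Curve25519 private key that never leaves the host and is configured only with the peer's public key; an X25519 agreement, with the optional pre-shared key mixed in, gives both sides a session key that nobody without one of the two private keys can compute. It is a sketch on Go's standard library: crypto/ecdh and SHA-256 stand in for WireGuard's Noise_IK handshake, its per-session ephemeral keys and BLAKE2s, and the node names, the "wg-demo-v1" label and the PSK values are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Node holds one WireGuard-style static Curve25519 key pair. The private key never
// leaves the host; only the base64 public key is handed to the other side out of band
// (the value an operator pastes into the peer's configuration).
type Node struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewNode(name string) *Node {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only if the system CSPRNG is unavailable
	}
	return &Node{Name: name, priv: priv}
}

// PublicKey is the only thing a node ever shares.
func (n *Node) PublicKey() string {
	return base64.StdEncoding.EncodeToString(n.priv.PublicKey().Bytes())
}

// SessionKey derives a symmetric key from the X25519 shared secret, both static public
// keys and an optional pre-shared key. Sketch only (assumed construction): real WireGuard
// runs a Noise_IK handshake that also mixes in ephemeral keys for forward secrecy and
// hashes with BLAKE2s. Note what the result does NOT say: a matching key proves the peer
// holds the configured private key, not which workload or service that key belongs to.
func (n *Node) SessionKey(peerPublicKey string, psk []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(peerPublicKey)
	if err != nil {
		return nil, err
	}
	peer, err := ecdh.X25519().NewPublicKey(raw)
	if err != nil {
		return nil, fmt.Errorf("bad peer key: %w", err)
	}
	shared, err := n.priv.ECDH(peer)
	if err != nil {
		return nil, err // crypto/ecdh rejects low-order points that would give an all-zero secret
	}
	lo, hi := n.priv.PublicKey().Bytes(), raw
	if bytes.Compare(lo, hi) > 0 {
		lo, hi = hi, lo // canonical order so both sides hash the same transcript
	}
	h := sha256.New()
	for _, part := range [][]byte{[]byte("wg-demo-v1"), shared, lo, hi, psk} {
		h.Write(part) // psk is empty when no PSK is configured
	}
	return h.Sum(nil), nil
}

// Agree reports whether two nodes, each knowing only its own private key, the other's
// public key and the same optional PSK, derive the identical session key.
func Agree(a, b *Node, psk []byte) (bool, error) {
	ka, err := a.SessionKey(b.PublicKey(), psk)
	if err != nil {
		return false, err
	}
	kb, err := b.SessionKey(a.PublicKey(), psk)
	if err != nil {
		return false, err
	}
	return bytes.Equal(ka, kb), nil
}

func main() {
	alice, bob := NewNode("alice"), NewNode("bob")
	ok, err := Agree(alice, bob, []byte("optional-psk"))
	fmt.Println("alice<->bob agree:", ok, err)
}
```

Two points carry over to the real thing: a wrong or garbage peer key is rejected before any secret is derived, and a third node holding its own valid key pair cannot reproduce the alice/bob key. The identity gap slide 25 names is visible in the return value: it is 32 bytes that authenticate a key, with no service name attached.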
26. Options to Layer Authentication for svc-to-svc?
• Wireguard "authenticates" its peers but has no knowledge of service identities
• JWT access tokens (i.e., OAuth 2.0 + Secure Token Service)
• Custom mutual authentication mechanism (see Cilium)
• Layer client certificates and TLS on top

27–29. Cilium's approach to mutual authentication

30. Transport Layer Security: TLS 1.3

31. Transport Layer Security

32. Transport Layer Security (TLS 1.2)

33. Transport Layer Security (TLS 1.3)

34. Client Authentication (mTLS)

35. Why use TLS 1.3?
• Faster
  − Handshake takes fewer round trips
• Safer (drops support for unsafe cryptographic algorithms)
  − Removes RSA key exchange (doesn't provide forward secrecy)
  − Removes CBC/RC4 ciphers
  − Restricts DH parameters to known secure params
  − Handshake is signed by the server; cannot be tricked into a downgrade
  − Chose AEAD ciphers only

36. TLS Can Do Authentication, Encryption, Integrity Checks
• FIPS-compliant implementations exist
• Private keys do not get sent over the wire (unlike bearer JWT tokens)
• Can be terminated at the applications for an end-to-end session
• TLS 1.3 brings simplification for cipher/protocol negotiation
• Looks a lot more like Google ALTS!

37. Downsides to TLS
• No standard way to specify identity
• Key issuance, revocation, rotation can be complex
• How do the applications handle key material safely?
• What if applications are mis-configured?
• Every language/framework/library is different

38. Standard Workload Identity Framework with SPIFFE

39. Secure Production Identity Framework (for Everyone)
• Open-source identity specification for workloads
• Intended to solve the "universal workload identity problem"
• Independent of application type, network, or platform/cloud
• Identities specified as URI strings
• Verified via signed credentials (X.509, JWT, etc.)
• API and workflow for attestation built into SPIFFE implementations
• Intended to eliminate passwords, other secrets, etc.

40. SPIFFE

41. Who is Service A?

42. Identity described in an SVID

43. Identity for Workloads

44. SPIRE is a Production Implementation of SPIFFE

45. Bringing it Together Transparently: TLS 1.3 + SPIFFE

46. Now we know who Service A is…
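Slides 30 to 37 and 38 to 46 put together: TLS 1.3 mutual authentication in which each workload presents an X.509 SVID and the peer is authorized by the SPIFFE ID in its URI SAN rather than by a hostname. This is an added example in Go's standard library, not code from the talk, from Istio, from SPIRE or from Solo.io. A self-signed root stands in for the trust bundle a SPIRE server would publish, the SPIFFE IDs spiffe://example.org/backend and spiffe://example.org/frontend and the function names are assumptions, and the handshake runs over a loopback TCP socket. The verification callback replaces Go's DNS-name check, which an SVID cannot pass, with chain validation against the bundle plus an exact SPIFFE ID comparison; that comparison is where slide 14's "authorization policies built around the identity model" actually happens.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/url"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mintCert issues a short-lived X.509 SVID whose only identity is the SPIFFE ID in its URI
// SAN (no CN, no DNS name). With parent == nil it returns a self-signed root instead (the bundle).
func mintCert(spiffeID string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour), // short-lived: rotation, not revocation, retires it
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{must(url.Parse(spiffeID))},
	}
	if parent == nil { // self-signed root: the template is its own parent
		tmpl.Subject.CommonName, tmpl.IsCA, tmpl.BasicConstraintsValid = "demo-spiffe-ca", true, true
		tmpl.KeyUsage, tmpl.URIs = x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// mtlsConfig pins TLS 1.3 and routes every peer decision through one callback that validates
// the chain against the bundle (no DNSName, so no hostname check) and then requires an exact
// SPIFFE ID: that is the authorization decision. Both roles share the config: InsecureSkipVerify
// only affects the client (it swaps Go's hostname check for the callback) and ClientAuth only
// affects the server. Single-level chains only, for brevity.
func mtlsConfig(cert *x509.Certificate, key *ecdsa.PrivateKey, bundle *x509.CertPool, expectPeer string) *tls.Config {
	verify := func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		leaf, err := x509.ParseCertificate(rawCerts[0]) // crypto/tls never calls this with no certs
		if err != nil {
			return err
		}
		if _, err = leaf.Verify(x509.VerifyOptions{Roots: bundle, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
			return err
		}
		if len(leaf.URIs) != 1 || leaf.URIs[0].String() != expectPeer {
			return fmt.Errorf("peer identity %v, want %s", leaf.URIs, expectPeer)
		}
		return nil
	}
	return &tls.Config{
		MinVersion:            tls.VersionTLS13,
		Certificates:          []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		VerifyPeerCertificate: verify,
		InsecureSkipVerify:    true,
		ClientAuth:            tls.RequireAnyClientCert,
	}
}

// connectLoopback runs one mTLS handshake over 127.0.0.1 and returns the negotiated version;
// an identity the other side does not expect surfaces as an error.
func connectLoopback(srv, cli *tls.Config) (uint16, error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		s := tls.Server(must(ln.Accept()), srv)
		srvErr <- s.Handshake() // a rejected client is sent a bad_certificate alert here
		s.Close()               // an accepted one is sent close_notify
	}()
	c := tls.Client(must(net.Dial("tcp", ln.Addr().String())), cli)
	defer c.Close()
	if _, err := c.Read(make([]byte, 1)); err != io.EOF { // handshake, then close_notify (EOF) or the alert
		return 0, fmt.Errorf("expected clean close, got %v", err)
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return c.ConnectionState().Version, nil
}

// Demo: the backend admits a caller holding the frontend SVID and turns away one holding a
// different, equally valid SVID from the same bundle. The SPIFFE IDs are assumed values.
func Demo() (version uint16, rejection, err error) {
	ca, caKey := mintCert("", nil, nil)
	bundle := x509.NewCertPool()
	bundle.AddCert(ca)
	const backend, frontend = "spiffe://example.org/backend", "spiffe://example.org/frontend"
	beCert, beKey := mintCert(backend, ca, caKey)
	feCert, feKey := mintCert(frontend, ca, caKey)
	srv := mtlsConfig(beCert, beKey, bundle, frontend) // policy: only the frontend may call the backend
	if version, err = connectLoopback(srv, mtlsConfig(feCert, feKey, bundle, backend)); err != nil {
		return
	}
	_, rejection = connectLoopback(srv, mtlsConfig(beCert, beKey, bundle, backend)) // valid SVID, wrong ID
	return
}

func main() { fmt.Println(Demo()) }
```

Two things to read off the result: MinVersion pins TLS 1.3, so the version Demo returns can only be 0x0304, and the second caller is refused even though its certificate chains to the very same bundle, because its SPIFFE ID is not the one the backend's policy names. InsecureSkipVerify is acceptable here only because VerifyPeerCertificate redoes the chain validation; on its own it would accept any certificate. What SPIRE adds on top of this sketch is the part slides 39 and 44 describe: the SVID is issued to a workload after the agent attests it, and it is replaced before NotAfter.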
47. An example implementation: Istio Ambient Mesh
https://istio.io/latest/blog/2022/introducing-ambient-mesh/

48. Istio Ambient Mesh (with TLS 1.3 + SPIFFE)
• Transparent to applications / RPC invocations
• Transparent encryption
• Simplified cryptography (limited key exchange/cipher algorithms)
• Authentication based on identity, NOT host machines
• Identity tied to chain of trust / key distribution (transparent to application)
• Authorization policies built around the identity model

49. Demo

50. Additional Resources
● https://lp.solo.io/white-paper-zero-trust
● https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
● https://istio.io/latest/blog/2022/introducing-ambient-mesh/
● https://www.wireguard.com/papers/wireguard.pdf
● https://www.solo.io/zero-trust/
● https://academy.solo.io
● https://istio.io
● https://cilium.io
https://lp.solo.io/istio-ambient-mesh-explained