Orchestrating Least Privilege by Diogo Monica

•Download as PPTX, PDF•

4 likes•1,471 views

The document discusses orchestrating systems with least privilege by describing the roles of an orchestrator and conductor in managing resources. It proposes using mutual TLS, authentication of communication, and authorization of access to mitigate attacks from external, internal, and malicious actors. Cryptographic tokens are used to bootstrap new nodes securely into the orchestrated system through mutual TLS.

Job of a Conductor
- Casting
- Assign sheet music
- Unify performers
- Set the tempo

Job of an Orchestrator
- Node management
- Task assignment
- Cluster state reconciliation
- Resource Management

A process must be able to access
only the information and
resources that are necessary for
its legitimate purpose.Principle of Least Privilege

What do we need to
achieve Least
Privilege
Orchestration?

Mitigating External Attacker
- Externally accessible service ports
are explicitly defined
- Administration endpoints are
authenticated and authorized

Mitigating Internal Network
Attacker
- Authentication of both network and
cluster control-plane communication
- Service to service communication is
authorized, with orchestrator managed
ACLs

Mitigating MiTM Attacker
- All control and data-plane traffic is
encrypted.

Mitigating Malicious Worker
‣Should only have access to
resources currently in use
‣Push VS Pull
‣No ability to modify or access any
cluster state except their own.
‣Identity is assigned, never
requested

Mitigating Malicious Manager
‣Can’t run arbitrary code on workers
‣No access to secret material
‣No ability to spin up unauthorized
nodes/impersonate existing nodes.
‣No ability to read service-to-service
communication

Mutual TLS by default
• First node generates a
new self-signed CA.

Mutual TLS by default
• First node generates a
new self-signed CA.
• New nodes can get a
certificate issued w/ a
token.

Mutual TLS by default
• First node generates a
new self-signed CA.
• New nodes can get a
certificate issued w/ a
token.
• Workers and managers
identified by their
certificate.

The Token
SWMTKN-1-mx8susrv1etsmc8omaom825bet6-cm6zts22rl4hly2
Prefix to allow VCS
searches for leaked
Tokens
Token Version
Cryptographic Hash
of the CA Root Certificate
for bootstrap
Randomly generated
Secret

Bootstrap
1. Retrieve and validate Root
CA Public key material.
2. Submit new CSR along
with secret token.
3. Retrieve the signed
certificate.

Automatic Certificate Rotation
1. Submit new CSR using
old key-pair.
2. Retrieve the new signed
certificate.

Support for External CAs
• Managers support BYO
CA.
• Forwards CSRs to
external CA.

Docker networking provides a networking fabric for containers called libnetwork that defines the container networking model and provides features like multi-host networking, service discovery, load balancing, and security. New features in Docker 1.12 include networking in swarm mode without an external key-value store, macvlan driver support, a gossip-based secure control plane, optional IPSec for the data plane, built-in DNS for service discovery and load balancing, and a routing mesh for edge routing.

Docker Networking & Swarm Mode Introduction

Phi Huynh

This document introduces Docker networking and Docker Swarm mode. It discusses the different types of Docker networks including bridge, null, and host networks. It also covers multi-host networking using overlay networks. For Docker Swarm mode, it describes the key features including self-healing, self-organizing, blue-print deployment, load balancing using a routing mesh, and not requiring additional components for service discovery or load balancing. The document aims to provide an overview of these topics and includes examples.

Service Discovery & Load-Balancing under Docker 1.12.0 @ Docker Meetup #22

Ajeet Singh Raina

OpenStack HA

Kenneth Hui

The document discusses high availability (HA) techniques in OpenStack. It covers HA concepts for both stateless and stateful services. For compute HA, it discusses server evacuation and instance migration without and with shared storage. It then covers different HA options for OpenStack controllers, including Pacemaker/Corosync/DRBD for active-passive HA and Galera for active-active MySQL HA. It also discusses using Keepalived, HAProxy and VRRP for load balancing and failover of API services. Finally, it presents a sample highly available OpenStack architecture and lists additional resources.

Docker summit : Docker Networking Control-plane & Data-Plane

Madhu Venugopal

This document discusses Docker networking and provides an overview of its control plane and data plane components. The control plane uses a gossip-based protocol for decentralized event dissemination and failure detection across nodes. The data plane uses overlay networking with Linux bridges and VXLAN interfaces to provide network connectivity between containers on different Docker hosts. Load balancing for internal and external traffic is implemented using IPVS for virtual IP addresses associated with Docker services.

Open stack networking vlan, gre

Sim Janghoon

OpenStack networking can use either VLAN tagging or GRE tunneling to provide logical isolation between tenant networks. With VLAN, packets are tagged with a VLAN ID at the compute and network nodes to associate them with a particular tenant network. With GRE, packets are encapsulated with a GRE header that includes a tunnel ID to associate them with a tenant network. Security groups are applied using iptables rules to filter traffic between VMs in different networks.

DCUS17 : Docker networking deep dive

Madhu Venugopal

This document provides an overview and agenda for a presentation on OpenStack networking. It begins with an overview of OpenStack architecture and services like Compute, Networking, Identity and Image services. It then discusses basic network components like controllers, compute nodes and networking plugins. Next, it covers networking process flows and dives deeper into the Neutron networking plugin, including the Modular Layer 2 plugin framework and drivers like Open vSwitch. It concludes with a planned demonstration of networking functionality in an OpenStack lab environment.

AstriCon 2017 - Docker Swarm & Asterisk

Evan McGee

Docker Meetup: Docker Networking 1.11, by Madhu Venugopal

Michelle Antebi

Neutron high availability open stack architecture openstack israel event 2015

Arthur Berezin

Docker Networking : 0 to 60mph slides

Docker, Inc.

Docker 1.12 networking deep dive

Madhu Venugopal

This document provides an overview and agenda for a Docker networking deep dive presentation. The presentation covers key concepts in Docker networking including libnetwork, the Container Networking Model (CNM), multi-host networking capabilities, service discovery, load balancing, and new features in Docker 1.12 like routing mesh and secured control/data planes. The agenda demonstrates Docker networking use cases like default bridge networks, user-defined bridge networks, and overlay networks. It also covers networking drivers, Docker 1.12 swarm mode networking functionality, and how packets flow through systems using routing mesh and load balancing.

Bridges and Tunnels a Drive Through OpenStack Networking

markmcclain

This document summarizes OpenStack networking and some of its key components and capabilities. It discusses the motivation for creating Neutron as a networking service, challenges in cloud networking like multi-tenancy and on-demand provisioning, and how Neutron tackles these challenges through network virtualization and SDN. It provides an overview of Neutron's architecture, including its plugin-based model, agents, and common features like security groups. It also describes new capabilities in OpenStack Juno like IPv6 support and distributed virtual routing.

Libnetwork update at Moby summit June 2017

Docker, Inc.

OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...

markmcclain

This document summarizes OpenStack networking and some key improvements in recent releases. It discusses the motivation for creating Neutron as a networking component separate from Nova, challenges in cloud networking like multi-tenancy and scalability, and how Neutron addresses these through network virtualization and SDN. The basics of Neutron's architecture, plugins, agents, and abstraction of network resources are covered. Features like security groups, IPv6 support, distributed virtual routing, and load balancing are also summarized. Upcoming work in areas like metadata service, IPAM, and dynamic routing is mentioned.

rtnetlink

Taku Fukushima

Open stack ha design & deployment kilo

Steven Li

Microservices with docker swarm and consul

Nguyen Sy Thanh Son

This document discusses implementing microservices using Docker Swarm and Consul. It recommends programming languages and tools for orchestration, databases, load balancing, monitoring, and other functions. Docker Swarm allows clustering Docker hosts into a pool of resources. Consul provides service discovery, configuration, and failure detection across multiple datacenters. Consul-Template listens for Consul updates and configures applications. Registrator automatically registers and deregisters Docker services with Consul. An example scenario shows how services scale across nodes with this architecture.

Docker Swarm 45-min Workshop (Mountain View Docker Meetup 2/24/2016)

Mike Goelzer

Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...

Dave Neary

This document discusses networking in OpenStack and Neutron. It begins with an overview of the OSI model and networking in a virtual world using Open vSwitch. It then covers Neutron and how it provides high-level abstractions for networking while abstracting away the internals. The document demonstrates how to create subnets and attach instances using Neutron. It also discusses debugging networking issues through examining devices, tracking packets, and looking at DHCP and routing tables. Resources for further information are provided at the end.

Containerizing Network Services - Alon Harel - OpenStack Day Israel 2016

Cloud Native Day Tel Aviv

Load Balancing 101

HungWei Chiu

2014 OpenStack Summit - Neutron OVS to LinuxBridge Migration

James Denton

Docker Service Registration and Discovery

m_richardson

This document discusses service registration and discovery with Consul. It begins with an overview of service registration and discovery and how existing approaches like DNS can struggle in Docker environments. Consul is presented as a tool that stores information about services and supports service discovery. Registrator is introduced as a tool that automatically registers and deregisters Docker services with Consul. The document demonstrates how to run Consul and Registrator as Docker containers and have Registrator register container services with Consul. Finally, Consul Template is discussed as a tool to query services registered with Consul and apply configuration templates.

Docker Online Meetup #22: Docker Networking

Docker, Inc.

Infinit: Modern Storage Platform for Container Environments

Docker, Inc.

Providing state to applications in Docker requires a backend storage component that is both scalable and resilient in order to cope with a variety of use cases and failure scenarios. The Infinit Storage Platform has been designed to provide Docker applications with a set of interfaces (block, file and object) allowing for different tradeoffs. This talk will go through the design principles behind Infinit and demonstrate how the platform can be used to deploy a storage infrastructure through Docker containers in a few command lines.

'The History of Metrics According to me' by Stephen Day

Docker, Inc.

Metrics and monitoring are a time honored tradition for any engineering discipline. It is how we ensure the systems we use are working the way we expect. If this is a time honored tradition, why is it not a built into every piece of software we create, from the ground up? With software engineering, usually the trick to solving anything is to make it easier. By solving the hard parts of application metrics in Docker, we should make it more likely that metrics are a part of your services from the start.

Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...

Docker, Inc.

Talk from Docker SF Meetup #50 Abstract: Docker swarm mode enables users to manage their applications with service primitives. In this talk we demonstrate how to do service upgrades without impacting your application. The Healthcheck feature provides health indication for a container. Coming up in Docker 1.13 release, Docker Swarm can connect healthcheck result with load balancer to implement no-loss service upgrade. Speaker Biographies: Nishant Totla is a software engineer at Docker, and works on the core open source team. He is currently working on Docker SwarmKit and Docker Swarm. Prior to Docker, he was a PhD student at UC Berkeley, doing research on programming languages. In his spare time, he enjoys long-distance running, biking, and other outdoor activities. Nishant tweets at @nishanttotla. Dongluo Chen is a software engineer at Docker focusing on orchestration and container development. Before Docker he was software engineer manager at Microsoft Azure building and automating global data centers. He worked at France Telecom (Orange) and the Ohio State University as research scientist in networking area.

What's hot

Openstack Basic with Neutron

KwonSun Bae

AstriCon 2017 - Docker Swarm & Asterisk

Evan McGee

Docker Meetup: Docker Networking 1.11, by Madhu Venugopal

Michelle Antebi

Neutron high availability open stack architecture openstack israel event 2015

Arthur Berezin

Docker Networking : 0 to 60mph slides

Docker, Inc.

Docker 1.12 networking deep dive

Madhu Venugopal

Bridges and Tunnels a Drive Through OpenStack Networking

markmcclain

Libnetwork update at Moby summit June 2017

Docker, Inc.

OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...

markmcclain

rtnetlink

Taku Fukushima

Open stack ha design & deployment kilo

Steven Li

Microservices with docker swarm and consul

Nguyen Sy Thanh Son

Docker Swarm 45-min Workshop (Mountain View Docker Meetup 2/24/2016)

Mike Goelzer

Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...

Dave Neary

Containerizing Network Services - Alon Harel - OpenStack Day Israel 2016

Cloud Native Day Tel Aviv

Load Balancing 101

HungWei Chiu

2014 OpenStack Summit - Neutron OVS to LinuxBridge Migration

James Denton

Docker Service Registration and Discovery

m_richardson

Docker Online Meetup #22: Docker Networking

Docker, Inc.

What's hot (19)

Openstack Basic with Neutron

AstriCon 2017 - Docker Swarm & Asterisk

Docker Meetup: Docker Networking 1.11, by Madhu Venugopal

Neutron high availability open stack architecture openstack israel event 2015

Docker Networking : 0 to 60mph slides

Docker 1.12 networking deep dive

Bridges and Tunnels a Drive Through OpenStack Networking

Libnetwork update at Moby summit June 2017

OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...

rtnetlink

Open stack ha design & deployment kilo

Microservices with docker swarm and consul

Docker Swarm 45-min Workshop (Mountain View Docker Meetup 2/24/2016)

Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...

Containerizing Network Services - Alon Harel - OpenStack Day Israel 2016

Load Balancing 101

2014 OpenStack Summit - Neutron OVS to LinuxBridge Migration

Docker Service Registration and Discovery

Docker Online Meetup #22: Docker Networking

Viewers also liked

Infinit: Modern Storage Platform for Container Environments

Docker, Inc.

'The History of Metrics According to me' by Stephen Day

Docker, Inc.

Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...

Docker, Inc.

Docker Roadshow 2016

Docker, Inc.

Docker Online Meetup: Infrakit update and Q&A

Docker, Inc.

While working on Docker for AWS and Azure, we realized the need for a standard way to create and manage infrastructure state that was portable across any type of infrastructure, from different cloud providers to on-prem. One challenge is that each vendor has differentiated IP invested in how they handle certain aspects of their cloud infrastructure. It is not enough to just provision five servers; what IT ops teams need is a simple and consistent way to declare the number of servers, what size they should be, and what sort of base software configuration is required. And in the case of server failures (especially unplanned), that sudden change needs to be reconciled against the desired state to ensure that any required servers are re-provisioned with the necessary configuration. We started InfraKit to solves these problems and to provide the ability to create a self healing infrastructure for distributed systems.

Online Meetup: What's new in docker 1.13.0

Docker, Inc.

Core team member and release captain Victor Vieux will introduce us to what's new in Docker 1.13. Victor will first give an overview and demo some of the new features below: • Restructuration of CLI commands • Experimental build • CLI backward compatibility • Swarm default encryption at rest • Compose to Swarm • Data management commands • Brand new “init system” • Various orchestration enhancements

Docker and Microsoft - Windows Server 2016 Technical Deep Dive

Docker, Inc.

This document summarizes a webinar about Docker and Windows Server 2016. It discusses how Docker is now supported on 98% of enterprise workloads, including Windows Server 2016, providing the same benefits of Docker on Linux to Windows developers and IT professionals. It outlines how Microsoft and Docker partnered to port Docker Engine to Windows, and how Docker images can now be built and run across Linux and Windows. It provides examples of using Docker with Windows Server 2016 for development/testing and migrating applications.

Docker 101 - Nov 2016

Docker, Inc.

containerd and CRI

Docker, Inc.

Driving containerd operations with gRPC

Docker, Inc.

containerd uses gRPC and protocol buffers to define its API. gRPC provides benefits like code generation, performance, and common standards. The containerd gRPC services include Execution, Shim, and Content, which define methods like Create, Start, and List. Protocol buffer definitions generate client and server code in various languages. Developers can build clients and extend containerd with new services. The containerd API is under active development and aims to stabilize before the 1.0 release while allowing backwards compatibility through gRPC versioning.

Docker Online Meetup: Announcing Docker CE + EE

Docker, Inc.

Docker Community Edition (CE) and Enterprise Edition (EE) are the best expressions of the Docker Platform to date. Whether you’re a developer, an ops team or a enterprise IT-team member, and no matter the infrastructure, Docker CE and EE gives you a way to install, upgrade and maintain Docker with the support and assurances required for your particular workload. Both Docker CE and EE are available on a wide range of popular operating systems (including Windows Server 2016) and cloud infrastructure. Developers and devOps have the freedom to run Docker on their favorite infrastructure without risk of lock-in. Michael Friis will give an overview of both editions and highlight the big enhancements to the lifecycle, maintainability and upgradability of Docker.

Talking TUF: Securing Software Distribution

Docker, Inc.

The Update Framework (TUF) secures new or existing software update systems by providing a specification and library that can be flexibly and universally integrated or natively implemented. The update procedure is notoriously susceptible to malicious attacks and TUF is designed to prevent these and other updater weaknesses. Docker's Notary project integrates the Go implementation of TUF with Docker Content Trust to verify the publisher of Docker images. https://github.com/theupdateframework/tuf

Containerd - core container runtime component

Docker, Inc.

Docker extracted its core container runtime component called containerd and donated it to an open source community project to accelerate innovation across the ecosystem. Containerd provides the core primitives to manage containers on Linux and Windows hosts and will be fully compliant with the Open Container Initiative standard. Major container platforms like Docker will use containerd as their core runtime component to provide a "boring" infrastructure component and allow for greater cross-platform compatibility and collaboration.

Unikernels: the rise of the library hypervisor in MirageOS

Docker, Inc.

Prometheus design and philosophy

Docker, Inc.

containerd summit - Deep Dive into containerd

Docker, Inc.

containerd is an industry-standard core container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.. containerd is designed to be embedded into a larger system, rather than being used directly by developers or end-users. containerd includes a daemon exposing gRPC API over a local UNIX socket. The API is a low-level one designed for higher layers to wrap and extend. It also includes a barebone CLI (ctr) designed specifically for development and debugging purpose. It uses runC to run containers according to the OCI specification. The code can be found on GitHub, and here are the contribution guidelines. containerd is based on the Docker Engine’s core container runtime to benefit from its maturity and existing contributors.

Docker Networking: Control plane and Data plane

Docker, Inc.

The document discusses Docker networking and provides an overview of its control plane and data plane components. The control plane uses a gossip-based protocol for decentralized event dissemination and failure detection across nodes. The data plane uses overlay networking with Linux bridges and VXLAN interfaces to provide network connectivity between containers on different Docker hosts. Load balancing for internal and external traffic is implemented using IPVS for virtual IP addresses associated with Docker services.

Persistent storage tailored for containers

Docker, Inc.

The document discusses Infinit, a storage platform designed for containers. It provides persistent storage solutions that can be created and scaled as easily as containers. The Infinit platform uses a distributed architecture with no single leader where data is stored immutably in blocks across a distributed hash table. It aims to provide a uniform storage solution that works the same for development, testing and production environments and can be customized for different situations.

Docker introduction

dotCloud

Docker is a system for running applications in isolated containers. It addresses issues with traditional virtual machines by providing lightweight containers that share resources and allow applications to run consistently across different environments. Docker eliminates inconsistencies in development, testing and production environments. It allows applications and their dependencies to be packaged into a standardized unit called a container that can run on any Linux server. This makes applications highly portable and improves efficiency across the entire development lifecycle.

Docker 101: Introduction to Docker

Docker, Inc.

This document provides an introduction to Docker. It discusses why Docker is useful for isolation, being lightweight, simplicity, workflow, and community. It describes the Docker engine, daemon, and CLI. It explains how Docker Hub provides image storage and automated builds. It outlines the Docker installation process and common workflows like finding images, pulling, running, stopping, and removing containers and images. It promotes Docker for building local images and using host volumes.

Viewers also liked (20)

Infinit: Modern Storage Platform for Container Environments

'The History of Metrics According to me' by Stephen Day

Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...

Docker Roadshow 2016

Docker Online Meetup: Infrakit update and Q&A

Online Meetup: What's new in docker 1.13.0

Docker and Microsoft - Windows Server 2016 Technical Deep Dive

Docker 101 - Nov 2016

containerd and CRI

Driving containerd operations with gRPC

Docker Online Meetup: Announcing Docker CE + EE

Talking TUF: Securing Software Distribution

Containerd - core container runtime component

Unikernels: the rise of the library hypervisor in MirageOS

Prometheus design and philosophy

containerd summit - Deep Dive into containerd

Docker Networking: Control plane and Data plane

Persistent storage tailored for containers

Docker introduction

Docker 101: Introduction to Docker

Similar to Orchestrating Least Privilege by Diogo Monica

Orchestrating Last Privilege - Diogo Monica - DevOpsDays Tel Aviv 2016

DevOpsDays Tel Aviv

MTLS in a Microservices World

Diogo Mónica

One obvious side effect of migrating to a microservices architecture is the need for infrastructure automation. Unfortunately, most automation systems do not take security into consideration, making production deployments orders of magnitude more complex than the initial testbed deployment. The perfect example of this steep increase in deployment difficulty is the creation and management of Public-Key-Infrastructures (PKI). Even though the use of TLS Certificates for service to service communication is known as a best-practice, very few companies actually deploy their systems using mutually-authenticated TLS connections. In this talk I will go over why TLS is the right solution for service to service communication, describe ways to automate the creation and management of your PKI, and present in detail how Docker's swarm orchestration system bootstraps and manages individual node certificates.

Moby SIG Orchestration Security Summit Presentation

Diogo Mónica

The document discusses security initiatives for container orchestration including external secrets, service identities, and entitlements. It focuses on implementing least-privilege access and cryptographic node identity in swarmKit through mechanisms such as mutual TLS (mTLS) between all nodes, secret distribution, and transparent root rotation. Other topics covered include SPIFFE for service identities, capabilities and security modules in runC for entitlements, and future initiatives around service meshes and untrusted managers.

DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches

Felipe Prado

This document discusses network security monitoring of industrial control systems. It provides tips on safely capturing network data from ICS environments, such as using test environments first and working with vendors. It recommends starting with basic open-source tools like SecurityOnion and tcpdump. The document highlights focusing on top talkers, bandwidth usage, encrypted communications, and anomalies. It stresses the importance of including both IT and OT stakeholders and having a plan to address security responsibilities and upgrades.

AAA Implementation

Ahmad El Tawil

The document discusses authentication, authorization, and accounting (AAA) and provides instructions for configuring AAA on Cisco routers. It begins with an introduction to the three A's of AAA - authentication, authorization, and accounting. It then covers identifying each component and implementing authentication using local services or external servers like TACACS+ and RADIUS. The document also discusses authenticating router access, configuring AAA on Cisco routers including enabling AAA globally and setting authentication lists, and troubleshooting AAA using debug commands.

Dr. Omar Ali Alibrahim - Ssl talk

promediakw

Securing management, control & data plane

NetProtocol Xpert

The document discusses securing the management, control, and data planes of a network. It describes: 1. Securing the management plane through strong passwords, encrypted protocols like SSH, user authentication using AAA, role-based access control, logging, and network time protocol. 2. Securing the control plane using control plane policing and protection to minimize CPU load and protect against denial of service attacks. 3. Securing the data plane using access control lists, antispoofing features, port security, DHCP snooping, dynamic ARP inspection, and IP source guard to filter traffic and prevent spoofing and man-in-the-middle attacks.

Microservices Security landscape

Sagara Gunathunga

Microservices architecture is becoming a prominent design principle and a service development methodology, we have now started to see many microservices in production. Yet, security is a less concerned aspect, most of the time development teams are much focus on edge security but due to distributed and disposable nature of microservices, it's equally important to pay attention to securing service-to-service communication both during the transmission and sharing end-user context among services in order to cover vast attack surface.

3429 How to transform your messaging environment to a secure messaging envi...

Robert Parker

Carlos García - Pentesting Active Directory [rooted2018]

RootedCON

Introducción a las pruebas de intrusión en entornos Microsoft Active Directory en forma de ponencia práctica para auditores o personas interesadas en el pentesting en entornos corporativos. Se dará una breve introducción al servicio de directorio Active Directory y sus componentes más críticos desde el punto de vista de la seguridad.Posteriormente, se explicarán las principales diferencias con respecto a un pentesting clásico de infraestructura, así como las técnicas y ataques más comunes para llevar a cabo el ejercicio y comprometer completamente el dominio corporativo.Requisitos: Se recomienda que los asistentes tengan conocimientos básicos de Active Directory y básicos/medios de pentesting o hacking ético, preferiblemente en infraestructuras y/o Sistemas Operativos.

Training Slides: 302 - Securing Your Cluster With SSL

Continuent

This document discusses securing a Tungsten cluster with SSL. It explains what SSL is and why it is used. It then covers deploying SSL for cluster communications and for the Tungsten connector. For the cluster, SSL is enabled in tungsten.ini and certificates are generated and distributed. For the connector in proxy mode, MySQL certificates must be imported into keystores and SSL configured from the connector to the database. SSL can also be configured from the application to the connector. Successful SSL encryption is verified using tcpdump and checking the Tungsten connection status. The next steps will cover the Tungsten dashboard.

TLS/SSL - Study of Secured Communications

Nitin Ramesh

Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...

SBWebinars

New TLS encryption standards puts security at the forefront, but what about the visibility issue? Join us for a “How To” webinar covering the newest possibilities for decryption in the cloud to enable incident response, network detection and response and other key security and DevOps use cases . During the session, Steve Perkins, chief product officer and Erik Freeland, director of customer success at Nubeva, will discuss the complications and opportunities surrounding the new TLS 1.3 protocols. They will walk through how organizations can evolve with new encryption standards and also gain full decrypted traffic visibility for intrusion detection, threat hunting, incident response and beyond with Amazon native packet acquisition technology, Amazon VPC traffic mirroring and industry-leading open source monitoring tools.

MTLS - Securing Microservice Architecture with Mutual TLS Authentication

Laurentiu Meirosu

MTLS Authentication and End-to-End Encryption for Data in transit on the Microservice and Service Mesh Architectures. PKI (Public Key Infrastructure) Anatomy - PKCS (Public Key Cryptography Standards) - X509.v3 Certificates - Chain of Trust Provisioning and Securing Services/Devices - Provisioning Services - Provisioning Devices TOFU (Trust on First Use) Bootstrapping Services - MTLS Wrapper - Automatic Certificate Rotation - STC (Short Term Certificates) Private PKI Architecture - Attack vectors - PKI monitoring

Not a Security Boundary

Will Schroeder

1. The document discusses breaking trusts between Active Directory forests by leveraging compromised unconstrained delegation and the "printer bug" to coerce authentication across forest boundaries. 2. It explains how a compromised server with unconstrained delegation in one forest can be used to extract ticket granting tickets (TGTs) that can then be reused to access resources in a separate, trusting forest. 3. The "printer bug" allows remotely forcing authentication and is used to extract TGTs from the separate forest to circumvent typical cross-forest security restrictions. This bypasses the assumption that forests provide a security boundary when two-way trusts exist between them.

Exploiting Active Directory Administrator Insecurities

Priyanka Aash

"Defenders have been slowly adapting to the new reality: Any organization is a target. They bought boxes that blink and software that floods the SOC with alerts. None of this matters as much as how administration is performed: Pop an admin, own the system. Admins are being dragged into a new paradigm where they have to more securely administer the environment. What does this mean for the pentester or Red Teamer? Admins are gradually using better methods like two-factor and more secure administrative channels. Security is improving at many organizations, often quite rapidly. If we can quickly identify the way that administration is being performed, we can better highlight the flaws in the admin process. This talk explores some common methods Active Directory administrators (and others) use to protect their admin credentials and the flaws with these approaches. New recon methods will be provided on how to identify if the org uses an AD Red Forest (aka Admin Forest) and what that means for one hired to test the organization's defenses, as well as how to successfully avoid the Red Forest and still be successful on an engagement. Some of the areas explored in this talk: Current methods organizations use to administer Active Directory and the weaknesses around them. Using RODCs in the environment in ways the organization didn't plan for (including persistence). Exploiting access to agents typically installed on Domain Controllers and other highly privileged systems to run/install code when that's not their typical purpose. Discovering and exploiting an AD forest that leverages an AD Admin Forest (aka Red Forest) without touching the Admin Forest. If you are wondering how to pentest/red team against organizations that are improving their defenses, this talk is for you. If you are a blue team looking for inspiration on effective defenses, this talk is also for you to gain better insight into how you can be attacked."

Enabling a Secure Multi-Tenant Environment for HPC

inside-BigData.com

Preventing Advanced Targeted Attacks with IAM Best Practices

Andy Thompson

This document outlines an advanced targeted attack and then discusses identity and access management (IAM) best practices to prevent such attacks. It begins with an example "Golden Ticket" attack demonstration. Then, it describes the typical phases of an advanced attack including external reconnaissance, internal reconnaissance, lateral movement, and compromise of privileged accounts. Finally, it discusses IAM best practices such as implementing least privilege, managing application access, using network segmentation, securing credentials, implementing credential boundaries, and monitoring privileged access. The presentation aims to demonstrate advanced attack techniques in order to highlight the importance of strong IAM controls.

Understanding Active Directory Enumeration

Daniel López Jiménez

This document discusses techniques for enumerating information from Active Directory. It begins with an introduction and overview of the domain being targeted, CAPSULE.CORP. The agenda covers local privileges enumeration using MS-RPC to find local admin accounts, logon and session enumeration to detect where users are logged in from, and LDAP enumeration to discover objects and relationships. The document provides details on tools like PowerView that can be used to remotely enumerate SAM databases, network sessions, and query LDAP. It discusses attributes and groups of interest for users, computers, and privileges like delegation.

MQ Security Overview

MarkTaylorIBM

Similar to Orchestrating Least Privilege by Diogo Monica (20)

Orchestrating Last Privilege - Diogo Monica - DevOpsDays Tel Aviv 2016

MTLS in a Microservices World

Moby SIG Orchestration Security Summit Presentation

DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches

AAA Implementation

Dr. Omar Ali Alibrahim - Ssl talk

Securing management, control & data plane

Microservices Security landscape

3429 How to transform your messaging environment to a secure messaging envi...

Carlos García - Pentesting Active Directory [rooted2018]

Training Slides: 302 - Securing Your Cluster With SSL

TLS/SSL - Study of Secured Communications

Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...

MTLS - Securing Microservice Architecture with Mutual TLS Authentication

Not a Security Boundary

Exploiting Active Directory Administrator Insecurities

Enabling a Secure Multi-Tenant Environment for HPC

Preventing Advanced Targeted Attacks with IAM Best Practices

Understanding Active Directory Enumeration

MQ Security Overview

More from Docker, Inc.

Containerize Your Game Server for the Best Multiplayer Experience

Docker, Inc.

Raymond Arifianto, AccelByte and Mark Mandel, Google - We have been deploying containerized micro-services for our Game Backend Services for a while. Now we are tackling the challenge to scale up fleets of game dedicated servers in multiple regions, multiple data centers and multiple providers - some in bare metal, some in Cloud. So we leverage docker containerization to deploy Game Servers to achieve Portability, Fast Deployment and Predictability, enabling us to scale up to thousands of servers, on demand, without a sweat.

How to Improve Your Image Builds Using Advance Docker Build

Docker, Inc.

Nicholas Dille, Haufe-Lexware + Docker Captain - Docker continues to be the standard tool for building container images. For more than a year Docker ships with BuildKit as an alternative image builder, providing advanced features for secret and cache management. These features help to make image builds faster and more secure. In this session, Docker Captain Nicholas Dille will teach you how to use Buildkit features to your advantage.

Build & Deploy Multi-Container Applications to AWS

Docker, Inc.

Lukonde Mwila, Entelect - As the cloud-native approach to development and deployment becomes more prevalent, it's an exciting time for software engineers to be equipped on how to dockerize multi-container applications and deploy them to the cloud. In this talk, Lukonde Mwila, Software Engineer at Entelect, will cover the following topics: - Docker Compose - Containerizing an Nginx Server - Containerizing an React App - Containerizing an Node.JS App - Containerizing anMongoDB App - Runing Multi-Container App Locally - Creating a CI/CD Pipeline - Adding a build stage to test containers and push images to Docker Hub - Deploying Multi-Container App to AWS Elastic Beanstalk Lukonde will start by giving an overview of how Docker Compose works and how it makes it very easy and straightforward to startup multiple Docker containers at the same time and automatically connect them together with some form of networking. After that, Lukonde will take a hands on approach to containerize an Nginx server, a React app, a NodeJS app and a MongoDB instance to demonstrate the power of Docker Compose. He'll demonstrate usage of two Docker files for an application, one production grade and the other for local development and running of tests. Lastly, he'll demonstrate creating a CI/CD pipeline in AWS to build and test our Docker images before pushing them to Docker Hub or AWS ECR, and finally deploying our multi-container application AWS Elastic Beanstalk.

Securing Your Containerized Applications with NGINX

Docker, Inc.

How To Build and Run Node Apps with Docker and Compose

Docker, Inc.

Kathleen Juell, Digital Ocean - Containers are an essential part of today's microservice ecosystem, as they allow developers and operators to maintain standards of reliability and reproducibility in fast-paced deployment scenarios. And while there are best practices that extend across stacks in containerized environments, there are also things that make each stack distinct, starting with the application image itself. This talk will dive into some of these particularities, both at the image and service level, while also covering general best practices for building and running Node applications with database backends using Docker and Compose.

Hands-on Helm

Docker, Inc.

Distributed Deep Learning with Docker at Salesforce

Docker, Inc.

Jeff Hajewski, Salesforce - There is a wealth of information on building deep learning models with PyTorch or TensorFlow. Anyone interested in building a deep learning model is only a quick search away from a number of clear and well written tutorials that will take them from zero knowledge to having a working image classifier. But what happens when you need to deploy these models in a production setting? At Salesforce, we use TensorFlow models to help us provide customers with insights into their data, and we do this as close to real-time as possible. Designing these systems in a scalable manner requires overcoming a number of design challenges, but the core component is Docker. Docker enables us to design highly scalable systems by allowing us to focus on service interactions, rather than how our services will interact with the hardware. Docker is also at the core of our test infrastructure, allowing developers and data scientists to build and test the system in an end to end manner on their local machines. While some of this may sound complex, the core message is simplicity - Docker allows us to focus on the aspects of the system that matter, greatly simplifying our lives.

The First 10M Pulls: Building The Official Curl Image for Docker Hub

Docker, Inc.

James Fuller, webcomposite s.r.o. - Curl is the venerable (yet very modern) 'swiss army knife' command line tool and library for transferring data with URLs. Recently we (the Curl team) decided to build a release for Docker Hub. This talk will outline our current development workflow with respect to the docker image and provide insights on what it takes to build a docker image for mass public consumption. We are also keen to learn from users and other developers how we might improve and enhance the official curl docker image.

Monitoring in a Microservices World

Docker, Inc.

Fabian Stäber, Instana - In recent years, we saw a great paradigm shift in software engineering away from static monolithic applications towards dynamic distributed horizontally scalable architectures. Docker is one of the key technologies enabling this development. This shift poses a lot of new challenges for application monitoring, ranging from practical issues (need for automation) to technical challenges (Docker networking) to organizational topics (blurring line between software engineers and operations) to fundamental questions (define what is an application). In this talk we show how Docker changed the way we do monitoring, how modern application monitoring systems work, and what future developments we expect.

COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...

Docker, Inc.

Clemente Biondo, Engineering Ingegneria Informatica - When the COVID 19 pandemic started, Engineering Ingegneria Informatica Group (1.25 billion euros of revenues, 65 offices around the world, 12.000 employees) was forced to put their digital transformation to the test in order to maintain operational continuity. In this session, Clemente Biondo, the Tech Lead of the Information Systems Department, will share how his company is reacting to this unforeseeable scenario and how Docker-driven digital transformation had paved the path for work to continue remotely. Clemente will discuss learnings moving from colocated teams, manual approaches, email based-business processes, and a monolithic application to a mature DevOps culture characterized by a distributed autonomous workforce and a continuous deployment process that deploys backward-compatible Docker containerized microservices into hybrid multi cloud datacenters an average of twice a day with zero-downtime. He will detail how they use Docker to unify dev, test and production environments, and as an efficient and automated mechanism for deploying applications. Lastly, Clemente shares how, in our darkest hour, he and others are working to shine their brightest light.

Predicting Space Weather with Docker

Docker, Inc.

The document discusses how NOAA's Space Weather Prediction Center transitioned from a monolithic architecture to microservices using Docker. It describes how they started with a small verification project, then replaced their critical GOES satellite data source. This improved developers' morale and delivery speed. They encountered some security issues initially but learned from them. The transition was very successful and allowed them to quickly expand their mission to forecast aviation impacts using scientists' models packaged as Docker services.

Become a Docker Power User With Microsoft Visual Studio Code

Docker, Inc.

Brian Christner, 56k + Docker Captain - In this session, we will unlock the full potential of using Microsoft Visual Studio Code (VS Code) and Docker Desktop to turn you into a Docker Power User. When we expand and utilize the VS Code Docker plugin, we can take our projects and Docker skills to the next level. In addition to using VS Code, we streamline our Docker Desktop development workflow with less context switching and built-in shortcuts. You will learn how to bootstrap new projects, quickly write Dockerfiles utilizing templates, build, run, and interact with containers all from VS Code.

How to Use Mirroring and Caching to Optimize your Container Registry

Docker, Inc.

Monolithic to Microservices + Docker = SDLC on Steroids!

Docker, Inc.

Ashish Sharma, SS&C Eze - SS&C Eze provides various products in the stock market domain. We spent the last couple of years building Eclipse which is an investment suite born in cloud. The journey so far has been very interesting. The very first version of the product were a bunch of monolithic windows services and deployed using Octopus tool. We successfully managed to bring all the monolithic problem to the cloud and created a nightmare for ourselves. We then started applying microservices architecture principles and started breaking the monolithic into small services. Very soon we realized that we need a better packaging/deployment tool. Docker looked like a magical solution to our problem. Since its adoption, It has not only solved the deployment problem for us but has made a deep impact on different aspects of SDLC. It allowed us to use heterogeneous technology stacks, simplified development environment setup, simplified our testing strategy, improved our speed of delivery, and made our developers more productive. In this talk I would like to share our experience of using Docker and its positive impact on our SDLC.

Kubernetes at Datadog Scale

Docker, Inc.

Kubernetes networking can be complex to scale due to issues like growing iptables rules, but newer solutions are helping. Pod networking uses CNI plugins like flannel or Calico to assign each pod an IP and allow communication. Service networking uses kube-proxy and iptables or IPVS for load balancing to pods. DNS is used to resolve service names to IPs. While Kubernetes networking brings flexibility, operators must learn the nuances of their specific CNI plugin and issues can arise, but the ecosystem adapts quickly to new needs and changes don't impact all workloads.

Labels, Labels, Labels

Docker, Inc.

Andy Clemenko, StackRox - One underutilized, and amazing, thing about the docker image scheme is labels. Labels are a built in way to document all aspects about the image itself. Think about all the information that the tags inside your clothing carry. If you care to look you can find out everything about the garment. All that information can be very valuable. Now think about how we can leverage labels to carry similar information. We can even use the labels to contain Docker Compose or even Kubernetes Yaml. We can even include labels into the CI/CD process making things more secure and smoother. Come find out some fun techniques on how to leverage labels to do some fun and amazing things.

Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model

Docker, Inc.

Micro Focus uses Docker Hub at scale to support its software delivery and deployment model. Some key points: - Docker Hub is used as the registry service for Micro Focus container images - It allows for optimized, secure, reliable and cost-effective software delivery through deployments and updates of container images to customers and partners - Micro Focus leverages features like private repositories, offline/online access, signing and scanning of images, and integration with CI/CD pipelines - Over 1,650 organizations, 450 repositories, and 18 teams are used on Docker Hub to manage access and deliver software from Micro Focus

Build & Deploy Multi-Container Applications to AWS

Docker, Inc.

Lukonde Mwila, Entelect As the cloud-native approach to development and deployment becomes more prevalent, it's an exciting time for software engineers to be equipped on how to dockerize multi-container applications and deploy them to the cloud. In this talk, Lukonde Mwila, Software Engineer at Entelect, will cover the following topics: - Docker Compose - Containerizing an Nginx Server - Containerizing an React App - Containerizing an Node.JS App - Containerizing anMongoDB App - Runing Multi-Container App Locally - Creating a CI/CD Pipeline - Adding a build stage to test containers and push images to Docker Hub - Deploying Multi-Container App to AWS Elastic Beanstalk Lukonde will start by giving an overview of how Docker Compose works and how it makes it very easy and straightforward to startup multiple Docker containers at the same time and automatically connect them together with some form of networking. After that, Lukonde will take a hands on approach to containerize an Nginx server, a React app, a NodeJS app and a MongoDB instance to demonstrate the power of Docker Compose. He'll demonstrate usage of two Docker files for an application, one production grade and the other for local development and running of tests. Lastly, he'll demonstrate creating a CI/CD pipeline in AWS to build and test our Docker images before pushing them to Docker Hub or AWS ECR, and finally deploying our multi-container application AWS Elastic Beanstalk.

From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...

Docker, Inc.

Elton Stoneman, Docker Captain + Container Consultant and Trainer How do you provide a SaaS offering when your product is a 10-year old Fortran app, currently built to run on Windows 10? With Docker and Kubernetes of course - and you can do it in a week (... to prototype level at least). In this session I'll walk through the processes and practicalities of taking an older Windows app, making it run in containers with Kubernetes, and then building a simple API wrapper to host the whole stack as a cloud-based SaaS product. There's a lot of technology here from a real world case study, and I'll focus on: - running Windows apps in Docker containers - building a .NET Core API which can run in Linux or Windows containers - running the stack in Kubernetes with Docker Desktop locally and AKS in the cloud - configuring AKS workloads in Azure to burst out to Azure Container Instances And there's a core theme to this session: Docker and Kubernetes are complex technologies, but they're the key to modern development. If you invest time learning them, they make projects like this simple, portable, fast and fun.

Developing with Docker for the Arm Architecture

Docker, Inc.

This virtual meetup introduces the concepts and best practices of using Docker containers for software development for the Arm architecture across a variety of hardware systems. Using Docker Desktop on Windows or Mac, Amazon Web Services (AWS) A1 instances, and embedded Linux, we will demonstrate the latest Docker features to build, share, and run multi-architecture images with transparent support for Arm.

More from Docker, Inc. (20)

Containerize Your Game Server for the Best Multiplayer Experience

How to Improve Your Image Builds Using Advance Docker Build

Build & Deploy Multi-Container Applications to AWS

Securing Your Containerized Applications with NGINX

How To Build and Run Node Apps with Docker and Compose

Hands-on Helm

Distributed Deep Learning with Docker at Salesforce

The First 10M Pulls: Building The Official Curl Image for Docker Hub

Monitoring in a Microservices World

COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...

Predicting Space Weather with Docker

Become a Docker Power User With Microsoft Visual Studio Code

How to Use Mirroring and Caching to Optimize your Container Registry

Monolithic to Microservices + Docker = SDLC on Steroids!

Kubernetes at Datadog Scale

Labels, Labels, Labels

Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model

Build & Deploy Multi-Container Applications to AWS

From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...

Developing with Docker for the Arm Architecture

Recently uploaded

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Aggregage

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Neo4j

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

Video Streaming: Then, Now, and in the Future

Alpen-Adria-Universität

In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.

DevOps and Testing slides at DASA Connect

Kari Kakkonen

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

Neo4j

Dr. Sean Tan, Head of Data Science, Changi Airport Group Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.

GridMate - End to end testing is a critical piece to ensure quality and avoid...

ThomasParaiso2

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

SOFTTECHHUB

The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing. One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024

Neo4j

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Neo4j

Leonard Jayamohan, Partner & Generative AI Lead, Deloitte This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Paige Cruz

Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack. While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack. I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:

20240605 QFM017 Machine Intelligence Reading List May 2024

Matthew Sinclair

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

20240609 QFM020 Irresponsible AI Reading List May 2024

Matthew Sinclair

Pushing the limits of ePRTC: 100ns holdover for 100 days

Adtran

UiPath Test Automation using UiPath Test Suite series, part 6

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI. UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities. Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes. What will you get from this session? 1. Insights into integrating generative AI. 2. Understanding how this integration enhances test automation within the UiPath platform 3. Practical demonstrations 4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath Topics covered: What is generative AI Test Automation with generative AI and Open AI. UiPath integration with generative AI Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Albert Hoitingh

Recently uploaded (20)

Generative AI Deep Dive: Advancing from Proof of Concept to Production

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Introduction to CHERI technology - Cybersecurity

Video Streaming: Then, Now, and in the Future

DevOps and Testing slides at DASA Connect

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

GridMate - End to end testing is a critical piece to ensure quality and avoid...

Monitoring Java Application Security with JDK Tools and JFR Events

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Removing Uninteresting Bytes in Software Fuzzing

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

20240605 QFM017 Machine Intelligence Reading List May 2024

20240607 QFM018 Elixir Reading List May 2024

20240609 QFM020 Irresponsible AI Reading List May 2024

Pushing the limits of ePRTC: 100ns holdover for 100 days

UiPath Test Automation using UiPath Test Suite series, part 6

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Orchestrating Least Privilege by Diogo Monica

1. Orchestrating Least Privilege

2. What is an Orchestrator?

3. What is an Orchestra?

9. SWAR M

10. Job of a Conductor - Casting - Assign sheet music - Unify performers - Set the tempo

11. Job of an Orchestrator - Node management - Task assignment - Cluster state reconciliation - Resource Management

12. What is a Least Privilege Orchestrator?

13. What is Least Privilege?

14.

15. A process must be able to access only the information and resources that are necessary for its legitimate purpose.Principle of Least Privilege

16. Why Least Privilege?

17.

18.

19.

20.

21.

22.

23.

24.

25.

26.

27. What do we need to achieve Least Privilege Orchestration?

28. Mitigating External Attacker - Externally accessible service ports are explicitly defined - Administration endpoints are authenticated and authorized

29. Mitigating Internal Network Attacker - Authentication of both network and cluster control-plane communication - Service to service communication is authorized, with orchestrator managed ACLs

30. Mitigating MiTM Attacker - All control and data-plane traffic is encrypted.

31. Mitigating Malicious Worker ‣Should only have access to resources currently in use ‣Push VS Pull ‣No ability to modify or access any cluster state except their own. ‣Identity is assigned, never requested

32. Mitigating Malicious Manager ‣Can’t run arbitrary code on workers ‣No access to secret material ‣No ability to spin up unauthorized nodes/impersonate existing nodes. ‣No ability to read service-to-service communication

33. Byzantine Consensus.

34.

35. SWAR M

36. Mutual TLS by default • First node generates a new self-signed CA.

37. Mutual TLS by default • First node generates a new self-signed CA. • New nodes can get a certificate issued w/ a token.

38. Mutual TLS by default • First node generates a new self-signed CA. • New nodes can get a certificate issued w/ a token. • Workers and managers identified by their certificate.

39. Mutual TLS by default • First node generates a new self-signed CA. • New nodes can get a certificate issued w/ a token. • Workers and managers identified by their certificate. • Communications secured with Mutual TLS.

40. The Token SWMTKN-1-mx8susrv1etsmc8omaom825bet6-cm6zts22rl4hly2 Prefix to allow VCS searches for leaked Tokens Token Version Cryptographic Hash of the CA Root Certificate for bootstrap Randomly generated Secret

41. Bootstrap 1. Retrieve and validate Root CA Public key material. 2. Submit new CSR along with secret token. 3. Retrieve the signed certificate.

42. Automatic Certificate Rotation 1. Submit new CSR using old key-pair. 2. Retrieve the new signed certificate.

43. Support for External CAs • Managers support BYO CA. • Forwards CSRs to external CA.

44. Dem o

45.

46.

47. Thank you

Editor's Notes

Group of musicians, with different roles, that play a specific pre-arranged tune in synchronicity One interesting thing about Classical arts such as Plays, Ballets, and even Symphonies is that they all follow a script A writer, or composer writes a script that is performed by the creative people under the direction of a director or conductor Even though Directors and conductors have some latitude to arrange things according to their liking, but they must completely follow certain wishes of the original author In classical music, the notes performed must be the exact notes that the composer wrote
In plays, the exact wording of the script must be followed even though casting and certain details about the set can change
In ballets, the exact movements of the dancers must be followed.
In each of the examples of the examples that we’ve mentioned: symphonies, ballet and plays, there is a declarative syntax that the authors can represent their intentions in. These intentions must be strictly followed this is BALLET NOTATION
Composer (Bach), Conductor and a musician
Now that we know what is an orchestrator? What is a least privilege orchestrator then”
Least privilege is the concept of specialization. For example, if you have a Tuba player, she has to follow strictly the sheet music, and can’t, for example, start playing the drums. It shouldn’t have access to either the drums or the drums sheet music.
- And therefore a least-privilege orchestrator is a an orchestrator that follows this principle in the strictest manner possible.
It comes down what is your attacker model. And we believe we should architect for the most pessimistic attacker model. Following least privilege allows us to think critically about exactly what access each participant in a system should have. These are the five broad categories of attacker models that we can think about when looking at orchestrator systems
- A common attacker model, is someone completely outside of your system. An example of this attacker model are external firewalls: their exclusive attacker model is an external attacker, and they are completely bypassed by someone with internal network access
- A common attacker model, is someone completely outside of your system. An example of this attacker model are external firewalls: their exclusive attacker model is an external attacker, and they are completely bypassed by someone with internal network access
- A common attacker model, is someone completely outside of your system. An example of this attacker model are external firewalls: their exclusive attacker model is an external attacker, and they are completely bypassed by someone with internal network access
- NSA cat
- A common attacker model, is someone completely outside of your system. An example of this attacker model are external firewalls: their exclusive attacker model is an external attacker, and they are completely bypassed by someone with internal network access
- Malicious Musician AKA malicious worker
- A common attacker model, is someone completely outside of your system. An example of this attacker model are external firewalls: their exclusive attacker model is an external attacker, and they are completely bypassed by someone with internal network access
- Malicious Conductor aka Malicious Manager
- Malicious Conductor aka Malicious Manager And the fact that we should protect against all of these attacker models, is why we need least-privilege architectures. If any node is compromised, an attacker has exactly the access that the node has at that specific moment in time, no more, no less. Eclipse attack
What do we need? It is super important in security design, let’s design architectures that take into account all the attacker models that we just discussed. From this, we will come up design principles for our idealized least-privilege orchestrator
If a service did not get explicitly defined as needing an internet accessible port, it is closed by default. Administration endpoints are authenticated, and authorized by default, which means that misconfiguration is unlikely
Secrets, Configs, Networks, etc Once worker no longer needs resource, remove them to mitigate against future compromise
Simple and understandable through decomposition and state space reduction. Since any node can trigger an election and terminate the current term at any moment, a Byzantine node can effortlessly starve the whole system by perpetual elections, and consequently subvert Raft’s availability. Tangaroa and Juno
What do we need? It is super important in security design, let’s design architectures that take into account all the attacker models that we just discussed. From this, we will come up design principles for our idealized least-privilege orchestrator
User’s should sign all declarative changes, Workers have to enforce them All external dependencies must also be signed, specially if they are time-of-use dependent (alpine:latest) Talk about notary - Bootstrap: where does the trusted user keys come from in a self-signed, automatically generated swarm. TOFU? Manual configuration on nodes? Hardware trust anchor?
Raft VS Paxos Tangaroa + blockchain (whtaver the name is) implementations aren’t production ready. Don’t want malicious manager to take leadership
Add diagram that explains how least-privilege secrets distribution is hard - Secrets can’t pass managers unencrypted - Still need the ability of recovering from node failure and rescheduling containers, but can’t add new nodes and self-schedule tasks - Managers can’t control node identities Open questions: Secrets should be accessed through a third-party system or encrypted to each node’s public key? How do you control identities of new nodes, and ensure that malicious managers aren’t intercepting the requests or creating phantom nodes. external certificate authority
The current state of orchestrators from a security perspective: It’s great, it’s entertaining, it makes you want to put $5 in the donation bucket. But it really isn’t what you want to run in your production environment. We deserve better. We deserve orchestrators that live up to the name.
Let me tell you about what we’re doing with swarm and how we’re trying to achieve least-privilege orchestrators.
- The first node Generates a CA, and creates a 1-node
- One mode of operation: requires a token, tokens are generated by the server. Short of tweeting the token there is very little you can do to screw it up.
- Everyone has roles. In certificates
- MiTM attacker and Internal Attacker. We also encrypt gossip membership, and have optional data-plane encryption
Customizable certificate rotation periods. Occurs automatically. Ensures potentially compromised or leaked certificates are rotated out of use. Whitelist of currently valid certificates.
- This is the current state of swarm: they are a jazz band. Swarm currently has least-privilege musicians, but we need least-privilege conductors.
And what we want is a classical music orchestra And we would love your help getting there.

Orchestrating Least Privilege by Diogo Monica

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Viewers also liked

Viewers also liked (20)

Similar to Orchestrating Least Privilege by Diogo Monica

Similar to Orchestrating Least Privilege by Diogo Monica (20)

More from Docker, Inc.

More from Docker, Inc. (20)

Recently uploaded

Recently uploaded (20)

Orchestrating Least Privilege by Diogo Monica

Editor's Notes