1 | Copyright © 2022
Understanding Wireguard, TLS and Workload Identity:
The Backbone of Modern Service Networking
CHRISTIAN POSTA
VP, Global Field CTO, Solo.io
@christianposta
christian@solo.io
Agenda
01 Why do we need modern security?
02 Case Study: Google ALTS
03 Modern Networking Security
04 Workload Identity
05 Demos!
Application Networking
Well Funded ($175M), $1B valuation
Satisfied Customers (130% Renewals)
Cloud-native Technology Leadership
Cloud-native Education Leadership
The Service Mesh and API Platform for Kubernetes | Zero-Trust | Microservices
Service A can talk to Service B
Long Live IP!
Containerized Workloads
Beware!
https://www.theverge.com/2014/12/8/7352581/sony-pictures-hacked-storystream
Tenets of a Modern, Secure Network
• Assume a Hostile Environment - There are malicious personas both inside and outside the environment
• Presume Breach - Operate and defend resources with the assumption that an adversary already has presence in your environment
• Never Trust, Always Verify - Deny by default. Every resource is explicitly authorized using least privilege, multiple attributes, and dynamic cybersecurity principles
• Scrutinize Explicitly - Access to resources is conditional and can dynamically change based on actions and the confidence levels resulting from those actions
• Apply Unified Analytics - for data, applications, assets, and services, including behavioristics, and log each transaction
Writing Networking Policy
● Who is calling whom
● Constraining who can call whom
● Avoid MITM, eavesdropping
● Quota / QoS / Limits
● Logging, auditing
● Policy enforcement via fine-grained authorization (authz)
Example from Google
ALTS
Application Layer Transport Security
• Built in 2007 (TLS 1.1 was the latest version at that point)
• TLS 1.1 did not meet Google’s minimum security standards
• A simpler, more tailored implementation of TLS
• More flexible workload identity model
• Certificates use ECDH keys; the handshake uses DH key exchange and can provide perfect forward secrecy (PFS) and authenticated encryption (AE)
• Uses Protocol Buffers to serialize certificates and protocol messages
https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
ALTS Design
• Transparent to applications / RPC invocations
• Simplified cryptography (limited key exchange/cipher algorithms)
• Authentication based on Identity NOT host machines
• Identity tied to chain of trust / key distribution (transparent to application)
• Authorization policies built around Identity model
https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
Transparent ALTS
Handshake / Record Protocol
ALTS is Proven at Scale
Should we build ALTS?
No. Modern Building Blocks Exist
Let’s take a look
Modern, Secure Service Networking
• Transparent to applications / RPC invocations
• Transparent encryption
• Simplified cryptography (limited key exchange/cipher algorithms)
• Authentication based on Identity NOT host machines
• Identity tied to chain of trust / key distribution (transparent to application)
• Authorization policies built around Identity model
Wireguard
Transparent encryption made easy
Wireguard
• A kernel/OS module aimed at transparently encrypting IP between two nodes for VPN use cases
• Simple code base (around 7k LOC vs. e.g. 100K+ for IPsec)
• No cipher/protocol negotiation; fixed cryptography
• At L3, encrypted packets are encapsulated in UDP
• Intended to use ciphers that afford more performance
• Simplified configuration, out-of-band public-key exchange
https://www.wireguard.com/papers/wireguard.pdf
Configure public keys and it just works
Opinionated Crypto (Based on the Noise Framework)
• Elliptic Curve Diffie-Hellman with Curve25519
• ChaCha20+Poly1305 for Authenticated Encryption
• BLAKE2s for hashing
• Optional Pre-Shared Key (PSK)
• If a vulnerability is found, upgrade everything
https://www.wireguard.com/papers/wireguard.pdf
Downsides of Wireguard
• Could be very difficult to upgrade “everything” all at once for a discovered vulnerability
• Not FIPS compliant
• Will not be FIPS compliant
− https://twitter.com/matthew_d_green/status/1443558648878350339
• Doesn’t solve for workload mutual authentication, identity, or authorization
Options to Layer Authentication for svc-to-svc?
• Wireguard “authenticates” its peers but has no knowledge of service identities
• JWT access tokens (i.e., OAuth 2.0 + Secure Token Service)
• Custom mutual authentication mechanism (see Cilium)
• Layer client certificates and TLS on top
Cilium’s approach to mutual authentication
Transport Layer Security
TLS 1.3
Transport Layer Security (TLS 1.2)
Transport Layer Security (TLS 1.3)
Client Authentication (mTLS)
Why use TLS 1.3?
• Faster
− Handshake takes fewer round trips
• Safer (drops support for unsafe cryptographic algorithms)
− Removes RSA key exchange (it doesn’t provide forward secrecy)
− Removes CBC/RC4 ciphers
− Restricts DH parameters to known-secure parameters
− Handshake is signed by the server, so it cannot be tricked into a downgrade
− Only AEAD ciphers
TLS Can do Authentication, Encryption, Integrity Checks
• FIPS-compliant implementations exist
• Private keys never go over the wire (unlike JWT tokens, which do)
• Can be terminated at the applications for an end-to-end session
• TLS 1.3 brings simplification of cipher/protocol negotiation
• Looks a lot more like Google ALTS!
Downsides to TLS
• No standard way to specify identity
• Key issuance, revocation, rotation can be complex
• How do the applications handle key material safely?
• What if applications mis-configure?
• Every language/framework/library is different
Standard Workload Identity Framework
with SPIFFE
Secure Production Identity Framework (for Everyone)
• Open source identity specification for workloads
• Intended to solve the “universal workload identity problem”
• Independent of application type, network, or platform/cloud
• Identities are specified as URI strings
• Verified via signed credentials (X.509, JWT, etc.)
• API and workflow for attestation built into SPIFFE implementations
• Intended to eliminate passwords, other secrets, etc.
SPIFFE
Who is Service A?
Identity described in SVID
Identity for Workloads
SPIRE is a Production Implementation of SPIFFE
Bringing it Together Transparently
TLS 1.3 + SPIFFE
Now we know who Service A is…
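As an added example (my code, not the deck's and not Istio's or SPIRE's), the Go program below wires the TLS 1.3, mTLS and SPIFFE slides together: a constructed CA standing in for SPIRE issues X.509 SVIDs whose identity is the URI SAN, and service-b's tls.Config pins TLS 1.3, requires a client certificate, and authorizes on the caller's SPIFFE ID rather than on a hostname. The trust domain example.org, the service paths and the allow-list are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Constructed trust domain and a deny-by-default policy: only service-a may call service-b.
const trustDomain = "example.org"

var allowedCallers = map[string]bool{"spiffe://example.org/ns/default/sa/service-a": true}

// mint generates a P-256 key and signs tmpl with ca; with an empty ca the result is self-signed.
func mint(tmpl *x509.Certificate, ca tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	parent, signer := tmpl, any(key)
	if ca.Leaf != nil {
		parent, signer = ca.Leaf, ca.PrivateKey
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// issueSVID mints an X.509 SVID for a workload path: the identity is the URI SAN, not a hostname.
func issueSVID(ca tls.Certificate, path string) (tls.Certificate, error) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		URIs:         []*url.URL{{Scheme: "spiffe", Host: trustDomain, Path: path}},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}, ca)
}

// peerSPIFFEID verifies the leaf against the trust bundle and returns the one SPIFFE ID in its URI SAN;
// a validly signed leaf from another trust domain is still rejected (RequireAnyClientCert guarantees raw is non-empty).
func peerSPIFFEID(raw [][]byte, roots *x509.CertPool, usage x509.ExtKeyUsage) (string, error) {
	leaf, err := x509.ParseCertificate(raw[0]) // one-level CA here; pass raw[1:] as intermediates for a real bundle
	if err != nil {
		return "", err
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{usage}}); err != nil {
		return "", err
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" || leaf.URIs[0].Host != trustDomain {
		return "", fmt.Errorf("leaf lacks exactly one SPIFFE ID in trust domain %q", trustDomain)
	}
	return leaf.URIs[0].String(), nil
}

// serviceBConfig is the listener-side tls.Config: TLS 1.3 only, client certificate required, and
// hostname verification replaced by SPIFFE ID authentication plus the policy above.
func serviceBConfig(svid tls.Certificate, roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{svid},
		ClientAuth:   tls.RequireAnyClientCert, // the chain is checked in VerifyPeerCertificate
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			id, err := peerSPIFFEID(raw, roots, x509.ExtKeyUsageClientAuth)
			if err != nil {
				return err
			}
			if !allowedCallers[id] {
				return fmt.Errorf("authz: %s may not call service-b", id)
			}
			return nil
		},
	}
}

// decide issues both SVIDs from a fresh CA (standing in for SPIRE) and runs the caller's SVID through
// service-b's VerifyPeerCertificate exactly as the TLS 1.3 handshake would; nil means the call is admitted.
func decide(callerPath string) error {
	ca, err0 := mint(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.org CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, tls.Certificate{})
	server, err1 := issueSVID(ca, "/ns/default/sa/service-b")
	caller, err2 := issueSVID(ca, callerPath)
	if err := errors.Join(err0, err1, err2); err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	return serviceBConfig(server, roots).VerifyPeerCertificate(caller.Certificate, nil)
}
```

decide() calls VerifyPeerCertificate directly, which is the same hook the server handshake invokes once the client's certificate arrives; handing the same config to tls.Listen gives the same verdict on a live connection.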
An example implementation: Istio Ambient Mesh
https://istio.io/latest/blog/2022/introducing-ambient-mesh/
Istio Ambient Mesh (w/ TLS 1.3 + SPIFFE)
• Transparent to applications / RPC invocations
• Transparent encryption
• Simplified cryptography (limited key exchange/cipher algorithms)
• Authentication based on Identity NOT host machines
• Identity tied to chain of trust / key distribution (transparent to application)
• Authorization policies built around Identity model
Demo
Additional Resources
● https://lp.solo.io/white-paper-zero-trust
● https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
● https://istio.io/latest/blog/2022/introducing-ambient-mesh/
● https://www.wireguard.com/papers/wireguard.pdf
● https://www.solo.io/zero-trust/
● https://academy.solo.io
● https://istio.io
● https://cilium.io
● https://lp.solo.io/istio-ambient-mesh-explained
Thank You!

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 

Recently uploaded (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 

Understanding Wireguard, TLS and Workload Identity

13 | Copyright © 2022
Application Layer Transport Security
• Built in 2007 (TLS 1.1 was the latest version at this point)
• TLS 1.1 did not meet Google’s minimum security standards
• A simpler, more tailored implementation of TLS
• More flexible workload identity model
• Certs use ECDH keys; uses DH key exchange, can provide PFS and AE
• Uses Protocol Buffers to serialize certificates and protocol messages
https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
14 | Copyright © 2022
ALTS Design
• Transparent to applications / RPC invocations
• Simplified cryptography (limited key exchange/cipher algorithms)
• Authentication based on Identity NOT host machines
• Identity tied to chain of trust / key distribution (transparent to application)
• Authorization policies built around Identity model
https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
15 | Copyright © 2022
Transparent ALTS
16 | Copyright © 2022
Handshake / Record Protocol
17 | Copyright © 2022
ALTS is Proven at Scale
Should we build ALTS?
18 | Copyright © 2022
No. Modern Building Blocks Exist
Let’s take a look
19 | Copyright © 2022
Modern, Secure Service Networking
• Transparent to applications / RPC invocations
• Transparent encryption
• Simplified cryptography (limited key exchange/cipher algorithms)
• Authentication based on Identity NOT host machines
• Identity tied to chain of trust / key distribution (transparent to application)
• Authorization policies built around Identity model
20 | Copyright © 2022
Wireguard
Transparent encryption made easy
21 | Copyright © 2022
Wireguard
22 | Copyright © 2022
Wireguard
• A Kernel/OS module aimed at transparently encrypting IP between two nodes for VPN use cases
• Simple code base (around 7k LOC vs. e.g. 100K+ for IPSec)
• No cipher/protocol negotiation; fixed cryptography
• For L3, encapsulate encrypted packets in UDP
• Intended to use ciphers that afford more performance
• Simplified configuration, out-of-band public-key exchange
https://www.wireguard.com/papers/wireguard.pdf
23 | Copyright © 2022
Configure public keys and it just works
24 | Copyright © 2022
Opinionated Crypto (Based on the Noise Framework)
• Elliptic Curve Diffie-Hellman with Curve25519
• ChaCha20+Poly1305 for Authenticated Encryption
• BLAKE2s for hashing
• Optional Pre-Shared Key (PSK)
• If a vulnerability is found, upgrade everything
https://www.wireguard.com/papers/wireguard.pdf
25 | Copyright © 2022
Downsides of Wireguard
• Could be very difficult to upgrade “everything” all at once for a discovered vulnerability
• Not FIPS compliant
• Will not be FIPS compliant
− https://twitter.com/matthew_d_green/status/1443558648878350339
• Doesn’t solve for workload Mutual Authentication, Identity, or Authorization
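As an added illustration of slides 22 to 25 (not a configuration from the deck), a wg-quick style wg0.conf for one node: the only material exchanged out of band is each peer's public key, the optional PSK is the single extra knob, and there is no field for picking a cipher or protocol version, which is why a weakness means upgrading every node. Key values and addresses are placeholders.

```ini
# Node A: /etc/wireguard/wg0.conf (added example; keys and addresses are placeholders)
[Interface]
PrivateKey = <NODE_A_PRIVATE_KEY>   # Curve25519 key, never leaves this host
ListenPort = 51820                  # encrypted packets are encapsulated in UDP
Address = 10.0.0.1/24               # inner (tunnelled) address, set by wg-quick

# No cipher, hash or DH group settings exist: ChaCha20-Poly1305, BLAKE2s and
# Curve25519 are fixed by the protocol (Noise-based), so there is nothing to negotiate.

[Peer]
# Node B is identified solely by its public key; Wireguard knows nothing about which
# workload or service sits behind it, which is the gap slide 25 points at.
PublicKey = <NODE_B_PUBLIC_KEY>
PresharedKey = <OPTIONAL_PSK>        # optional symmetric key mixed into the handshake
AllowedIPs = 10.0.0.2/32            # cryptokey routing: only this inner IP may arrive from this key
Endpoint = 192.0.2.2:51820          # where to send B's encrypted UDP packets
PersistentKeepalive = 25
```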
26 | Copyright © 2022
Options to Layer Authentication for svc-to-svc?
• Wireguard “authenticates” its peers but has no knowledge of svc identities
• JWT access tokens (i.e., OAuth 2.0 + Secure Token Service)
• Custom mutual authentication mechanism (see Cilium)
• Layer client certificates and TLS on top
27 | Copyright © 2022
Cilium’s approach to mutual authentication
28 | Copyright © 2022
Cilium’s approach to mutual authentication
29 | Copyright © 2022
Cilium’s approach to mutual authentication
30 | Copyright © 2022
Transport Layer Security
TLS 1.3
31 | Copyright © 2022
Transport Layer Security
32 | Copyright © 2022
Transport Layer Security (TLS 1.2)
33 | Copyright © 2022
Transport Layer Security (TLS 1.3)
34 | Copyright © 2022
Client Authentication (mTLS)
35 | Copyright © 2022
Why use TLS 1.3?
• Faster
− Handshake takes fewer round trips
• Safer (drop support for unsafe cryptographic algorithms)
− Remove RSA key exchange (doesn’t provide Forward Secrecy)
− Remove CBC/RC4 ciphers
− Restrict DH parameters to known secure params
− Handshake is signed by the server, cannot be tricked into downgrade
− Chose AEAD ciphers
36 | Copyright © 2022
TLS Can do Authentication, Encryption, Integrity Checks
• FIPS compliant implementations
• Private keys do not get sent over the wire (unlike JWT tokens, which are)
• Can be terminated at the applications for end-to-end session
• TLS 1.3 brings simplification for ciphers/protocol negotiation
• Looks a lot more like Google ALTS!
37 | Copyright © 2022
Downsides to TLS
• No standard way to specify identity
• Key issuance, revocation, rotation can be complex
• How do the applications handle key material safely?
• What if applications mis-configure?
• Every language/framework/library is different
38 | Copyright © 2022
Standard Workload Identity Framework with SPIFFE
39 | Copyright © 2022
Secure Production Identity Framework (for Everyone)
• Open Source Identity Specification for workloads
• Intended to solve the “universal workload identity problem”
• Independent of application type, network, or platform/cloud
• Specified with URI strings
• Verified via signed credentials (X.509, JWT, etc.)
• API and workflow for attestation built into SPIFFE implementations
• Intended to eliminate passwords, other secrets, etc.
40 | Copyright © 2022
SPIFFE
41 | Copyright © 2022
Who is Service A?
42 | Copyright © 2022
Identity described in SVID
43 | Copyright © 2022
Identity for Workloads
44 | Copyright © 2022
SPIRE is a Production Implementation of SPIFFE
45 | Copyright © 2022
Bringing it Together Transparently
TLS 1.3 + SPIFFE
46 | Copyright © 2022
Now we know who Service A is…
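To make slides 39 to 46 concrete, here is an added Go example (not code from the deck, from Solo.io, or from any SPIFFE/SPIRE project): a trust-domain CA and an X509-SVID are minted in-process as a stand-in for SPIRE, the receiving side verifies the chain and reads the caller's SPIFFE ID from the URI SAN, and a deny-by-default policy keyed on that identity decides whether Service A may call Service B. The trust domain example.org, the two service IDs and the allow-list are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// mintCert issues a leaf under parent, or self-signs a trust-domain CA when parent is nil; it runs in-process only as a stand-in for SPIRE.
func mintCert(spiffeID string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{Organization: []string{"example.org"}, CommonName: spiffeID},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // X509-SVID: the workload's SPIFFE ID is its only identity, carried as a URI SAN
		u, _ := url.Parse(spiffeID)
		tmpl.URIs = []*url.URL{u}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// PeerSPIFFEID answers "who is Service A?": verify the presented leaf against the trust domain's root and return its SPIFFE ID.
func PeerSPIFFEID(leaf, root *x509.Certificate) (string, error) {
	bundle := x509.NewCertPool()
	bundle.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: bundle, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", err // unknown issuer, expired or self-signed: no identity is accepted
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" {
		return "", fmt.Errorf("leaf must carry exactly one spiffe:// URI SAN")
	}
	return leaf.URIs[0].String(), nil // hostnames and IP addresses are never consulted
}
// Authorize is the deny-by-default check behind mTLS: a verified caller reaches a destination only if policy names its SPIFFE ID.
func Authorize(caller, destination string, policy map[string]map[string]bool) error {
	if !policy[destination][caller] {
		return fmt.Errorf("deny by default: %s may not call %s", caller, destination)
	}
	return nil
}
func main() {
	ca, caKey := mintCert("", nil, nil)
	svcA, _ := mintCert("spiffe://example.org/ns/default/sa/service-a", ca, caKey)
	id, err := PeerSPIFFEID(svcA, ca)
	policy := map[string]map[string]bool{"spiffe://example.org/ns/default/sa/service-b": {id: true}} // constructed allow-list
	fmt.Println(id, err, Authorize(id, "spiffe://example.org/ns/default/sa/service-b", policy))
}
```

In a mesh the same check runs inside the TLS 1.3 handshake (Go exposes that hook as tls.Config.VerifyPeerCertificate), so the application never touches key material itself.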
47 | Copyright © 2022
An example implementation: Istio Ambient Mesh
https://istio.io/latest/blog/2022/introducing-ambient-mesh/
48 | Copyright © 2022
Istio Ambient Mesh (w/ TLS 1.3 + SPIFFE)
• Transparent to applications / RPC invocations
• Transparent encryption
• Simplified cryptography (limited key exchange/cipher algorithms)
• Authentication based on Identity NOT host machines
• Identity tied to chain of trust / key distribution (transparent to application)
• Authorization policies built around Identity model
49 | Copyright © 2022
Demo
50 | Copyright © 2022
Additional Resources
● https://lp.solo.io/white-paper-zero-trust
● https://cloud.google.com/docs/security/encryption-in-transit/application-layer-transport-security
● https://istio.io/latest/blog/2022/introducing-ambient-mesh/
● https://www.wireguard.com/papers/wireguard.pdf
● https://www.solo.io/zero-trust/
● https://academy.solo.io
● https://istio.io
● https://cilium.io
https://lp.solo.io/istio-ambient-mesh-explained