Security for Microservices in GCP

This presentation focuses on the secure deployment of microservices in Google Kubernetes Engine (GKE) and the proper security monitoring of the platform and the deployed services.

DEMOS:
SSH_Bastion: https://vimeo.com/327701140
One_Ring_Attack: https://vimeo.com/327701078
Monitoring_Falco: https://vimeo.com/327701057
Network_Policies: https://vimeo.com/327701125
Cloud_IDS: https://vimeo.com/327701111

SPEAKERS:
Germán Arranz Cobos
Juan Gordo Ara
José Moyano Gutierrez

Published in: Technology

Security for Microservices in GCP

  1. Cloud Security. Ateneu Barcelonés, March 28th 6:30pm. https://www.meetup.com/Barcelona-Cybersecurity/events/259902770/
  2. We build confidence
  3. Agenda: (50’) Security for Microservices in CLOUD by Germán Arranz, Juan Gordo and Jose Moyano; (10’) Q&A; (60’) Drinks and networking. Place: Bar & Terrace at Principal floor. We build confidence (7pm) (8pm)
  4. #A2Meetup meet-up@a2secure.com. BCN Cybersec Monthly - March. Security for Microservices in Google Cloud Platform. Arranz Cobos, Germán; Gordo Ara, Juan; Moyano Gutierrez, Jose
  5. The crew. Germán Arranz Cobos ● Security Project Manager ● Responsible for the Google Cloud Platform layer. Juan Gordo Ara ● Security Analyst ● Responsible for the Host Attack and Monitoring layer. Jose Moyano Gutierrez ● Security Technical Officer ● Responsible for the K8s Network layer.
  6. Content: IAM, Firewall Rules, Monitoring, Attack vectors
  7. Understanding of IAM hierarchy in GCP
  8. GCP Architecture
  9. IAM hierarchy in GCP
  10. Example: IAM hierarchy in GCP (Organization > Folder > Project)
  11. Example: IAM hierarchy in GCP
  12. Example: IAM hierarchy in GCP
  13. Relationship of GCP roles and GKE roles
  14. Relationship of GCP roles and GKE roles: Kubernetes Engine Cluster Admin → Cluster Admin; Kubernetes Engine Admin → Admin; Kubernetes Engine Developer → Edit; Kubernetes Engine Viewer → View
  15. Relationship of GCP roles and GKE roles: Kubernetes Engine Cluster Admin → Cluster Admin; Kubernetes Engine Admin → Admin; Kubernetes Engine Developer → Edit; Kubernetes Engine Viewer → View
  16. Firewall Rules in GCP
  17. Firewall rules by default:
      ● default-allow-internal: allows network connections of any protocol and port between instances on the network.
      ● default-allow-ssh: allows SSH connections from any source to any instance on the network over TCP port 22.
      ● default-allow-rdp: allows RDP connections from any source to any instance on the network over TCP port 3389.
      ● default-allow-icmp: allows ICMP traffic from any source to any instance on the network.
  18. Firewall Rules Key points when using GKE
  19. Firewall Rules Key points using GKE: auto-generation of firewall rules when you deploy a service inside the cluster.
  20. Firewall Rules Key points using GKE: define the Authorized Network to restrict the access to the master.
  21. Apply SSH restrictions to connect to the GKE nodes
  22. Our scenario (Tag: shelob, Tag: shelob)
  23. SSH Bastion “Minas Tirith” architecture (Tag: shelob, Tag: shelob, Tag: bastion)
  24. DEMO
  25. GKE basic WebApp “DevOps ready to play”
  26. Our scenario
  27. Web App
  28. Service
  29. Deployment
  30. Dockerfile
  31. Web App
  32. Elevation of privileges && Back Door. “One Ring to rule them all, One Ring to find them, One Ring to bring them all and in the darkness bind them”
  33. Web App
  34. OneRing
  35. Deployment
  36. Dockerfile
  37. BackDoor
  38. BackDoor
  39. DEMO
  40. GKE - Falco Runtime monitoring
  41. What is Falco?
  42. Falco
  43. Service
  44. Daemonset
  45. BackDoor - Monitoring
  46. BackDoor - Monitoring
  47. Alerts
  48. DEMO
  49. References:
      ● OneRing repo: https://github.com/ilcapone/OneRing
      ● Install Falco in k8s: https://github.com/falcosecurity/falco/tree/dev/integrations/k8s-using-daemonset
      ● Deploying a containerized web application in GKE: https://cloud.google.com/kubernetes-engine/docs/tutorials/hello-app
  50. K8s Network
  51. K8s Network. The problems: What happens with Pod 2 Pod connectivity? Are the VPC rules enough? How can I monitor the network traffic?
  52. Network Policies. What are they? A K8s resource that allows you to define the allowed traffic flows. How do they work?
      ● NP are Namespace resources
      ● Assigned to groups of Pods selected by labels
      ● Applied at Pod level. Like iptables =)
      ● Policies are “stateful”
      ● Default K8s Policy is to allow all
  53. Network Policies. What are they? A K8s resource that allows you to define the allowed traffic. How do they work?
      ● NP are Namespace resources
      ● Assigned to groups of Pods selected by labels
      ● Applied at Pod level. Like iptables =)
      ● Policies are “stateful”
      ● Default K8s Policy is ALLOW ALL
  54. Network Policies: Ingress Policy
  55. Network Policies: Deny by Default
  56. Network Policies ● Demo - Deny by default
  57. Network Policies ● Demo - Deny by default
  58. Network Policies. Security Policies are not enabled by default! Network policies are a key security point. Deny by default, always! NP can enforce our security or let a user compromise your cluster!
      ● Control by RBAC who can manage Network Policies
      ● Control by RBAC who can create Namespaces
  59. IDS on GKE
  60. IDS on GKE. Why an IDS?
      ● Allows us to detect attacks even before they succeed
      ● Can monitor all kinds of traffic
      ● Forensic handicaps
      ● There is no port mirroring in GKE/GCP, but we still need a way to detect attacks against our microservices
      ● K8s nodes are managed and volatile
  61. IDS on GKE - Scenario
  62. IDS on GKE - GKE Node. TCPDUMP on each node (the "not (dst host ... and dst port ...)" clause keeps the export stream itself out of the capture, avoiding a feedback loop):
      /usr/sbin/tcpdump -i ${IFACE} -w - "($PCAP_FILTER) and not (dst host $SOCAT_HOST and dst port $SOCAT_PORT)" | socat - openssl:"$SOCAT_HOST":"$SOCAT_PORT",verify=0,ignoreeof
      TCPDUMP on IDS server (TLS listener; each connection is forked into a tcpdump that rotates pcap files every 30 seconds, keeping 5):
      socat openssl-listen:58888,cert=/etc/suricata/cert.pem,key=/etc/suricata/cert.key,reuseaddr,pf=ip4,fork,verify=0 SYSTEM:"tcpdump -n -s0 -r - -W 5 -G 30 -w /var/lib/topo/unread/tcpdump_%Y%m%d%H%M%S.pcap"
  63. IDS on GKE ● Demo
  64. IDS on GKE References:
      ● Topo repo: https://github.com/gum0x/topo
      ● Install Suricata in CentOS 7: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation
      ● Special thanks to: https://github.com/xme/fpc (socat concept extracted from here); https://github.com/owlh/owlhmaster/ (server concept extracted from here)
  65. Wrap up
  66. BCN Cybersec Monthly - March. Thanks for your attention. Any questions? Arranz Cobos, Germán; Gordo Ara, Juan; Moyano Gutierrez, Jose
  67. BCN Cybersec Monthly - March. Arranz Cobos, Germán; Gordo Ara, Juan; Moyano Gutierrez, Jose
  68. If you want more information about who we are: meet-up@a2secure.com. Networking - Drinks? Meet with us at Bar – Ateneu (principal)
  69. BARCELONA: Avd. Francesc Cambó 21, planta 10, 08003 Barcelona, +34 933 945 600, Info@a2secure.com. MADRID: Paseo de la Castellana 210, planta 10, puerta 7, 28046 Madrid, +34 910 585 349, Info@a2secure.com
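As an added example for the Network Policies slides above (52 to 58), not taken from the deck or from the speakers' repositories: a namespace-wide deny-by-default ingress policy, an explicit allow for the web-app pods only, and a Role that limits who may manage NetworkPolicy objects. The namespace, labels, port and group name are assumptions chosen for illustration.

```yaml
# Added example (not from the deck): "deny by default" for ingress in the
# namespace, then one explicit allow for the web-app pods. Namespace,
# labels and port are assumed values.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: webapp          # NetworkPolicy is a namespaced resource
spec:
  podSelector: {}            # empty selector = every pod in the namespace
  policyTypes:
  - Ingress                  # no ingress rules listed => all ingress denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-webapp
  namespace: webapp
spec:
  podSelector:
    matchLabels:
      app: hello-web         # pods this policy is applied to (assumed label)
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend     # only pods carrying this label may connect
    ports:
    - protocol: TCP
      port: 8080             # assumed container port of the web app
---
# "Control by RBAC who can manage Network Policies": a Role scoped to the
# namespace that carries the NetworkPolicy verbs; bind it only to the team
# that owns network security so other users cannot loosen the policies.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: networkpolicy-admin
  namespace: webapp
rules:
- apiGroups: ["networking.k8s.io"]
  resources: ["networkpolicies"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

The policies only take effect on a GKE cluster where network policy enforcement has been enabled, which is the "not enabled by default" point of slide 58; a RoleBinding from the Role to the owning group (an assumed group name such as a Google Group) completes the RBAC control.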