Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.
In Search of Segmentation
Adrian Cockcroft @adrianco
Technology Fellow - Battery Ventures
February 2016
What does @adrianco do?
@adrianco
Technology Due
Diligence on Deals
Presentations at
Conferences
Presentations at
Companie...
Segmentation
Industry Trends
Airgaps closing
Industrial IoT
Security blanket perimeter firewalls
Datacenter to cloud transitions
New systems of engagem...
Policy
A can talk to B
B can talk to C
A must not talk to C
A B C
Y and Z failure modes
must be independent so
X can always succeed
Y
X
Z
Availability requirements drive
a need for distributed
segmentation
Choices?
Too many
choices!
Over-reliance on one
mechanism leads to abuse…
Lack of coordination across
many mechanisms leads to
fragility
Example
segmentation
mechanisms
Disclaimer:
I’m not a developer, I don’t have hands-on
experience with any of these mechanisms,
I’m looking for input wher...
Datacenters/AWS Accounts
IAM/AD/LDAP Roles
VPC/VLAN Networks
Security Groups/Hypervisor
IPtables/Calico Policy
Docker Link...
B
Accounts and Roles
Who can set policy for what?
Needs distributed policy management
A C
Network Segmentation
Who controls the network?
A B C
Network Segmentation
Datacenter policies are based on
separation of duties. Tickets,
Network admins and VLANs
Network Segmentation
AWS VPC networking uses
developer-driven automation,
loses separation of duties…
VPC Abuse Antipattern
Lots of small VPC networks for
microservices, end up in IP address
space capacity management hell…
Hypervisor and Security
Group Segmentation
Distributed firewall rules
A B CA B
Security Group Abuse Antipattern
Too many microservices need to be in the
same group, overloads configuration
limitations
Kernel eBPF & Calico
IPtables Segmentation
Distributed firewall rules
A B CA B
IPtables Segmentation
Can use IP Sets to scale
Managed in the container host OS
Separates routing reachability from access...
Docker & Weave
Segmentation
Docker daemon manages connections
B CA
B C
proxy:
build: ./proxy
ports:
- "8080:8080"
links:
- app
app:
build: ./app
links:
- db
db:
image: postgres
Docker Compose V...
version: '2'
services:
proxy:
build: ./proxy
ports:
- "8080:8080"
networks:
- front
app:
build: ./app
networks:
- front
- ...
Docker Segmentation
Overlay network created and
managed by Docker or Weave.
DNS based lookups.
Segmentation Scalability
Real world microservices
architectures have hundreds to
thousands of distinct microservices
Segmentation Scalability
There’s often a few very popular
microservices that everyone else
wants to talk to
Datacenters/AWS Accounts
IAM/AD/LDAP Roles
VPC/VLAN Networks
Security Groups/Hypervisor
IPtables/Calico Policy
Docker Link...
Hierarchical Segmentation
Enforced by IAM roles at every level
B CA
B C
E FD
E F
Security Group X Security Group Y
VPC Z -...
Policy Specification Options
Docker Compose V2
Kubernetes/Mesos policy
Calico/Cisco Contiv
AWS IAM/AD Policies
How to
coor...
Comments and Questions?
Adrian Cockcroft @adrianco
http://slideshare.com/adriancockcroft
Technology Fellow - Battery Ventu...
Security
Visit http://www.battery.com/our-companies/ for a full list of all portfolio companies in which all Battery Funds...
Nächste SlideShare
Wird geladen in …5
×

In Search of Segmentation

262.506 Aufrufe

Veröffentlicht am

There are many ways to manage whether a service can talk to another service. It can be tempting to over-use one segmentation mechanism to implement policy when the real problem is how to coordinate and manage many mechanisms in the physical, cloud and container spaces. This talk summarizes the problem space and opportunities rather than offers solutions.

Presented at the Docker Palo Alto meetup Feb 16th 2016 http://www.meetup.com/Docker-Palo-Alto/events/228277181/

Veröffentlicht in: Technologie
  • Als Erste(r) kommentieren

In Search of Segmentation

  1. 1. In Search of Segmentation Adrian Cockcroft @adrianco Technology Fellow - Battery Ventures February 2016
  2. 2. What does @adrianco do? @adrianco Technology Due Diligence on Deals Presentations at Conferences Presentations at Companies Technical Advice for Portfolio Companies Program Committee for Conferences Networking with Interesting PeopleTinkering with Technologies Maintain Relationship with Cloud Vendors http://www.slideshare.net/adriancockcroft
  3. 3. Segmentation
  4. 4. Industry Trends
  5. 5. Airgaps closing Industrial IoT Security blanket perimeter firewalls Datacenter to cloud transitions New systems of engagement http://peanuts.wikia.com/wiki/Linus'_security_blanket
  6. 6. Policy
  7. 7. A can talk to B B can talk to C A must not talk to C A B C
  8. 8. Y and Z failure modes must be independent so X can always succeed Y X Z
  9. 9. Availability requirements drive a need for distributed segmentation
  10. 10. Choices?
  11. 11. Too many choices!
  12. 12. Over-reliance on one mechanism leads to abuse…
  13. 13. Lack of coordination across many mechanisms leads to fragility
  14. 14. Example segmentation mechanisms
  15. 15. Disclaimer: I’m not a developer, I don’t have hands-on experience with any of these mechanisms, I’m looking for input where I’m wrong or missed something. Also, apologies if I didn’t namecheck your favorite project/product.
  16. 16. Datacenters/AWS Accounts IAM/AD/LDAP Roles VPC/VLAN Networks Security Groups/Hypervisor IPtables/Calico Policy Docker Links/Weave Overlay Ops Dev
  17. 17. B Accounts and Roles Who can set policy for what? Needs distributed policy management A C
  18. 18. Network Segmentation Who controls the network? A B C
  19. 19. Network Segmentation Datacenter policies are based on separation of duties. Tickets, Network admins and VLANs
  20. 20. Network Segmentation AWS VPC networking uses developer-driven automation, loses separation of duties…
  21. 21. VPC Abuse Antipattern Lots of small VPC networks for microservices, end up in IP address space capacity management hell…
  22. 22. Hypervisor and Security Group Segmentation Distributed firewall rules A B CA B
  23. 23. Security Group Abuse Antipattern Too many microservices need to be in the same group, overloads configuration limitations
  24. 24. Kernel eBPF & Calico IPtables Segmentation Distributed firewall rules A B CA B
  25. 25. IPtables Segmentation Can use IP Sets to scale Managed in the container host OS Separates routing reachability from access policy
  26. 26. Docker & Weave Segmentation Docker daemon manages connections B CA B C
  27. 27. proxy: build: ./proxy ports: - "8080:8080" links: - app app: build: ./app links: - db db: image: postgres Docker Compose V1 proxy app db 8080
  28. 28. version: '2' services: proxy: build: ./proxy ports: - "8080:8080" networks: - front app: build: ./app networks: - front - back db: image: postgres networks: - back networks: front: back: Docker Compose V2 proxy app db 8080 front backfront
  29. 29. Docker Segmentation Overlay network created and managed by Docker or Weave. DNS based lookups.
  30. 30. Segmentation Scalability Real world microservices architectures have hundreds to thousands of distinct microservices
  31. 31. Segmentation Scalability There’s often a few very popular microservices that everyone else wants to talk to
  32. 32. Datacenters/AWS Accounts IAM/AD/LDAP Roles VPC/VLAN Networks Security Groups/Hypervisor IPtables/Calico Policy Docker Links/Weave Overlay How to coordinate across all these layers? How to scale to 1000+ segments?
  33. 33. Hierarchical Segmentation Enforced by IAM roles at every level B CA B C E FD E F Security Group X Security Group Y VPC Z - Manage a reasonable number of large network spaces D X An AWS oriented example… AWS Account - Manage across multiple accounts
  34. 34. Policy Specification Options Docker Compose V2 Kubernetes/Mesos policy Calico/Cisco Contiv AWS IAM/AD Policies How to coordinate any/all of these?
  35. 35. Comments and Questions? Adrian Cockcroft @adrianco http://slideshare.com/adriancockcroft Technology Fellow - Battery Ventures See www.battery.com for a list of portfolio investments
  36. 36. Security Visit http://www.battery.com/our-companies/ for a full list of all portfolio companies in which all Battery Funds have invested. Palo Alto Networks Enterprise IT Operations & Management Big DataCompute Networking Storage

×