Linux-Native, HTTP-Aware Network Security
Thomas Graf, CTO & Co-Founder @ Covalent
CODE CONSISTENCY AT VELOCITY

Application Architecture          Delivery Frequency   Operational Complexity
Single Server App                 Yearly               Low
3-Tier App                        Monthly              Moderate
Distributed Microservices App     10-100 x / day       Extreme
Network Security has not evolved. The world still runs on iptables matching IPs and ports:

    $ iptables -A INPUT -p tcp -s 15.15.15.3 --dport 80 -m conntrack --ctstate NEW -j ACCEPT
Your HTTP ports be like …
L3/L4 Network Security for microservices
  Pod "Frontend" -> Pod "Store" API: GET /store/myItem HTTP/1.1
  Store API endpoints: GET /healthz, GET /store/{id}, PUT /store/{id}, PUT /config
  Policy: FROM frontend ALLOW tcp:80
  Result: the request gets OK, but GET /healthz, PUT /store/{id} and PUT /config are exposed as well. The entire API on port 80 is attack surface.
L4 security has become meaningless in the age of microservices
L3/L4 Network Security for microservices
  Pod "Frontend" -> Pod "Store" API: GET /store/myItem HTTP/1.1
  Store API endpoints: GET /healthz, GET /store/{id}, PUT /store/{id}, PUT /config
  Policy: FROM frontend ALLOW GET /store/.*
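Added example, not code from the slides or from Cilium: a small policy evaluator that reproduces the comparison above, checking the two rules from the slides against the Store pod's four endpoints. The Request and Rule classes, the caller identity label "frontend" and the sample id "myItem" are constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Endpoints served by the Store pod, as listed on the slide.
STORE_API = [("GET", "/healthz"), ("GET", "/store/{id}"),
             ("PUT", "/store/{id}"), ("PUT", "/config")]


@dataclass
class Request:
    src: str       # caller identity (pod label), not an IP address
    port: int
    method: str
    path: str


@dataclass
class Rule:
    """One allow rule; http=None means a plain L4 rule (ALLOW tcp:<port>)."""
    src: str
    port: int
    http: Optional[re.Pattern] = None   # matched against "METHOD /path"

    def allows(self, req: Request) -> bool:
        if req.src != self.src or req.port != self.port:
            return False
        if self.http is None:
            return True   # L4 rule: every HTTP request on the port passes
        return self.http.fullmatch(f"{req.method} {req.path}") is not None


# The two policies from the slides.
L4_RULE = Rule("frontend", 80)                                # FROM frontend ALLOW tcp:80
L7_RULE = Rule("frontend", 80, re.compile(r"GET /store/.*"))  # FROM frontend ALLOW GET /store/.*


def exposed(rule: Rule, src: str = "frontend") -> list[str]:
    """Store endpoints that `src` can reach under `rule`, i.e. its attack surface."""
    reachable = []
    for method, template in STORE_API:
        path = template.replace("{id}", "myItem")   # constructed sample id
        if rule.allows(Request(src, 80, method, path)):
            reachable.append(f"{method} {template}")
    return reachable


if __name__ == "__main__":
    print("L4:", exposed(L4_RULE))   # all four endpoints reachable
    print("L7:", exposed(L7_RULE))   # only GET /store/{id}
```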
We demand a demo!
BPF – The Superpowers inside Linux
What is BPF?
    .insns = {
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
        BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
        BPF_LD_MAP_FD(BPF_REG_1, 0),
        BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
        BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
        BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
        BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
        BPF_EXIT_INSN(),
    }
What is BPF?
  User space: SOURCE CODE [C] -> BYTE CODE [BPF]
  Kernel: VERIFIER + JIT -> BPF SANDBOX
  A process calling write() runs through the BPF sandbox, which can deny the call with EACCES.
How does BPF relate to HTTP?
  Process sends GET /foo -> BPF sandbox redirects the request to a proxy
  Proxy applies HTTP rules: an allowed request is reinjected, a denied one gets 403 Access Denied
Cilium Architecture
  Cilium Agent (CLI, Monitor, Policy, Plugins) in user space
  Kernel: BPF programs attached to each process
BPF CODE GENERATION AT CONTAINER STARTUP
• Generate networking code at container startup
  + Tailored to each container
  + Includes only the minimal code required: faster, smaller attack surface
• Constant config (IP, MAC, ports, ...) enables compiler optimization
• Regeneration at runtime without breaking connections
[Chart: BPF redirect() performance, GBit per core, for 1 to 22 cores. Setup: Intel Xeon 3.5GHz Sandy Bridge, 24 cores, 1 TCP GSO flow per core, netperf -t TCP_SENDFILE, 10K Cilium policies]
Thank You Learn More: cilium.io Code: github.com/cilium/cilium Follow us: @ciliumproject KubeCon booth: S19
