how not to have a 'bad time' securing your micro-services

How not to have a ‘bad time’ securing your micro-services Or, how to avoid firewall hell @liljenstolpe | [email protected]

Upload: phamngoc

Post on 14-Feb-2017

215 views

Category:

Documents

1 download

Report

Download

Embed Size (px):

TRANSCRIPT

How not to have a ‘bad time’

securing your micro-services

Or, how to avoid firewall hell@liljenstolpe | [email protected]

Page 3: How not to have a 'bad time' securing your micro-services

Remember 3-‐tier architectures?

Page 4: How not to have a 'bad time' securing your micro-services

Getting Medieval

Page 5: How not to have a 'bad time' securing your micro-services

Fast forward to the present

Page 6: How not to have a 'bad time' securing your micro-services

Increased complexity

Page 7: How not to have a 'bad time' securing your micro-services

Resource Fungibility

Page 8: How not to have a 'bad time' securing your micro-services

Tear down the walls?

Page 9: How not to have a 'bad time' securing your micro-services

The opportunity?

Page 10: How not to have a 'bad time' securing your micro-services

The opportunity?

Page 11: How not to have a 'bad time' securing your micro-services

PSA: Do not use port mapping

NetworkFabric80 <-‐> 5389

Port 80

4397<-‐>80

Page 12: How not to have a 'bad time' securing your micro-services

The Distributed Firewall

NetworkFabric

Routing

10.0.0.1

192.168.1.2

192.168.1.1

Routing10.0.0.2

192.168.1.3

192.168.1.4

Page 13: How not to have a 'bad time' securing your micro-services

Project Calico architecture

RouteReflector

Kernel

Routing

10.0.0.2

192.168.1.3

192.168.1.4

Routes

iptablesFelix

BGP

Page 14: How not to have a 'bad time' securing your micro-services

admin-ui.yaml

kind: NetworkPolicyapiVersion: net.alpha.kubernetes.io/v1alpha1metadata:

namespace: defaultname: allow-‐ui

spec:podSelector:ingress:-‐ from:

-‐ namespaces:role: management-‐ui

Metadata

Empty selector applies to all pods

Allow from management namespace

Page 15: How not to have a 'bad time' securing your micro-services

Network Intent

Page 16: How not to have a 'bad time' securing your micro-services

Thank’s for watching

•Main project website: www.projectcalico.org•https://github.com/Metaswitch/calico•http://lists.projectcalico.org/listinfo/calico•Download & try it out•We welcome your feedback and contributions• Follow us @projectcalico• Follow me @liljenstolpe

Symposium Theme Good Time, Bad Time · PDF fileSymposium Theme Good Time, Bad Time ... Micro- and macro-surgery VISTA for soft tissue augmentation ... shorter treatment times from

Securing Your Web World - drh.img.digitalriver.comdrh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedi… · Trend Micro™ Titanium™ Internet Security Security that

How not to have a ‘bad time’ securing your micro-services · How not to have a ‘bad time’ securing your micro-services Or, how to avoid firewall hell @liljenstolpe | [email protected]

Securing Enterprise Securing Enterprise Securing Enterprise

Good Visions Bad Micro Management and Ugly Ambiguity Contradictions of Non Leadership in a Knowle

Avoiding Bad URLs in the Mobile Web - Trend Micro

GLOBAL BRANDS IN A SEMIGLOBALIZED WORLD: SECURING THE GOOD ... · Global Brands in a Semiglobalized World – Securing the Good and Avoiding the Bad ... standardization for different

Securing Micro Services in Cloud Foundry

Tournai mass facs (bad micro)

Micro Focus Presentation Templatemicrofocus.fundorfina.pl/wp-content/uploads/2019/... · APPLICATION SECURITY. Securing applications by integrating seamlessly with the entire . software

Chapter 8: Securing Switched LANs · 2 8: Securing Switched LANs 3 Chapter Roadmap Securing Switched Ethernet LANs Securing the MAC self-learning process Securing DHCP and ARP Securing

Securing Assets Using Micro-Segmentation: A SANS Review …