Linux Native, HTTP Aware Network Security

Linux-Native, HTTP-Aware Network Security
Thomas Graf, CTO & Co-Founder @ Covalent

Transcript of Linux Native, HTTP Aware Network Security


Application Architectures

  Architecture                   Delivery Frequency   Operational Complexity
  Single Server App              Yearly               Low
  3-Tier App                     Monthly              Moderate
  Distributed Microservices App  10-100 x / day       Extreme

CODE CONSISTENCY AT VELOCITY

Network Security has not evolved

$ iptables -A INPUT -p tcp \
    -s 15.15.15.3 --dport 80 \
    -m conntrack --ctstate NEW \
    -j ACCEPT

The world still runs on iptables matching IPs and ports:

Your HTTP ports be like …

L3/L4 Network Security for microservices

  Pod "Frontend"  ---- GET /store/myItem HTTP/1.1 ---->  Pod "Store" API
                                                           GET /healthz
                                                           GET /store/{id}
                                                           PUT /store/{id}
                                                           PUT /config

  L3/L4 policy:  FROM frontend ALLOW tcp:80

The frontend only issues GET /store/myItem, yet the tcp:80 rule admits every endpoint the Store API serves on that port: GET /healthz, PUT /store/{id} and PUT /config are exposed to the frontend as well. All of that is attack surface. GET /store/myItem is answered OK, and nothing in the policy stops requests to the other three endpoints.

L4 security has become meaningless in the age of microservices

  L7 policy:     FROM frontend ALLOW GET /store/.*

With an HTTP-aware policy the same request still gets through, but only GET requests under /store/ are allowed; the other three endpoints are no longer reachable from the frontend.
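The two rules from the diagram written out as Cilium policy objects. This is an added example, not a slide from the deck: it uses the current CiliumNetworkPolicy v2 schema, and the label selectors app=frontend and app=store are assumed (the slides name the pods only as "Frontend" and "Store"). The first object is the port-only rule that exposes every endpoint; the second narrows it to GET /store/.* so the remaining endpoints are answered with 403 by the proxy.

```yaml
# Added example (not from the slides): the L3/L4 and L7 policies from the
# diagram as CiliumNetworkPolicy objects. Labels app=frontend / app=store are
# assumed; the deck names the pods only as "Frontend" and "Store".
---
# L3/L4 policy: FROM frontend ALLOW tcp:80
# Every HTTP endpoint behind port 80 is reachable from the frontend,
# including GET /healthz, PUT /store/{id} and PUT /config.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: store-l4-only
spec:
  endpointSelector:
    matchLabels:
      app: store
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
---
# L7 policy: FROM frontend ALLOW GET /store/.*
# Same source and port, but traffic is redirected to the proxy and only GET
# requests whose path matches /store/.* are forwarded; anything else from the
# frontend (GET /healthz, PUT /store/{id}, PUT /config) receives 403.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: store-l7-get-only
spec:
  endpointSelector:
    matchLabels:
      app: store
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/store/.*"
```

Apply one or the other with kubectl; the L7 object is a strict subset of the L4 one, so replacing store-l4-only with store-l7-get-only removes the three unintended endpoints from the frontend's reach without touching the request the frontend actually makes.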

We demand a demo!

BPF – The Superpowers inside Linux

What is BPF?

.insns = {
    BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),         /* r2 = frame pointer                     */
    BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),        /* r2 = fp - 8: stack slot for the key     */
    BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),          /* *(u64 *)(fp - 8) = 0: key = 0           */
    BPF_LD_MAP_FD(BPF_REG_1, 0),                  /* r1 = map (fd is patched at load time)   */
    BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),      /* r0 = map_lookup_elem(map, &key)         */
    BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),         /* r1 = frame pointer                      */
    BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),      /* r1 = fp - 152                           */
    BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), /* *(fp - 152) = r0: spill value pointer   */
    BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),        /* if r0 == NULL, skip the next 2 insns    */
    BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), /* r3 = *(fp - 152): reload value pointer  */
    BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),         /* *(u64 *)r3 = 42: write the map value    */
    BPF_EXIT_INSN(),                              /* return r0                               */
}

What is BPF?

  USER SPACE:  SOURCE CODE [C]  -->  BYTE CODE [BPF]
                                           |
  KERNEL:                            VERIFIER + JIT  -->  BPF program running in a SANDBOX

A BPF program is written in C and compiled to BPF byte code in user space. Loading it into the kernel passes it through the verifier, which checks that it is safe to run, and the JIT, which compiles it to native code. The program then runs sandboxed inside the kernel on the path a process takes through it: attached to the write() system call, for example, it can decide per process whether the call proceeds or fails with EACCES.

How does BPF relate to HTTP?

  Process  --GET /foo-->  [SANDBOX: BPF + rules]  --redirect-->  Proxy
                                                  <--reinject--   (allowed)
                                                  <--403 Access Denied-- (denied)

The BPF program sees the connection carrying GET /foo. When the rules call for L7 inspection, BPF redirects the traffic to a proxy. The proxy parses the HTTP request and either reinjects it toward the destination if the rules allow it, or answers 403 Access Denied.

Cilium Architecture

  Cilium Agent:  CLI | Monitor | Policy | Plugins
  Kernel:        Process <-> BPF,  Process <-> BPF,  BPF

BPF CODE GENERATION AT CONTAINER STARTUP

• Generate networking code at Container Startup
  + Tailored to each container
  + Include Minimal Code Required
  => Faster, Smaller Attack Surface
• Constant Config (IP, MAC, Ports, …), Compiler Optimization
• Regeneration at Runtime Without Breaking Connections

BPF redirect() performance [GBit per core]

Chart (values recovered from the slide; x-axis ticks 1 to 22, y-axis 0 to 600):
   1: 75    2: 140   3: 205   4: 240   5: 325   6: 365   7: 370   8: 365
   9: 410  10: 412  11: 425  12: 445  13: 450  14: 460  15: 460  16: 490
  17: 495  18: 505  19: 515  20: 525  21: 545  22: 565

Intel Xeon 3.5 GHz Sandy Bridge, 24 Cores, 1 TCP GSO flow per core, netperf -t TCP_SENDFILE, 10K Cilium policies

Thank You

Learn More: cilium.io
Code: github.com/cilium/cilium
Follow us: @ciliumproject
KubeCon booth: S19