Securing Kubernetes Clusters with NGINX Plus Ingress Controller & NAP
Securing Your Apps & APIs
in Kubernetes
VIRTUAL EVENT
Aug 27th, 2020
| ©2020 F5 NETWORKS - CONFIDENTIAL2
There are two types of apps in this world….
Greenfield Brownfield
Ok, so maybe that’s an oversimplification….
Brownfield
Greenfield
And they are often mixed together
Monolithic / Hybrid / Microservices (modernization)
>60%: Core, legacy business apps
~30%: Legacy with microservices add-ons
~10%: Modern apps optimized for digital
Statistics from 2018 NGINX Brand Survey
Where most enterprises will be for years to come
Current CNCF Landscape
Ok, that’s a lot.
What do I need to think about to start ramping towards actually getting to production?
What flavor of Kubernetes am I going to leverage?
Cloud Services / Hybrids / Vanilla / Agnostic
Ok, that’s still a little more complicated than expected
Is there anything I can do regardless of my platform choice?
Sure, and we’re about to focus on a couple of them.
Figure out your application routing, monitoring, and security strategy
Platform agnostic tool chain = solve the problem once, solve it for good
Kubernetes adds several more locations to deploy Application Services
[Diagram: API Gateway, Load Balancer and App Security placed at the Edge, at the Ingress Controller, at a Per-Service proxy and at a Per-Pod proxy in front of the pods]
Four locations to deploy Application Services:
• Edge: External load balancers and proxies
• Ingress Controller: Entry-point into Kubernetes
• Per-Service Proxy: Interior service proxy tier
• Per-Pod Proxy: Sidecar-style proxy per pod
Three criteria to determine where to deploy a service
1. Is the service specific to an application, or general, for all applications? (Close to the Application vs. Close to the Edge)
2. Is the service configuration owned by DevOps/DevSecOps, or by NetOps/SecOps? (Owned by Dev(Sec)Ops vs. Owned by NetOps/SecOps)
3. The technical fit: what components offer the necessary functionality and APIs?
Not all app components are equal, and different configuration and APIs meet the needs of different users
F5 Container Ingress Services (CIS)
• Native open-source integration in container environments for F5 BIG-IP Ingress control
• Enable self-service selection in orchestration for app services
• Scale and secure apps through automated event discovery and service insertion
• Scale and secure NGINX Ingress controller
[Diagram: F5 Container Ingress Services connected to Orchestration, Visibility and Analytics and F5 BIG-IP App Performance and Security Services, in front of container environments (Kubernetes, OpenShift; Node 1, Node 2); app services across the network. Dotted line = integration control plane, solid line = traffic data plane]
NGINX Ingress Controller
• Single pod deployment, running in Kubernetes as NodePort
• Rich, app-oriented configuration using both Kubernetes and NGINX Ingress Resources
• Supports DevOps use cases: routing, B/G, circuit breaker
• Multi-tenant, secure RBAC
• Typically requires external LB
[Diagram: NGINX Ingress Controller connected to Orchestration, Visibility and Analytics and Tracing, in front of container environments (Kubernetes, OpenShift; Node 1, Node 2); app services across the network. Dotted line = integration control plane, solid line = traffic data plane]
Ingress Controller as point of control for App Protect
[Diagram: Edge Services in front of the Ingress Controller and pods; the Kubernetes Control Plane holds the NGINX Ingress Resource with its WAF policy, DNS policy and IPAM policy]
Customer DevOps requests additional capabilities using Ingress Resource extensions
Ingress Controller automates downstream services, within boundaries controlled by NetOps
Automated discovery and high-performance load balancing
WAF Deployment on the Ingress Controller
DEPLOY WAF POLICIES ON THE INGRESS CONTROLLER, CONFIGURED USING KUBERNETES API
[Diagram: Edge, Ingress Controller, Per-Service proxy, Per-Pod proxy and pods; the WAF sits on the Ingress Controller]
K8s NetOps/DevOps-Centric Approach
Appropriate solution when WAF policies are under direction of NetOps or DevOps teams. Policies are defined and associated with services using Kubernetes API.
NGINX Ingress Controller RBAC allows:
• Admin users to enforce policies per listener
• DevOps users to select policy per Ingress Resource
Leverage Container Ingress Services to scale NGINX Ingress Controller and add other application services (LB, DNS, DDoS, IAM).
Appropriate for Kubernetes-native NetOps or DevOps WAF
NGINX App Protect
CHRIS AKKER
TECHNICAL SOLUTIONS ARCHITECT
NGINX BU / F5
[Chart: YoY Increase in CVEs, 2010 to 2019, y-axis 0 to 16,000. Note: Excludes any rejections or disputes.]
New vulnerabilities are discovered in all manner of software all the time. They are exploited by both malicious bots and human attackers.
Do you know how many affect your application stack(s)?
Can you keep up with the pace of published vulnerabilities?
Do you want to?
Strong App
Security
Built for
Modern Apps
CI/CD
Friendly
NGINX App Protect
Strong App Security
App security and controls built using F5 Advanced WAF technology. Blocks attacks and helps prevent downtime.
• Easy install & updates
• OWASP Top 10 and more
• Regulatory compliance
• IP blocking
• Prevent sensitive data loss
• F5-based Layer 7 attack protection
• API security
Built for Modern Apps
High-performance security with performance and scale. Small footprint, less than 2MB on disk, ideal for container workloads. Seamless integration into the #1 web application platform.
• High performance
• Deployment options
• Minimizes tool sprawl
• Lightweight footprint
• Seamless NGINX integration
• 20X+ faster than alternative OSS
CI/CD Friendly
Enable security to keep pace with DevOps and support “shift left” initiatives.
• Declarative policies
• Speed time to market
• Reduced cost
• Enable AppDev feedback loops
• Automate security in CI/CD cycle
Signature Differences
Attack Signature                   | Threat Campaign
Generic form of attack             | Instance of a specific attack
Many false positives               | Near 100% accurate
Difficult to evade                 | Sensitive to attack variations
Updated once in a couple of weeks  | Multiple updates per week
No information if ever exploited   | Based on real observations
Generic attack information         | Provides context (intent/risk)
Local attack indicator             | Global threat visibility
~4,000                             | ~200
Deployment options / Use Cases
• Edge SW WAF
• API WAF
• Kubernetes IC WAF
• Pod WAF
• Microservice WAF
Kubernetes adds several more locations to deploy Application Security
[Diagram: API Gateway, Load Balancer and App Security placed at the Edge, at the Ingress Controller, at a Per-Service proxy and at a Per-Pod proxy in front of the pods]
Four locations to deploy Application Services:
• Edge: External load balancers and proxies
• Ingress Controller: Entry-point into Kubernetes
• Per-Service Proxy: Interior service proxy tier
• Per-Pod Proxy: Proxy embedded in pod
Standard App Protect NGINX-Proxy deployment
Declarative Policy Helps CI/CD Motion
INFRASTRUCTURE AND SECURITY AS CODE
Source Code Repository: Application code/config for App X; security policy/config for App X
CI/CD Pipeline Tool: Pipeline for build/test/deploy of App X
IT Automation: Ansible playbook for deployment of App X with its app services
Owned by SecOps | Operated by DevOps
{
  "entityChanges": {
    "type": "explicit"
  },
  "entity": {
    "name": "bak"
  },
  "entityKind": "tm:asm:policies:filetypes:filetypestate",
  "action": "delete",
  "description": "Delete Disallowed File Type"
}
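The slide pairs a SecOps-owned policy with a DevOps-operated pipeline, and the policy change record it shows deletes a disallowed file type, which weakens enforcement. The following is an added example, not code from the slides or from F5, of the kind of pipeline gate that makes that split of ownership enforceable: it classifies each change record as tightening or loosening the policy and refuses to proceed on a loosening change without SecOps sign-off. The first record is copied from the slide; the second record, the "add" action value, and the RESTRICTIVE_KINDS set are assumptions made for the example.

```python
import json

# Policy change records in the shape shown on the slide. The first is the
# slide's own record; the second is constructed for contrast and assumes
# that "add" is the opposite action of "delete" for the same entityKind.
POLICY_CHANGES = json.loads("""
[
  {
    "entityChanges": {"type": "explicit"},
    "entity": {"name": "bak"},
    "entityKind": "tm:asm:policies:filetypes:filetypestate",
    "action": "delete",
    "description": "Delete Disallowed File Type"
  },
  {
    "entityChanges": {"type": "explicit"},
    "entity": {"name": "exe"},
    "entityKind": "tm:asm:policies:filetypes:filetypestate",
    "action": "add",
    "description": "Add Disallowed File Type"
  }
]
""")

# Entity kinds whose entries restrict traffic: deleting one loosens the policy,
# adding one tightens it. Hypothetical set; only the kind from the slide is
# listed, extend it with the kinds your own policies use.
RESTRICTIVE_KINDS = {"tm:asm:policies:filetypes:filetypestate"}


def classify_change(change):
    """Return 'loosens', 'tightens' or 'review' for one change record."""
    kind = change.get("entityKind", "")
    action = change.get("action", "")
    desc = change.get("description", "").lower()
    # A "Disallowed ..." entry is a restriction, so its direction is the
    # inverse of the action taken on it.
    restrictive = kind in RESTRICTIVE_KINDS and "disallowed" in desc
    if restrictive and action == "delete":
        return "loosens"
    if restrictive and action == "add":
        return "tightens"
    # Anything this gate does not understand is handed to a human.
    return "review"


def gate(changes, secops_approved=False):
    """CI gate over a list of change records.

    Loosening or unclassified changes block the pipeline unless SecOps has
    approved the change set. Returns (passes, findings) where findings is a
    list of (entity name, verdict, description) for the pipeline log.
    """
    findings = [
        (c["entity"]["name"], classify_change(c), c["description"])
        for c in changes
    ]
    needs_signoff = [f for f in findings if f[1] in ("loosens", "review")]
    passes = secops_approved or not needs_signoff
    return passes, findings


if __name__ == "__main__":
    ok, report = gate(POLICY_CHANGES)
    for name, verdict, desc in report:
        print(f"{verdict:8s} {name:6s} {desc}")
    print("pipeline may continue:", ok)
```

Run without an approval flag the gate stops on the slide's own record (deleting the disallowed "bak" file type loosens the policy) while a change that only adds a disallowed type passes on its own.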
Demo Highlights
ENVIRONMENT OVERVIEW
NGINX PLUS WITH APP PROTECT - EDGE
NGINX PLUS KUBERNETES INGRESS WITH APP PROTECT
ELK – KIBANA DASHBOARDS EXAMPLE
3-5-7 Demo
3 INSTALL COMMANDS
5 LINES OF CONFIGURATION
7 MINUTES TO RUNNING APP PROTECT
Demo Environment: CentOS server, 3-node K8s cluster, N+ KIC, ELK server
3 – Install App Protect on CentOS 7
Pre-reqs
1. Need your NGINX Plus repo SSL nginx.crt and nginx.key
2. Add the App Protect signatures yum repo:
Centos# wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-signatures-7.repo
Centos# yum install -y app-protect
Centos# yum install -y app-protect-attack-signatures
Centos# yum install -y app-protect-threat-campaigns
5 – Configure nginx.conf with App Protect
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
load_module modules/ngx_http_app_protect_module.so; # Dynamic module
…
server {
    listen 80;
    server_name localhost;
    proxy_http_version 1.1;
    app_protect_enable on; # Enable App Protect
    app_protect_policy_file "/etc/nginx/NginxDefaultPolicy.json"; # Policy definition
    app_protect_security_log_enable on; # Enable logging
    app_protect_security_log "/etc/nginx/log-default.json" syslog:server=10.1.20.6:5144; # Log format file, then syslog IP:port
    location / {
        …
        proxy_pass http://k8s.arcadia-finance.io:30274$request_uri;
    }
}
7 – Running NGINX Plus with App Protect
Centos# systemctl restart nginx
Centos# cat /var/log/nginx/error.log
Centos# curl -k http://localhost
Centos# curl -k "http://localhost/?<script>"
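Once app_protect_security_log points at a syslog server, every inspected request produces a log record there, and the demo's Kibana dashboards are built on those records. The following is an added example, not code from the slides or from F5, of the first thing a SecOps reader would do with that feed: parse the records and summarise what was blocked, by attack type, by client and by signature. It assumes the record shape of the default App Protect log format (comma-separated key="value" pairs with the field names used below); the three sample lines, including every IP, signature ID, URI and support_id, are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample of what the App Protect security log sends to the
# syslog target (three records). Field names follow the assumed
# key="value",key="value" shape of the default log format; every value
# is made up for this example.
SAMPLE_SYSLOG = """\
attack_type="Cross Site Scripting (XSS)",date_time="2020-08-27 10:15:01",dest_port="80",ip_client="198.51.100.23",method="GET",policy_name="NginxDefaultPolicy",request_status="blocked",response_code="0",severity="Critical",sig_ids="200000098,200101609",sig_names="XSS script tag (Parameter),XSS script tag end (Parameter)",support_id="1234567890123456789",uri="/?<script>",violation_rating="5",vs_name="localhost:80"
attack_type="N/A",date_time="2020-08-27 10:15:07",dest_port="80",ip_client="203.0.113.5",method="GET",policy_name="NginxDefaultPolicy",request_status="passed",response_code="200",severity="Informational",sig_ids="N/A",sig_names="N/A",support_id="1234567890123456790",uri="/",violation_rating="0",vs_name="localhost:80"
attack_type="Predictable Resource Location",date_time="2020-08-27 10:16:12",dest_port="80",ip_client="198.51.100.23",method="GET",policy_name="NginxDefaultPolicy",request_status="blocked",response_code="0",severity="Error",sig_ids="N/A",sig_names="N/A",support_id="1234567890123456791",uri="/backup.bak",violation_rating="3",vs_name="localhost:80"
"""

# One key="value" pair. Values may themselves contain commas (signature name
# lists do), so we match quoted values instead of splitting the line on commas.
FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_record(line):
    """Turn one log line into a dict of field name -> string value."""
    return dict(FIELD_RE.findall(line))


def parse_log(text):
    """Parse every line; lines with no key="value" pairs are dropped."""
    records = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            records.append(rec)
    return records


def blocked_requests(records):
    """Only the requests the WAF actually blocked (request_status="blocked")."""
    return [r for r in records if r.get("request_status") == "blocked"]


def blocked_by_attack_type(records):
    """Blocked requests per attack_type, the headline number on a dashboard."""
    return Counter(r["attack_type"] for r in blocked_requests(records))


def blocked_by_client(records):
    """Blocked requests per source IP, for spotting a persistently noisy client."""
    return Counter(r["ip_client"] for r in blocked_requests(records))


def signature_ids_hit(records):
    """Distinct attack-signature IDs that fired on blocked requests ("N/A" = none)."""
    ids = set()
    for r in blocked_requests(records):
        for sid in r.get("sig_ids", "N/A").split(","):
            if sid and sid != "N/A":
                ids.add(sid)
    return ids


def support_ids_for_client(records, ip):
    """support_id values a responder would look up in Kibana for one client."""
    return [r["support_id"] for r in blocked_requests(records) if r["ip_client"] == ip]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_SYSLOG)
    print(f"{len(recs)} records, {len(blocked_requests(recs))} blocked")
    for attack, n in blocked_by_attack_type(recs).most_common():
        print(f"  {n:3d}  {attack}")
    print("signatures hit:", sorted(signature_ids_hit(recs)))
    print("noisiest client:", blocked_by_client(recs).most_common(1))
```

The quoted-value regex is the part worth keeping even if you change everything else: a naive split on commas breaks as soon as a record carries more than one signature name, which is exactly the record you most want to read correctly.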
Demo Ingress YAML with App Protect
NGINX App Protect
WRAP UP
SIZE ?
PERFORMANCE ?
RESOURCES
App Protect Repo
Centos# yum info app-protect
Name : app-protect
Arch : x86_64 Version : 22+3.90.2 Release : 1.el7.ngx
Size : 172 k
Repo : installed
From repo : nginx-plus
App Protect Signatures Repo
Centos# yum info app-protect-attack-signatures
Name : app-protect-attack-signatures
Arch : x86_64 Version : 2020.08.19 Release : 1.el7.ngx
Size : 1.3 M
Repo : installed From repo : app-protect-signatures
Summary : app-protect-attack-signatures-rpm
License : Commercial
Threat Campaign Repo
Centos# yum info app-protect-threat-campaigns
Name : app-protect-threat-campaigns
Arch : x86_64 Version : 2020.08.24 Release : 1.el7.ngx
Size : 113 k
Repo : installed From repo : app-protect-signatures
Summary : app-protect-threat-campaigns-rpm
License : Commercial
NGINX App Protect Performance
[Charts: Throughput (MB/sec), Requests/sec and Latency (ms), each comparing No Protection, NGINX App Protect and ModSec]
Comprehensive security policy has no impact on latency, and offers better throughput and requests/second when compared to ModSec
• ModSec Configuration: OWASP Top 10 (enable all CRS v3 rules)
• NGINX App Protect Configuration: OWASP Top 10 (Enable signatures), Evasion technique, Data Guard, Disallowed file types, HTTP protocol compliance
Resources
NGINX App Protect Resources
● https://www.nginx.com/products/nginx-app-protect/
● https://docs.nginx.com/nginx-app-protect/admin-guide/#
● https://www.nginx.com/blog/nginx-app-protect-1-0-released/
NGINX Threat Campaigns
● https://www.f5.com/pdf/products/f5_threat_campaigns_waf.pdf
NGINX Ingress Controller with App Protect
● https://www.nginx.com/blog/securing-apps-in-kubernetes-nginx-app-protect/
● https://github.com/nginxinc/kubernetes-ingress/tree/master/examples/appprotect
● https://github.com/nginxinc/ansible-role-nginx-app-protect
Questions?
September 15-17, 2020
VIRTUAL EVENT
Sprint is a three-day virtual event designed to inspire and
engage developers, architects, and operators looking to
use NGINX technologies to develop and deliver modern
applications at scale.
www.nginx.com/events/nginx-sprint-2020
GOALS
• Introduce solutions and evolution of NGINX.
• Engage with the NGINX community and users.
• Attract 1,500 live attendees/day.
Day One: Keynotes
SEPTEMBER 15
Duration: 2 hours
Pre-recorded and streamed “live”
• Provide thought leadership,
roadmap review, and announce
new solutions
• Invite external influencers and
maybe customers to present
• Engage audience with post-keynote
analysis from Tech Field Day
Day Two: Demos
SEPTEMBER 16
Duration: 1.5 hours
Live, interactive session
• Provide 6-7 short demos showing off
NGINX and F5 products
• Have demos build on each other,
creating a single app by the end
• Use delegates from Tech Field Day
as audience proxy
Day Three: Hackathon
SEPTEMBER 17
Duration: 2-3 hours
Live streamed session
• Have teams present ideas and
prototypes
• Judge and award winners
Thank You!
NGINX App Protect
BACKUP SLIDES
Kibana Overview page
Kibana Log Entry details
Arcadia Ingress

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Securing k8s With Kubernetes Goat
Securing k8s With Kubernetes GoatSecuring k8s With Kubernetes Goat
Securing k8s With Kubernetes Goat
 
Kubernetes and the NGINX Plus Ingress Controller
Kubernetes and the NGINX Plus Ingress ControllerKubernetes and the NGINX Plus Ingress Controller
Kubernetes and the NGINX Plus Ingress Controller
 
Securing Your Apps & APIs in the Cloud
Securing Your Apps & APIs in the CloudSecuring Your Apps & APIs in the Cloud
Securing Your Apps & APIs in the Cloud
 
Control Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINXControl Kubernetes Ingress and Egress Together with NGINX
Control Kubernetes Ingress and Egress Together with NGINX
 
Secured APIM-as-a-Service
Secured APIM-as-a-ServiceSecured APIM-as-a-Service
Secured APIM-as-a-Service
 
Application Security with NGINX
Application Security with NGINXApplication Security with NGINX
Application Security with NGINX
 
NGINX Controller: Configuration, Management, and Troubleshooting at Scale
NGINX Controller: Configuration, Management, and Troubleshooting at Scale NGINX Controller: Configuration, Management, and Troubleshooting at Scale
NGINX Controller: Configuration, Management, and Troubleshooting at Scale
 
NGINX Basics: Ask Me Anything – EMEA
NGINX Basics: Ask Me Anything – EMEANGINX Basics: Ask Me Anything – EMEA
NGINX Basics: Ask Me Anything – EMEA
 
NGINX: Back to Basics – APCJ
NGINX: Back to Basics – APCJNGINX: Back to Basics – APCJ
NGINX: Back to Basics – APCJ
 
NGINX Lunch and Learn Event: Kubernetes and the NGINX Plus Ingress controller
NGINX Lunch and Learn Event: Kubernetes and the NGINX Plus Ingress controllerNGINX Lunch and Learn Event: Kubernetes and the NGINX Plus Ingress controller
NGINX Lunch and Learn Event: Kubernetes and the NGINX Plus Ingress controller
 
Fundamentals of microservices
Fundamentals of microservicesFundamentals of microservices
Fundamentals of microservices
 
Data Plane Matters! A Deep Dive and Demo on NGINX Service Mesh
Data Plane Matters! A Deep Dive and Demo on NGINX Service MeshData Plane Matters! A Deep Dive and Demo on NGINX Service Mesh
Data Plane Matters! A Deep Dive and Demo on NGINX Service Mesh
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
 
Replacing and Augmenting F5 BIG-IP with NGINX Plus - EMEA
Replacing and Augmenting F5 BIG-IP with NGINX Plus - EMEAReplacing and Augmenting F5 BIG-IP with NGINX Plus - EMEA
Replacing and Augmenting F5 BIG-IP with NGINX Plus - EMEA
 
How to Get Started With NGINX
How to Get Started With NGINXHow to Get Started With NGINX
How to Get Started With NGINX
 
Découvrez NGINX AppProtect
Découvrez NGINX AppProtectDécouvrez NGINX AppProtect
Découvrez NGINX AppProtect
 
NGINX Unit at Scale: Use Cases and the Future of Unit
NGINX Unit at Scale: Use Cases and the Future of UnitNGINX Unit at Scale: Use Cases and the Future of Unit
NGINX Unit at Scale: Use Cases and the Future of Unit
 
Session: A Reference Architecture for Running Modern APIs with NGINX Unit and...
Session: A Reference Architecture for Running Modern APIs with NGINX Unit and...Session: A Reference Architecture for Running Modern APIs with NGINX Unit and...
Session: A Reference Architecture for Running Modern APIs with NGINX Unit and...
 
Global Server Load Balancing with NS1 and NGINX
Global Server Load Balancing with NS1 and NGINXGlobal Server Load Balancing with NS1 and NGINX
Global Server Load Balancing with NS1 and NGINX
 
Nim tames sprawl
Nim tames sprawlNim tames sprawl
Nim tames sprawl
 

Semelhante a Securing Kubernetes Clusters with NGINX Plus Ingress Controller & NAP

Semelhante a Securing Kubernetes Clusters with NGINX Plus Ingress Controller & NAP (20)

What's New with NGINX Application Security Solutions
What's New with NGINX Application Security SolutionsWhat's New with NGINX Application Security Solutions
What's New with NGINX Application Security Solutions
 
Application Security with NGINX | APAC
Application Security with NGINX | APACApplication Security with NGINX | APAC
Application Security with NGINX | APAC
 
F5 and HashiCorp Multi-Cloud
F5 and HashiCorp Multi-CloudF5 and HashiCorp Multi-Cloud
F5 and HashiCorp Multi-Cloud
 
Secure Your Kubernetes Apps from Attacks with NGINX
Secure Your Kubernetes Apps from Attacks with NGINXSecure Your Kubernetes Apps from Attacks with NGINX
Secure Your Kubernetes Apps from Attacks with NGINX
 
F5 Distributed Cloud.pptx
F5 Distributed Cloud.pptxF5 Distributed Cloud.pptx
F5 Distributed Cloud.pptx
 
Infrastructure as Code in Large Scale Organizations
Infrastructure as Code in Large Scale OrganizationsInfrastructure as Code in Large Scale Organizations
Infrastructure as Code in Large Scale Organizations
 
Nginx app protect-for-meetup-v1.0-202006_lk
Nginx app protect-for-meetup-v1.0-202006_lkNginx app protect-for-meetup-v1.0-202006_lk
Nginx app protect-for-meetup-v1.0-202006_lk
 
Deploying NGINX in Cloud Native Kubernetes
Deploying NGINX in Cloud Native KubernetesDeploying NGINX in Cloud Native Kubernetes
Deploying NGINX in Cloud Native Kubernetes
 
Achieving DevSecOps Outcomes with Tanzu Advanced- May 25, 2021
Achieving DevSecOps Outcomes with Tanzu Advanced- May 25, 2021Achieving DevSecOps Outcomes with Tanzu Advanced- May 25, 2021
Achieving DevSecOps Outcomes with Tanzu Advanced- May 25, 2021
 
Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?
 
F5 Networks - парадная дверь в облака
F5 Networks - парадная дверь в облакаF5 Networks - парадная дверь в облака
F5 Networks - парадная дверь в облака
 
ciscothousandeyesusecase
ciscothousandeyesusecaseciscothousandeyesusecase
ciscothousandeyesusecase
 
Automate and simplify multi cloud complexity with f5 and hashi corp
Automate and simplify multi cloud complexity with f5 and hashi corpAutomate and simplify multi cloud complexity with f5 and hashi corp
Automate and simplify multi cloud complexity with f5 and hashi corp
 
Successfully Implement Your API Strategy with NGINX
Successfully Implement Your API Strategy with NGINXSuccessfully Implement Your API Strategy with NGINX
Successfully Implement Your API Strategy with NGINX
 
Virtualization / Cloud / SDN
Virtualization / Cloud / SDNVirtualization / Cloud / SDN
Virtualization / Cloud / SDN
 
F5 Synthesis Toronto February 2014 Roadshow
F5 Synthesis Toronto February 2014 RoadshowF5 Synthesis Toronto February 2014 Roadshow
F5 Synthesis Toronto February 2014 Roadshow
 
VMware Tanzu Kubernetes Connect
VMware Tanzu Kubernetes ConnectVMware Tanzu Kubernetes Connect
VMware Tanzu Kubernetes Connect
 
One And Done Multi-Cloud Load Balancing Done Right.pptx
One And Done Multi-Cloud Load Balancing Done Right.pptxOne And Done Multi-Cloud Load Balancing Done Right.pptx
One And Done Multi-Cloud Load Balancing Done Right.pptx
 
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
SP Virtual Managed Services (VMS) for Intelligent WAN (IWAN)
 
Thinking about SDN and whether it is the right approach for your organization?
Thinking about SDN and whether it is the right approach for your organization?Thinking about SDN and whether it is the right approach for your organization?
Thinking about SDN and whether it is the right approach for your organization?
 

Último

TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
mohitmore19
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
anilsa9823
 

Último (20)

Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 

Securing Kubernetes Clusters with NGINX Plus Ingress Controller & NAP

  • 1. Securing Your Apps & APIs in Kubernetes VIRTUAL EVENT Aug 27th, 2020
  • 2. | ©2020 F5 NETWORKS - CONFIDENTIAL2
  • 3. | ©2020 F5 NETWORKS - CONFIDENTIAL3
  • 4. | ©2020 F5 NETWORKS - CONFIDENTIAL4
  • 5. | ©2020 F5 NETWORKS - CONFIDENTIAL5 There’s two types of apps in this world…. Greenfield Brownfield
  • 6. | ©2020 F5 NETWORKS - CONFIDENTIAL6 Ok, so maybe that’s an oversimplification…. Brownfield Greenfield
  • 7. | ©2020 F5 NETWORKS - CONFIDENTIAL7 And they often are mixed together 7 Monolithic Hybrid Microservices Modernization >60% Core, legacy business apps ~30% Legacy with micro- services add-ons ~10% Modern apps optimized for digital Statistics from 2018 NGINX Brand Survey Where most enterprises will be for years to come
  • 8. | ©2020 F5 NETWORKS - CONFIDENTIAL8 Current CNCF Landscape
  • 9. | ©2020 F5 NETWORKS - CONFIDENTIAL9 Ok, that’s a lot. What do I need to think about to start ramping towards actually getting to production? What flavor of Kubernetes am I going to leverage? Cloud Services Cloud Services Hybrids Vanilla Agnostic
  • 10. | ©2020 F5 NETWORKS - CONFIDENTIAL10 Ok, that’s still a little more complicated than expected Is there anything I can do regardless of my platform choice? Sure, and we’re about to focus on a couple of them. Figure out your application routing, monitoring, and security strategy Platform agnostic tool chain = solve the problem once, solve it for good
  • 11. | ©2020 F5 NETWORKS - CONFIDENTIAL11 Ingress Controller pod pod pod pod pod Per-Pod proxy Per-Service proxy Kubernetes adds several more locations to deploy Application Services API Gateway Load Balancer App Security Four locations to deploy Application Services: • Edge: External load balancers and proxies • Ingress Controller: Entry-point into Kubernetes • Per-Service Proxy: Interior service proxy tier • Per-Pod Proxy: Sidecar-style proxy per pod Edge
  • 12. | ©2020 F5 NETWORKS - CONFIDENTIAL12 Three criteria to determine where to deploy a service 1. Is the service specific to an application, or general, for all applications? Close to the Application Close to the Edge 3. The Technical Fit – what components offer the necessary functionality and APIs? 2. Is the service configuration owned by DevOps/DevSecOps, or by NetOps/SecOps? Owned by Dev(Sec)Ops Owned by NetOps/SecOps Not app components are equal, and different configuration and APIs meet needs of different users
  • 13. | ©2020 F5 NETWORKS - CONFIDENTIAL13 • Native open-source integration in container environments for F5 BIG-IP Ingress control • Enable self-service selection in orchestration for app services • Scale and secure apps through automated event discovery and service insertion • Scale and secure NGINX Ingress controller F5 Container Ingress Services (CIS) F5 Container Ingress Services Container Environments Visibility and Analytics F5 BIG-IP App Performance and Security Services F5 Container Ingress Services Orchestration Dotted line = integration control plane Solid line = traffic data plane AppServicesAcrossNetwork Node 2Node 1 Kubernetes Openshift
  • 14. | ©2020 F5 NETWORKS - CONFIDENTIAL14 • Single pod deployment, running in Kubernetes as nodeport • Rich, app-oriented configuration using both Kubernetes and NGINX Ingress Resources • Supports DevOps use cases: routing, B/G, circuit breaker • Multi-tenant, secure RBAC • Typically requires external LB NGINX Ingress Controller NGINX Ingress Controller Container Environments Visibility and Analytics Orchestration Dotted line = integration control plane Solid line = traffic data plane AppServicesAcrossNetwork Node 2Node 1 Kubernetes Openshift Tracing
  • 15. | ©2020 F5 NETWORKS - CONFIDENTIAL15 Ingress Controller as point of control for App Protect Ingress Controller Edge Services pod pod pod pod pod Customer DevOps requests additional capabilities using Ingress Resource extensions Kubernetes Control Plane NGINX Ingress Resource WAF policy DNS policy IPAM policy Ingress Controller automates downstream services, within boundaries controlled by NetOps Automated discovery and High-Performance Load Balancing
  • 16. | ©2020 F5 NETWORKS - CONFIDENTIAL16 WAF Deployment on the Ingress Controller DEPLOY WAF POLICIES ON THE INGRESS CONTROLLER, CONFIGURED USING KUBERNETES API Ingress Controller pod pod pod pod pod Per-Pod proxy Per-Service proxy Edge K8s NetOps/DevOps-Centric Approach Appropriate solution when WAF policies are under direction of NetOps or DevOps teams. Policies are defined and associated with services using Kubernetes API. NGINX Ingress Controller RBAC allows: • Admin users to enforce policies per listener • DevOps users to select policy per Ingress Resource Leverage Container Ingress Services to scale NGINX Ingress Controller and add other application services (LB, DNS, DDoS, IAM). Appropriate for Kubernetes-native NetOps or DevOps WAF
  • 17. NGINX App Protect. Chris Akker, Technical Solutions Architect, NGINX BU / F5
  • 18. YoY Increase in CVEs
  [Chart: CVEs published per year, 2010 to 2019, y-axis 0 to 16,000. Note: excludes any rejections or disputes.]
  New vulnerabilities are discovered in all manner of software all the time. They are exploited by both malicious bots and human attackers. Do you know how many affect your application stack(s)? Can you keep up with the pace of published vulnerabilities? Do you want to?
  • 19. NGINX App Protect: Strong App Security, Built for Modern Apps, CI/CD Friendly
  • 20. Strong App Security: app security and controls built using F5 Advanced WAF technology. Blocks attacks and helps prevent downtime.
  • Easy install and updates
  • OWASP Top 10 and more
  • Regulatory compliance
  • IP blocking
  • Prevent sensitive data loss
  • F5-based Layer 7 attack protection
  • API security
  • 21. Built for Modern Apps: high performance security with performance and scale
  • High performance: 20X+ faster than alternative OSS
  • Lightweight footprint: small footprint, less than 2MB on disk, ideal for container workloads
  • Seamless NGINX integration: seamless integration into the #1 web application platform
  • Deployment options
  • Minimizes tool sprawl
  • 22. CI/CD Friendly: enable security to keep pace with DevOps and support "shift left" initiatives
  • Declarative policies
  • Speed time to market
  • Reduced cost
  • Enable AppDev feedback loops
  • Automate security in CI/CD cycle
  • 23. Signature Differences
  | Attack Signature | Threat Campaign |
  |---|---|
  | Generic form of attack | Instance of a specific attack |
  | Many false positives | Near 100% accurate |
  | Difficult to evade | Sensitive to attack variations |
  | Updated once in a couple of weeks | Multiple updates per week |
  | No information if ever exploited | Based on real observations |
  | Generic attack information | Provides context (intent/risk) |
  | Local attack indicator | Global threat visibility |
  | ~4,000 | ~200 |
  • 24. Deployment options / use cases
  • Edge SW WAF
  • API WAF
  • Kubernetes IC WAF
  • Pod WAF
  • Microservice WAF
  • 25. Kubernetes adds several more locations to deploy Application Security. Four locations to deploy Application Services:
  • Edge: External load balancers and proxies
  • Ingress Controller: Entry-point into Kubernetes
  • Per-Service Proxy: Interior service proxy tier
  • Per-Pod Proxy: Proxy embedded in pod
  [Diagram: Edge (API Gateway, Load Balancer, App Security), Ingress Controller, Per-Service proxy, Per-Pod proxy and pods; standard App Protect NGINX-proxy deployment]
  • 26. Declarative Policy Helps CI/CD Motion: infrastructure and security as code
  • Source code repository: application code/config for App X and security policy/config for App X
  • CI/CD pipeline tool: pipeline for build/test/deploy of App X
  • IT automation: Ansible playbook for deployment of App X with its app services
  Owned by SecOps. Operated by DevOps.
  Example declarative policy change:
  {
    "entityChanges": { "type": "explicit" },
    "entity": { "name": "bak" },
    "entityKind": "tm:asm:policies:filetypes:filetypestate",
    "action": "delete",
    "description": "Delete Disallowed File Type"
  }
  • 27. Demo Highlights: environment overview; NGINX Plus with App Protect at the edge; NGINX Plus Kubernetes Ingress with App Protect; ELK / Kibana dashboards example
  • 28. 3-5-7 Demo: 3 install commands, 5 lines of configuration, 7 minutes to running App Protect
  • 30. 3: Install App Protect on CentOS 7
  Pre-reqs:
  1. Need your NGINX Plus repo SSL certificate and key, nginx.crt and nginx.key
  2. Add the App Protect signatures yum repo:
  Centos# wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-signatures-7.repo
  Install commands:
  Centos# yum install -y app-protect
  Centos# yum install -y app-protect-attack-signatures
  Centos# yum install -y app-protect-threat-campaigns
  • 31. 5: Configure nginx.conf with App Protect
  user nginx;
  worker_processes auto;
  error_log /var/log/nginx/error.log notice;
  pid /var/run/nginx.pid;
  load_module modules/ngx_http_app_protect_module.so;   # dynamic module
  …
  server {
      listen 80;
      server_name localhost;
      proxy_http_version 1.1;
      app_protect_enable on;                                          # enable App Protect
      app_protect_policy_file "/etc/nginx/NginxDefaultPolicy.json";   # policy definition
      app_protect_security_log_enable on;                             # enable logging
      app_protect_security_log "/etc/nginx/log-default.json" syslog:server=10.1.20.6:5144;   # syslog IP:port
      location / {
          …
          proxy_pass http://k8s.arcadia-finance.io:30274$request_uri;
      }
  }
  • 32. 7: Running NGINX Plus with App Protect
  Centos# systemctl restart nginx
  Centos# cat /var/log/nginx/error.log
  Centos# curl -k http://localhost
  Centos# curl -k "http://localhost/?<script>"
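  Once App Protect is running, the security log configured on slide 31 streams one record per request to the syslog collector (the ELK stack in the demo). As an added example that is not part of this deck, the Python below parses those key="value" records, produces the per-status and per-attack-type counts a Kibana overview charts, and lists the violations a policy let through. Assumptions: the field names follow App Protect's default log format, and every log value shown is constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of the comma-separated key="value" records that the
# app_protect_security_log directive ships to syslog (assumption: field names
# follow App Protect's default log format; every value here is invented).
SAMPLE_LOG = """\
attack_type="Cross Site Scripting (XSS)",ip_client="10.1.20.9",method="GET",policy_name="/Common/NginxDefaultPolicy",request_status="blocked",severity="Critical",sig_ids="200000098",support_id="1001",uri="/",violation_rating="5",outcome="REJECTED",request="GET /?<script> HTTP/1.1"
attack_type="N/A",ip_client="10.1.20.9",method="GET",policy_name="/Common/NginxDefaultPolicy",request_status="passed",severity="Informational",sig_ids="N/A",support_id="1002",uri="/",violation_rating="0",outcome="PASSED",request="GET / HTTP/1.1"
attack_type="Predictable Resource Location,Information Leakage",ip_client="10.1.20.7",method="GET",policy_name="/Common/NginxDefaultPolicy",request_status="alerted",severity="Warning",sig_ids="N/A",support_id="1003",uri="/backup.bak",violation_rating="3",outcome="PASSED",request="GET /backup.bak HTTP/1.1"
"""

# Values may contain commas (attack_type is a list), so match the quoted
# key="value" shape instead of splitting the line on commas.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """One syslog record -> dict of its fields (fields missing from the line stay absent)."""
    return dict(FIELD_RE.findall(line))

def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def attack_types(event):
    """attack_type is a comma-separated list, or N/A when no violation matched."""
    raw = event.get("attack_type", "N/A")
    return [] if raw == "N/A" else [t.strip() for t in raw.split(",")]

def summarize(events):
    """Per-status and per-attack-type counts: the numbers a Kibana overview page charts."""
    return {
        "by_status": Counter(e.get("request_status", "unknown") for e in events),
        "by_attack": Counter(t for e in events for t in attack_types(e)),
    }

def unblocked_violations(events, min_rating=3):
    """support_ids of requests that were NOT rejected despite a violation rating at or
    above min_rating: what a transparent-mode policy let through, to review before blocking."""
    return [e["support_id"] for e in events
            if e.get("outcome") != "REJECTED"
            and int(e.get("violation_rating", "0")) >= min_rating]

def top_sources(events, n=3):
    """Client IPs ranked by the number of requests App Protect blocked or alerted on."""
    flagged = (e.get("ip_client") for e in events if e.get("request_status") != "passed")
    return Counter(flagged).most_common(n)

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(summarize(evts), unblocked_violations(evts), top_sources(evts))  # unblocked -> ['1003']
```

Each support_id reported by unblocked_violations is the same value shown in a Kibana log entry detail, so it can be used to pull up the full record for review.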
  • 33. Demo Ingress YAML with App Protect
  • 34. NGINX App Protect wrap-up: size? performance? resources
  • 35. App Protect repo
  yum info app-protect
  Name      : app-protect
  Arch      : x86_64
  Version   : 22+3.90.2
  Release   : 1.el7.ngx
  Size      : 172 k
  Repo      : installed
  From repo : nginx-plus
  • 36. App Protect signatures repo
  yum info app-protect-attack-signatures
  Name      : app-protect-attack-signatures
  Arch      : x86_64
  Version   : 2020.08.19
  Release   : 1.el7.ngx
  Size      : 1.3 M
  Repo      : installed
  From repo : app-protect-signatures
  Summary   : app-protect-attack-signatures-rpm
  License   : Commercial
  • 37. Threat Campaign repo
  yum info app-protect-threat-campaigns
  Name      : app-protect-threat-campaigns
  Arch      : x86_64
  Version   : 2020.08.24
  Release   : 1.el7.ngx
  Size      : 113 k
  Repo      : installed
  From repo : app-protect-signatures
  Summary   : app-protect-threat-campaigns-rpm
  License   : Commercial
  • 38. NGINX App Protect Performance
  [Charts: Throughput (MB/sec), Requests/sec and Latency (ms), each comparing No Protection, NGINX App Protect and ModSec]
  Comprehensive security policy has no impact on latency, and offers better throughput and requests/second when compared to ModSec.
  • ModSec configuration: OWASP Top 10 (enable all CRS v3 rules)
  • NGINX App Protect configuration: OWASP Top 10 (enable signatures), evasion technique, Data Guard, disallowed file types, HTTP protocol compliance
  • 39. Resources
  NGINX App Protect
  • https://www.nginx.com/products/nginx-app-protect/
  • https://docs.nginx.com/nginx-app-protect/admin-guide/#
  • https://www.nginx.com/blog/nginx-app-protect-1-0-released/
  NGINX Threat Campaigns
  • https://www.f5.com/pdf/products/f5_threat_campaigns_waf.pdf
  NGINX Ingress Controller with App Protect
  • https://www.nginx.com/blog/securing-apps-in-kubernetes-nginx-app-protect/
  • https://github.com/nginxinc/kubernetes-ingress/tree/master/examples/appprotect
  • https://github.com/nginxinc/ansible-role-nginx-app-protect
  • 40. Questions?
  • 41. NGINX Sprint, September 15-17, 2020, virtual event. Sprint is a three-day virtual event designed to inspire and engage developers, architects, and operators looking to use NGINX technologies to develop and deliver modern applications at scale. www.nginx.com/events/nginx-sprint-2020
  Goals:
  • Introduce solutions and evolution of NGINX.
  • Engage with the NGINX community and users.
  • Attract 1,500 live attendees/day.
  • 42. Day One: Keynotes (September 15, duration 2 hours, pre-recorded and streamed "live")
  • Provide thought leadership, roadmap review, and announce new solutions
  • Invite external influencers and maybe customers to present
  • Engage audience with post-keynote analysis from Tech Field Day
  Day Two: Demos (September 16, duration 1.5 hours, live, interactive session)
  • Provide 6-7 short demos showing off NGINX and F5 products
  • Have demos build on each other, creating a single app by the end
  • Use delegates from Tech Field Day as audience proxy
  Day Three: Hackathon (September 17, duration 2-3 hours, live streamed session)
  • Have teams present ideas and prototypes
  • Judge and award winners
  • 43. Thank You!
  • 46. Kibana overview page
  • 47. Kibana log entry details
  • 50. Arcadia Ingress