Securing Kubernetes Clusters with NGINX Plus Ingress Controller & NAP
5. | ©2020 F5 NETWORKS - CONFIDENTIAL
There are two types of apps in this world....
Greenfield Brownfield
6.
Ok, so maybe that’s an oversimplification….
Brownfield
Greenfield
7.
And they are often mixed together
[Chart: Monolithic, Hybrid and Microservices apps along a modernization axis]
Monolithic: >60%, core, legacy business apps
Hybrid: ~30%, legacy with microservices add-ons
Microservices: ~10%, modern apps optimized for digital
Where most enterprises will be for years to come
Statistics from 2018 NGINX Brand Survey
8.
Current CNCF Landscape
9.
Ok, that’s a lot.
What do I need to think about to start ramping towards actually getting to production?
What flavor of Kubernetes am I going to leverage?
Cloud Services, Hybrids, Vanilla, Agnostic
10.
Ok, that’s still a little more complicated than expected
Is there anything I can do regardless of my platform choice?
Sure, and we’re about to focus on a couple of them.
Figure out your application routing, monitoring, and security strategy
Platform agnostic tool chain = solve the problem once, solve it for good
11.
Kubernetes adds several more locations to deploy Application Services
[Diagram: Edge (API Gateway, Load Balancer, App Security) -> Ingress Controller -> Per-Service proxy -> Per-Pod proxy -> pods]
Four locations to deploy Application Services:
• Edge: External load balancers and proxies
• Ingress Controller: Entry-point into Kubernetes
• Per-Service Proxy: Interior service proxy tier
• Per-Pod Proxy: Sidecar-style proxy per pod
12.
Three criteria to determine where to deploy a service
1. Is the service specific to an application, or general, for all applications? (Close to the Application vs. Close to the Edge)
2. Is the service configuration owned by DevOps/DevSecOps, or by NetOps/SecOps? (Owned by Dev(Sec)Ops vs. Owned by NetOps/SecOps)
3. The Technical Fit – what components offer the necessary functionality and APIs?
Not all app components are equal, and different configurations and APIs meet the needs of different users
13.
F5 Container Ingress Services (CIS)
• Native open-source integration in container environments for F5 BIG-IP Ingress control
• Enable self-service selection in orchestration for app services
• Scale and secure apps through automated event discovery and service insertion
• Scale and secure NGINX Ingress controller
[Diagram: Orchestration (Kubernetes, Openshift) and Container Environments (Node 1, Node 2) integrated through F5 Container Ingress Services with F5 BIG-IP App Performance and Security Services, Visibility and Analytics, and App Services Across Network]
Dotted line = integration control plane
Solid line = traffic data plane
14.
NGINX Ingress Controller
• Single pod deployment, running in Kubernetes as nodeport
• Rich, app-oriented configuration using both Kubernetes and NGINX Ingress Resources
• Supports DevOps use cases: routing, B/G, circuit breaker
• Multi-tenant, secure RBAC
• Typically requires external LB
[Diagram: Orchestration (Kubernetes, Openshift) and Container Environments (Node 1, Node 2) with NGINX Ingress Controller, Visibility and Analytics, Tracing, and App Services Across Network]
Dotted line = integration control plane
Solid line = traffic data plane
15.
Ingress Controller as point of control for App Protect
[Diagram: Customer -> Edge Services -> Ingress Controller -> pods; Kubernetes Control Plane holds the NGINX Ingress Resource with WAF policy, DNS policy and IPAM policy]
DevOps requests additional capabilities using Ingress Resource extensions
Ingress Controller automates downstream services, within boundaries controlled by NetOps
Automated discovery and High-Performance Load Balancing
16.
WAF Deployment on the Ingress Controller
DEPLOY WAF POLICIES ON THE INGRESS CONTROLLER, CONFIGURED USING KUBERNETES API
[Diagram: Edge -> Ingress Controller (WAF) -> Per-Service proxy -> Per-Pod proxy -> pods]
K8s NetOps/DevOps-Centric Approach
Appropriate solution when WAF policies are under direction of NetOps or DevOps teams. Policies are defined and associated with services using Kubernetes API.
NGINX Ingress Controller RBAC allows:
• Admin users to enforce policies per listener
• DevOps users to select policy per Ingress Resource
Leverage Container Ingress Services to scale NGINX Ingress Controller and add other application services (LB, DNS, DDoS, IAM).
Appropriate for Kubernetes-native NetOps or DevOps WAF
18.
[Chart: YoY Increase in CVEs, 2010 to 2019, y-axis 0 to 16000 CVEs per year]
Note: Excludes any rejections or disputes.
New vulnerabilities are discovered in all manner of software all the time
They are exploited by both malicious bots and human attackers
Do you know how many affect your application stack(s)?
Can you keep up with the pace of published vulnerabilities?
Do you want to?
19.
NGINX App Protect
• Strong App Security
• Built for Modern Apps
• CI/CD Friendly
20.
Strong App Security
App security and controls built using F5 Advanced WAF technology. Blocks attacks and helps prevent downtime.
• Easy Install & Updates
• OWASP Top 10 and more
• Regulatory Compliance
• IP Blocking
• Prevent sensitive data loss
• F5-based Layer 7 Attack Protection
• API Security
21.
Built for Modern Apps
High-performance security that scales. Small footprint, less than 2MB on disk – ideal for container workloads. Seamless integration into the #1 web application platform.
• High performance: 20X+ faster than alternative OSS
• Deployment options
• Minimizes tool sprawl
• Lightweight footprint
• Seamless NGINX integration
22.
CI/CD Friendly
Enable security to keep pace with DevOps and support “shift left” initiatives
• Declarative policies
• Speed time to market
• Reduced cost
• Enable AppDev feedback loops
• Automate security in CI/CD cycle
23.
Signature Differences
                         Attack Signature                    Threat Campaign
Scope                    Generic form of attack              Instance of a specific attack
Accuracy                 Many false positives                Near 100% accurate
Evasion                  Difficult to evade                  Sensitive to attack variations
Update cadence           Updated once in a couple of weeks   Multiple updates per week
Exploitation evidence    No information if ever exploited    Based on real observations
Context                  Generic attack information          Provides context (intent/risk)
Visibility               Local attack indicator              Global threat visibility
Count                    ~4,000                              ~200
24.
Deployment options / Use Cases
• Edge SW WAF
• API WAF
• Kubernetes IC WAF
• Pod WAF
• Microservice WAF
25.
Kubernetes adds several more locations to deploy Application Security
[Diagram: Edge (API Gateway, Load Balancer, App Security) -> Ingress Controller -> Per-Service proxy -> Per-Pod proxy -> pods]
Four locations to deploy Application Services:
• Edge: External load balancers and proxies
• Ingress Controller: Entry-point into Kubernetes
• Per-Service Proxy: Interior service proxy tier
• Per-Pod Proxy: Proxy embedded in pod
Standard App Protect NGINX-Proxy deployment
26.
Declarative Policy Helps CI/CD Motion
INFRASTRUCTURE AND SECURITY AS CODE
Source Code Repository: application code/config for App X; security policy/config for App X
CI/CD Pipeline Tool: pipeline for build/test/deploy of App X
IT Automation: Ansible playbook for deployment of App X with its app services
Owned by SecOps; Operated by DevOps
Policy modification as declarative JSON (deletes the disallowed file type "bak"):
{
  "entityChanges": {
    "type": "explicit"
  },
  "entity": {
    "name": "bak"
  },
  "entityKind": "tm:asm:policies:filetypes:filetypestate",
  "action": "delete",
  "description": "Delete Disallowed File Type"
}
30.
3 - Install AppProtect on Centos 7
Pre-Reqs
1. Need your NginxPlus Repo SSL nginx.crt and nginx.key
2. Add the App-Protect Signatures yum repo
Centos# wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-signatures-7.repo
Centos# yum install -y app-protect
Centos# yum install -y app-protect-attack-signatures
Centos# yum install -y app-protect-threat-campaigns
31.
5 – Configure Nginx.conf with AppProtect
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
load_module modules/ngx_http_app_protect_module.so; # Dynamic module
…
server {
    listen 80;
    server_name localhost;
    proxy_http_version 1.1;
    app_protect_enable on; # Enable AppProtect
    app_protect_policy_file "/etc/nginx/NginxDefaultPolicy.json"; # Policy definition
    app_protect_security_log_enable on; # Enable logging
    app_protect_security_log "/etc/nginx/log-default.json" syslog:server=10.1.20.6:5144; # Syslog IP:port
    location / {
        …
        proxy_pass http://k8s.arcadia-finance.io:30274$request_uri;
    }
}
32.
7 – Running NginxPlus with AppProtect
Centos# systemctl restart nginx
Centos# cat /var/log/nginx/error.log
Centos# curl -k http://localhost
Centos# curl -k "http://localhost/?<script>"
33.
Demo Ingress YAML with App Protect
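The demo YAML itself is not reproduced on the slide. The following is an added example (not the deck's own file) of how the pieces fit together in the NGINX Ingress Controller with App Protect: an APPolicy carrying the same file-type modification shown as JSON on slide 26, an APLogConf, and an Ingress whose annotations attach both to a host. The resource names arcadia-policy, logconf, arcadia-ingress and the backend Service arcadia-app are assumed; the host and syslog destination reuse the values from the nginx.conf slide, and the annotation and CRD names follow the appprotect examples in the nginxinc/kubernetes-ingress repository.

```yaml
apiVersion: appprotect.f5.com/v1beta1
kind: APPolicy
metadata:
  name: arcadia-policy                 # assumed name
spec:
  policy:
    name: arcadia-policy
    template:
      name: POLICY_TEMPLATE_NGINX_BASE
    applicationLanguage: utf-8
    enforcementMode: blocking          # block violations, not just alarm
  modifications:                       # same entity change as the slide 26 JSON
  - entityChanges:
      type: explicit
    entity:
      name: bak
    entityKind: tm:asm:policies:filetypes:filetypestate
    action: delete
    description: Delete Disallowed File Type
---
apiVersion: appprotect.f5.com/v1beta1
kind: APLogConf
metadata:
  name: logconf
spec:
  filter:
    request_type: illegal              # log only requests that violate the policy
  content:
    format: default                    # same default format as log-default.json
---
apiVersion: networking.k8s.io/v1beta1  # 2020-era Ingress schema used by the deck
kind: Ingress
metadata:
  name: arcadia-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    appprotect.f5.com/app-protect-enable: "True"
    appprotect.f5.com/app-protect-policy: "default/arcadia-policy"
    appprotect.f5.com/app-protect-security-log-enable: "True"
    appprotect.f5.com/app-protect-security-log: "default/logconf"
    appprotect.f5.com/app-protect-security-log-destination: "syslog:server=10.1.20.6:5144"
spec:
  rules:
  - host: k8s.arcadia-finance.io
    http:
      paths:
      - path: /
        backend:
          serviceName: arcadia-app     # assumed backend Service name
          servicePort: 80
```

The policy and log configuration are cluster objects that SecOps can own in source control, while the Ingress annotations are the per-application selection DevOps makes, which is the RBAC split described on slide 16.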
35.
App Protect Repo
yum info app-protect
Name      : app-protect
Arch      : x86_64
Version   : 22+3.90.2
Release   : 1.el7.ngx
Size      : 172 k
Repo      : installed
From repo : nginx-plus
36.
App Protect Signatures Repo
yum info app-protect-attack-signatures
Name      : app-protect-attack-signatures
Arch      : x86_64
Version   : 2020.08.19
Release   : 1.el7.ngx
Size      : 1.3 M
Repo      : installed
From repo : app-protect-signatures
Summary   : app-protect-attack-signatures-rpm
License   : Commercial
37.
Threat Campaign Repo
yum info app-protect-threat-campaigns
Name      : app-protect-threat-campaigns
Arch      : x86_64
Version   : 2020.08.24
Release   : 1.el7.ngx
Size      : 113 k
Repo      : installed
From repo : app-protect-signatures
Summary   : app-protect-threat-campaigns-rpm
License   : Commercial
38.
NGINX App Protect Performance
[Three charts comparing No Protection, NGINX App Protect and ModSec: Throughput (MB/sec, 0 to 2.5), Requests/sec (0 to 14000), Latency (ms, 0 to 800)]
Comprehensive security policy has no impact on latency, and offers better throughput and requests/second when compared to ModSec
• ModSec Configuration: OWASP Top 10 (enable all CRS v3 rules)
• NGINX App Protect Configuration: OWASP Top 10 (Enable signatures), Evasion technique, Data Guard, Disallowed file types, HTTP protocol compliance
39.
Resources
Nginx App Protect Resources
● https://www.nginx.com/products/nginx-app-protect/
● https://docs.nginx.com/nginx-app-protect/admin-guide/#
● https://www.nginx.com/blog/nginx-app-protect-1-0-released/
Nginx Threat Campaigns
● https://www.f5.com/pdf/products/f5_threat_campaigns_waf.pdf
NGINX Ingress Controller with App Protect
● https://www.nginx.com/blog/securing-apps-in-kubernetes-nginx-app-protect/
● https://github.com/nginxinc/kubernetes-ingress/tree/master/examples/appprotect
● https://github.com/nginxinc/ansible-role-nginx-app-protect
40.
Questions?
41.
September 15-17, 2020
VIRTUAL EVENT
Sprint is a three-day virtual event designed to inspire and engage developers, architects, and operators looking to use NGINX technologies to develop and deliver modern applications at scale.
www.nginx.com/events/nginx-sprint-2020
GOALS
• Introduce solutions and evolution of NGINX.
• Engage with the NGINX community and users.
• Attract 1,500 live attendees/day.
42.
Day One: Keynotes
SEPTEMBER 15
Duration: 2 hours
Pre-recorded and streamed “live”
• Provide thought leadership, roadmap review, and announce new solutions
• Invite external influencers and maybe customers to present
• Engage audience with post-keynote analysis from Tech Field Day
Day Two: Demos
SEPTEMBER 16
Duration: 1.5 hours
Live, interactive session
• Provide 6-7 short demos showing off NGINX and F5 products
• Have demos build on each other, creating a single app by the end
• Use delegates from Tech Field Day as audience proxy
Day Three: Hackathon
SEPTEMBER 17
Duration: 2-3 hours
Live streamed session
• Have teams present ideas and prototypes
• Judge and award winners
43.
Thank You!
46.
Kibana Overview page
47.
Kibana Log Entry details
50.
Arcadia Ingress