C3Subtitles: 35c3: Sneaking In Network Security

Sneaking In Network Security

Enforcing strong network segmentation, without anyone noticing

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
Highly compartmentalized network segmentation is a long-held goal of most blue teams, but it's notoriously hard to deploy once a system has already been built. We leveraged an existing service discovery framework to deploy a large-scale TLS-based segmentation model that enforces access control while automatically learning authorization rules and staying out of the way of developers. We also did it without scheduling downtime or putting a halt to development. This talk covers how we engineered this, and shares lessons learned throughout the process.

The "hard-shell, soft-center" model of network security has been popular since the invention of networks--building proper internal controls is often skipped when organizations grow quickly, and by the time that scale has been achieved, security teams resort to defending the perimeter. In this talk, I'll show an example of how we took a large modern network to a significantly more secure model by building network segmentation into the existing service discovery framework in use.

Service discovery is a critical part of recent network design, and popular frameworks often offer security features. However, these tend to be difficult to implement after the network has already been established, and don't offer endpoint-to-endpoint solutions. We built a series of extensions to SmartStack, an open-source service discovery framework, that allow it to protect all communications with mutual TLS and offer both authentication and authorization. This was all done in a way that's transparent to the applications on either side, allowing us to migrate to this system without changing any application code or teaching developers the details of the system.

This talk will discuss the technologies used and the challenges encountered in doing this rollout, and will aim to provide useful guidance to other security engineers wishing to make a similar transition.

Talk ID
5:30 p.m.
Type of
Maximilian Burkhardt
0.0% Checking done0.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
100.0% Nothing done yet100.0%

English: Transcribed until

Last revision: unknown