#security (2020-10)

Archive: https://archive.sweetops.com/security/

2020-10-29

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals

On Monday, Oct. 27, KrebsOnSecurity began following up on a tip from a reliable source that an aggressive Russian cybercriminal gang known for deploying ransomware was preparing to disrupt information technology systems at hundreds of hospitals, clinics and medical care facilities across the United States. Today, officials from the FBI and the U.S. Department of…

2020-10-28

2020-10-27

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Blog on beyondcorp (using lots of cloudposse modules as always): https://transcend.io/blog/restrict-access-to-internal-websites-with-beyondcorp

Made it to number 3 on hackernews today which makes me pretty happy

btai avatar

anyone have a quick and easy way to integrate OIDC w/ a static s3 site?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Authenticate users using an Application Load Balancer - Elastic Load Balancing

Learn how to configure an Application Load Balancer to authenticate users of your applications using their corporate or social identities before routing requests.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

IdP (Cognito, Okta, GSuite, etc.) -> ALB -> CloudFront -> S3

btai avatar

thank you @Andriy Knysh (Cloud Posse)

rei avatar

@Andriy Knysh (Cloud Posse) Is it possible to use this scheme to authenticate and authorize users with an IdP at the ALB and allow access to infinite apps under https://<branch_slug>.dev.mydomain.com ?

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

ALB can authenticate access to all apps on the cluster. Authorization is a completely separate thing. Each app will get a list of actions that the user can perform (a list of roles for example). It’s the app’s task to do the authorization (allow or disallow the user access)

rei avatar

Yeah, however is it possible to decouple it so the current app doesn’t need modification?

rei avatar

Sort of instead of using http basic auth, use an IdP at the ALB level

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

only if you place some kind of a proxy in front of the app

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

the proxy will do it

rei avatar

To redirect to the correct branch?

rei avatar

I have been trying this the whole day without much success

rei avatar

Do you know any example or blog source which shows this method?

rei avatar

Or at least the Keywords for Google

rei avatar

Thank you!

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

there are many ways of doing it

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

at the cluster/namespace level,

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

in which case each app must be deployed with k8s RBAC

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Consistent OIDC authentication across multiple EKS clusters using Kube-OIDC-Proxy | Amazon Web Services

Amazon Elastic Kubernetes Service (Amazon EKS) authenticates users against IAM before they’re granted access to an EKS cluster. Access to each cluster is controlled by the aws-auth ConfigMap, a file that maps IAM users/roles to Kubernetes RBAC groups. In this guest post from Josh Van Leeuwen from Jetstack, we look at how we can use […]

rei avatar

We currently only authenticate company users with gSuite. Thus the external IdP

btai avatar

@ I had this same exact problem that I wanted to solve. I ended up building a very small oidc reverse proxy that sits as sidecar in the ingress controller pod. So it looks like this: ALB -> oidc sidecar -> ingress controller -> service

Then we set up the oidc sidecar to cache the session as a wildcard cookie (*.mydomain.com) with an expiration set at 1 day.

btai avatar

I can’t remember off the top of my head but I ran into a roadblock attempting to use ALB OIDC for my solution.

rei avatar

@btai thx for the hint. We’ll keep it in mind. However we decided now to go for the vpn + internal alb/nlb solution

2020-10-21

2020-10-15

roth.andy avatar
roth.andy
05:37:29 PM

Thought some might find this interesting. Was just approved for public release.

Zach avatar

Got the source url handy?

roth.andy avatar
roth.andy

it was emailed to me. hang on I’ll see if I can find it

Zach avatar

oh ok I can search too in that case

roth.andy avatar
roth.andy

Looks like it isn’t posted yet but a link to it will likely end up here: https://software.af.mil/dsop/documents/

Zach avatar

yah was only finding the 2019 pre-release myself

Zach avatar

thanks!

andrey.a.devyatkin avatar
andrey.a.devyatkin

Thanks for sharing

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Protect teams with Browser Isolation | Cloudflare

Cloudflare Browser Isolation works with your native browser to protect remote teams and make web browsing safer and faster.

rei avatar

CF sniffs your TLS requests, your DNS requests and now your clicks

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Introducing Cloudflare Browser Isolation beta

Today, we’re excited to open up a beta of a third approach to keeping web browsing safe with Cloudflare Browser Isolation.

2020-10-14

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Argo Tunnels that live forever

Securely connecting your infrastructure to Cloudflare’s network just became easier.

imiltchman avatar
imiltchman

As a provider, IP Whitelisting is still the main way that firewall exceptions are made to us by our customers to access their protected applications. Is there a better solution to this use case than VPN? I’ve looked at Perimeter81, but I am not sold on the whole approach.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

This is a rich space these days. Perimeter being just one of dozens.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

The zero trust/beyondcorp model is more or less the gold standard today, with various vendors taking their own approach

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Last week cloudflare launched “one”

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Today HashiCorp announced boundary

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

What is your wire protocol for your apps?

imiltchman avatar
imiltchman

For this use case, just https

imiltchman avatar
imiltchman

I think that’s part of the problem. Everyone is going to be implementing their flavor of zero-trust and we’ll have to jump through hoops to set up our connectivity as opposed to having a single way of doing it with something universal like IP Whitelisting/VPN client

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

So with IP whitelisting, is the single way of doing it with Security Groups, NACLs, WAF, ingress, or in the application?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

So HTTP is the ideal case and perhaps the most demonstrated case for how to expose apps in the zero trust model with IAP (identity aware proxies). It’s more or less synonymous with VPNs. A VPN will require a user to identify and login. It then creates a point to point connection with the VPN server and sends layer 3 or 4 traffic over it. Then additional firewall rules and subnet routing policies need to be used to protect services from the VPN traffic.

In the IAP model, you have a point to point TCP connection (just like with the VPN). You’re speaking one wire protocol (HTTP), unlike with the VPN, where it can be anything. You identify with Single Sign-On (e.g. works well with Okta, Gsuite, etc). The proxy connects you to exactly one service, not the entire network, so there’s no need for additional firewalling and routing rules.
