Highly compartmentalized network segmentation is a long-held goal of most blue teams, but it's notoriously hard to deploy once a system has already been built. We leveraged an existing service discovery framework to deploy a large-scale TLS-based segmentation model that enforces access control while automatically learning authorization rules and staying out of the way of developers. We also did it without scheduling downtime or putting a halt to development. This talk covers how we engineered this, and shares lessons learned throughout the process.
The "hard-shell, soft-center" model of network security has been popular since the invention of networks--building proper internal controls is often skipped when organizations grow quickly, and by the time that scale has been achieved, security teams resort to defending the perimeter. In this talk, I'll show an example of how we took a large modern network to a significantly more secure model by building network segmentation into the existing service discovery framework in use.
Service discovery is a critical part of recent network design, and popular frameworks often offer security features. However, these tend to be difficult to implement after the network has already been established, and don't offer endpoint-to-endpoint solutions. We built a series of extensions to SmartStack, an open-source service discovery framework, that allow it to protect all communications with mutual TLS and offer both authentication and authorization. This was all done in a way that's transparent to the applications on either side, allowing us to migrate to this system without changing any application code or teaching developers the details of the system.
This talk will discuss the technologies used and the challenges encountered in doing this rollout, and will aim to provide useful guidance to other security engineers wishing to make a similar transition.