Politecnico di Torino (logo)

Zero Trust networks with Istio

Matteo Pace

Zero Trust networks with Istio.

Rel. Antonio Lioy, Ignazio Pedone. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2021

PDF (Tesi_di_laurea) - Tesi
Licenza: Creative Commons Attribution Non-commercial No Derivatives.

Download (6MB) | Preview

Cloud computing has drastically changed the approach of deploying and accessing data and services, increasing their availability and flexibility. Transitioning to cloud solutions requires a more flexible approach for application development. For this purpose, microservices provide a new strategy: classical monolithic applications could be developed and deployed as a set of different components. Containers are usually adopted as lightweight virtualisation technology for operating them. These trends bring new security challenges and perspectives: the new de-perimetralized era deprecates the old "castle-and-moat" approach in favour of zero-trust. There are anymore defined and physical perimeters, but rather the whole network has to be treated as potentially compromised. Every access and action must be verified, removing any implicit trust. This leads to better visibility of the network and a reduction of the impact of breaches. This could be achieved by reducing the exposition of confidential data, limiting lateral movements and providing each network entity with a least privileged model. From a technological standpoint, Kubernetes is the de-facto standard for container orchestration and provides a solid base for microservices deployment and management. Furthermore, it could be extended to support external technologies and features. The Istio service-mesh, built on top of it, provides traffic management, observability and security capabilities. The latter permits to enforce zero-trust principles, providing a strong identity to all the microservices, encrypting internal traffic and applying authentication and authorization policies. These features have been analyzed and tested implementing a sample zero-trust architecture. Istio provides also custom functionalities: via the recent WebAssembly sandboxing technology, network and security controls can be developed. To test the maturity of this approach, this work shows the design and development of a Web Application Firewall based on ModSecurity and the OWASP Core Rule Set. Furthermore, Istio has been exploited to centralize its management, configuring and deploying it in a scalable and granular way inside the zero-trust architecture. Despite limitations due to the alpha phase of the extensibility feature, our results show that developing a security control using Istio and WebAssembly is possible and effective. Defense in depth is enhanced, complementing the built-in Istio security features and contributing towards zero-trust networks. Following Istio extensibility evolution, further work can be done to fully exploit ModSecurity logging and detection capabilities.

Relators: Antonio Lioy, Ignazio Pedone
Academic year: 2021/22
Publication type: Electronic
Number of Pages: 105
Corso di laurea: Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering)
Classe di laurea: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Aziende collaboratrici: UNSPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/21170
Modify record (reserved for operators) Modify record (reserved for operators)