Hello, everyone. Thank you for watching this session. My name is Yoshiyuki Tabata, from the OSS Solution Center at Hitachi. This session is "Lightweight Zero Trust Network Implementation with Keycloak and NGINX". In fact, many systems use a legacy architecture, and this implementation is provided for such systems; in this session I explain how to use it.

First, let me introduce myself. My name is Yoshiyuki Tabata, and I'm a software engineer at the OSS Solution Center, Hitachi. I work on solutions for API systems, and I've built various API systems, for example, a high-security banking API system. I'm a contributor to 3scale, which is an OSS for API management. I've developed features around security and access control, for example, rate limiting, role-based access control, mutual TLS, and so on. I'm also a contributor to Keycloak. I've developed features for API use cases based on OAuth and OIDC, for example, token revocation, refresh token settings, and so on.

So let's get started. This is today's session overview. In a traditional API system, the security boundary between the public network and the private network is clear, so we only needed to focus on that security boundary. Inside the system is the private network, and outside of the system is the public network. An API system is typically built by following OAuth 2.0, the de facto standard of API security. So a client application delegates authentication and authorization to the authorization server, and the client application gets an access token. Then it calls the API exposed by the API gateway. The API gateway access-controls API calls and, if OK, proceeds to the resource servers. These internal communications are recognized as safe, so typically they are not encrypted. Previously, the components that expose APIs were limited, so building a security boundary was quite easy.

In the world of microservices, on the other hand, various services expose their APIs, so it's much more difficult to define the security boundary between the public network and the private network. In the world of microservices, the same as in traditional API systems, we need to build an API system by following OAuth 2.0. So there is an authorization server, and there are many services that expose their APIs. These APIs are called not only by the client application, but also by other services. So it's quite difficult to build a security boundary in this case. So we need to consider introducing a zero trust network to secure each service independently, for example, per service or per pod. The typical way to achieve a zero trust network is with a service mesh. But actually there are many systems to which it's a little hard to introduce, because it needs rich resources for its rich features and affects the architecture a lot. So we propose a lightweight zero trust network implementation, which needs fewer resources than a service mesh and is easier to introduce than a service mesh.

These are today's contents. First, I describe what the zero trust network this session targets is. Next, I describe how to achieve the underlying technology behind the zero trust network. Then I describe the transition from the traditional security boundary definition to a per-service or per-pod definition. After that, I describe two additional topics. First, I describe how to achieve east-west traffic. Then finally, I describe how to resolve the choke point issue of the policy decision point.

So first, what is a zero trust network? A zero trust network is to treat the system's internal network the same as the public network. This assumes that the implicit trust zone is only inside the service or inside the pod, and all networks, including networks inside the system, are not safe. The de facto standard of service mesh is Istio, and according to Istio, the underlying technology behind the zero trust network is JWT validation and mutual TLS. Istio requires mTLS and JWT validation in the public network, and Istio only requires mTLS in the system's internal network, but JWT validation in the internal network is said to be also needed among API security professionals. This is because we need to treat the system's internal network the same as the public network.
I describe the underlying technology behind the zero trust network by using the traditional API system. First, JWT validation. In the context of OAuth 2.0, what the JWT which is presented during an API call means is an OAuth 2.0 access token, and the access token is issued by an authorization server as representing an authorization. In the typical OAuth 2.0 authorization code flow, first, a client application delegates user authentication and authorization to the authorization server. Then the authorization server issues an access token to the client application after the user authentication and authorization. After that, the client application calls the API of the API gateway with the access token. Then the API gateway validates the JWT. Generally, the API gateway validates the JWT with the authorization server, following token introspection defined by RFC 7662. What it validates are, for example, the signature: by validating the signature, we can check the JWT is not tampered with. Validating the expiry, we can check the JWT is not expired. Validating the scopes, we can check the client was authorized to call the API. Validating the audience, we can check which resource server or API gateway is intended to return the resource. This is JWT validation.

Next, mutual TLS. The same as authenticating the server using the server certificate, we authenticate the client using the client certificate. During the TLS handshake, the API gateway presents its server certificate and the client application presents its client certificate. The API gateway verifies the client certificate using the trusted CA certificates. This is mutual TLS. There is another mutual TLS in the context of OAuth 2.0. In the context of OAuth 2.0, mutual TLS means OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens, defined by RFC 8705. OAuth MTLS can prevent access token theft. I briefly describe OAuth MTLS. First, when the client application delegates authentication and authorization, the client application presents its client certificate during the TLS handshake. After authentication and authorization, the authorization server issues an access token, and this access token includes the hash value of the client certificate. After that, the client application calls the API with the access token. And also at this timing, the client application presents its client certificate during the TLS handshake. Then the API gateway verifies the client certificate using the trusted CA certificates. And also the API gateway can verify that the hash value of the client certificate equals the one in the access token. So if an attacker gets someone's access token, since he cannot present the valid client certificate, he cannot call the API. Moreover, by extending token introspection, the API gateway can delegate the client certificate check to the authorization server.

The table below shows the difference. In the case of mTLS, the authorization server and the resource server need to manage trusted CA certificates, but in the case of OAuth MTLS, only the authorization server needs to manage them. In the case of mTLS, we cannot prevent access token theft, but in the case of OAuth MTLS, we can. Especially in the case of the public network, we believe OAuth MTLS may be suitable. In this session, I treat these technologies as the underlying technology behind the zero trust network.

Next, I describe how to achieve the underlying technology behind the zero trust network. Before that, I briefly describe what Keycloak is. Keycloak is an identity management OSS and provides OAuth 2.0 authorization server features. It has major features; for example, it supports identity federation corresponding to major standards, and also it supports social login, for example, GitHub, Twitter, Facebook. Keycloak is becoming the de facto standard of OSS authorization servers.

So, let's go back to the main topic: how to achieve JWT validation with Keycloak and NGINX. Keycloak supports token introspection as a standard. NGINX has ngx_http_auth_request_module, which implements client authorization based on the result of a subrequest. If the subrequest returns a 2xx response code, access is allowed. If it returns 401 or 403, access is denied with the corresponding error code. NGINX sends an introspection request to Keycloak's token introspection endpoint, and if the access token is active, NGINX proxies to the resource server. If the access token is not active, NGINX denies access.

Next, how to achieve mTLS with NGINX. NGINX specifies trusted CA certificates with the ssl_client_certificate directive, and NGINX verifies client certificates using the trusted CA certificates. Then how about achieving OAuth MTLS? NGINX supports the optional_no_ca parameter at this time. This is intended for use in cases when a service that is external to NGINX performs the actual certificate verification. The $ssl_client_escaped_cert variable returns the client certificate in the PEM format for an established SSL connection. So we can pass this variable's value to the external service. In this case, Keycloak has interfaces that extend its features, called SPI. By using SPI, we can extend token introspection to check client certificates at Keycloak. We make NGINX send the access token and the client certificate to the token introspection endpoint. This is how to achieve OAuth MTLS with Keycloak and NGINX.

So far, we can achieve the underlying technology behind the zero trust network with Keycloak and NGINX by using the traditional API system. From here, we transition from the traditional security boundary definition to a per-service or per-pod definition. I describe the security boundary transition scenario. So far, we explained how to use Keycloak and NGINX to achieve the underlying technology behind the zero trust network. From a macro perspective, we may be able to say that this is a zero trust network because it achieves the underlying technology, but this is not the general grain size of a zero trust network. From here, we make the grain size of the security boundary finer step by step. Compared with other services or products, Keycloak and NGINX can achieve this transition much more easily. This is also one of the main reasons why we selected Keycloak and NGINX.

Step one is to change the API gateway to the NGINX Ingress Controller. First of all, lift the existing traditional API system to the world of containers. Compared to cloud services, in NGINX this API gateway lifting is very easy because we can reuse the NGINX config. For example, we can use the server-snippet and location-snippet annotations, or use the custom resource named VirtualServer. The NGINX Ingress Controller plays the role of the API gateway, that is, validating JWTs and verifying client certificates, and proxies API calls to the resource server services.
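As an added example (not code from the talk, nor from the Keycloak or NGINX projects), the following Python script shows the decision the external service behind NGINX's auth_request subrequest would make on the two inputs described above: the RFC 7662 introspection response from Keycloak and the URL-escaped PEM client certificate NGINX forwards from $ssl_client_escaped_cert. It applies the checks listed for JWT validation (active, exp, scope, aud) and, for OAuth MTLS, compares the RFC 8705 cnf x5t#S256 thumbprint against the presented certificate, answering 200, 401 or 403 so that auth_request can allow or deny. The function names, the scope and audience values and the certificate bytes are constructed for the example; the "certificates" are arbitrary byte strings wrapped in PEM armour, since only their SHA-256 is compared here.

```python
"""Added example: auth_request decision logic for the proxy in front of a
resource server. Inputs are an RFC 7662 introspection response (from Keycloak)
and the URL-escaped PEM client certificate NGINX exposes as
$ssl_client_escaped_cert. Returns the HTTP status auth_request acts on."""
import base64
import hashlib
import time
from typing import Optional
from urllib.parse import quote, unquote


def pem_to_der(pem: str) -> bytes:
    """Drop the PEM armour lines and base64-decode the body to DER bytes."""
    body = "".join(line.strip() for line in pem.strip().splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body)


def x5t_s256(der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER certificate)), no padding."""
    digest = hashlib.sha256(der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def decide(introspection: dict, required_scope: str, my_audience: str,
           escaped_client_cert: Optional[str], now: Optional[int] = None) -> int:
    """200 = allow; 401 = token/credential problem; 403 = valid token but not
    for this scope or this resource server (the checks the talk lists)."""
    now = int(time.time()) if now is None else now
    if not introspection.get("active"):
        return 401                                    # revoked, unknown or bogus token
    if introspection.get("exp", 0) <= now:
        return 401                                    # expired
    if required_scope not in introspection.get("scope", "").split():
        return 403                                    # client not authorized for this API
    aud = introspection.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if my_audience not in aud:
        return 403                                    # token meant for another resource server
    cnf = introspection.get("cnf")
    if cnf is not None:                               # certificate-bound token (OAuth MTLS)
        if not escaped_client_cert:
            return 401                                # no client certificate presented
        der = pem_to_der(unquote(escaped_client_cert))
        if cnf.get("x5t#S256") != x5t_s256(der):
            return 401                                # presented cert is not the bound one
    return 200


def escaped_pem(der: bytes) -> str:
    """Build what NGINX would put in $ssl_client_escaped_cert: PEM, URL-escaped."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
    return quote(pem, safe="")


def sample_decisions() -> dict:
    """Run constructed cases through decide(). The DER blobs are placeholders,
    not real certificates, because only their hash is compared."""
    now = 1_700_000_000
    legit_cert = b"constructed-der-bytes-of-the-legitimate-client-cert"
    other_cert = b"constructed-der-bytes-of-some-other-client-cert"
    token = {"active": True, "exp": now + 300, "scope": "orders:read profile",
             "aud": ["orders-api"], "cnf": {"x5t#S256": x5t_s256(legit_cert)}}
    return {
        "valid": decide(token, "orders:read", "orders-api", escaped_pem(legit_cert), now),
        "expired": decide({**token, "exp": now - 1}, "orders:read", "orders-api",
                          escaped_pem(legit_cert), now),
        "missing_scope": decide(token, "orders:write", "orders-api", escaped_pem(legit_cert), now),
        "wrong_audience": decide(token, "orders:read", "payments-api", escaped_pem(legit_cert), now),
        "stolen_token_other_cert": decide(token, "orders:read", "orders-api",
                                          escaped_pem(other_cert), now),
        "stolen_token_no_cert": decide(token, "orders:read", "orders-api", None, now),
        "inactive": decide({"active": False}, "orders:read", "orders-api", None, now),
    }


if __name__ == "__main__":
    for case, status in sample_decisions().items():
        print(f"{case:25s} -> {status}")
```

The "stolen_token_*" cases are the point of certificate binding: the token itself is active, in scope and addressed to the right audience, yet the caller is refused because the TLS client certificate it presented does not hash to the value the authorization server bound into the token. The "wrong_audience" case is the same audience check the talk later stresses for east-west traffic: a token issued for one service must not unlock another.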
Step two is to shift the security boundary to per service. This step is useful if the resource server service takes time to be modified to adapt it to the zero trust network. Again, in this step, we can reuse the NGINX config. To pass through client certificates at the NGINX Ingress Controller, we use the custom resource named TransportServer to configure the stream context. This time, the NGINX Ingress Controller only passes through API calls, and proxy services play the role of the API gateway and proxy API calls to the resource server services. The grain size of the security boundary became finer, to per service.

Step three is to shift the security boundary to per pod. I believe this is the general grain size of a zero trust network. This is achieved by the so-called sidecar. Again, in this step, we can reuse the NGINX config, and we can reuse the TransportServer setting too. This time, the NGINX Ingress Controller only passes through API calls, and proxy containers play the role of the API gateway and proxy API calls to the resource server containers. So an API call is first sent to the proxy container, and if all checks are passed, proxied to the resource server container. The grain size of the security boundary became finer, to a pod. By using Keycloak and NGINX, we achieve the transition much more easily like this.

So, move to additional topic one: how to achieve east-west traffic. So far, we targeted north-south traffic, that is, traffic from a client application to the resource server, from external to internal. The client application calls the APIs of the resource server through the NGINX Ingress Controller and the proxy container. East-west traffic means traffic from service to service, that is, internal to internal. This traffic is needed, for example, when the resource server wants to get resources from other services. This is not so difficult. In this case, the resource server container just sends a request using, again, the proxy container. Then, how to achieve JWT validation in east-west traffic? To validate the JWT, the proxy container must send a JWT to another service. There are two options. Option A is to send the same access token which the client application sent to the resource server. Option B is to send a different access token which is got from the authorization server by following OAuth 2.0 Token Exchange, defined by RFC 8693. For both options, we need to get the user's consent to use the access token for another service.

In the east-west traffic case, the audience check is very important. This is because, without the audience check, the user's resources may be provided to a malicious service. The audience check is to check which resource server is intended to return the resource. If the resource server doesn't check the audience, the resource server may return the user's resources to a malicious service, because the access token attached to the API call is a valid access token. So, the audience check is very important in this case.

Then, how to achieve mTLS in east-west traffic? The same as in the case of north-south traffic, there are two methods, mTLS and OAuth MTLS. But, different from the case of north-south traffic, the requesting parties are limited, so mTLS may be enough and OAuth MTLS may be over-engineered. We can add the client certificate and key with the proxy_ssl_certificate and proxy_ssl_certificate_key directives in the NGINX proxy container.

Finally, additional topic two: how to resolve the choke point issue of the policy decision point. As the number of API calls increases hugely, Keycloak may become a choke point of this architecture, because Keycloak is accessed by token introspection every time an API is called. Following the zero trust architecture defined by NIST SP 800-207, Keycloak plays the role of the policy engine (PE), and NGINX plays the role of the policy enforcement point (PEP) and the policy administrator (PA). From here, we consider how to reduce the load of the PE, that is, Keycloak. Here, we consider using Open Policy Agent (OPA), the de facto standard OSS policy engine. There are two options to reduce the load of the PE. Option A is to cache token introspection responses. Option B is to make OPA act as the PE and Keycloak act as just a policy information point (PIP).

So first, Option A: caching token introspection responses. By caching token introspection responses, we can reduce the access frequency to Keycloak. When the client application calls the API with an access token, NGINX delegates JWT validation to OPA. Then OPA checks the cache, and if there is a cache miss, OPA calls the token introspection endpoint. After receiving the token introspection response, OPA saves the result. This can reduce the load of Keycloak. But even if the access token is revoked at Keycloak, it's not revoked at the resource server immediately, because the resource server checks the cache first, and if there is a cache entry, the resource server doesn't call the token introspection endpoint. This is a security weak point. So we should make the access token lifespan a properly short value.

Option B is to make OPA act as the PE and Keycloak act as the PIP. In this case, the OPA container becomes the PE completely, and Keycloak becomes the PIP, which only provides information for decisions to grant access, not deciding on granting access itself. Keycloak notifies the change of resources, for example, user creation, grant deletion, signing key update, and so on. This notification can be achieved by using SPI. We can extend the event listener SPI to notify operations to the converter. Then the converter saves the data to the DB. The converter can also be achieved by using OPA. When the client application calls an API with an access token, NGINX delegates JWT validation to OPA. Then OPA checks the DB and makes decisions to grant access. This option also can reduce the load of Keycloak.

This is a comparison of the two options to reduce the load of Keycloak. Option B is an ideal implementation, but it is expensive to implement. Option A, on the other hand, has a security concern that access token revocation cannot be synchronized immediately, although the implementation cost is minimal. If these options look like a little extreme ideas, a hybrid proposal can be considered, for example, the option to cache the results of token introspection and synchronize only token revocation notifications. There are many ways to reduce the load of Keycloak by using OPA, so you can choose a suitable one for your requirements.
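The cache-plus-revocation-feed variant, as an added example in Python that is not code from the talk (OPA policies are normally written in Rego and Keycloak's event listener SPI is Java, so both sides are replaced here by constructed in-memory stand-ins): IntrospectionCache is the PE-side cache of Option A, FakeKeycloak counts introspection calls and fans revocations out the way an event listener SPI notifier would, and simulate() runs the same sequence of API calls with and without the revocation feed, so the weak point of plain caching and the effect of the hybrid show up in the returned counters. Token values, the TTL and the clock are all constructed.

```python
"""Added example: policy-engine-side caching of Keycloak token introspection
(Option A) and the hybrid that also consumes revocation notifications.
Keycloak and OPA are replaced by constructed in-memory stand-ins."""
import time
from typing import Callable, Dict, List, Set, Tuple

Introspector = Callable[[str], dict]


class IntrospectionCache:
    """Caches active RFC 7662 responses per token until min(exp, now + max_ttl)."""

    def __init__(self, max_ttl: int, clock: Callable[[], float] = time.time):
        self.max_ttl = max_ttl
        self.clock = clock
        self._entries: Dict[str, Tuple[float, dict]] = {}   # token -> (expires_at, response)

    def check(self, token: str, introspect: Introspector) -> bool:
        """Return True if the token is active, consulting Keycloak only on a miss."""
        now = self.clock()
        hit = self._entries.get(token)
        if hit is not None and hit[0] > now:
            return True                                   # cache hit: Keycloak not contacted
        response = introspect(token)
        if response.get("active"):
            expires_at = min(response.get("exp", now + self.max_ttl), now + self.max_ttl)
            self._entries[token] = (expires_at, response)
            return True
        return False                                      # inactive responses are not cached

    def on_revocation(self, token: str) -> None:
        """Hybrid option: a revocation notification from Keycloak drops the entry."""
        self._entries.pop(token, None)


class FakeKeycloak:
    """Constructed stand-in for the PIP: knows the issued tokens, counts
    introspection calls, and fans revocations out to registered listeners
    (the job an event listener SPI extension would do)."""

    def __init__(self, tokens: Dict[str, int], clock: Callable[[], float]):
        self.tokens = tokens                              # token -> exp
        self.clock = clock
        self.calls = 0
        self.revoked: Set[str] = set()
        self.listeners: List[Callable[[str], None]] = []

    def introspect(self, token: str) -> dict:
        self.calls += 1
        exp = self.tokens.get(token)
        if exp is None or token in self.revoked or exp <= self.clock():
            return {"active": False}
        return {"active": True, "exp": exp, "scope": "orders:read"}

    def revoke(self, token: str) -> None:
        self.revoked.add(token)
        for listener in self.listeners:
            listener(token)


def simulate(sync_revocations: bool, max_ttl: int = 60) -> dict:
    """Five API calls with one token, then a revocation, then a wait past the
    cache TTL. Returns counters that show the load reduction and the weak point."""
    now = [1_700_000_000]                                  # constructed manual clock

    def clock() -> float:
        return now[0]

    keycloak = FakeKeycloak({"tok-1": now[0] + 3600}, clock)
    cache = IntrospectionCache(max_ttl, clock)
    if sync_revocations:
        keycloak.listeners.append(cache.on_revocation)    # the hybrid proposal
    for _ in range(5):
        cache.check("tok-1", keycloak.introspect)          # 1 introspection, 4 cache hits
    calls_before = keycloak.calls
    keycloak.revoke("tok-1")
    after_revocation = cache.check("tok-1", keycloak.introspect)
    now[0] += max_ttl + 1                                  # cached entry ages out
    after_ttl = cache.check("tok-1", keycloak.introspect)
    return {"introspections_for_5_calls": calls_before,
            "accepted_right_after_revocation": after_revocation,
            "accepted_after_cache_ttl": after_ttl,
            "total_introspections": keycloak.calls}


if __name__ == "__main__":
    print("option A only:", simulate(sync_revocations=False))
    print("hybrid:       ", simulate(sync_revocations=True))
```

With the feed disabled, five calls cost one introspection, but the revoked token is still accepted until the cache entry ages out, which is exactly why the talk says the lifespan must be kept short; with the feed enabled, the revocation is seen on the very next call at the price of one extra introspection. The cache deliberately caps an entry at max_ttl rather than trusting exp alone, so even a lost notification bounds the exposure window.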
So finally, this is today's session summary. The underlying technology behind the zero trust network is JWT validation and mTLS, and also OAuth MTLS, defined by RFC 8705, which is compatible with mTLS. By using Keycloak and NGINX, we can achieve the underlying technology and transition from the traditional security boundary definition to a per-service or per-pod definition smoothly. Not only north-south traffic but also east-west traffic can be covered. And by using OPA, we can reduce the load of Keycloak. Finally, this is the trademark slide. Thank you for listening.