Service mesh security best practices: from implementation to verification
Service mesh security architecture: Cluster, Workload, Edge, Operations. Ingress policies, egress policies, WAF / IDS, firewall, user AuthN/Z, data loss prevention, certificate authority. K8s firewall to defend against DDoS, injection, remote execution attacks. Edge security: Egress. 2. Define egress security policies to defend against data exfiltration, botnet attacks. 3. Define firewall security. Workload security; operation security best practices: service proxy, ingress, egress. 2. Automatically rejects invalid configurations. Gatekeeper, GitOps: 1. Automatically manage source
29 pages | 1.77 MB | 1 year ago
Using Istio to Build the Next 5G Platform
Talk to CNFs in the Mesh: UDM, Virtual Machine, Namespace, SMF, SMF Frontend, UDM Egress Gateway, Redis DB, SMF App X, Control Plane, UDM Identity (©2021 Aspen Mesh). Configure workload certificate TTLs. Enable strict mutual TLS (mTLS) instead of auto. Use dedicated egress gateways. Tuning Istio to Meet 5G Security Requirements. All rights reserved
18 pages | 3.79 MB | 1 year ago
Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
Default wide-open egress sidecar configuration does not scale: it results in high memory usage and convergence times, since each sidecar knows about all services in the cluster. Disabled egress traffic to restrict
22 pages | 505.96 KB | 1 year ago
Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
User cases: no service access across user namespaces. The Sidecar CR helps to limit the known egress hosts for sidecars; a sidecar needs to know the mesh in its own user namespace only. We can limit
23 pages | 2.51 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
adorable for legacy service owners sometimes (#IstioCon). Legacy VNF CNF, Option 2: Dedicated Egress Gateway (compatibility reasons; performance & security). Legacy VNF CNF, Option 3
50 pages | 2.19 MB | 1 year ago
5 results in total