Redis TLS Origination through the sidecar Author: Sam Stoelinga | Twitter: samosx | GitHub: samos123 Based on blog post: https://samos-it.com/posts/securing-redis-istio-tls-origniation-termination Architecture: K8s app using Redis over TLS only app-1 Namespace ms-1 K8s Pod External DB ms-2 K8s Pod ms-3 K8s Pod TLS only ● App with multiple microservices ● external Redis TLS only ● each microservice traffic Istio TLS Origination Architecture: K8s app using Redis over TLS only (TLS origination) app-1 Namespace ms-1 K8s Pod External DB container app container istio-proxy TCP TLS ● app talks

connection initialization settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration Kubernetes configuration User Guide Table of contents Configure to route the connection through a specific proxy server. SSL Configuration Enable and if your connection requires encryption. configure SSL Kubernetes Configure Kubernetes settings if your database 2. Overview Setting up SSL configuration Setting up SSL configuration via Driver properties Setting up SSL configuration for Oracle connections Troubleshooting SSL issues DBeaver supports the

connection initialization settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration User Guide Table of contents Configure connection Network configuration to route the connection through a specific proxy server. SSL Configuration Enable and if your connection requires encryption. configure SSL Kubernetes Configure Kubernetes settings if your database 2. Overview Setting up SSL configuration Setting up SSL configuration via Driver properties Setting up SSL configuration for Oracle connections Troubleshooting SSL issues DBeaver supports the

connection initialization settings Managing Master password Security in DBeaver PRO SSH configuration SSL configuration Proxy configuration Kubernetes configuration User Guide Table of contents Configure to route the connection through a specific proxy server. SSL Configuration Enable and if your connection requires encryption. configure SSL Kubernetes Configure Kubernetes settings if your database 2. Overview Setting up SSL configuration Setting up SSL configuration via Driver properties Setting up SSL configuration for Oracle connections Troubleshooting SSL issues DBeaver supports the

interface internode_encryption Enables or disables encryption of inter-node communication using TLS_RSA_WITH_AES_128_CBC_SHA as the cipher suite for authentication, key exchange and encryption of the Java Secure Socket Extension (JSSE), the Java version of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The keystore contains the private key used to encrypt outgoing messages The port on which Cassandra listens from JMX connections • com.sun.management.jmxremote.ssl - Enable/disable SSL for JMX • com.sun.management.jmxremote.authenticate - Enable/disable remote authentication

policies on - ■ hardware Firewalls, Bare Metals, legacy OpenStack, etc. ● Transport Layer Security (TLS) ● Custom OpenID implementation for L7 AuthN #IstioCon Why Service Mesh? ● Current challenges include Enforcement ■ Updating hardware devices is slow ○ Achieving micro-segmentation at scale ○ Enabling TLS for all applications in a consistent way ● Service Mesh ○ An architectural pattern to implement common Observability, Service Routing & Discovery functions as features of the infrastructure - ○ Functions: TLS Termination, Traffic Management, Tracing, Rate Limiting, Protocol Adapter, Circuit breaker, Caching

Trust Strong identity for users, workloads, devices, etc. Encrypting inter-CNF traffic via mutual TLS (mTLS) Option to encrypt intra-CNF traffic via mTLS Autonomous PKI service for certificate lifecycle Intermediate CA ● Enable ECC certificates ● Configure workload certificate TTLs ● Enable strict mutual TLS (mTLS) instead of auto ● Use dedicated egress gateways Tuning Istio to Meet 5G Security Requirements

Impersonating ■ Secret clear in memory ■ Secret persistence ● Key protection ○ Private key for TLS ○ Signing key ○ … #IstioCon Performance Limitations ● Some not just limited on VMs, but ○ need across Pod/VMs on the same node #IstioCon QUIC ● A new transport protocol ● A little like TCP + TLS, but build on top of UDP ○ Uses UDP like TCP uses IP ○ Adds connections, resends and flow control

weight: 90 Knative Service Inspection #IstioCon - Security with Service Mesh enabled • mutual TLS is enabled to secure the user application traffic end to end in production • Allow platform to use