Securing Service Mesh with Microsegmentation

Istio Service Mesh and Prisma Cloud Microsegmentation

Developers and DevOps teams use cloud native technologies like microservices and containers to scale and maximize development efficiency. As applications become distributed into services, these services become increasingly interconnected. This creates the need for a sophisticated, reliable, and programmable network made to keep up with the speed of deployments and Istio is a service mesh technology that helps solve this cloud native networking problem.

To keep highly interconnected networks secure, organizations look for ways to enforce least privilege connectivity between applications and prevent potential lateral movement. Prisma Cloud offers Identity-Based Microsegmentation to protect cloud native applications via segmentation. When I talk with customers who are looking into Istio, or have already adopted it, I always get this question: how does Prisma Cloud compare against Istio?

The misconception is the two technologies are competitive when they are actually complementary.

The Use Case for Istio and Microsegmentation

A service mesh can be essential to cloud native environments. It enables DevOps teams to deploy application infrastructure (e.g., Kubernetes) with CI/CD pipelines and manage networks via code. When deployed, Istio provides service discovery, API observability, service-to-service routing, load balancing, and network resiliency.

Identity-Based Microsegmentation provides essential cloud native security controls via network isolation between microservices. The goal is to contain a cloud breach by preventing a cyberattacker from moving laterally across applications. Prisma Cloud enables DevOps to manage microsegmentation policy as code and integrate into deployment pipelines for frictionless network security.

In simple terms, Istio determines if two microservices can communicate and Identity-Based Microsegmentation decides if two microservices should be allowed to communicate.

 

Diving Into How Prisma Cloud Works in Istio Environments

Starting with the Architecture

Prisma Cloud can enforce Identity-Based Microsegmentation policy where the Enforcer agents are deployed. When deployed onto Kubernetes clusters as a daemonset, the agent can automatically detect when Istio is running.

Packet flow

For pods that have the Istio proxy/Envoy enabled, Prisma Cloud ensures connection requests are filtered by the Enforcer before they reach the Envoy proxy.

The Enforcer verifies connection requests between microservices using Zero Trust principles. First it authenticates the request by verifying the workload identity of the connecting microservice. Once verified, the Enforcer makes an authorization decision. If the request is authorized, the request is forwarded to Envoy.

This allows customers to:

  • Secure workloads at their individual level
  • Extend microsegmentation to heterogeneous environments (e.g., containers, virtual machines, PaaS)
  • Reduce latency by moving from L7 authorization to L3/L4 authentication and authorization
  • Extend identity to non K8s resources
  • Reduce the pressure on Envoy as flows are authorized earlier in the process
  • Obtain full visibility at the cluster level and at the cloud or datacenter level
  • Restrict applications that are misbehaving at the cni level

The image below represents the packet flow between the different components and the different actions that take place.

Packet flow with Identity-Based Microsegmentation
Packet flow with Identity-Based Microsegmentation

 

  1. Packet is sent from the source Kubernetes pod (or client pod) to the destination pod. Envoy is injected into the pods
  2. Packet is forwarded to the Enforcer
  3. The Enforcer adds cryptographic identity to the SYN packet and sends it to the destination Enforcer.
  4. The destination Enforcer verifies the client’s identity of the SYN request and responds with a SYN-ACK containing the server pod’s cryptographic identity
  5. For the remainder of the 3-way TCP handshake, the flow is mutually authenticated and authorized (or rejected) based on microsegmentation policy. If rejected, then the Enforcers will drop the flow. If authorized, the Enforcers apply connection tracking to the flow and forward the connection to Envoy.
  6. The remainder of the session is handled by Envoy which can apply its own policy and/or encryption.

All of the flow above is automatically handled by the Enforcer and no additional configuration is required.

 

How to Enable Microsegmentation and Istio Coexistence

Anyone familiar with service mesh understands that Istio can automatically inject sidecar proxy configurations into other pods in a Kubernetes cluster. For sidecar injection to work, the istio-system requires network access to pods in other namespaces. When microsegmentation is deployed, it is important that policies are in place to authorize sidecar injection.

Security and DevOps teams can manage microsegmentation policies, or rulesets, in Prisma Cloud. Here is an example policy management for sidecar injection:

This lab environment contains a kubernetes cluster with several applications. Each application belongs to its own Kubernetes namespace. This blog will focus on the bookinfo application which has Istio injected into the namespace.

Prisma Cloud provides an application dependency map to illustrate the live and historical network flows between pods or groups of pods. Below the app dependency map shows communications between istio-system and bookinfo namespaces for sidecar injection traffic.

 

Prisma Cloud App Dependency Map illustrating live flows between istio and bookinfo
Prisma Cloud App Dependency Map illustrating live flows between istio and bookinfo

 

The CLI output below confirms the injection status.

Kubectl CLI verifying istio injection is enabled for the bookinfo namespace
Kubectl CLI verifying istio injection is enabled for the bookinfo namespace

 

Prisma Cloud enables users to look at all pods in an application, or kubernetes namespace, to more granular flow visualization. The green flows shown on the map confirm that the bookinfo application is secured by microsegmentation rulesets and Istio is able to inject the pods.

 

App Dependency Map focused on bookinfo pods
App Dependency Map focused on bookinfo pods

 

The ruleset shown below applies to both the istio-system and bookinfo applications. Using identity-based tags, Prisma Cloud enforces least privilege microsegmentation with minimal complexity. This ruleset allows traffic from the istio-namespace and the bookinfo namespace pods in the specific ports selected (in this case, Envoy, Prometheus, and Jaeger ports).

 

Identity-Based Microsegmentation Ruleset
Identity-Based Microsegmentation Ruleset

 

Learn More

 

Prisma Cloud helps security and DevOps teams increase network defenses for host, container, and service mesh architectures without hindering cloud agility. Integrating with istio is simple and offers critical security capabilities such as pod-to-pod and hybrid application microsegmentation, flow analytics and low latency segmentation enforcement.

If you’re ready to get valuable hands-on experience with Prisma Cloud then sign up for an instructor-led cloud native security workshop or request a Cloud Network Security 30-day trial.