Redis TLS Origination through the sidecar
Redis TLS Origination through the sidecar Author: Sam Stoelinga | Twitter: samosx | GitHub: samos123 Based on blog post: https://samos-it.com/posts/securing-redis-istio-tls-origniation-termination Architecture: K8s app using Redis over TLS only app-1 Namespace ms-1 K8s Pod External DB ms-2 K8s Pod ms-3 K8s Pod TLS only ● App with multiple microservices ● external Redis TLS only ● each microservice traffic Istio TLS Origination Architecture: K8s app using Redis over TLS only (TLS origination) app-1 Namespace ms-1 K8s Pod External DB container app container istio-proxy TCP TLS ● app talks
0 points | 9 pages | 457.76 KB | 1 year ago

Istio at Scale: How eBay is building a massive Multitenant Service Mesh using Istio
policies on - ■ hardware Firewalls, Bare Metals, legacy OpenStack, etc. ● Transport Layer Security (TLS) ● Custom OpenID implementation for L7 AuthN #IstioCon Why Service Mesh? ● Current challenges include Enforcement ■ Updating hardware devices is slow ○ Achieving micro-segmentation at scale ○ Enabling TLS for all applications in a consistent way ● Service Mesh ○ An architectural pattern to implement common Observability, Service Routing & Discovery functions as features of the infrastructure - ○ Functions: TLS Termination, Traffic Management, Tracing, Rate Limiting, Protocol Adapter, Circuit breaker, Caching
0 points | 22 pages | 505.96 KB | 1 year ago

Using Istio to Build the Next 5G Platform
Trust Strong identity for users, workloads, devices, etc. Encrypting inter-CNF traffic via mutual TLS (mTLS) Option to encrypt intra-CNF traffic via mTLS Autonomous PKI service for certificate lifecycle Intermediate CA ● Enable ECC certificates ● Configure workload certificate TTLs ● Enable strict mutual TLS (mTLS) instead of auto ● Use dedicated egress gateways Tuning Istio to Meet 5G Security Requirements
0 points | 18 pages | 3.79 MB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
Impersonating ■ Secret clear in memory ■ Secret persistence ● Key protection ○ Private key for TLS ○ Signing key ○ … #IstioCon Performance Limitations ● Some not just limited on VMs, but ○ need across Pod/VMs on the same node #IstioCon QUIC ● A new transport protocol ● A little like TCP + TLS, but build on top of UDP ○ Uses UDP like TCP uses IP ○ Adds connections, resends and flow control
0 points | 50 pages | 2.19 MB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
weight: 90 Knative Service Inspection #IstioCon - Security with Service Mesh enabled • mutual TLS is enabled to secure the user application traffic end to end in production • Allow platform to use
0 points | 23 pages | 2.51 MB | 1 year ago

DBeaver Ultimate User Guide v24.2.ea
Use self signed certificate (non-secure) Acceptance of self-signed certificates. Force TLS 1.2 Enforce using TLS version 1.2. DBeaver Ultimate User Guide 24.2.ea. Page 97 of 1171. 4. 1. 2. Verify of 1171. You can also read about . security in DBeaver PRO Use TLS protocol If you enable this checkbox, the connection will use TLS (Transport Layer Security) to encrypt the data that is transmitted may depend on the mail service you use. Use the latter if the service offers SSL and Host Port TLS ports. Gmail, for example, uses host and port . An example of a configured profile: smtp.gmail.com
0 points | 1171 pages | 94.65 MB | 1 year ago

DBeaver User Guide v24.2.ea
Use self signed certificate (non-secure) Acceptance of self-signed certificates. Force TLS 1.2 Enforce using TLS version 1.2. DBeaver User Guide 24.2.ea. Page 97 of 1171. 4. 1. 2. Verify server of 1171. You can also read about . security in DBeaver PRO Use TLS protocol If you enable this checkbox, the connection will use TLS (Transport Layer Security) to encrypt the data that is transmitted may depend on the mail service you use. Use the latter if the service offers SSL and Host Port TLS ports. Gmail, for example, uses host and port . An example of a configured profile: smtp.gmail.com
0 points | 1171 pages | 94.79 MB | 1 year ago

DBeaver Lite User Guide v24.2.ea
Use self signed certificate (non-secure) Acceptance of self-signed certificates. Force TLS 1.2 Enforce using TLS version 1.2. DBeaver Lite User Guide 24.2.ea. Page 94 of 1010. 4. 1. 2. Verify of 1010. You can also read about . security in DBeaver PRO Use TLS protocol If you enable this checkbox, the connection will use TLS (Transport Layer Security) to encrypt the data that is transmitted
0 points | 1010 pages | 79.48 MB | 1 year ago

Apache Cassandra™ 10 Documentation February 16, 2012
interface internode_encryption Enables or disables encryption of inter-node communication using TLS_RSA_WITH_AES_128_CBC_SHA as the cipher suite for authentication, key exchange and encryption of the Extension (JSSE), the Java version of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The keystore contains the private key used to encrypt outgoing messages. keystore_password
0 points | 141 pages | 2.52 MB | 1 year ago
9 results in total