Aspen Mesh - Service Mesh Security and Compliance

Aspen Mesh 1.3.6 Security Update

Aspen Mesh is announcing the release of 1.3.6, which addresses important Istio security updates. Below are the details of the security fixes, taken from the Istio 1.3.6 security update.

Security Update: 

ISTIO-SECURITY-2019-007: A heap overflow and improper input validation have been discovered in Envoy.

  • CVE-2019-18801: Fix a vulnerability affecting Envoy’s processing of large HTTP/2 request headers. A successful exploitation of this vulnerability could lead to a denial of service, escalation of privileges, or information disclosure.
  • CVE-2019-18802: Fix a vulnerability resulting from whitespace after HTTP/1 header values which could allow an attacker to bypass Istio’s policy checks, potentially resulting in information disclosure or escalation of privileges.
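The whitespace issue in CVE-2019-18802 belongs to a general class: a policy layer compares a header value that the HTTP/1 codec handed over without trimming trailing optional whitespace, so a rule written against `value` does not match `value<TAB>`. The following is an added example (not Envoy, Istio or Aspen Mesh code) that assumes a deny-list style header policy and shows, on a constructed request, how a parser that strips only leading whitespace lets the rule fail open, while a parser that strips optional whitespace on both sides as RFC 7230 requires makes the same rule fire.

```python
"""Added example, not Envoy or Istio code: the header-whitespace class of bug
behind CVE-2019-18802, seen from the defender's side.  It assumes a policy
layer that compares HTTP/1 header values against rule values and shows why the
value must be normalized per RFC 7230 (optional whitespace around a field value
is not part of the value) before that comparison."""
from __future__ import annotations

OWS = " \t"  # RFC 7230 optional whitespace: space and horizontal tab


def parse_header_naive(line: str) -> tuple[str, str]:
    """Split 'Name: value' but keep trailing whitespace in the value.
    This models a codec that strips leading OWS only."""
    name, _, value = line.partition(":")
    return name.strip().lower(), value.lstrip(OWS)


def parse_header_rfc7230(line: str) -> tuple[str, str]:
    """Split 'Name: value' and strip OWS on both sides of the value."""
    name, _, value = line.partition(":")
    return name.strip().lower(), value.strip(OWS)


def denied_by_rules(headers: dict[str, str],
                    deny_rules: list[tuple[str, str]]) -> bool:
    """A deny-list style header policy: block when any rule matches exactly."""
    return any(headers.get(name.lower()) == value for name, value in deny_rules)


def request_denied(raw_header_lines: list[str],
                   deny_rules: list[tuple[str, str]],
                   parser) -> bool:
    """Parse the raw header lines with the given parser, then apply the rules."""
    headers = dict(parser(line) for line in raw_header_lines)
    return denied_by_rules(headers, deny_rules)


# Constructed sample, not captured traffic: the second value carries a trailing tab.
SAMPLE_HEADERS = ["Host: api.internal", "X-Client-Role: guest\t"]
DENY_RULES = [("X-Client-Role", "guest")]

if __name__ == "__main__":
    # The naive parser leaves "guest\t", so the deny rule never matches (fails open).
    print("naive parser denies:   ",
          request_denied(SAMPLE_HEADERS, DENY_RULES, parse_header_naive))
    # The RFC 7230 parser yields "guest", so the same rule fires.
    print("RFC 7230 parser denies:",
          request_denied(SAMPLE_HEADERS, DENY_RULES, parse_header_rfc7230))
```

The deny-list shape is what turns a mismatch into a bypass; an allow-list that matches on the normalized value fails closed instead. Either way, the remedy for the vulnerability itself is upgrading to 1.3.6, which carries the Envoy fix; the normalization here only illustrates the class of bug.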

Bug Fix:

  • Fixed an issue where a duplicate listener was generated for a proxy’s IP address when using a headless TCP service. (Issue #17748)
  • Fixed an issue with the destination_service label in HTTP related metrics incorrectly falling back to request.host which can cause a metric cardinality explosion for ingress traffic. (Issue #18818)

Minor Enhancements:

  • Added support for Citadel to periodically check the root certificate remaining lifetime and rotate expiring root certificates. (Issue #17059)
  • Added PILOT_BLOCK_HTTP_ON_443 boolean environment variable to Pilot. If enabled, this flag prevents HTTP services from running on port 443 in order to prevent conflicts with external HTTP services. This is disabled by default. (Issue #16458)
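After rolling out a security update, an operator wants two things confirmed: that the control plane is at or past the version that carries each advisory's fix, and that any newly added hardening flag is actually set. The following is an added example (not Aspen Mesh or Istio code) of such a post-upgrade audit helper. The fix versions come from the two advisories on this page (ISTIO-SECURITY-2019-006 fixed in 1.3.5, ISTIO-SECURITY-2019-007 fixed in 1.3.6) and apply to the 1.3 line only; the Deployment dictionary mirrors the shape of `kubectl get deployment -o json` output, and the deployment and container names `istio-pilot` / `discovery` are an assumption about the installation, not something stated on the page.

```python
"""Added example (not Aspen Mesh or Istio code): a post-upgrade audit helper that
checks (a) whether a running 1.3.x control-plane version carries the fixes from
the two advisories above and (b) whether Pilot has PILOT_BLOCK_HTTP_ON_443
enabled.  The deployment/container names 'istio-pilot' and 'discovery' are an
assumption about the installation."""
from __future__ import annotations
import re

# Fix versions as given by the advisories on this page (1.3 line only).
FIXED_IN = {
    "ISTIO-SECURITY-2019-006": (1, 3, 5),  # CVE-2019-18817
    "ISTIO-SECURITY-2019-007": (1, 3, 6),  # CVE-2019-18801, CVE-2019-18802
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn 'v1.3.6', '1.3.6' or '1.3.6-custom' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def missing_advisories(version: str) -> list[str]:
    """Return the advisory ids whose fix version is newer than the running one."""
    running = parse_version(version)
    return sorted(adv for adv, fixed in FIXED_IN.items() if running < fixed)


def pilot_blocks_http_on_443(deployment: dict, container: str = "discovery") -> bool:
    """True if the Pilot container sets PILOT_BLOCK_HTTP_ON_443 to a truthy value.
    An unset variable means the documented default (disabled) applies."""
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        if c.get("name") != container:
            continue
        for env in c.get("env", []):
            if env.get("name") == "PILOT_BLOCK_HTTP_ON_443":
                return str(env.get("value", "")).strip().lower() in ("1", "true")
    return False


def make_pilot_deployment(env: dict[str, str]) -> dict:
    """Construct a minimal Deployment object in the shape of `kubectl ... -o json`.
    This is constructed sample data, not a real cluster object."""
    return {
        "metadata": {"name": "istio-pilot", "namespace": "istio-system"},
        "spec": {"template": {"spec": {"containers": [
            {"name": "discovery",
             "image": "docker.io/istio/pilot:1.3.6",  # constructed sample image ref
             "env": [{"name": k, "value": v} for k, v in env.items()]},
        ]}}},
    }


def audit(version: str, deployment: dict) -> dict:
    """Summarise both checks in one result for reporting."""
    return {
        "version": version,
        "missing_advisories": missing_advisories(version),
        "pilot_block_http_on_443": pilot_blocks_http_on_443(deployment),
    }


if __name__ == "__main__":
    before = make_pilot_deployment({})
    after = make_pilot_deployment({"PILOT_BLOCK_HTTP_ON_443": "true"})
    print(audit("1.3.4", before))   # both advisories missing, flag off
    print(audit("1.3.6", after))    # nothing missing, flag on
```

In practice the version string would come from `istioctl version` and the Deployment from `kubectl get deployment istio-pilot -n istio-system -o json`; the helper deliberately takes them as plain inputs so the checks can run in a pipeline without cluster access.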

Additionally, the Aspen Mesh 1.3.5 release contains bug fixes and minor enhancements from Istio release 1.3.5.  

The Aspen Mesh 1.3.6 binaries are available for download here.  



Aspen Mesh 1.3.5 Security Update

Aspen Mesh is announcing the release of 1.3.5, which addresses important Istio security updates. Below are the details of the security fixes, taken from the Istio 1.3.5 security update.

Security Update: 

ISTIO-SECURITY-2019-006: A DoS vulnerability has been discovered in Envoy.

  • CVE-2019-18817: An infinite loop can be triggered in Envoy if the option continue_on_listener_filters_timeout is set to True, which is the case in Istio. This vulnerability could be leveraged for a DoS attack. 

Bug Fix:

  • Fixed Envoy listener configuration for TCP headless services. (Issue #17748)
  • Fixed an issue which caused stale endpoints to remain even when a deployment was scaled to 0 replicas. (Issue #14436)
  • Fixed Pilot to no longer crash when an invalid Envoy configuration is generated. (Issue #17266)
  • Fixed an issue with the destination_service_name label not getting populated for TCP metrics related to BlackHole/Passthrough clusters. (Issue #17271)
  • Fixed an issue with telemetry not reporting metrics for BlackHole/Passthrough clusters when fall through filter chains were invoked. This occurred when explicit ServiceEntries were configured for external services. (Issue #17759)

Minor Enhancements:

  • Added support for Citadel to periodically check the root certificate remaining lifetime and rotate expiring root certificates. (Issue #17059)
  • Added PILOT_BLOCK_HTTP_ON_443 boolean environment variable to Pilot. If enabled, this flag prevents HTTP services from running on port 443 in order to prevent conflicts with external HTTP services. This is disabled by default. (Issue #16458)

Additionally, the Aspen Mesh 1.3.5 release contains bug fixes and minor enhancements from Istio release 1.3.4.  

The Aspen Mesh 1.3.5 binaries are available for download here.  



Managing Service Mesh Policy

Picture this: You’re the director of engineering at an enterprise organization. You have had a successful career managing small engineering teams and you’re now balancing the demands of managing an engineering organization while contributing to overall planning and strategy as part of senior staff.

You see a future with your company where you can grow your influence by more closely tying your organization’s work to the bottom line of the business. You have many responsibilities, including ensuring that your team is able to deliver well-behaved, resilient and intuitive applications that provide amazing user experiences.

Your policies are critical because they specify how your application responds after an action. When your policy works well, your stakeholders are happy. Sometimes policies are guardrails, so that the mistakes of engineers can’t cause failures on the user side. They can be optimizers, such as boosting network efficiency by automatically running clusters where it’s cheapest. They can also fix or mitigate faults: when an enhanced shopping cart is unhealthy, for example, a more basic cart can be served instead. Security, access and scheduling policies all encode what response should happen automatically when an event occurs.

Your policy is obviously not working well when problems create more work for your team and cause your end users to suffer. Among the greatest fears of those in the DevOps world is waking up to read in the news about an outage or breach that the team caused, either directly or indirectly.

Agility + Stability = Win

Agility is a company’s number-one business advantage — it’s the catalyst for digital transformation, enabling companies to define new ways of working. The need to stay agile is why companies like yours are looking to develop new architectures and embrace microservices and container technologies, such as Kubernetes and Istio.

Fun fact: According to F5’s “2019 State of Application Service Report,” 56% of the organizations surveyed were already employing containers and 69% were executing digital transformation by leveraging containers in order to meet increasing customer demands.

But we all know that agility alone won’t help your company reach its goals. Agility plus stability will be your number one competitive advantage. When you’re able to meet evolving customer needs (while staying out of the news for downtime and security breaches), your competitors will be eating your dust.

Service Mesh and Policy

The result of companies embracing DevOps and microservice architectures is that teams can move faster and more autonomously than ever before. While that means faster time to market for applications, it also means more risk to the business.

So, who’s responsible for understanding and managing the company’s security and compliance requirements? You’ve got it — application teams that may not have the experience or desire to take on this burden.

The good news is that some service meshes allow you to remove the infrastructure burden from application teams in order to let platform operators handle it. Service mesh policy allows you to make disparate, ephemeral microservices act as a resilient system through controlling how services communicate with each other as well as with external systems. It also allows engineers to easily implement policies that can be mapped to application behavior outcomes, ensuring great end-user experiences.

Here are some additional benefits you can expect from the service mesh policy:

  • Provide a better user experience: Meet SLOs and SLAs and make it clear that business objectives are being met by system behavior.
  • Optimize cost: Service mesh can help you get the ideal mix of cost savings and uptime.
  • Decrease risk: Being secure and compliant and ensuring data integrity is key to your company’s success.
  • Drive progressive delivery: Decouple developers from the business side, so your dev team is free to develop as they like, but your business controls when customer-facing features are pushed.

Policy Frameworks: Making Policy Easier to Manage

Many companies cope with the headache of specifying policy in several different places using many different tools. This adds risks around failures in compliance, increases the effort to modify policies and creates challenges in ensuring policies are both correct and applied appropriately to applications. Policy frameworks can help to relieve that pain, making it easy to create, test, review and improve policy — even when it includes contributions from many different roles in an organization.

Look for options that allow you to build on policy feature sets by providing:

  • Advanced policy frameworks that allow users to describe business goals that are enforced in the application’s runtime environment.
  • A tested and hardened policy catalog that makes it easy to implement policies without having to build them yourself.
  • Role-based policy management that enables teams within organizations to create and apply policies according to their needs.
  • Streamlined application deployment packages that provide a uniform approach to API authentication and authorization with JWTs, mutual TLS and secure Ingress.
  • Deploying and scaling applications globally while obeying your compliance rules and business-driven cost optimization goals.
  • Integration into GitOps or other tech workflows and a graphical user interface.

In other words, a service mesh allows you to remove the burden of managing infrastructure from application teams. It is also emerging as an essential tool for platform operators to manage Kubernetes platforms. Other capabilities a service mesh offers include making disparate microservices act as a resilient system by controlling how services communicate with each other and with external systems, all managed through a single control plane. Additionally, a service mesh allows engineers to easily implement policies that can be mapped to application behavior outcomes, making it easy to ensure great end-user experiences.

The next time you’re thinking about how to solve these challenges, take a look at some service meshes and policy frameworks to see if they could help.

If you'd like to learn more about how policy frameworks can help you get more out of a service mesh, schedule a time to talk through more details with one of our experts.