Find and fix misconfigurations in your service mesh.
Service meshes are emerging as a popular solution for managing the many microservices that make up a cloud-native application. Among the alternatives, Istio is the most widely used. Istio uses the Envoy service proxy to provide traffic management, telemetry and security for complex cloud deployments.
As with any sufficiently complicated software system, a misconfiguration in a service mesh can lead to security issues. That’s why we built Snowcat.
Snowcat Features
Best Practices Reporting
Mutual TLS: Strict vs Permissive
By default, Istio runs in PERMISSIVE mode: sidecars accept both mTLS and plaintext connections, so mTLS is not required for all traffic. To protect workloads within the mesh, apply a mesh-wide PeerAuthentication with mode STRICT and make sure any namespace-, workload- or port-level overrides stay STRICT as well.
Unsafe Authorization Policy Patterns
As with firewall rules, the safest approach is to configure a “default deny” policy first and then add ALLOW policies for known-good cases. In Istio, an AuthorizationPolicy with an empty spec in the root namespace (istio-system) denies all requests mesh-wide; conversely, an ALLOW policy containing a rule with no conditions admits all traffic to the workloads it selects.
TLS Certificate Validation in DestinationRules
If a DestinationRule originates TLS to an external service (tls.mode SIMPLE or MUTUAL), it should explicitly set `caCertificates` to the CA bundle used to validate the upstream certificate; without it, the proxy does not verify the server it connects to.
Weak Service Account Authentication
If the Istio install value `jwtPolicy` is set to “first-party-jwt”, the control plane accepts the pod’s legacy Kubernetes service account token, whose audience is not validated. Prefer the default “third-party-jwt”, which uses projected tokens with an Istio-specific audience and an expiry.
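The four checks above (mTLS mode, default-deny authorization, CA validation in DestinationRules, and the control-plane JWT policy) can be expressed as simple static rules over parsed manifests. The Python below is an added example and is not Snowcat’s or Istio’s own code: each function walks a list of Istio resources shaped like `kubectl get ... -o json` output and returns findings. It goes slightly beyond the text by also inspecting per-port mTLS overrides, subset-level trafficPolicy and the `insecureSkipVerify` TLS setting. All resource names, namespaces, hosts, certificate paths and the sample manifests are constructed for illustration.

```python
"""Static checks for the Istio misconfigurations described above.

Added example, not Snowcat's or Istio's own code. Resource names,
namespaces and the sample manifests at the bottom are constructed.
"""

ROOT_NS = "istio-system"  # Istio's default root namespace; policies here apply mesh-wide


def _where(res):
    meta = res.get("metadata", {})
    return f"{res.get('kind')} {meta.get('namespace')}/{meta.get('name')}"


def check_peer_authentication(resources):
    """Flag any PeerAuthentication that is not STRICT and the absence of a
    mesh-wide STRICT default; without one Istio is PERMISSIVE and accepts plaintext."""
    findings, mesh_wide_strict = [], False
    for res in (r for r in resources if r.get("kind") == "PeerAuthentication"):
        spec = res.get("spec", {})
        mode = spec.get("mtls", {}).get("mode", "UNSET")
        if mode != "STRICT":
            findings.append(f"{_where(res)}: mtls.mode is {mode}, not STRICT")
        for port, setting in spec.get("portLevelMtls", {}).items():  # per-port overrides
            if setting.get("mode") != "STRICT":
                findings.append(f"{_where(res)}: port {port} overrides mTLS to {setting.get('mode')}")
        if mode == "STRICT" and "selector" not in spec \
                and res.get("metadata", {}).get("namespace") == ROOT_NS:
            mesh_wide_strict = True
    if not mesh_wide_strict:
        findings.append("no mesh-wide STRICT PeerAuthentication in istio-system (default is PERMISSIVE)")
    return findings


def check_authorization_policies(resources):
    """Expect a mesh-wide default deny (an ALLOW policy with no rules matches
    nothing, so it denies everything) and flag rules that admit all traffic."""
    findings, default_deny = [], False
    for res in (r for r in resources if r.get("kind") == "AuthorizationPolicy"):
        spec = res.get("spec", {})
        action, rules = spec.get("action", "ALLOW"), spec.get("rules", [])
        if action == "ALLOW" and not rules and "selector" not in spec \
                and res.get("metadata", {}).get("namespace") == ROOT_NS:
            default_deny = True
        if action == "ALLOW" and any(rule == {} for rule in rules):
            findings.append(f"{_where(res)}: ALLOW rule with no conditions admits all traffic")
        if action == "DENY" and not rules:
            findings.append(f"{_where(res)}: DENY policy with no rules matches nothing")
    if not default_deny:
        findings.append("no mesh-wide default-deny AuthorizationPolicy (empty spec in istio-system)")
    return findings


def check_destination_rules(resources):
    """SIMPLE/MUTUAL TLS origination without caCertificates (or with
    insecureSkipVerify) leaves the upstream certificate unvalidated."""
    findings = []
    for res in (r for r in resources if r.get("kind") == "DestinationRule"):
        spec = res.get("spec", {})
        policies = [spec.get("trafficPolicy", {})]
        policies += [s.get("trafficPolicy", {}) for s in spec.get("subsets", [])]
        for tls in (p.get("tls") for p in policies if p.get("tls")):
            if tls.get("mode") not in ("SIMPLE", "MUTUAL"):
                continue  # ISTIO_MUTUAL is pinned to the mesh CA; DISABLE has no TLS to validate
            if tls.get("insecureSkipVerify") or not tls.get("caCertificates"):
                findings.append(f"{_where(res)}: {tls['mode']} TLS to {spec.get('host')} without CA validation")
    return findings


def check_jwt_policy(istio_operator):
    """first-party-jwt makes istiod accept legacy service account tokens whose
    audience is not validated; third-party-jwt is Istio's default."""
    policy = (istio_operator.get("spec", {}).get("values", {})
              .get("global", {}).get("jwtPolicy", "third-party-jwt"))
    return [f"jwtPolicy is {policy}; use third-party-jwt"] if policy == "first-party-jwt" else []


def audit(resources, istio_operator):
    return (check_peer_authentication(resources) + check_authorization_policies(resources)
            + check_destination_rules(resources) + check_jwt_policy(istio_operator))


# Constructed sample manifests: a weak cluster and its hardened counterpart.
WEAK = [
    {"kind": "PeerAuthentication", "metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"kind": "AuthorizationPolicy", "metadata": {"name": "allow-all", "namespace": "shop"},
     "spec": {"rules": [{}]}},
    {"kind": "DestinationRule", "metadata": {"name": "payments-egress", "namespace": "shop"},
     "spec": {"host": "payments.example.com", "trafficPolicy": {"tls": {"mode": "SIMPLE"}}}},
]
WEAK_OPERATOR = {"spec": {"values": {"global": {"jwtPolicy": "first-party-jwt"}}}}

HARDENED = [
    {"kind": "PeerAuthentication", "metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "STRICT"}}},
    {"kind": "AuthorizationPolicy", "metadata": {"name": "allow-nothing", "namespace": "istio-system"},
     "spec": {}},
    {"kind": "AuthorizationPolicy", "metadata": {"name": "frontend-to-payments", "namespace": "shop"},
     "spec": {"selector": {"matchLabels": {"app": "payments"}},
              "rules": [{"from": [{"source": {"principals": ["cluster.local/ns/shop/sa/frontend"]}}]}]}},
    {"kind": "DestinationRule", "metadata": {"name": "payments-egress", "namespace": "shop"},
     "spec": {"host": "payments.example.com",
              "trafficPolicy": {"tls": {"mode": "SIMPLE", "caCertificates": "/etc/certs/payments-ca.pem"}}}},
]
HARDENED_OPERATOR = {"spec": {"values": {"global": {"jwtPolicy": "third-party-jwt"}}}}

if __name__ == "__main__":
    for finding in audit(WEAK, WEAK_OPERATOR):
        print("FINDING:", finding)
    print("hardened findings:", audit(HARDENED, HARDENED_OPERATOR))
```

Run against the weak manifests the audit reports six findings, one per misconfiguration plus the missing mesh-wide defaults; the hardened set produces none. Feeding it real cluster state is a matter of loading `kubectl get peerauthentication,authorizationpolicy,destinationrule -A -o json` items into the same list.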
Vulnerable Istio Versions
Monitor the Istio version running in your cluster and compare it against the published Istio security bulletins, since older releases carry known vulnerabilities.
Two Modes of Operation
Snowcat is designed to work in two modes: an unauthenticated mode that gathers what it can from a reachable mesh without credentials, and a static analysis mode that inspects exported Istio configuration. A full description of the tool can be found in our blog post.
Open Source Commitment
At Praetorian, we’re committed to promoting and contributing to open source security projects and radically focused on developing technologies to enhance the overall state of cybersecurity. Snowcat is one example of our desire to seed the community with tools containing a set of baseline capabilities in the hope that it will spur further progression.
Snowcat on GitHub