Today, we’re putting our core web services behind the protections provided by U2F and Google’s account takeover and anomaly detection systems. Not only will this provide phishing resistance through the authentication proxy, but also authorization through IAM roles assigned to the user’s Google account.
- Google account
- U2F Yubikey enrolled and enforced for the users/groups that will be accessing the application.
- An hour or so.
- A global cloud that has been operating at billions of rps for decades. (Beyond the scope of this article.)
Deploy your app to whatever GCP service you’d like: a single instance on Compute Engine, Container Engine, or App Engine (note: if you use App Engine, skip the load balancer and go straight to IAP, as App Engine provides the same LB layer automagically). In this case, I am placing a single MISP instance behind the proxy, connected to managed Cloud SQL.
Set up a global HTTPS load balancer. This is an anycast-IP, globally available load balancer, so the application can scale globally with the same configuration and protections; just add instance groups in other regions and attach them to the LB. As an aside, this LB is impressive: it doesn’t require warming and can handle 1 million rps within a few seconds, so it also provides pretty good DDoS protection. The load balancing is performed by a combination of Maglev and GFE (GFE also acts as the proxy).
Go to Identity-Aware Proxy, resolve any issues noted in the configuration column (it will tell you what to do and link to the places to do it), and click the switch under IAP.
Assign access based on IAM roles or user accounts on the right-hand side of the page.
After a couple of seconds, your service will be behind the auth wall. Navigating to your service will present a standard Google login page:
Then the Yubikey prompt, since U2F is required for my account:
Oops, this account isn’t authorized, so access is denied.
But if I log in as an authorized user, I get through to the application.
App Engine apps are even simpler, since most of the work here is configuring the load balancer, which App Engine does behind the scenes.
If you’re into open source or want something similar elsewhere, you can do this yourself with tools like https://github.com/bitly/oauth2_proxy, which supports other providers, though only Facebook and GitHub currently support U2F.
If you want even cooler functionality like remote attestation, star my issue at https://github.com/bitly/oauth2_proxy/issues/343. RA and additional contextual/behavioral capabilities are supposedly coming to Identity-Aware Proxy later this year, in line with BeyondCorp’s current capabilities.