Protecting resources behind an authenticating proxy

Today, we’re putting our core web services behind the protections provided by U2F and Google’s account takeover and anomaly detection systems. Not only will this provide phishing resistance through the authentication proxy, but also authorization through IAM roles assigned to the user’s Google account.

Prerequisites:

  • Google account
  • U2F Yubikey enrolled and enforced for the users/groups that will be accessing the application.
  • An hour or so.
  • A global cloud that has been operating at billions of rps for decades. (Beyond the scope of this article.)

Deploy your app to whatever GCP service you’d like: a single instance on Compute Engine, Container Engine, or App Engine (note: if you’re on App Engine, skip the load balancer and go straight to IAP, since App Engine provides the same LB layer automagically). In this case, I am placing a single MISP instance behind the proxy, connected to managed Cloud SQL.

Set up a global HTTPS load balancer. This is an anycast-IP, globally available load balancer, so the application can scale globally with the same configuration and protections; just add instance groups in other regions and attach them to the LB. As an aside, this LB is impressive: it doesn’t require warming and can hit 1 million rps within a few seconds, so it also provides pretty good DDoS protection. The load balancing is performed by a combination of Maglev and GFE (GFE also acts as the proxy).

Screenshot from 2017-03-21 09-49-03

Go to Identity-Aware Proxy, resolve any issues noted in the configuration column (it will tell you what to do and link to the places to do it), and click the switch under IAP.

Screenshot from 2017-03-21 09-52-43

Assign access based on IAM roles or individual user accounts on the right-hand side of the page.

Screenshot from 2017-03-21 09-53-40

After a couple of seconds, your service will be behind the auth wall. Navigating to your service will present a standard Google login page:

Screenshot from 2017-03-21 10-15-35

Then the Yubikey prompt, since U2F is required for my account:

Screenshot from 2017-03-21 10-15-59

Oops, this account isn’t authorized, so access is denied.

Screenshot from 2017-03-21 10-16-38

But if I log in as the right person, I now get through to the application.

Screenshot from 2017-03-21 10-17-41

Screenshot from 2017-03-21 10-18-37

App Engine apps are even simpler, since most of the work here is configuring the load balancer, which App Engine does behind the scenes.

If you’re into open source or want something similar somewhere else, you can do this yourself with things like https://github.com/bitly/oauth2_proxy, which supports other providers, though only Facebook and GitHub currently support U2F.

If you want even cooler functionality like remote attestation, star my issue at https://github.com/bitly/oauth2_proxy/issues/343. RA and additional contextual/behavioral capabilities are supposedly coming to Identity-Aware Proxy later this year, in line with BeyondCorp’s current capabilities.
