Shulou(Shulou.com)06/01 Report--

This article mainly explains "how to add security features to Envoy". The content in the article is simple and clear, and it is easy to learn and understand. Please follow the editor's ideas to study and learn "how to add security features to Envoy".

With the continuous development and wider adoption of Envoy [1], the next step is to make use of its inherent scalability to add security functions.

Robust security is clearly a critical requirement for any cloud native organization today. The threat is well-funded, skilled and ruthless. At the same time, organizations continue to expand their attack surface by deploying more applications, services, and API.

The commercial market provides a number of security solutions to filter and block malicious requests in incoming traffic. However, these are proprietary, closed-source products. For users who like open solutions, this is obviously not ideal.

To make matters worse, most proprietary solutions run outside the scope of the user environment. This means that the traffic flow must be routed to the vendor's infrastructure, decrypted, analyzed, and then re-encrypted before it can be sent to the user environment. This will not only cause additional delays, but also expose users' data and metrics to third parties, thus seriously compromising privacy.

Envoy gives us the opportunity to solve all these problems.

Envoy is an ideal web security mechanism. It can filter traffic on different scales; it can be used as an ingress gateway for the entire environment, or it can be used to filter a single microservice or any traffic in between. It uses the L3/L4 architecture to handle traffic on a byte basis-which allows application layer processing to be added to it.

Most importantly, it is extensible. It is designed to be easily extended with additional features such as web security.

However, adding security is not an easy task. Today's threat environment is broad and diverse; Envoy security extensions will require internal logic to analyze traffic in a variety of ways to identify many different types of possible attacks. This analysis needs to be stateful, not only within the session, but also across traffic sources. While some attacks, such as SQL injection, can be detected in a single request, other types of attacks are carried out using a series of separate seemingly harmless requests. )

In addition, the threat environment is constantly evolving. Therefore, this extension will need to consume threat intelligence information and be able to update its security posture automatically when new threats emerge.

In addition, Envoy is known for its best observability, so security extensions should be consistent with this. Users should be able to see what is happening in their environment and understand all the traffic filtering decisions being made and why.

Finally, this extension needs to support cloud native practices and work well in the ecosystem. Ideally, it should be open source.

Security extension of Curiefense:Envoy

Curiefense (https://www.curiefense.io/) is an OSS Envoy extension designed to meet these requirements.

Curiefense (named after the famous scientist Marie Curie [2]) adds a wide range of automated web security tools: WAF, DDoS protection, bot management, API security, rate limiting, session flow control, and so on. It contains features that can rival and in many cases surpass commercial closed-source security solutions.

Using Envoy extensions to filter traffic makes external third-party solutions unnecessary because security can be integrated into the environment itself. This means that cloud native organizations will no longer need to compromise on issues such as latency, openness, vendor locking, or privacy.

Curiefense is CNCF's sandbox project. The project aims to provide an open, scalable, adaptive and evolving GitOps platform-a platform that provides strong security while still preserving full privacy for users

Thank you for your reading, the above is the content of "how to add security features to Envoy". After the study of this article, I believe you have a deeper understanding of how to add security features to Envoy, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.