Conference:  Defcon 31
Authors: Maxime Clementz Cybersecurity Senior Manager, PwC Luxembourg
2023-08-01

VPN Always-On is a security control that can be deployed to mobile endpoints that remotely access corporate resources through VPN. It is designed to prevent data leaks and narrow the attack surface of enrolled end-user equipment connected to untrusted networks. When it is enforced, the mobile device can only reach the VPN gateway and all connections are tunnelled. We will review the relevant Windows API, the practicalities of this feature, look at popular VPN software and... bypass them with ridiculously complex exfil methods but also with unexpectedly trivial tricks. We will exploit design, implementation and configuration issues to circumvent this control in offensive scenarios. We will then learn how to fix or harden VPN Always-On deployments to further limit the risks posed by untrusted networks.
Authors: Peter Kelly
2022-05-20

tldr - powered by Generative AI

The presentation discusses the use of WireGuard and Project Calico to provide full mesh encryption in Kubernetes for compliance and zero-trust security.
  • Encrypting data-in-transit is important for compliance and zero-trust security in Kubernetes
  • Common encryption options include mutual TLS and IPsec
  • Project Calico uses WireGuard for full mesh encryption at a layer below application workloads
  • WireGuard is lightweight, fast, scalable, and easy to configure
  • Calico's data plane components interact with WireGuard to manage the kernel and networking rules
  • The implementation has some gaps and areas for improvement