
How Uber, Facebook and Netflix Do SSH - yankcrime
https://gravitational.com/blog/how_uber_netflix_facebook_do_ssh/
======
the_duke
This is an ad disguised as a blog post.

The only remotely meaningful part is the plug for their product at the end.

~~~
mdeeks
No pricing anywhere on their site either. Huge pet peeve for me. That usually
means it is obscene for non trivial usage. Looks very promising but I'm
unwilling to carve out the time and mental energy on the remote chance that
it'll be something reasonable I can fit into our budget. I'm guessing this is
aiming at huge corporations.

~~~
y4mi
I asked, for a previous employer, for a quote (<500 servers).

I don't remember the exact number, but their smallest licence was supposedly
over 40k€.

Maybe it was a misunderstanding but I didn't pursue it at that point. Even a
tenth of that price would've been a hard sell.

------
batbomb
I'd like to see an MFA-version of Kerberos/kinit, and a PAM module that checks
for ticket revocation on login.

That's not so different from BeyondCorp and Uber's model.

Alternatively, some kind of OpenID Connect init (oidcinit) to get a JWT and
then a PAM module like the Kerberos one (which also checks the JWT's Key Id
for revocation on authentication).

~~~
Boulth
From what I've read about BeyondCorp it's far more sophisticated than just
Teleport. It's also a service monitoring the status of a device, including boot
security throughout the entire life of the device, private keys stored in a TPM,
plus various tiers that depend on multiple factors.

~~~
jsilvers
Author here. Yes, BeyondCorp is a farther-ranging approach to security, and
SSH is one piece of it.
[https://www.beyondcorp.com/](https://www.beyondcorp.com/)

------
ssteo
In the fifth paragraph: "No longer does the company rely on a network
perimeter, but rather exposes internal systems to the public internet." This
is terribly misleading!

The zero trust model is often explained incorrectly and misunderstood as allowing
internal services like OpenSSH to be directly exposed to the public all the time. In
actuality, it also works similarly to a VPN, having perimeter security but in a
dynamic way. There should be a proxy separate from the actual service for
authentication, and only the authentication service is exposed to public traffic
all the time, while the internal resource only accepts inbound traffic from the IP
address of a user who has authenticated successfully, and this is orchestrated in
real-time by the authentication service. The traffic from the same user to the internal
service is also denied the moment they log off; think of it like a dynamic
iptables system. Another emphasis of the zero trust model is to authenticate
requests even when they're coming from the same internal subnet. Too many
articles are misleading people into thinking that the zero trust model is to take
away perimeter security entirely.

Note: Exposing any internal services like SSH, message queues or databases
directly to the public is not the right approach, because they can get compromised
when there's any RCE vulnerability.

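The "dynamic iptables" arrangement described in the comment above, as an added example that is not part of the original thread: a constructed authentication-service model in which a successful login allowlists the caller's source IP for the internal SSH port for a bounded time, logoff revokes it immediately, and everything else (including traffic from the internal subnet) is dropped. The clock, TTL, session ids and addresses are all assumptions for the illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    source_ip: str
    expires_at: float


class DynamicPerimeter:
    """Authentication-service state: which source IPs may reach the internal service right now."""
    SSH_PORT = 22

    def __init__(self, ttl_seconds: float = 3600):
        self.ttl = ttl_seconds
        self.now = 0.0                         # constructed clock; advance() moves it forward
        self.sessions: dict[str, Session] = {}

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def login(self, session_id: str, user: str, source_ip: str) -> None:
        # Only the auth service is reachable by everyone; a successful login
        # adds the caller's address to the allowlist for a bounded time.
        ipaddress.ip_address(source_ip)        # raises on malformed input
        self.sessions[session_id] = Session(user, source_ip, self.now + self.ttl)

    def logoff(self, session_id: str) -> None:
        # Logging off revokes access immediately, not at the next expiry sweep.
        self.sessions.pop(session_id, None)

    def active_sources(self) -> set[str]:
        # Drop expired sessions, then report the addresses that still hold access.
        self.sessions = {sid: s for sid, s in self.sessions.items() if s.expires_at > self.now}
        return {s.source_ip for s in self.sessions.values()}

    def is_allowed(self, source_ip: str) -> bool:
        # Coming from an internal subnet earns nothing: no live session, no access.
        return source_ip in self.active_sources()

    def render_rules(self) -> list[str]:
        # iptables-style view of the current state: one ACCEPT per authenticated
        # source, followed by a catch-all DROP for the protected port.
        rules = [f"-A INPUT -s {ip}/32 -p tcp --dport {self.SSH_PORT} -j ACCEPT"
                 for ip in sorted(self.active_sources())]
        rules.append(f"-A INPUT -p tcp --dport {self.SSH_PORT} -j DROP")
        return rules
```
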
------
mc32
>”This requires all systems employed within the BeyondCorp model to be built
with the same skill and hardening as required by any public internet
solution.”

Is that true of _every_ system? I can imagine they have at least some systems
which must be isolated, like BMS or other systems which typically run a decade
or more behind in technology, unless they build their own, but then what about
sites where they rent from WeWork competitors?

~~~
wmf
I think the article's description of BeyondCorp is missing a bunch of nuances.
AFAIK Google still firewalls their network; the difference is that they put
users outside the firewall, not inside. And for applications it looks like only
a proxy is visible outside the firewall, not the whole app infrastructure.

