Navigating the Unseen: Deploying Keycloak in Air-Gapped Environments 🚀

In the high-stakes world of national security and critical infrastructure, systems need to be as invisible as a submarine in the deep or as impenetrable as a nuclear power plant. This is the realm of air-gapped environments – systems physically disconnected from external networks, prioritizing security above all else. But how do you deploy and manage complex software, like the identity and access management solution Keycloak, in these isolated spaces?

Sebastian and Michał from Defense Unicorns dive into this challenge, showing how they handle air-gapped deployments with their open-source tool Zarf, and where Keycloak fits in securing those environments.

The Air-Gap Conundrum: Security vs. Deployment 🔒

Air-gapping buys a great deal of security, but it makes installation hard. Modern software is a set of interdependent pieces (container images, charts, manifests) that is best deployed declaratively, yet the usual tooling for that assumes it can reach the internet at install time to pull images and charts, which an air-gapped system by definition cannot.

Furthermore, the field operators responsible for installation and maintenance usually do not have the development team's depth of expertise, so the installation has to be simple and repeatable: one file in, one command to deploy.

ZarF: Bridging the Gap for Air-Gapped Deployments 🛠️

Enter Zarf, a tool created by Defense Unicorns and now an open-source project hosted under the OpenSSF. Zarf exists to make deploying software into air-gapped environments simple. The core idea is:

  1. Package in the connected world: develop and package the software in a normal, internet-connected environment.
  2. Verify and transfer: Zarf bundles everything the deployment needs into a single archive that can be scanned, signed and verified before it crosses the air gap.
  3. Install in the air-gapped world: the verified package is carried across and installed on the isolated system.

How ZarF Works its Magic ✨

  • zarf package create: run in the connected environment, this pulls every component the package declares (container images, Helm charts, manifests, files) into a single zstd-compressed tar archive (.tar.zst). One file is easy to scan, verify and move across the gap.
  • zarf.yaml manifest: the whole process is driven by a declarative manifest, zarf.yaml. It lists the package's components, exposes variables for site-specific customization, and supports actions (hooks) that run before or after create, deploy and remove.
  • zarf package deploy: run inside the air-gapped environment, this pushes the bundled container images into an internal registry running on the target Kubernetes cluster and then installs the charts and manifests with Helm.
  • zarf init: before zarf package deploy can work, the cluster needs that internal registry. zarf init bootstraps it without any external registry to pull from, injecting the registry image into the cluster by smuggling its data through ConfigMaps, and installs a mutating admission webhook (the Zarf agent) that rewrites image references in workloads to point at the internal registry.

Michał demonstrated this with a simple Keycloak package. After writing a zarf.yaml and the Kubernetes manifests, he ran zarf package create to produce a single archive; zarf package deploy then installed Keycloak, and after port-forwarding the service he could open it in a web browser.
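As an added example (not the demo files from the session), here is a zarf.yaml for a Keycloak package of the kind described above. The image tag, the manifest file paths under manifests/, the variable name and the namespace are assumptions; the manifests themselves would reference ###ZARF_VAR_KEYCLOAK_ADMIN_PASSWORD### wherever the admin password is needed.

```yaml
kind: ZarfPackageConfig
metadata:
  name: keycloak
  version: 0.1.0
  description: Keycloak for an air-gapped cluster (hypothetical example package)

variables:
  # Prompted for on the air-gapped side at deploy time; sensitive values are
  # masked in Zarf's output. Substituted into manifests as
  # ###ZARF_VAR_KEYCLOAK_ADMIN_PASSWORD###.
  - name: KEYCLOAK_ADMIN_PASSWORD
    description: Initial Keycloak admin password
    prompt: true
    sensitive: true

components:
  - name: keycloak
    required: true
    description: Keycloak deployment and service (assumed files under manifests/)
    manifests:
      - name: keycloak
        namespace: keycloak
        files:
          - manifests/deployment.yaml
          - manifests/service.yaml
    # Every image the manifests reference must be listed here so that
    # `zarf package create` pulls it into the archive. At deploy time the Zarf
    # agent rewrites this reference to the cluster-internal registry.
    images:
      - quay.io/keycloak/keycloak:25.0.0   # assumed tag
    actions:
      onDeploy:
        after:
          # Block until the rollout is healthy so a failed deploy is visible
          # to the operator instead of silently leaving a broken service.
          - wait:
              cluster:
                kind: deployment
                name: keycloak
                namespace: keycloak
                condition: available
```

In the connected environment, `zarf package create . --confirm` run next to this file produces `zarf-package-keycloak-amd64-0.1.0.tar.zst` (name, architecture and version come from the manifest), with an SBOM inside that `zarf package inspect <file> --sbom-out ./sbom` can extract for scanning before the file is carried across. On the air-gapped side, `zarf init --confirm` prepares the cluster, `zarf package deploy zarf-package-keycloak-amd64-0.1.0.tar.zst --confirm` installs Keycloak, and `zarf tools kubectl port-forward -n keycloak svc/keycloak 8080:8080` reproduces the browser access from the demo.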

Keycloak: The Identity Backbone of Critical Systems 🛡️

Keycloak is the identity provider of choice for many Department of Defense (DoD) systems, for reasons that matter when national security is on the line:

  • Kubernetes native: it runs as a first-class Kubernetes workload, which fits the declarative infrastructure everything else is built on.
  • Customization: custom themes allow mission-specific branding, which helps operators recognize and trust the system they are logging into.
  • FIPS ready: Keycloak can run with FIPS-validated cryptography, a non-negotiable requirement for federal deployments.
  • Extensibility via SPIs: the Service Provider Interface (SPI) architecture is a key differentiator; authenticators, user storage, protocol mappers and more can be replaced or extended with custom code.

Smart Cards and CACs: Merging Physical and Digital Identity 💳

A crucial element of DoD security is the Common Access Card (CAC), the smart card issued to active-duty military, DoD civilians and eligible contractors. It bridges the physical and digital worlds: the same card opens doors and proves a digital identity.

Technically, the card carries X.509 certificates and the matching private keys; through smart-card middleware (PKCS#11) the operating system and browser can use them for TLS client authentication (mutual TLS). The card itself is designed so the keys never have to leave it:

  • Secure hardware: a small memory chip holds the cryptographic key material, and a dedicated processor performs every cryptographic operation.
  • Key material isolation: only that processor can talk to the memory chip, so private keys are used on the card and never exported from it.
  • Tamper resistance: the card is built to resist physical attack; taking it apart is not expected to reveal the key material.
  • PIN protection: the private keys are only usable after the holder enters a PIN, so possession of the card alone is not enough.

Sebastian showed a Keycloak login flow using a CAC. After the user selects the client certificate from the CAC in the browser, Keycloak extracts identity data from the certificate and pre-fills the form; the user then enters their username and password to complete authentication.

Under the Hood: Secure TLS Termination and Custom SPIs 💡

To make this integration secure:

  • TLS termination: terminate TLS as close to Keycloak as possible. Once TLS is terminated, the client's certificate travels onward as a plain HTTP header, so every component between the termination point and Keycloak must sit inside your trusted perimeter; keeping that path short minimizes the trust domain.
  • Custom headers: do not rely on the conventional X-SSL-* header names; carry the certificate in a header name specific to your platform, so an attacker probing for the standard names gets nothing. Keycloak's reverse-proxy certificate lookup SPI (x509cert-lookup, with providers for nginx, Apache and HAProxy) lets you configure which header names it reads.
  • Header sanitization: crucially, the TLS termination point must always sanitize that header: strip whatever the client sent and set it only from the certificate verified in the TLS handshake, and clear it when no certificate was presented. If a client can smuggle its own value through, it can impersonate any CAC holder, which is a complete authentication bypass.

The CAC Plugin Flow 🔄

The custom CAC plugin in Keycloak is built on two assumptions:

  • MFA with password: the CAC is one factor in multi-factor authentication, paired with a password.
  • Unique identification: a CAC identifies exactly one user.

The flow proceeds as follows:

  1. Certificate validation: the CAC certificate is validated against the DoD and federal PKI trust chains.
  2. Identity extraction: Keycloak's X.509 authenticator extracts the user's identity from the certificate (for example with a regular expression over the subject DN) and stores it as a CAC ID user attribute.
  3. Uniqueness enforcement: the CAC ID attribute is enforced to be unique across all users; two accounts sharing one CAC would be a significant security risk.
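The two pieces of this flow that are easiest to get wrong, header handling at the TLS termination point (from the section above) and CAC ID extraction with uniqueness enforcement, are shown together in the following added Go example. This is not Defense Unicorns' plugin or Keycloak's code: the header name X-Mission-Client-Cert, the CN layout LAST.FIRST.MIDDLE.<10-digit EDIPI>, the self-signed test certificate and the in-memory UserStore are all assumptions standing in for the real proxy, the real DoD PKI chain validation and Keycloak's user attributes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"net/url"
	"regexp"
	"time"
)

// ClientCertHeader is a hypothetical platform-specific header name, used in
// place of the conventional X-SSL-* names as the session recommends.
const ClientCertHeader = "X-Mission-Client-Cert"

// newTestCACCertDER builds a self-signed certificate (DER) whose subject CN follows
// the CAC convention LAST.FIRST.MIDDLE.<10-digit EDIPI>. Constructed test data only;
// a real proxy verifies the chain against DoD/federal PKI roots before trusting it.
func newTestCACCertDER(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // cannot fail for P-256
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// ForwardHeaders is what the TLS-terminating proxy must do on every request: drop
// whatever the client sent, then set the header only from the handshake-verified
// certificate (URL-escaped PEM, the encoding of nginx's $ssl_client_escaped_cert).
func ForwardHeaders(in http.Header, verifiedDER []byte) http.Header {
	out := in.Clone()
	out.Del(ClientCertHeader) // sanitize: a forged value never reaches Keycloak
	if verifiedDER != nil {
		p := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: verifiedDER})
		out.Set(ClientCertHeader, url.QueryEscape(string(p)))
	}
	return out
}

// LookupClientCert is the Keycloak-side counterpart (the job of an x509cert-lookup
// provider): decode the header back into a certificate; (nil, nil) if none was sent.
func LookupClientCert(h http.Header) (*x509.Certificate, error) {
	v := h.Get(ClientCertHeader)
	if v == "" {
		return nil, nil
	}
	raw, err := url.QueryUnescape(v)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode([]byte(raw))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("%s does not carry a PEM certificate", ClientCertHeader)
	}
	return x509.ParseCertificate(block.Bytes)
}

var edipiRE = regexp.MustCompile(`\.(\d{10})$`)
// ExtractCACID pulls the 10-digit EDIPI from the subject CN; this is the value the
// session stores in the user's CAC ID attribute.
func ExtractCACID(cert *x509.Certificate) (string, error) {
	m := edipiRE.FindStringSubmatch(cert.Subject.CommonName)
	if m == nil {
		return "", fmt.Errorf("CN %q has no trailing 10-digit EDIPI", cert.Subject.CommonName)
	}
	return m[1], nil
}

// UserStore stands in for Keycloak's user attributes and enforces the uniqueness
// rule: a CAC ID is bound to at most one user, so BindCAC refuses a second owner.
type UserStore struct{ byCACID map[string]string }
func NewUserStore() *UserStore { return &UserStore{byCACID: map[string]string{}} }
func (s *UserStore) BindCAC(username, cacID string) error {
	if owner, ok := s.byCACID[cacID]; ok && owner != username {
		return fmt.Errorf("CAC ID %s is already bound to user %q", cacID, owner)
	}
	s.byCACID[cacID] = username
	return nil
}

func main() {
	fmt.Println("forged header dropped:", ForwardHeaders(http.Header{ClientCertHeader: {"forged"}}, nil).Get(ClientCertHeader) == "")
	cert, _ := LookupClientCert(ForwardHeaders(http.Header{}, newTestCACCertDER("DOE.JANE.A.1234567890")))
	id, _ := ExtractCACID(cert)
	store := NewUserStore()
	fmt.Println("cac id:", id, "| bind jdoe:", store.BindCAC("jdoe", id), "| bind mallory:", store.BindCAC("mallory", id))
}
```

ForwardHeaders deletes the header before conditionally setting it, so a request that arrives with a forged value and no verified TLS client certificate reaches Keycloak with no header at all. With nginx the equivalent is an unconditional `proxy_set_header X-Mission-Client-Cert $ssl_client_escaped_cert;` behind `ssl_verify_client on;` against the DoD root bundle: `proxy_set_header` replaces any value the client supplied, and an empty variable means the header is not forwarded.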

Key Takeaways and the Future 🌐

The session underscored several vital points:

  • Air-gap software delivery is challenging but essential for mission-critical environments.
  • Keycloak is central to the authentication strategy for many DoD systems.
  • CACs remain the primary method for user identification, though newer methods are emerging.

What was presented is a glimpse into a larger problem space. Defense Unicorns also hinted at future presentations, including one on authenticating with the signed JWT tokens that Kubernetes itself issues, which promises to be another deep dive.

Securing air-gapped systems is ongoing work; tools like Zarf, combined with Keycloak and hardware-backed credentials like the CAC, make it tractable.
