Internet Egress Filtering of Services at Lyft

Photo from Dan Meyers

Unrestricted egress traffic from services poses a significant security risk as it allows external threats to exfiltrate data and download arbitrary payloads from untrusted, dangerous hosts. While ingress filtering from the Internet is ubiquitous using firewalls, it is far less common that companies are controlling and observing traffic leaving their network.

As part of implementing traffic filtering, we achieved observability of our egress traffic, which has also enabled opportunities for our Security team to write detection rules based on anomalous traffic, perform network forensics, and conduct proactive threat hunting exercises.

In this post, we aim to cover how our Security team achieved egress filtering on behalf of all service owners at Lyft. We will go over design decisions, different proxy types, and how we leverage Envoy to act as our Internet Gateway (IGW).

Note that this post addresses service filtering and not employee traffic filtering which is a different threat model in itself.

Our primary goal is to disrupt malicious traffic by ensuring that all Internet-bound network traffic originating from Lyft services is filtered through Envoy.

Lyft weighed numerous ways to control egress traffic; the main challenges stemmed from obtaining observability of encrypted TLS traffic and preventing exfiltration via DNS.

We focused on two main goals to drive our design decisions:

  1. Observability: we want to know the upstream Internet hosts our services communicate with and be able to attribute this traffic to individual downstream service...