docker container security - a network view
Post on 17-Feb-2017
TRANSCRIPT
1
A NETWORK VIEW OF DOCKER CONTAINERS
You Can’t Secure What You Can’t See
2
AGENDA
▪Container Deployment Concerns
▪Docker Security Basics
▪Network View of Docker
▪NACLs, Sec Groups, Flow Logs etc…
▪Summary
Sergey Motovylovets, Senior SW Operations Engineer | DevOps, Cogniance
Glen Kosaka, VP Products & Marketing, NeuVector
3
CONTAINERS: SECURITY CAN’T KEEP UP
Production Concerns
▪Lack of Visibility
▪Constant Change
▪Transience
▪DevOps Workflow Mismatch
▪Same Threats – New Environment: DDoS, XSS… persistent attacks, container break-outs
4
THREATS – A REAL-WORLD EXAMPLE
5
DOCKER SECURITY - INTRO
Host and Docker daemon security
Image signing, vulnerability scanning, content trust
Container runtime security
Network security
6
REVIEWING DOCKER BASICS
Building blocks
cgroups (memory, CPU, block I/O and network limiting)
namespaces (PID, Network, Mount, UTS, IPC + User)
copy-on-write storage (layers represent differences)
7
DOCKER SECURITY BASICS
Host and containers interaction
▪Containers don’t contain: not everything in Linux is namespaced, and the kernel is shared
Proof (demo on slide): because the kernel is shared, a kernel flaw combined with vDSO (virtual dynamic shared object) functionality makes container breakout possible
8
DOCKER SECURITY BASICS
Host and daemon configuration
▪All-or-nothing default authorization model (anyone who can talk to the daemon controls the host): limit access properly
▪Do centralized logging (and alerting)
▪Take advantage of TLS for registries and for the daemon itself
▪Keep software up to date!
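The four daemon-configuration points above can be checked mechanically against `/etc/docker/daemon.json`. The script below is an added example, not code from the talk or from Docker: it audits a daemon.json for a plaintext or client-unauthenticated TCP API listener, a missing authorization plugin, insecure registries and node-local logging. The two configurations are constructed for illustration; the key names are Docker's daemon.json keys, while the plugin name, paths and collector address are assumptions.

```python
"""Audit a Docker daemon.json against the host/daemon hardening checklist.

Added example for the slide above; not code from the talk. Both configs are
constructed: the first exposes the API the way a "quick fix" often does, the
second is the corrected version. Plugin name, cert paths and the syslog
address are placeholders.
"""
import json

# Constructed: daemon reachable over TCP with no TLS, default authz, local logs.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "insecure-registries": ["registry.example.internal:5000"],
    "log-driver": "json-file",
})

# Constructed: TLS with client verification, an authz plugin, remote logging.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "authorization-plugins": ["authz-plugin-example"],   # assumed plugin name
    "log-driver": "syslog",
    "log-opts": {"syslog-address": "tcp://logs.example.internal:514"},
})


def audit_daemon_config(text: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = json.loads(text)
    findings = []

    # 1. API exposure: tcp:// listeners need tlsverify, not just tls.
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts:
        if cfg.get("tlsverify"):
            for key in ("tlscacert", "tlscert", "tlskey"):
                if not cfg.get(key):
                    findings.append(f"tlsverify set but {key} is missing")
        elif cfg.get("tls"):
            findings.append(f"{tcp_hosts}: tls encrypts the channel but tlsverify is off, "
                            "so any client is accepted")
        else:
            findings.append(f"{tcp_hosts}: plaintext API listener; whoever reaches it "
                            "is root on the host")

    # 2. Authorization: without a plugin the model is all-or-nothing.
    if not cfg.get("authorization-plugins"):
        findings.append("no authorization plugin: the built-in model is all-or-nothing")

    # 3. Registries: insecure-registries disables TLS verification for pulls/pushes.
    for reg in cfg.get("insecure-registries", []):
        findings.append(f"insecure registry {reg}: images move over plaintext or unverified TLS")

    # 4. Logging: json-file/local keep logs on the node only.
    if cfg.get("log-driver", "json-file") in ("json-file", "local"):
        findings.append("logs stay on the node: ship them to a central collector "
                        "(syslog, gelf, fluentd, ...)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or ["ok"])
```

Run it against a real file with `audit_daemon_config(open("/etc/docker/daemon.json").read())`; settings passed on the dockerd command line instead of daemon.json are not seen by this check.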
9
DOCKER SECURITY BASICS
Image signing, content trust
Enable content trust
Keep your registry up-to-date
Keep images minimal
Run security checks as part of CI/CD pipelines, and keep checking containers at runtime
10
DOCKER SECURITY BASICS
Container runtime security
SELinux is your bro
Seccomp is another bro
Overlay is great for builds; a production root fs should run in read-only mode
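The runtime points on this slide (SELinux, seccomp, read-only root fs) are all visible in `docker inspect` output, which makes them easy to verify for every running container. The script below is an added example, not code from the talk: it reads the `HostConfig` section of a `docker inspect` document and flags the settings a practitioner checks first. The two documents are constructed and trimmed to the keys the checks read; the key names (`ReadonlyRootfs`, `SecurityOpt`, `CapAdd`, `CapDrop`, `PidMode`, `NetworkMode`, `Binds`) are the ones Docker emits, while the container name, profile path and mount paths are assumptions.

```python
"""Check a container's runtime settings from `docker inspect` output.

Added example for the runtime-security slide; not code from the talk. The two
inspect documents are constructed and trimmed to HostConfig; paths and names
are placeholders.
"""
import json

# Constructed: the "just make it work" container.
WEAK_INSPECT = json.dumps([{
    "Name": "/api-1",
    "HostConfig": {
        "Privileged": False,
        "ReadonlyRootfs": False,
        "SecurityOpt": ["seccomp=unconfined"],
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": None,
        "PidMode": "",
        "NetworkMode": "host",
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
    },
}])

# Constructed: the same service with a read-only root fs, a custom seccomp
# profile, SELinux left enforcing, no-new-privileges and every capability dropped.
HARDENED_INSPECT = json.dumps([{
    "Name": "/api-1",
    "HostConfig": {
        "Privileged": False,
        "ReadonlyRootfs": True,
        "SecurityOpt": ["no-new-privileges",
                        "seccomp=/etc/docker/seccomp/api.json",   # assumed profile path
                        "label=type:container_t"],
        "CapAdd": None,
        "CapDrop": ["ALL"],
        "PidMode": "",
        "NetworkMode": "app_net",
        "Binds": ["/srv/api/config:/etc/api:ro"],
        "Tmpfs": {"/tmp": "rw,noexec,nosuid,size=64m"},
    },
}])

DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "ALL"}


def check_runtime(inspect_json: str) -> list:
    """Return findings for the first container in a `docker inspect` document."""
    hc = json.loads(inspect_json)[0]["HostConfig"]
    sec_opts = hc.get("SecurityOpt") or []
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities, all devices, no seccomp/AppArmor")
    if not hc.get("ReadonlyRootfs"):
        findings.append("root fs is writable: use --read-only (plus tmpfs for scratch dirs)")
    if any(o.startswith("seccomp=unconfined") for o in sec_opts):
        findings.append("seccomp disabled: every syscall is reachable from the container")
    if any(o in ("label=disable", "label:disable") for o in sec_opts):
        findings.append("SELinux confinement disabled for this container")
    if not any(o.startswith("no-new-privileges") for o in sec_opts):
        findings.append("no-new-privileges not set: setuid binaries can regain privileges")
    for cap in hc.get("CapAdd") or []:
        if cap in DANGEROUS_CAPS:
            findings.append(f"capability {cap} added: widens the kernel attack surface "
                            "well beyond the default set")
    if (hc.get("CapDrop") or []) != ["ALL"]:
        findings.append("capabilities not dropped: start from --cap-drop ALL and add back "
                        "only what is needed")
    for mode_key in ("PidMode", "NetworkMode"):
        if hc.get(mode_key) == "host":
            findings.append(f"{mode_key}=host: shares the host {mode_key[:-4].lower()} namespace")
    for bind in hc.get("Binds") or []:
        if bind.split(":", 1)[0].endswith("docker.sock"):
            findings.append("docker.sock mounted: the container can drive the daemon "
                            "(root on the host)")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_INSPECT), ("hardened", HARDENED_INSPECT)):
        print(name, check_runtime(doc) or ["ok"])
```

Feed it `docker inspect <container>` output with `check_runtime(subprocess.check_output(["docker", "inspect", name]))` on a real host; the checks are per-container, so loop over `docker ps -q` to cover a node.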
11
NETWORK SECURITY
Single-node networking
▪Container network namespaces
▪Host network namespace
[diagram: each container’s eth0 is one end of a veth pair (vethX, vethY); the other ends sit in the host network namespace on the docker0 bridge, which forwards to the host’s eth0]
12
NETWORK SECURITY
Multi-node setup
[diagram: Node 1 and Node 2, each with containers (eth0) on veth pairs (vethX, vethY) attached to its own docker0 bridge behind the host eth0; how containers on different nodes reach each other is marked “eth0?”]
13
NETWORK SECURITY
[diagram: OpenStack network architecture]
14
NETWORK SECURITY
[diagram: the two nodes, each with containers on veth pairs and a docker0 bridge, joined by an overlay network; Docker “security groups” are applied at the docker0/overlay bridge on each node]
15
NETWORK SECURITY
Separate network namespace: the overlay network lives in its own network namespace on each node, distinct from both the host and the container namespaces
16
NETWORK SECURITY
▪tcpdump on host interface
▪and from within the overlay namespace
▪overlay network without encryption: the container traffic is readable on the host interface, merely wrapped in VXLAN
17
NETWORK SECURITY
▪tcpdump on host interface
▪and from within the overlay namespace
▪encrypted overlay network: on the host interface only ESP packets are visible
18
NETWORK SECURITY
▪collecting traffic in a centralized manner
▪traffic is still encrypted though
19
NETWORK SECURITY
▪figuring out the algorithm and the encryption keys
▪decrypted traffic
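The four capture slides above (unencrypted overlay, encrypted overlay, centralized collection, and decryption once the keys are known) come down to what an observer on the host interface can parse. The script below is an added example, not code from the talk: it constructs one VXLAN-encapsulated frame and one IPsec ESP frame (addresses, VNI 4097, ports and the stand-in ciphertext are all made up) and parses them the way a host-interface sniffer would. From the VXLAN frame it recovers the inner container addresses, TCP ports and the HTTP request; from the ESP frame only the SPI and sequence number, which is why centralized collection of encrypted-overlay traffic still yields ciphertext.

```python
"""What a tcpdump on the host interface sees for overlay traffic.

Added example for the capture slides; not code from the talk. Both frames are
constructed so the script runs offline: VXLAN (UDP 4789) carries the container
traffic in the clear, ESP (IP proto 50) carries only SPI, sequence number and
ciphertext. Checksums are left at zero since nothing is sent.
"""
import socket
import struct

VXLAN_PORT = 4789                       # IANA VXLAN port, used by Docker overlay
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50


def ethernet_header(ethertype=0x0800):
    return bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", ethertype)


def ipv4_header(src, dst, proto, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_vxlan_frame():
    """Node 192.168.1.10 -> 192.168.1.11 carrying container 10.0.0.2 -> 10.0.0.3 HTTP."""
    http = b"GET /api/users HTTP/1.1\r\nHost: api\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 45678, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + http
    inner = ethernet_header() + ipv4_header("10.0.0.2", "10.0.0.3", IPPROTO_TCP, len(tcp)) + tcp
    vni = 4097                                                     # made-up overlay VNI
    vxlan = struct.pack("!B3s3sB", 0x08, b"\0\0\0", vni.to_bytes(3, "big"), 0) + inner
    udp = struct.pack("!HHHH", 40000, VXLAN_PORT, 8 + len(vxlan), 0) + vxlan
    return ethernet_header() + ipv4_header("192.168.1.10", "192.168.1.11", IPPROTO_UDP, len(udp)) + udp


def build_esp_frame():
    """Same node pair, encrypted overlay: the VXLAN datagram is inside ESP (RFC 4303)."""
    spi, seq = 0x0000ABCD, 7
    ciphertext = bytes((i * 37 + 11) & 0xFF for i in range(96))    # stand-in for AES-GCM output
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ethernet_header() + ipv4_header("192.168.1.10", "192.168.1.11", IPPROTO_ESP, len(esp)) + esp


def parse_ipv4(buf, off):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "hlen": (ver_ihl & 0x0F) * 4, "end": off + total}


def parse_host_frame(frame):
    """Return what an observer on the host interface can learn from one frame."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return {"kind": "non-ipv4"}
    outer = parse_ipv4(frame, 14)
    off = 14 + outer["hlen"]
    view = {"outer_src": outer["src"], "outer_dst": outer["dst"]}
    if outer["proto"] == IPPROTO_UDP:
        _, dport, _, _ = struct.unpack_from("!HHHH", frame, off)
        if dport != VXLAN_PORT:
            return dict(view, kind="udp", dport=dport)
        off += 8
        _, _, vni_raw, _ = struct.unpack_from("!B3s3sB", frame, off)
        view.update(kind="vxlan", vni=int.from_bytes(vni_raw, "big"))
        off += 8 + 14                                   # VXLAN header + inner Ethernet
        inner = parse_ipv4(frame, off)
        view.update(inner_src=inner["src"], inner_dst=inner["dst"], inner_proto=inner["proto"])
        off += inner["hlen"]
        if inner["proto"] == IPPROTO_TCP:
            sport, dport, _, _, data_off = struct.unpack_from("!HHIIB", frame, off)
            off += (data_off >> 4) * 4
            view.update(inner_sport=sport, inner_dport=dport, payload=frame[off:inner["end"]])
        return view
    if outer["proto"] == IPPROTO_ESP:
        spi, seq = struct.unpack_from("!II", frame, off)
        return dict(view, kind="esp", spi=spi, seq=seq, ciphertext_len=len(frame) - off - 8)
    return dict(view, kind="other", proto=outer["proto"])


if __name__ == "__main__":
    print(parse_host_frame(build_vxlan_frame()))
    print(parse_host_frame(build_esp_frame()))
```

Docker’s encrypted overlay is IPsec ESP programmed into the kernel of each node, so the last slide’s “figuring out the algorithm and encryption keys” amounts to having root on a node: `ip xfrm state` there lists the security associations, keys included. Network-level encryption protects the wire between nodes, not against whoever controls a node.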
20
CONTAINER MICROSEGMENTATION
▪Know container behavior
▪Isolation at:
- Application (big)
- Service (group)
- Container (micro-instance)
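The three isolation levels above, and the “NACLs, Sec Groups, Flow Logs” item from the agenda, can be turned into one check: take the flows you observe (from a flow log or a capture on the overlay), map each endpoint to its application, service and container, and compare against an allow-list learned from known-good behaviour. The script below is an added example, not code from the talk or from NeuVector: the inventory, the policy and the flow-log lines are all constructed, and the flow layout (src dst proto dport) is what a flow record reduces to after parsing.

```python
"""Microsegmentation check: observed container flows against an allow-list
at the application, service and container level.

Added example for the microsegmentation slide; not code from the talk.
Inventory, policy and flow-log lines are constructed.
"""
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed inventory: container IP -> (application, service, container)
INVENTORY = {
    "10.0.0.2": ("shop", "web", "web-1"),
    "10.0.0.3": ("shop", "api", "api-1"),
    "10.0.0.4": ("shop", "api", "api-2"),
    "10.0.0.5": ("shop", "db", "db-1"),
    "10.0.1.2": ("billing", "worker", "worker-1"),
}

# Constructed policy, learned from the application's known-good behaviour:
# service-level edges inside an application, plus one container-level exception
# that crosses an application boundary. Everything else is a violation.
SERVICE_ALLOW = {("web", "api", "tcp", 8080), ("api", "db", "tcp", 5432)}
CONTAINER_ALLOW = {("worker-1", "db-1", "tcp", 5432)}

# Constructed flow-log lines: src dst proto dport
SAMPLE_FLOW_LOG = """\
10.0.0.2 10.0.0.3 tcp 8080
10.0.0.3 10.0.0.5 tcp 5432
10.0.0.2 10.0.0.5 tcp 5432
10.0.1.2 10.0.0.5 tcp 5432
10.0.1.2 10.0.0.3 tcp 8080
10.0.0.4 10.0.0.3 tcp 22
10.0.0.3 203.0.113.9 tcp 443
"""


def parse_flow_log(text: str) -> list:
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def classify(flow: Flow) -> str:
    """Return the isolation level that allowed or rejected this flow."""
    src, dst = INVENTORY.get(flow.src), INVENTORY.get(flow.dst)
    if src is None or dst is None:
        return "unknown-endpoint"       # not one of our containers: ingress/egress policy applies
    (sapp, ssvc, scid), (dapp, dsvc, dcid) = src, dst
    # Container level (micro-instance): explicit per-container exceptions win.
    if (scid, dcid, flow.proto, flow.dport) in CONTAINER_ALLOW:
        return "allowed-container"
    # Application level (big): nothing crosses an application boundary.
    if sapp != dapp:
        return "violation-application"
    # Service level (group): only the learned service edges inside the application.
    if (ssvc, dsvc, flow.proto, flow.dport) in SERVICE_ALLOW:
        return "allowed-service"
    return "violation-service"          # e.g. web straight to db, or ssh between api instances


def evaluate(flows: list) -> list:
    return [(flow, classify(flow)) for flow in flows]


def summarize(results: list) -> Counter:
    return Counter(verdict for _, verdict in results)


if __name__ == "__main__":
    results = evaluate(parse_flow_log(SAMPLE_FLOW_LOG))
    for flow, verdict in results:
        print(f"{verdict:22} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
    print(summarize(results))
```

The ordering of the checks is the point: a container-level exception is evaluated before the application boundary, so a deliberate cross-application flow can be permitted for one instance without opening the whole service group, and anything not explicitly learned is reported as a violation rather than silently allowed.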
21
TAKEAWAYS
▪Secure the Host and OS
▪Secure the Container Platform, Image, and Registry
▪Monitor and Secure During Run-time
- Application specific
- Network overlay agnostic
- Real-time detection
[diagram: Dev / Deploy, Registry, Run-Time; Threats, Violations, Vulnerabilities]
22
SOFTWARE OPERATIONS
▪System Architecture Development
▪Security definitions and audit
▪Monitoring and system metrics collection and analysis
▪Cloud Capacity planning and optimization
▪Release Management and Deployment automation
▪Continuous Integration/ Delivery/ Deployment
23
QUESTIONS?
For more information contact us:
NeuVector: info@neuvector.com http://neuvector.com
Cogniance: hello@cogniance.com http://www.cogniance.com