
© Copyright 2015 Pivotal. All rights reserved.

Can containers be secured in a PaaS?

Tom Kranz

[email protected]


Introductions: who am I?

UNIX sysadmin

Technical architect

Principal Field Engineer

Account Manager

Security person

Get in touch on LinkedIn or Twitter


Can containers be secured in a PaaS?

Maybe ….

Not about features

Context is important

And implementation is key!

And always remember:

You will get hacked. Eventually.


So what’s the context?

Who are our attackers?

Where are they attacking from?

What are they attacking?

What data is at risk?

This gives us a risk profile we can use to evaluate the security of an *implementation*

Evaluating the security of a product in isolation - without context - is bad, and leads to bad risk profiles and poor decisions


Who are our attackers?

Opportunists?

Someone with a grudge?

Professionals?

Nation states?


August 2015 cyber attack stats


Stats from http://www.hackmageddon.com/


Where are they attacking from?

Internal or external?

What are they attacking?

Infrastructure?

Applications?

Physical location?

All of the above?


SPARTA!


What data is at risk?

Can use answers to the above to work out what data is at risk and where it is

This can form your risk profile

This is what you can use to evaluate the security of an implemented solution

Evaluate the implementation against the profile - not the product against a checklist!


Pivotal Cloud Foundry Architecture recap

[Architecture diagram: Operations Manager (Ops Manager UI, Ops Manager Director); Elastic Runtime (HA Proxy LB, Dynamic Router, Login Server, UAA, Cloud Controller, Health Manager, Messaging (NATS), DEA Pool running Apps, App Log Aggregator, Metrics Collection); Services (Service Broker, Service Nodes)]

Containers!

Example: secure PCF implementation


Why?

Leverage existing, tried and tested security solutions where appropriate (isolation, firewalls)

Rely on platform security where appropriate (containers, immutable infrastructure)

Change in application delivery also drives a change in security mindset (application centric not server centric)


Attack vectors - it’s the apps!


Stats from http://www.hackmageddon.com/


Impact of attacks

Attacker compromises app, gets access to core data

Nothing to do with the platform, nothing we can do to stop this

Mitigation: WAF, code audit to help write secure code

Attacker compromises app, gets local container access

If they break anything, BOSH destroys and re-deploys the container

Can’t break out of the container to the host VM (the DEA)

Can’t sniff network traffic

Can’t pivot east/west to attack other internal PCF components


Gentlemen, we can rebuild him. We have the technology.

OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Make Jenkins do the work: https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin

Also look at Web Application Attack and Audit Framework: http://w3af.org/


Containerception


Current tech: Warden


Future tech: Garden


More info at http://blog.pivotal.io/pivotal-cloud-foundry/features/cloud-foundry-container-technology-a-garden-overview


Container security in PCF: the nitty gritty

Containers provide isolation of resources – CPU, memory, file system, process space, network

Containers have their own private network, not accessible from outside the DEA

[Diagram: two DEAs, each hosting four app containers]

Container Isolation

Routers forward requests from outside using the app’s route to the assigned port on the DEA, which does network translation to the container’s internal IP and port

Apps are prevented from communicating directly with each other by container firewall rules; they must communicate through published routes

[Diagram: HA Proxy LB in front of the Dynamic Router, which forwards to app containers on two DEAs]
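The two rules on this slide (route → assigned DEA port → NAT to the container, and a container firewall that drops direct app-to-app traffic) can be modelled in a few lines. This is an added illustration, not Cloud Foundry or Warden code; the DEA name, container addresses, ports and routes are constructed sample values.

```python
# Added illustration (not Cloud Foundry/Warden code) of the DEA port-forwarding
# and container-firewall behaviour described on the slide; sample values only.
from dataclasses import dataclass, field

@dataclass
class Container:
    app: str
    ip: str    # private address on the DEA's internal container network
    port: int  # port the app listens on inside the container

@dataclass
class DEA:
    name: str
    containers: dict = field(default_factory=dict)  # assigned host port -> Container

    def nat(self, host_port):
        """Translate an assigned DEA port to the container's internal ip:port."""
        c = self.containers.get(host_port)
        return (c.ip, c.port) if c else None

class Platform:
    def __init__(self, deas):
        self.deas = {d.name: d for d in deas}
        self.routes = {}  # published app route -> (DEA name, assigned host port)

    def route_request(self, route):
        """Router path: route -> DEA assigned port -> NAT -> container ip:port."""
        dea_name, host_port = self.routes[route]
        return dea_name, self.deas[dea_name].nat(host_port)

    def container_firewall(self, src_app, dst_ip):
        """Container egress rule: packets sent straight to another container's
        private address are dropped; a published route or the internet is fine."""
        for dea in self.deas.values():
            for c in dea.containers.values():
                if c.ip == dst_ip and c.app != src_app:
                    return "DROP"
        return "ACCEPT"

def build_demo():
    dea = DEA("dea-1")
    dea.containers[61001] = Container("shop", "10.254.0.2", 8080)
    dea.containers[61002] = Container("billing", "10.254.0.6", 8080)
    p = Platform([dea])
    p.routes["shop.example.test"] = ("dea-1", 61001)
    p.routes["billing.example.test"] = ("dea-1", 61002)
    return p
```

With `build_demo()`, the "shop" app reaching "billing" by its private address is dropped, while a request for `billing.example.test` still resolves through the router and NAT to the same container.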

Warden/Garden networking in detail


Container filesystems

[Diagram: a Garden container with Buildpacks beside a Garden container with a Docker image]

Why a different container tech?

i.e. Why not Docker? Again, context is important:

PCF treats containers as disposable

i.e. We don’t care about them, and neither should you

Therefore we don’t allow access to them

Fundamental difference in design principles - we can lock them down much more tightly

To see the implications: http://reventlov.com/advisories/using-the-docker-command-to-root-the-host

To summarise - Key points

Yes, containers can be secured in a PaaS

This can mitigate some attacks, doesn’t help with others

Doesn’t mean your apps are secure

Don’t rely on technology to solve security issues

Build security into your apps from the start

Profile the risk and mitigate what you can

Remember not all risk can be mitigated

Context is important!

You will get hacked, response is key - whole other topic!


THANK YOU

[email protected]

https://www.linkedin.com/in/tomkranz

@whoopsie
