Ensuring a Secure Foundation for Your AWS Containers - Chris Swan's AWS Loft Talk in London
TRANSCRIPT
© 2015
Why me?
Used to do IT security for two major Swiss banks
Started using Docker in July 2013 and decided to incorporate it into our VNS3 product as a plugin mechanism
Docker became part of Cohesive Networks VNS3 in April 2014, with real users in production before Docker itself went 1.0
Regular contributor to InfoQ on Docker, security and containers
Official Images with Vulnerabilities
Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/
Packages in Official Images with High Priority Vulnerabilities
Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/
General Images with Vulnerabilities
Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/
Packages in General Images with High Priority Vulnerabilities
Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/
It’s not as bad as it might look
Image bloat can mean lots of potentially vulnerable code that never gets run, which leaves something of an unexploded minefield
Taint inheritance: fix the root cause and you fix a lot of images
The worst cases lie in deprecated versions, but the continued use of known vulnerable old versions of things is how we end up with stuff that gets attacked so easily
Each active line creates a layer
Base OS
Sources
Update repos
Install nginx
Mod nginx.conf
Mod index.html
Problem 1 – non determinism
Whilst we want things to be cached in the short term, e.g.:
apt-get install nginx
We perhaps don't want it cached in the long term. What are those durations?
Problem 2 – the manifest problem
When I run:
apt-get install nginx
I don't know which version of nginx I just got. Should I?
nginx -v 2> some.log
Or maybe?
apt-cache policy nginx > some.log
Or should I have done this in the first place?
apt-get install nginx=1.1.19-1ubuntu0.7
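Added example, not from the talk: a POSIX shell script that turns the "which version did I just get?" question into a build-time check, recording the installed version in a manifest and failing if it differs from the pin. The `apt-cache policy nginx` output is a constructed sample (the `...0.8` candidate and the repo URL are assumptions); in a real build you would capture the command's actual output.

```shell
#!/bin/sh
# Constructed sample of `apt-cache policy nginx` output. Installed matches the
# pin from the slide; Candidate is a newer version the repo would hand out today.
SAMPLE_POLICY='nginx:
  Installed: 1.1.19-1ubuntu0.7
  Candidate: 1.1.19-1ubuntu0.8
  Version table:
     1.1.19-1ubuntu0.8 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
 *** 1.1.19-1ubuntu0.7 0
        100 /var/lib/dpkg/status'

# Print the version apt reports as installed (policy output on stdin).
installed_version() {
  awk '$1 == "Installed:" { print $2 }'
}

# Print the version an unpinned `apt-get install` would fetch right now.
# This is problem 1: the answer drifts over time, so a cached layer and a
# fresh rebuild of the same Dockerfile line can contain different code.
candidate_version() {
  awk '$1 == "Candidate:" { print $2 }'
}

# Append "pkg=version" to a manifest file so the build records what it got
# (problem 2), and echo the version for the caller.
record_manifest() {
  pkg="$1"; manifest="$2"
  ver=$(installed_version)
  printf '%s=%s\n' "$pkg" "$ver" >> "$manifest"
  printf '%s\n' "$ver"
}

# Fail the build if the installed version is not the one pinned in the Dockerfile.
check_pin() {
  pkg="$1"; want="$2"; policy_output="$3"
  got=$(printf '%s\n' "$policy_output" | installed_version)
  if [ "$got" = "$want" ]; then
    echo "$pkg=$got matches pin"
    return 0
  fi
  echo "$pkg: pinned $want but got $got" >&2
  return 1
}
```

Run `check_pin` right after the `apt-get install` line in the build so the layer is never cached with an unexpected version.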
NB - These are package manager problems
But Docker is 'the new package manager', and it typically wraps the old ones
Overview of Docker Content Trust
Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/
Protection against image forgery
Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/
Protection against replay attacks
Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/
Protection against key compromise
Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/
And there’s an accompanying tool
Image credit: https://www.docker.com/docker-security
The benchmark covers
1. Host configuration
2. Docker daemon configuration
3. Docker daemon configuration files
4. Container images and build file
5. Container runtime
6. Docker security operations
For more detail
https://www.docker.com/docker-security
http://www.infoq.com/author/Chris-Swan
And please check out Docker plugins to our VNS3
Isolated Docker containers within VNS3 allow partners and customers to embed features and functions safely and securely into their cloud network.
Proxy Reverse Proxy Content Caching Load Balancer IDS Custom Container
Router Switch Firewall Protocol Redistributor
VPN Concentrator
Scriptable SDN
VNS3 Core Components