Running a Security Service in gcloud

Posted on 15-Apr-2017


TRANSCRIPT

Copyright @ 2016 Aqua Security Software Ltd. All Rights Reserved.

Running a Security Service in gcloud
Michael Cherny, Head of Research

2

WHO AM I
- Head of Security Research at Aqua Security, a leader in container security
- 20 years of building security products, development and research
- Held senior security research positions at Microsoft, Aorato and Imperva
- Presented at security conferences, among them BlackHat Europe, RSA Europe and Virus Bulletin

3

PEEKR
- Scans for known vulnerabilities (CVEs)
- Profiles container activities on host and network
- Automatically runs the image and checks it against malicious behaviors
- Highlights suspicious container behavior
- Free (no credit card needed for registration)
- https://peekr.aquasec.com

4

PEEKR

5

YOU WERE SAYING...
- "Automatically runs the image and checks it against malicious behaviors"
- Meaning we are running arbitrary, unknown containers on our infrastructure
- Every time we consulted people and organizations, we got the same response...

6

YOU ARE CRAZY

INSANE, NUTS, KOOKY, WACKY...

7

ARCHITECTURAL REQUIREMENTS
- Scalable web front end
- Scalable scanner workers
- Asynchronous processing
- Security

8

SECURITY CONCERNS
- Web front end
- Malicious containers
- Exploding containers
- Lateral movement
- Attacking from our infrastructure

9

MALICIOUS CONTAINERS
- Local behavior: fork bomb, fallocate, resource consumption
- Network: East-West, North-East

10

IMPLEMENTATION
- Kubernetes
- Security: Kubernetes, Aqua

11

PEEKR ARCHITECTURE OVERVIEW
[Diagram: a front end cluster (Front end Service, Web, Queue, CVEs) and a back end cluster (Scanner)]

12

OVERALL SECURITY
- Log everything
- Use kubectl to access containers, to limit ssh access
- Apply resource quotas and limits with Kubernetes namespaces
- Network segregation through Kubernetes clusters

13

PROTECTING AGAINST MALICIOUS CONTAINERS
Local
- Run unprivileged
- Run with user namespace
- Container data (volumes) on a separate partition
- Aqua
Network
- Deny network access
- No internet access to the back end cluster
- Communication between clusters is limited to the absolute minimum

14

FORK BOMB
:(){ :|:& };:
- Exhausts PIDs
- System freezes

15

FORK BOMB PROTECTION
nproc
- ulimit -u 100
- Limit per user per session
- Can be done either for the docker daemon or per container
- Doesn't enforce for root
PID cgroup
- Future, kernel 4.3
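As an added illustration (not code from the deck), one way to express the controls from slides 13, 14 and 16 as Kubernetes manifests: a scanner worker Pod that runs unprivileged with CPU, memory and disk limits, a default-deny NetworkPolicy for the back end namespace, and a kubelet per-pod PID limit, which uses the PID cgroup and therefore applies to root as well. The pod name, namespace and image are hypothetical placeholders.

```yaml
# Added example, not from the deck: hypothetical names and image
apiVersion: v1
kind: Pod
metadata:
  name: peekr-scanner-worker
  namespace: backend
spec:
  automountServiceAccountToken: false   # worker has no reason to talk to the API server
  securityContext:
    runAsNonRoot: true                  # "run unprivileged"
    runAsUser: 10001
  containers:
  - name: scanner
    image: registry.example.invalid/peekr/scanner:1.0   # placeholder image
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    resources:
      requests:
        cpu: "500m"
        memory: "512Mi"
      limits:
        cpu: "1"
        memory: "1Gi"
        ephemeral-storage: "2Gi"        # bounds fallocate-style disk filling
    volumeMounts:
    - name: scratch                     # container data kept off the root filesystem
      mountPath: /scratch
  volumes:
  - name: scratch
    emptyDir:
      sizeLimit: "2Gi"
---
# Default deny in both directions for the back end namespace; add narrow allow rules for the queue only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-default-deny
  namespace: backend
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Kubelet setting: per-pod PID limit via the PID cgroup, enforced for root too.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
podPidsLimit: 100
```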

FORK BOMB DEMO

17

SO WITH A LITTLE HELP

THANK YOU
Michael Cherny
cherny@aquasec.com
@chernymi
