Docker Container Security - A Network View

Post on 17-Feb-2017

1

A NETWORK VIEW OF DOCKER CONTAINERS

You Can’t Secure What You Can’t See

2

AGENDA

▪ Container Deployment Concerns
▪ Docker Security Basics
▪ Network View of Docker
▪ NACLs, Sec Groups, Flow Logs etc…
▪ Summary

Sergey Motovylovets, Senior SW Operations Engineer | DevOps, Cogniance

Glen Kosaka, VP Products & Marketing, NeuVector

3

CONTAINERS: SECURITY CAN’T KEEP UP

Production Concerns
▪ Lack of Visibility
▪ Constant Change
▪ Transience
▪ DevOps Workflow Mismatch
▪ Same Threats – New Environment: DDOS, XSS… persistent attacks, container break-outs

4

THREATS – A REAL-WORLD EXAMPLE

5

DOCKER SECURITY - INTRO

Host and Docker daemon security

Image signing, vulnerability scanning, content trust

Container runtime security

Network security

6

REVIEWING DOCKER BASICS

Building blocks

cgroups (memory, CPU, block I/O and network limiting)

namespaces (PID, Network, Mount, UTS, IPC + User)

copy-on-write storage (layers represent differences)

7

DOCKER SECURITY BASICS

Host and containers interaction

▪ Containers don’t contain
- not everything in Linux is namespaced
- kernel is shared

When combined with vDSO (virtual dynamic shared object) functionality, this makes container breakout possible

Proof:

8

DOCKER SECURITY BASICS

Host and daemon configuration

▪ All-or-nothing default authorization model - limit access properly

▪ Do centralized logging (and alerting)

▪ Take advantage of TLS for registries and the daemon itself

▪ Keep software up to date!

9

DOCKER SECURITY BASICS

Image signing, content trust

Enable content trust

Keep your registry up-to-date

Keep image minimal

Run security checks as part of CI/CD pipelines, and keep checking containers at runtime

10

DOCKER SECURITY BASICS

Container runtime security

SELinux is your bro

Seccomp is another bro

Overlay is great for builds; production root fs should be running in read-only mode

11

NETWORK SECURITY

Single-node networking

▪ Container network namespaces

▪ Host network namespace

[Diagram: each container’s network namespace has its own eth0, connected through a veth pair (vethX, vethY) to the docker0 bridge in the host network namespace, which uplinks through the host’s eth0]

12

NETWORK SECURITY

Multi-node setup

[Diagram: Node 1 and Node 2, each with containers’ eth0 → vethX/vethY → docker0 → host eth0; the “eth0?” between the nodes marks the open question of how container traffic crosses between hosts]

13

NETWORK SECURITY

OpenStack network architecture

14

NETWORK SECURITY

[Diagram: the same two-node layout (containers’ eth0 → vethX/vethY → docker0 → host eth0) joined by an overlay network; Docker “security groups” are applied at the docker0 bridge]

15

NETWORK SECURITY

Separate network namespace

16

NETWORK SECURITY

▪ tcpdump on host interface

▪ and from within the overlay namespace

▪ overlay network without encryption

17

NETWORK SECURITY

▪ tcpdump on host interface

▪ and from within the overlay namespace

▪ encrypted overlay network
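
Slides 16 and 17 contrast what tcpdump shows on the host interface for an unencrypted versus an encrypted overlay. The POSIX sh script below is an added example, not part of the deck: it classifies host-interface capture lines as plaintext VXLAN (UDP/4789, inner container packet readable) or IPsec ESP (encrypted overlay) and counts the plaintext encapsulations. The interface name, the overlay namespace path under /var/run/docker/netns and the capture lines are assumptions and constructed sample data.

```shell
#!/bin/sh
# Added example (not from the slides). An unencrypted Docker overlay sends
# container traffic between nodes as VXLAN in UDP/4789, so tcpdump on the
# host interface shows the inner container packets. A network created with
# "docker network create -d overlay --opt encrypted ..." wraps the same
# VXLAN frames in IPsec ESP (IP protocol 50): only ESP headers are visible.
#
# Capture commands (assumed interface/namespace names, adjust per host):
#   tcpdump -nli eth0 'udp port 4789 or ip proto 50'      # host view
#   nsenter --net=/var/run/docker/netns/1-<netid> tcpdump -nli any
# The second runs inside the overlay's namespace, where traffic is always
# plaintext: that is the "from within the overlay namespace" view.

# Classify one line of a host-interface capture.
classify_overlay_line() {
  case "$1" in
    *': ESP(spi='*)     echo encrypted ;;   # IPsec ESP: payload is opaque
    *'.4789: VXLAN,'*)  echo plaintext ;;   # raw VXLAN: inner packet follows
    *)                  echo other ;;       # inner packets, other traffic
  esac
}

# Count plaintext VXLAN encapsulations in a capture read from stdin.
# Any non-zero count on the host interface means the overlay is unencrypted.
count_plaintext_vxlan() {
  n=0
  while IFS= read -r line; do
    if [ "$(classify_overlay_line "$line")" = plaintext ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Constructed sample capture (not real data): nodes 10.0.0.1 and 10.0.0.2,
# two plaintext VXLAN packets carrying a container TCP handshake (the inner
# packets follow on their own lines), then one ESP packet.
SAMPLE_CAPTURE='10:00:00.000001 IP 10.0.0.1.39322 > 10.0.0.2.4789: VXLAN, flags [I] (0x08), vni 4097
IP 10.0.1.3.45678 > 10.0.1.4.80: Flags [S], seq 1, win 64240, length 0
10:00:00.000002 IP 10.0.0.2.39323 > 10.0.0.1.4789: VXLAN, flags [I] (0x08), vni 4097
IP 10.0.1.4.80 > 10.0.1.3.45678: Flags [S.], seq 2, ack 2, win 65160, length 0
10:00:00.000003 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x00000100,seq=0x1), length 132'

# Live use: tcpdump -nli eth0 'udp port 4789 or ip proto 50' | count_plaintext_vxlan
plaintext=$(printf '%s\n' "$SAMPLE_CAPTURE" | count_plaintext_vxlan)
echo "plaintext VXLAN packets seen on host interface: $plaintext"
```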

18

NETWORK SECURITY

▪ collecting traffic in a centralized manner

▪ traffic is still encrypted though

19

NETWORK SECURITY

▪ figuring out an algorithm and encryption keys

▪ decrypted traffic

20

CONTAINER MICROSEGMENTATION

▪ Know container behavior
▪ Isolation at:
- Application (big)
- Service (group)
- Container (micro-instance)

21

TAKEAWAYS

▪ Secure the Host and OS
▪ Secure the Container Platform, Image, and Registry
▪ Monitor and Secure During Run-time
- Application specific
- Network overlay agnostic
- Real-time detection

[Diagram: pipeline from Dev / Deploy through Registry to Run-Time, annotated with Threats, Violations and Vulnerabilities]

22

SOFTWARE OPERATIONS

▪ System Architecture Development
▪ Security definitions and audit
▪ Monitoring and system metrics collection and analysis
▪ Cloud Capacity planning and optimization
▪ Release Management and Deployment automation
▪ Continuous Integration/ Delivery/ Deployment

23

QUESTIONS?

For more information contact us:
NeuVector: info@neuvector.com http://neuvector.com
Cogniance: hello@cogniance.com http://www.cogniance.com