running security service in gcloud
TRANSCRIPT
Copyright @ 2016 Aqua Security Software Ltd. All Rights Reserved.
Running a Security Service in gcloud
Michael Cherny
Head of Research

WHO AM I
  Head of Security Research at Aqua Security, a leader in container security
  20 years of building security products, development and research
  Held senior security research positions at Microsoft, Aorato and Imperva
  Presented at security conferences, among them BlackHat Europe, RSA Europe and Virus Bulletin
PEEKR
  Scans for known vulnerabilities (CVEs)
  Profiles container activities on host and network
  Automatically runs the image and checks it against malicious behaviors
  Highlights suspicious container behavior
  Free (no credit card needed for registration)
  https://peekr.aquasec.com

PEEKR
YOU WERE SAYING...
  Automatically runs the image and checks it against malicious behaviors
  Meaning we are running arbitrary, unknown containers on our infrastructure
  Every time we consulted people and organizations, we got the same response...
YOU ARE CRAZY
INSANE, NUTS, KOOKY, WACKY...
ARCHITECTURAL REQUIREMENTS
  Scalable web front end
  Scalable scanner workers
  Asynchronous processing
  Security

SECURITY CONCERNS
  Web front end
  Malicious containers
  Exploding containers
  Lateral movement
  Attacking from our infrastructure
MALICIOUS CONTAINERS
  Local behavior
    Fork bomb
    Fallocate
    Resource consumption
  Network
    East-West
    North-East
IMPLEMENTATION
  Implementation: Kubernetes
  Security: Kubernetes, Aqua
PEEKR ARCHITECTURE OVERVIEW
  Front end cluster
    Front end service
    Web
    Queue
    CVEs
  Back end cluster
    Scanner
OVERALL SECURITY
  Log everything
  Use kubectl to access containers, to limit ssh access
  Apply resource quota and limits with Kubernetes namespaces
  Network segregation through Kubernetes clusters
PROTECTING AGAINST MALICIOUS CONTAINERS
  Local
    Run unprivileged
    Run with user namespace
    Containers data (volumes) on separate partition
    Aqua
  Network
    Deny network access
    No internet access to backend cluster
    Communication between clusters is limited to absolute minimum
FORK BOMB
  :(){ :|:& };:
  Exhausts PIDs
  System freezes
FORK BOMB PROTECTION
  nproc
    ulimit -u 100
    Limit per user per session
    Can be done either for docker daemon or per container
    Doesn't enforce for root
  PID cgroup
    Future, kernel 4.3
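The two slides above (protecting against malicious containers, fork bomb protection) in working form, as an added example that is not from the talk or from Aqua's code: a POSIX shell wrapper that assembles the `docker run` command for one scan container with those controls, plus a helper showing what a session-level nproc limit looks like to a child process. Assumed values: uid 65534 (nobody), the limit numbers, and the placeholder image name; the Docker flags themselves are real.

```shell
#!/bin/sh
# Added example, not from the talk: run one untrusted image with the controls
# from the slides. Assumes the Docker CLI; the image name comes from the caller.

# Print the hardened `docker run` command line instead of executing it, so the
# wrapper can log it first ("log everything") and the caller decides to run it.
hardened_run_cmd() {
    image="$1"
    # --user          run unprivileged (uid 65534 = nobody; assumed value)
    # --network none  deny network access
    # --ulimit nproc  RLIMIT_NPROC: per uid, per session, not enforced for root
    # --pids-limit    pids cgroup (kernel 4.3+): caps root inside the container too
    set -- docker run --rm \
        --user 65534:65534 \
        --network none \
        --cap-drop ALL \
        --security-opt no-new-privileges \
        --read-only --tmpfs /tmp:size=64m \
        --ulimit nproc=100:100 \
        --pids-limit 100 \
        --memory 256m --cpus 1 \
        "$image"
    printf '%s\n' "$*"
}

# What a child inherits from a session-level nproc limit: set the soft limit in
# a subshell and read it back. Forks beyond it fail with EAGAIN for that uid,
# which is why the slide pairs it with a PID cgroup to cover root. bash/zsh/ksh
# spell RLIMIT_NPROC as -u, dash and busybox ash as -p, so both are tried.
effective_nproc_limit() {
    (
        ulimit -S -u "$1" 2>/dev/null || ulimit -S -p "$1" || exit 1
        ulimit -S -u 2>/dev/null || ulimit -S -p
    )
}

hardened_run_cmd "example/untrusted-image:latest"   # placeholder image name
effective_nproc_limit 100
```

To execute the scan instead of printing the command, replace the final `printf` in `hardened_run_cmd` with `exec "$@"`.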
FORK BOMB DEMO
SO WITH A LITTLE HELP
THANK YOU
Michael Cherny
[email protected]
@chernymi