Securing the network for VMs or Containers

Post on 16-Mar-2018


Transcript of Securing the network for VMs or Containers

Securing KVM / container networks

Marian HackMan Marinov <mm@siteground.com>

Chief System Architect, SiteGround

Who am I?

❖ Chief System Architect of Siteground.com

❖ Sysadmin since 1996

❖ Organizer of OpenFest, BG Perl Workshops, LUG-BG and similar :)

❖ Teaching Network Security and Linux System Administration at Sofia University

DISCLAIMER

❖ I'll be looking only at the network on the host machine

❖ The only proper way of securing the network between your VMs / containers and the host machine is to know your infrastructure. This includes MAC and IP addresses and their actual location.

❖ Basic things we have to protect against:

arp spoofing

ip spoofing

traffic leaking / sniffing

KVM networking

❖ What network options does KVM give us?

vnet device on the host

macvtap

Virtual Distributed Ethernet (VDE)

assign a physical device via Single Root I/O Virtualization (SR-IOV)

assign a physical device (eth, wlan)

KVM networking

❖ What network options does KVM give us?

NAT

Routing

Bridge

OpenVswitch

ProxyARP

Container networking

❖ What network options are available for containers?

macvlan (tap & tun)

veth pair (routing or NAT)

VDE (using tap devices)

move any network device into the container (eth, tun/tap, vlan, wlan, etc.)

Container networking

❖ What network options are available for containers?

Bridge

OpenVswitch

Routing

NAT

ProxyARP

Protections?

❖ How can we secure all those options?

VLANs

Routing

Static ARP

iptables

ebtables

arptables

ip6tables

Network setup

[Diagram: VM-1 / LXC-1 and VM-2 / LXC-2 connected to the host using a Router]

Network setup

[Diagram: VM-1 / LXC-1 and VM-2 / LXC-2 connected to the host using a Bridge]

Attacking the bridged network

❖ arp poisoning

VM-1 arp cache poison of the HOST

VM-1 arp cache poison of VM-2

As simple as:

# ip a a 10.0.0.1/24 dev eth0

# arping -i eth0 -U 10.0.0.1

Can be even easier:

# arpspoof -i eth0 -t 10.0.0.1 -r 10.0.0.15
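The poisoning above works because the host simply believes the last ARP reply it saw. The defender's counterpart is to compare what is claimed on the wire with the inventory the disclaimer slide insists on. The following is an added example, not part of the talk: a small shell/awk check that takes an inventory of IP, MAC and interface and a capture in the shape of `tcpdump -n -e arp` output, and reports every reply that claims an inventoried address from a different MAC. Both the inventory and the capture lines are constructed sample data, and the `tcpdump` line layout is an assumption about the capture format.

```shell
# Constructed inventory: "<ip> <mac> <iface>", one entry per line.
# 10.0.0.1 plays the gateway, the other two are the guests on vnet1/vnet2.
ARP_INVENTORY='10.0.0.1 02:00:00:00:00:01 eth0
10.0.0.15 02:00:00:00:00:15 vnet1
10.0.0.16 02:00:00:00:00:16 vnet2'

# Constructed capture lines, laid out like "tcpdump -n -e -i br0 arp" output.
# Line 2 claims the gateway address from vnet2's MAC, line 3 claims vnet1's
# address from vnet2's MAC; lines 1 and 4 are legitimate.
ARP_LOG='12:00:01.000001 02:00:00:00:00:15 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.0.0.15 is-at 02:00:00:00:00:15, length 28
12:00:02.000001 02:00:00:00:00:16 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.0.0.1 is-at 02:00:00:00:00:16, length 28
12:00:03.000001 02:00:00:00:00:16 > 02:00:00:00:00:15, ethertype ARP (0x0806), length 42: Reply 10.0.0.15 is-at 02:00:00:00:00:16, length 28
12:00:04.000001 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.15 tell 10.0.0.1, length 28'

# arp_conflicts <inventory text> <capture text>
# Prints one line per ARP reply whose "is-at" MAC differs from the inventory:
#   <timestamp> <ip> claimed-by <seen mac> expected <inventory mac>
# Replies for addresses that are not in the inventory are ignored here.
arp_conflicts() {
    printf '%s\n' "$1" "---" "$2" | awk '
        $0 == "---" { in_log = 1; next }          # separator between the two inputs
        !in_log     { expected[$1] = $2; next }   # inventory: ip -> mac
        {
            ip = ""; mac = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Reply") ip = $(i + 1)            # "Reply <ip> is-at <mac>,"
                if ($i == "is-at") { mac = $(i + 1); sub(/,$/, "", mac) }
            }
            if (ip != "" && mac != "" && (ip in expected) && expected[ip] != mac)
                print $1, ip, "claimed-by", mac, "expected", expected[ip]
        }'
}

# Number of conflicting replies, handy for alerting thresholds.
arp_conflict_count() {
    arp_conflicts "$1" "$2" | wc -l | tr -d ' '
}

arp_conflicts "$ARP_INVENTORY" "$ARP_LOG"
```

Run against a live capture, the inventory would come from the same source of truth that feeds the static ARP entries and arptables rules on the next slides, so a mismatch here means either a spoofing guest or a stale inventory, and both deserve a look.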

Protecting the bridged network

❖ Preventing arp poison on the HOST

adding static ARP entries:

# ip n a 10.0.0.15 lladdr 01:81:36:ec:05:ee nud permanent dev vnet1

Protecting the bridged network

❖ Preventing arp spoofing to the VMs/Containers

configure ARPTABLES

# arptables -P OUT DROP

# arptables -A OUT -j ACCEPT -s GW \
    -i eth0 -z xx:xx:xx:xx:xx:xx

# arptables -A OUT -j ACCEPT -s 10.0.0.15 \
    -i vnet1 -z xx:xx:xx:xx:xx:xx

# arptables -A OUT -j ACCEPT -o vnet1

Network setup

[Diagram: VM-1 / LXC-1 and VM-2 / LXC-2 connected to the host using a Bridge]

eth0: 10.12.0.12

# brctl show
bridge name   bridge id           interfaces
br0           8000.028037ec0200   eth0
                                  vnet1
                                  vnet2

Network setup

[Diagram: VM-1 / LXC-1 and VM-2 / LXC-2 connected to the host using a Bridge]

eth0: 10.12.0.12

With a plain bridge the guest can reach the host's own address directly:

VM1: ping -c1 10.12.0.12
PING 10.12.0.12 (10.12.0.12) 56(84) bytes of data.
64 bytes from 10.12.0.12: icmp_seq=1 ttl=64 time=0.086 ms


Network setup

[Diagram: VM-1 / LXC-1 and VM-2 / LXC-2 connected to the host using a Bridge]

❖ We now have many options

we can use bridge vlan filtering

using ingress policy

using ebtables

using namespaces

ebtables filter (drop all traffic on that interface)

arptables filter

iptables filter (drop all traffic on that interface)

don't forget about IPv6 ☺

Network setup

[Diagram: VM-1 / LXC-1 and VM-2 / LXC-2 connected to the host using a Bridge]

# echo 1 > /sys/class/net/br0/bridge/vlan_filtering
# bridge vlan del dev br0 vid 1 self
# bridge vlan show
port    vlan ids
eth0     1 PVID Egress Untagged
vnet1    1 PVID Egress Untagged
vnet2    1 PVID Egress Untagged
br0     None
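After `bridge vlan del dev br0 vid 1 self` the bridge device itself is no longer a member of VLAN 1, so guests on vnet1/vnet2 can still reach eth0 but not the host's own br0 address. That state is worth verifying rather than assuming. The following added example (not from the talk) parses `bridge vlan show` output into a per-VLAN list of member ports and reports which VLANs the bridge device still belongs to; it goes beyond the slide by also handling the continuation lines that `bridge vlan show` prints for ports carrying several VLANs. The three outputs are constructed samples: the state before the `del`, the state after it, and a tagged layout.

```shell
# Constructed "bridge vlan show" output before "bridge vlan del dev br0 vid 1 self":
# br0 itself still sits in VLAN 1 together with the uplink and both guests.
VLAN_BEFORE='port    vlan ids
eth0     1 PVID Egress Untagged
vnet1    1 PVID Egress Untagged
vnet2    1 PVID Egress Untagged
br0      1 PVID Egress Untagged'

# Constructed output after the del: br0 is in no VLAN, so guests cannot reach the host via br0.
VLAN_AFTER='port    vlan ids
eth0     1 PVID Egress Untagged
vnet1    1 PVID Egress Untagged
vnet2    1 PVID Egress Untagged
br0     None'

# Constructed output with a tagged uplink: eth0 carries VLAN 1 untagged and VLAN 100
# tagged (continuation line), vnet1 lives only in VLAN 100.
VLAN_TAGGED='port    vlan ids
eth0     1 PVID Egress Untagged
         100
vnet1    100 PVID Egress Untagged
vnet2    1 PVID Egress Untagged
br0     None'

# vlan_members <bridge vlan show text>
# Prints "<vid> <port>[,<port>...]" for every VLAN id, sorted by id.
# Only plain numeric ids are recognised; "None" and the flag words are skipped.
vlan_members() {
    printf '%s\n' "$1" | awk '
        NR == 1 && $1 == "port" { next }          # column header
        /^[^ \t]/ { port = $1; $1 = "" }          # new port block; continuation lines keep "port"
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+$/)
                    members[$i] = (members[$i] == "" ? "" : members[$i] ",") port
        }
        END { for (v in members) print v, members[v] }' | sort -n
}

# bridge_self_vlans <bridge vlan show text> <bridge device>
# Prints the VLAN ids the bridge device itself is a member of; empty output means
# the host side of the bridge is unreachable from the ports in those VLANs.
bridge_self_vlans() {
    vlan_members "$1" | awk -v dev="$2" '
        { n = split($2, p, ","); for (i = 1; i <= n; i++) if (p[i] == dev) print $1 }'
}

echo "before: br0 in VLANs [$(bridge_self_vlans "$VLAN_BEFORE" br0)]"
echo "after:  br0 in VLANs [$(bridge_self_vlans "$VLAN_AFTER" br0)]"
```

On a real host the first argument would be `"$(bridge vlan show)"`; a non-empty result from `bridge_self_vlans` for a bridge that is supposed to be isolated from its guests is the condition to alert on.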


Network setup

[Diagram: VM-1 / LXC-1 and VM-2 / LXC-2 connected to the host using a Bridge]

ingress filter:

# tc qdisc add dev br0 handle ffff: ingress
# tc filter add dev br0 parent ffff: u32 \
    match u8 0 0 action drop

ebtables:

# ebtables -A INPUT --logical-in br0 -j DROP

Network setup

[Diagram: VM-1 / LXC-1 and VM-2 / LXC-2 connected using a Bridge; the HOST keeps eth1, while br0 with its ports eth0, vnet1 and vnet2 lives in the network namespace vm-bridge]

Network setup

# ip netns add vm-bridge
# ip link set netns vm-bridge eth0
# ip link set netns vm-bridge vnet1
# ip link set netns vm-bridge vnet2
# ip link del dev br0
# ip netns exec vm-bridge brctl addbr br0
# for i in eth0 vnet1 vnet2; do
> ip netns exec vm-bridge brctl addif br0 $i
> ip netns exec vm-bridge ip link set up dev $i
> done
# ip netns exec vm-bridge ip link set up dev br0

Network setup

Disabling ARP on bridge br0:

# ip link set arp off dev br0
# ip l l dev br0
8: br0: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 50:54:33:00:00:04 brd ff:ff:ff:ff:ff:ff

Network setup

[Diagram: VM-1 / LXC-1 and VM-2 / LXC-2 connected to the host using a Router]

VM1: 10.0.0.4/30
VM2: 10.0.0.8/30
HOST: 10.0.0.0/30

Network setup

[Diagram: VM-1 / LXC-1 and VM-2 / LXC-2 each peering with the host over a routing protocol (bgp1, bgp2)]

If you want flexibility, you add a routing protocol

You now need to protect the BGPs from bogus announcements

Protect the HOST

Prevent access to the host node with policy routing

# echo "200 vnet1" >> /etc/iproute2/rt_tables
# ip route add 0/0 via x.x.x.x table vnet1
# ip route add 10.0.0.15 dev vnet1 table vnet1
# ip rule add iif vnet1 table vnet1
# ip rule add oif vnet1 table vnet1

Prevent spoofing of IPs

Limit the source IPs of all clients:

# iptables -P FORWARD DROP
# iptables -A FORWARD -j ACCEPT -i vnet1 -s 10.0.0.15
# iptables -A FORWARD -j ACCEPT -i vnet2 -s 10.0.0.16
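The static ARP entry on the "Protecting the bridged network" slide and the per-interface FORWARD rules above are two views of the same inventory: which guest sits behind which vnet with which address and MAC. Hand-typing both for every guest is where they drift apart. The following added example (not from the talk) generates both from one inventory file, and, following the "don't forget about IPv6" remark, emits `ip -6 neigh` and `ip6tables` lines for IPv6 entries. It only prints the commands; the inventory is constructed sample data and the `<iface> <address> <mac>` layout is this example's own convention. `ip neigh replace` is used instead of the slide's `ip n a` so that re-running the script is idempotent.

```shell
# Constructed inventory: "<iface> <address> <mac>", IPv4 or IPv6, '#' comments allowed.
GUEST_INVENTORY='# iface  address       mac
vnet1 10.0.0.15 02:00:00:00:00:15
vnet2 10.0.0.16 02:00:00:00:00:16
vnet1 2001:db8::15 02:00:00:00:00:15'

# gen_rules <inventory text>
# Prints, for each guest, a permanent neighbour entry (so the host never learns a
# spoofed MAC for that address) and a FORWARD accept rule bound to the guest's
# interface and source address. The policy lines come first so that anything
# not explicitly listed is dropped. Nothing is applied; the output is meant to
# be reviewed and then piped to sh.
gen_rules() {
    printf '%s\n' "$1" | awk '
        BEGIN { print "iptables -P FORWARD DROP"; print "ip6tables -P FORWARD DROP" }
        /^#/ || NF != 3 { next }                       # skip comments and malformed lines
        {
            iface = $1; addr = $2; mac = $3
            fam = (index(addr, ":") ? "-6" : "-4")     # IPv6 addresses contain a colon
            fw  = (fam == "-6" ? "ip6tables" : "iptables")
            # static neighbour entry, tied to the interface the guest really sits on
            print "ip " fam " neigh replace " addr " lladdr " mac " nud permanent dev " iface
            # only this address may be forwarded when it arrives on this interface
            print fw " -A FORWARD -j ACCEPT -i " iface " -s " addr
        }'
}

# rule_count <inventory text>: number of command lines that would be applied
rule_count() {
    gen_rules "$1" | wc -l | tr -d ' '
}

gen_rules "$GUEST_INVENTORY"
```

To apply on the host after reviewing the output: `gen_rules "$(cat /etc/guest-inventory)" | sh` (the path is a placeholder). Keeping the inventory as the single source also lets the ARP-conflict check from the attack slide and this generator disagree with each other only when the inventory is wrong, which is the failure you want surfaced.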

THANK YOU

Marian HackMan Marinov <mm@siteground.com>