Docker Container Security - A Network View
Page 1
A NETWORK VIEW OF DOCKER CONTAINERS
You Can’t Secure What You Can’t See
Page 2
AGENDA
▪ Container Deployment Concerns
▪ Docker Security Basics
▪ Network View of Docker
▪ NACLs, Sec Groups, Flow Logs etc…
Sergey Motovylovets, Senior SW Operations Engineer | DevOps, Cogniance
Glen Kosaka, VP Products & Marketing, NeuVector
Page 3
CONTAINERS: SECURITY CAN’T KEEP UP
Production Concerns
▪ Lack of Visibility
▪ Constant Change
▪ Transience
▪ DevOps Workflow Mismatch
▪ Same Threats – New Environment: DDoS, XSS… persistent attacks, container break-outs
Page 4
THREATS – A REAL-WORLD EXAMPLE
Page 5
DOCKER SECURITY - INTRO
Host and Docker daemon security
Image signing, vulnerability scanning, content trust
Container runtime security
Network security
Page 6
REVIEWING DOCKER BASICS
Building blocks
cgroups (memory, CPU, block I/O and network limiting)
namespaces (PID, Network, Mount, UTS, IPC + User)
copy-on-write storage (layers represent differences)
Page 7
DOCKER SECURITY BASICS
Host and containers interaction
▪ Containers don’t contain: not everything in Linux is namespaced, and the kernel is shared with the host
▪ When combined with vDSO (virtual dynamic shared object) functionality, this makes container breakout possible
Proof:
Page 8
DOCKER SECURITY BASICS
Host and daemon configuration
▪ All-or-nothing default authorization model: limit access properly
▪ Do centralized logging (and alerting)
▪ Take advantage of TLS for registries and for the daemon itself
▪ Keep software up to date!
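The daemon-side points above can be checked mechanically. The following is an added example (not code from the slides or from Docker) that audits a parsed /etc/docker/daemon.json for the settings the slide calls out: mutual TLS on any TCP listener, an authorization plugin in place of the all-or-nothing default, and a log driver that ships logs off the host, plus a few related daemon.json keys. The two sample configs are constructed for the example, and the plugin name "authz-broker" is a placeholder for whatever authorization plugin is actually installed.

```python
"""Audit /etc/docker/daemon.json against the host and daemon hardening points.

Added example, not code from the slides or from Docker. WEAK_CONFIG and
HARDENED_CONFIG are constructed samples; "authz-broker" is a placeholder name.
"""
import json
import sys

# Log drivers that send container logs off the host (centralized logging).
REMOTE_LOG_DRIVERS = {"syslog", "gelf", "fluentd", "splunk", "awslogs", "gcplogs"}


def audit_daemon_config(cfg: dict) -> list:
    """Return (severity, message) findings for one parsed daemon.json."""
    findings = []
    tcp_listeners = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_listeners:
        if not cfg.get("tlsverify"):
            findings.append(("HIGH", "TCP listener(s) %s without tlsverify: anyone who can reach "
                             "the port controls the daemon, i.e. has root on the host" % tcp_listeners))
        else:
            # tlsverify alone is not enough: the CA that issues client certs and
            # the server key pair must also be configured.
            for key in ("tlscacert", "tlscert", "tlskey"):
                if key not in cfg:
                    findings.append(("HIGH", "tlsverify is set but %s is missing" % key))
    if not cfg.get("authorization-plugins"):
        findings.append(("MEDIUM", "no authorization-plugins: every client that can reach the "
                         "socket gets full, all-or-nothing control of the daemon"))
    driver = cfg.get("log-driver", "json-file")
    if driver not in REMOTE_LOG_DRIVERS:
        findings.append(("MEDIUM", "log-driver %s keeps logs on the host; use a remote driver "
                         "so logs outlive the container and can be alerted on centrally" % driver))
    for reg in cfg.get("insecure-registries", []):
        findings.append(("HIGH", "insecure-registries entry %s: pulls and pushes without TLS" % reg))
    if "userns-remap" not in cfg:
        findings.append(("LOW", "userns-remap not set: uid 0 in a container is uid 0 on the host"))
    if cfg.get("icc", True):
        findings.append(("LOW", "icc left enabled: all containers on the default bridge can reach each other"))
    return findings


def audit_file(path: str) -> list:
    """Load a daemon.json from disk and audit it."""
    with open(path) as fh:
        return audit_daemon_config(json.load(fh))


# Constructed samples: a daemon exposed on plain TCP, and the same daemon hardened.
WEAK_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "insecure-registries": ["registry.internal:5000"],
}
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "authorization-plugins": ["authz-broker"],      # placeholder plugin name
    "log-driver": "syslog",
    "log-opts": {"syslog-address": "tcp://logs.internal:514"},
    "userns-remap": "default",
    "icc": False,
}

if __name__ == "__main__":
    result = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_daemon_config(WEAK_CONFIG)
    for severity, message in result:
        print(severity, message)
```

Run it as `python audit_daemon.py /etc/docker/daemon.json`; with no argument it audits the constructed weak config. The severities are a judgement call for this example, not a standard scale.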
Page 9
DOCKER SECURITY BASICS
Image signing, content trust
Enable content trust
Keep your registry up-to-date
Keep images minimal
Run security checks as part of CI/CD pipelines, and keep checking containers at runtime
Page 10
DOCKER SECURITY BASICS
Container runtime security
SELinux is your bro
Seccomp is another bro
Overlay is great for builds; in production the root fs should run in read-only mode
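The runtime points above (and the previous slide's "keep checking containers at runtime") can be checked against what `docker inspect` reports for a running container. The following is an added example, not code from the slides or from Docker: it reads the `HostConfig` and `Mounts` fields of an inspect record and flags a writable root filesystem, seccomp or SELinux/AppArmor confinement switched off, privileged mode, added dangerous capabilities, host namespaces and bind mounts of host paths such as the Docker socket. The two records are constructed and trimmed to the fields the checks read.

```python
"""Check a container's `docker inspect` record against runtime hardening points.

Added example, not code from the slides or from Docker. WEAK and HARDENED are
constructed inspect records trimmed to the fields the checks use.
"""
import json

# Capabilities that, if added, give a process a short path to the host.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
                  "NET_ADMIN", "DAC_READ_SEARCH"}
# Host paths whose bind mount is equivalent to root on the host.
HOST_PATHS = {"/", "/proc", "/sys", "/dev", "/var/run/docker.sock", "/run/docker.sock"}


def _cap_name(cap: str) -> str:
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(record: dict) -> list:
    """Return (severity, message) findings for one inspect record."""
    hc = record.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append(("HIGH", "Privileged: all capabilities, no seccomp/LSM profile, host devices visible"))
    if not hc.get("ReadonlyRootfs"):
        findings.append(("MEDIUM", "root filesystem is writable; production containers should run --read-only"))
    for opt in hc.get("SecurityOpt") or []:
        # Both "seccomp=unconfined" and the older "label:disable" spelling occur.
        key, _, value = opt.replace(":", "=", 1).partition("=")
        if (key, value) in {("seccomp", "unconfined"), ("apparmor", "unconfined"), ("label", "disable")}:
            findings.append(("HIGH", "%s disabled via --security-opt %s" % (key, opt)))
    for cap in hc.get("CapAdd") or []:
        if _cap_name(cap) in DANGEROUS_CAPS:
            findings.append(("HIGH", "CapAdd %s lets the process reach host resources" % cap))
    for mode in ("NetworkMode", "PidMode", "IpcMode", "UTSMode"):
        if hc.get(mode) == "host":
            findings.append(("HIGH", "%s=host: the container shares that host namespace" % mode))
    for mount in record.get("Mounts") or []:
        src = mount.get("Source", "")
        if src in HOST_PATHS:
            findings.append(("HIGH", "host path %s mounted at %s" % (src, mount.get("Destination"))))
    return findings


def audit_inspect_output(text: str) -> dict:
    """`docker inspect` prints a JSON list; return {container name: findings}."""
    records = json.loads(text)
    if isinstance(records, dict):
        records = [records]
    return {r.get("Name", "?").lstrip("/"): audit_container(r) for r in records}


# Constructed records, trimmed to the fields the checks read.
WEAK = {
    "Name": "/web",
    "HostConfig": {"Privileged": False, "ReadonlyRootfs": False,
                   "SecurityOpt": ["seccomp=unconfined"], "CapAdd": ["SYS_ADMIN"],
                   "NetworkMode": "host", "PidMode": ""},
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"}],
}
HARDENED = {
    "Name": "/web-hardened",
    "HostConfig": {"Privileged": False, "ReadonlyRootfs": True,
                   "SecurityOpt": ["no-new-privileges"], "CapDrop": ["ALL"],
                   "NetworkMode": "app_net", "PidMode": ""},
    "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web_data/_data",
                "Destination": "/data"}],
}

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else json.dumps([WEAK, HARDENED])
    for name, findings in audit_inspect_output(text).items():
        print(name, findings or "OK")
```

Pipe real data in with `docker inspect <container> | python audit_container.py`; run against every container periodically, since a container started with `--privileged` or a socket mount is as much a runtime finding as a vulnerable package in the image.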
Page 11
NETWORK SECURITY
Single-node networking
▪ Container network namespaces
▪ Host network namespace
[Diagram: each container's network namespace has its own eth0, attached through a veth pair (vethX, vethY) to the docker0 bridge in the host network namespace, which forwards out the host's eth0]
Page 12
NETWORK SECURITY
Multi-node setup
[Diagram: Node 1 and Node 2 each repeat the single-node picture (container eth0 → vethX/vethY → docker0 → host eth0); the open question, marked "eth0?", is how container traffic gets from one node's bridge to the other's]
Page 13
NETWORK SECURITY
OpenStack network architecture
Page 14
NETWORK SECURITY
Overlay network
[Diagram: the two nodes' docker0 bridges (container eth0 → vethX/vethY → docker0) are joined by an overlay network spanning both hosts; Docker "security groups" are applied at the docker0 bridge]
Page 15
NETWORK SECURITY
Separate network namespace
Page 16
NETWORK SECURITY
▪ tcpdump on host interface
▪ and from within the overlay namespace
▪ overlay network without encryption
Page 17
NETWORK SECURITY
▪ tcpdump on host interface
▪ and from within the overlay namespace
▪ encrypted overlay network
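The difference between the two captures on these slides comes down to what the host interface carries. The following is an added example, not code from the slides: Docker overlay networks move container traffic between nodes as VXLAN (UDP port 4789), so a sniffer on the host interface sees the inner Ethernet/IP/TCP headers and the application bytes in clear; an overlay created with `--opt encrypted` wraps those datagrams in IPsec ESP (IP protocol 50), leaving only an SPI, a sequence number and ciphertext. Both packets are constructed here byte by byte (nothing was captured) and the ESP "ciphertext" is a zero-filled stand-in.

```python
"""What a host-interface sniffer sees on an unencrypted vs an encrypted overlay.

Added example, not code from the slides. PLAIN_OVERLAY and ENCRYPTED_OVERLAY
are constructed packets; the ESP payload is a zero-filled stand-in for ciphertext.
"""
import struct

VXLAN_PORT = 4789
PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50


def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left zero) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def build_vxlan_packet(vni: int, app_bytes: bytes) -> bytes:
    """Unencrypted overlay: outer IP/UDP, VXLAN header, inner Ethernet+IP+TCP."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + app_bytes
    inner_ip = _ipv4("10.0.0.2", "10.0.0.3", PROTO_TCP, tcp)
    eth = bytes.fromhex("02420a000003") + bytes.fromhex("02420a000002") + b"\x08\x00" + inner_ip
    vxlan = struct.pack("!II", 0x08000000, vni << 8)      # I flag set, 24-bit VNI
    udp = struct.pack("!HHHH", 45000, VXLAN_PORT, 8 + len(vxlan) + len(eth), 0) + vxlan + eth
    return _ipv4("192.168.1.10", "192.168.1.11", PROTO_UDP, udp)


def build_esp_packet(spi: int, ciphertext: bytes) -> bytes:
    """Encrypted overlay: the same datagram after IPsec ESP, as the host sees it."""
    return _ipv4("192.168.1.10", "192.168.1.11", PROTO_ESP, struct.pack("!II", spi, 1) + ciphertext)


def classify(pkt: bytes) -> dict:
    """Parse one outer IPv4 packet the way a host-interface sniffer would."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == PROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        return {"kind": "esp", "spi": spi, "seq": seq, "plaintext": None}
    if proto == PROTO_UDP and struct.unpack("!H", body[2:4])[0] == VXLAN_PORT:
        vni = struct.unpack("!I", body[12:16])[0] >> 8       # UDP header 8 + VXLAN flags 4
        inner_ip = body[16 + 14:]                            # skip VXLAN and inner Ethernet
        inner_ihl = (inner_ip[0] & 0x0F) * 4
        l4 = inner_ip[inner_ihl:]
        payload = b""
        if inner_ip[9] == PROTO_TCP:
            payload = l4[(l4[12] >> 4) * 4:]                 # TCP data offset
        return {"kind": "vxlan", "vni": vni,
                "inner_src": ".".join(str(b) for b in inner_ip[12:16]),
                "inner_dst": ".".join(str(b) for b in inner_ip[16:20]),
                "plaintext": payload}
    return {"kind": "other", "proto": proto, "plaintext": None}


# Constructed sample traffic: one HTTP request as it crosses the overlay.
APP_REQUEST = b"GET /admin HTTP/1.1\r\nHost: api\r\nAuthorization: Bearer s3cr3t\r\n\r\n"
PLAIN_OVERLAY = build_vxlan_packet(vni=4097, app_bytes=APP_REQUEST)
ENCRYPTED_OVERLAY = build_esp_packet(spi=0x1234ABCD, ciphertext=bytes(len(APP_REQUEST) + 60))

if __name__ == "__main__":
    for label, pkt in (("plain", PLAIN_OVERLAY), ("encrypted", ENCRYPTED_OVERLAY)):
        print(label, classify(pkt))
```

The live equivalents are `tcpdump -ni eth0 udp port 4789` on the host (inner payload readable on an unencrypted overlay) versus `tcpdump -ni eth0 ip proto 50` once the network was created with `docker network create --driver overlay --opt encrypted ...`. Inside the overlay namespace the traffic is in clear either way, since encryption happens on the way out of the host; the namespace files for overlay networks live under /var/run/docker/netns/ on the host and can be entered with nsenter.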
Page 18
NETWORK SECURITY
▪ collecting traffic in a centralized manner
▪ traffic is still encrypted though
Page 19
NETWORK SECURITY
▪ figuring out an algorithm and encryption keys
▪ decrypted traffic
Page 20
CONTAINER MICROSEGMENTATION
▪ Know container behavior
▪ Isolation at:
- Application (big)
- Service (group)
- Container (micro-instance)
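"Know container behavior" and the three isolation levels above can be turned into a concrete check. The following is an added example, not code from the slides or from any product: it learns which service groups talk to which (and on what port) while the application runs as intended, keeps that as a whitelist at the service level, and then flags runtime flows that cross application boundaries, introduce a new service edge, come from an unmapped source, or, where an edge is pinned to specific container instances, come from the wrong instance. The identities and flow records are constructed for the example; in practice they come from a flow log or a sensor in the overlay namespace, with container IPs resolved to (application, service, container) from `docker inspect` or the orchestrator.

```python
"""Service-level microsegmentation over container flow records.

Added example, not code from the slides or from any product. Endpoints and
flows below are constructed samples.
"""
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "app service container")
Flow = namedtuple("Flow", "src dst dst_port proto")


def service_edge(flow: Flow) -> tuple:
    """Collapse a flow to the service level: which group talks to which, on what port."""
    return (flow.src.app, flow.src.service, flow.dst.app, flow.dst.service, flow.dst_port, flow.proto)


def learn_baseline(learning_flows) -> set:
    """Whitelist of service edges observed while the application ran as intended."""
    return {service_edge(f) for f in learning_flows}


def check_flow(flow: Flow, baseline: set, pinned: dict = None) -> tuple:
    """Return ("allowed" | "violation", detail).

    pinned narrows an edge to the micro-instance level: {edge: {container ids}}
    for edges that only specific container instances may use.
    """
    if flow.src.service is None:
        return ("violation", "source IP maps to no known container")
    edge = service_edge(flow)
    if edge not in baseline:
        scope = "application" if flow.src.app != flow.dst.app else "service"
        return ("violation", "new %s-level edge %s/%s -> %s/%s:%d/%s" % (
            scope, flow.src.app, flow.src.service, flow.dst.app, flow.dst.service,
            flow.dst_port, flow.proto))
    if pinned and edge in pinned and flow.src.container not in pinned[edge]:
        return ("violation", "container %s is not an instance allowed on %s -> %s:%d" % (
            flow.src.container, flow.src.service, flow.dst.service, flow.dst_port))
    return ("allowed", "")


def detect(runtime_flows, baseline: set, pinned: dict = None) -> list:
    """Run the whitelist over runtime flows; return [(flow, detail)] for violations."""
    alerts = []
    for flow in runtime_flows:
        verdict, detail = check_flow(flow, baseline, pinned)
        if verdict == "violation":
            alerts.append((flow, detail))
    return alerts


# Constructed identities and flows: a "shop" application (web -> api -> db)
# and a separate "billing" application sharing the same overlay.
WEB1, WEB2 = Endpoint("shop", "web", "web-1"), Endpoint("shop", "web", "web-2")
API1, API2 = Endpoint("shop", "api", "api-1"), Endpoint("shop", "api", "api-2")
DB1 = Endpoint("shop", "db", "db-1")
BILLING = Endpoint("billing", "worker", "worker-1")
UNKNOWN = Endpoint(None, None, None)

LEARNING_FLOWS = [Flow(WEB1, API1, 8080, "tcp"), Flow(WEB2, API1, 8080, "tcp"),
                  Flow(API1, DB1, 5432, "tcp")]
RUNTIME_FLOWS = [
    Flow(WEB2, API1, 8080, "tcp"),     # normal
    Flow(WEB1, DB1, 5432, "tcp"),      # web reaching the database directly, bypassing api
    Flow(BILLING, DB1, 5432, "tcp"),   # another application reaching shop's database
    Flow(API1, DB1, 22, "tcp"),        # known pair, unexpected port (ssh)
    Flow(UNKNOWN, API1, 8080, "tcp"),  # source not a known container
    Flow(API2, DB1, 5432, "tcp"),      # second api instance; fine at service level
]
# Micro-instance pin: only api-1 may open the database edge.
PINNED = {service_edge(Flow(API1, DB1, 5432, "tcp")): {"api-1"}}

if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_FLOWS)
    for flow, detail in detect(RUNTIME_FLOWS, baseline, PINNED):
        print("ALERT", detail)
```

The service level is where the whitelist stays stable across container churn: instances come and go, but "web talks to api on 8080" does not, which is why the baseline is keyed on service rather than container identity, with pinning reserved for the few edges that need micro-instance isolation.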
Page 21
TAKEAWAYS
▪ Secure the Host and OS
▪ Secure the Container Platform, Image, and Registry
▪ Monitor and Secure During Run-time
- Application specific
- Network overlay agnostic
- Real-time detection
[Diagram: lifecycle from Dev / Deploy through Registry to Run-Time, with Threats, Violations and Vulnerabilities detected at run-time]
Page 22
SOFTWARE OPERATIONS
▪ System Architecture Development
▪ Security definitions and audit
▪ Monitoring and system metrics collection and analysis
▪ Cloud Capacity planning and optimization
▪ Release Management and Deployment automation
▪ Continuous Integration / Delivery / Deployment
Page 23
QUESTIONS?
For more information contact us:
NeuVector: [email protected] http://neuvector.com
Cogniance: [email protected] http://www.cogniance.com