Ensuring a secure foundation for your AWS Containers - Chris Swan's AWS Loft talk in London


Transcript of Ensuring a secure foundation for your AWS Containers - Chris Swan's AWS Loft talk in London

Chris Swan, CTO, @cpswan

Ensuring a secure foundation for your AWS Containers

© 2015

Why me?

Used to do IT security for two major Swiss Banks
Started using Docker July 2013 and decided to incorporate it into our VNS3 product as a plugin mechanism
Docker became part of Cohesive Networks VNS3 in April 2014, with real users in production before Docker itself went 1.0
Regular contributor to InfoQ on Docker, security and containers


The Docker promise – Build, Ship, Run


Running containers on EC2


EC2 instances


Elastic Beanstalk


EC2 Container Service


Where did that code come FROM (and is it secure)?


Official Images with Vulnerabilities

Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/


Packages in Official Images with High Priority Vulnerabilities

Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/


General Images with Vulnerabilities

Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/


Packages in General Images with High Priority Vulnerabilities

Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/


It’s not as bad as it might look

Image bloat can mean lots of potentially vulnerable code that never gets run, which leaves something of an unexploded minefield
Taint inheritance: fix the root cause and you fix a lot of images
Worst cases lie in deprecated versions, but the continued use of known vulnerable old versions of things is how we end up with stuff that gets attacked so easily


The manifest problem


Take an example Dockerfile


Each active line creates a layer

Base OS
Sources
Update repos
Install nginx
Mod nginx.conf
Mod index.html


An image binds layers together


The image is the unit of deployment


What version of nginx is that?


What version of OpenSSL is installed?


And which bash?


Problem 1 – non determinism

Whilst we want things to be cached in the short term, e.g.: apt-get install nginx

We perhaps don’t want it cached in the long term (Docker’s build cache reuses the layer for as long as that RUN line is unchanged, so a rebuild months later can still carry the nginx that was fetched the first time). What are those durations?


Problem 2 – the manifest problem

When I run: apt-get install nginx

I don’t know which version of nginx I just got. Should I? nginx -v 2> some.log (nginx writes its version to stderr, so a plain > some.log captures nothing)

Or maybe? apt-cache policy nginx > some.log

Or should I have done this in the first place? apt-get install nginx=1.1.19-1ubuntu0.7
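The three options on this slide all come down to the same thing: record what the package manager actually gave you, then feed that record back into the build. The script below is an added example (not from the talk, and not Cohesive Networks code) that does both with plain "package=version" lines. The dpkg output and the committed manifest are constructed samples so it runs offline; on a real image the actual list comes from dpkg-query -W -f='${Package}=${Version}\n'.

```shell
#!/bin/sh
# Added example: keep a package manifest next to the Dockerfile, detect drift
# between builds, and turn the manifest into pinned apt-get arguments.
# All inputs below are constructed samples; on a real image the ACTUAL list
# comes from:  dpkg-query -W -f='${Package}=${Version}\n'

# Manifest committed alongside the Dockerfile (constructed).
EXPECTED_MANIFEST='bash=4.2-2ubuntu2.6
libssl1.0.0=1.0.1-4ubuntu5.31
nginx=1.1.19-1ubuntu0.7
nginx-common=1.1.19-1ubuntu0.7'

# What a later rebuild of "apt-get install nginx" produced (constructed): the
# mirror has moved on, so nginx and libssl are no longer the versions we tested.
REBUILT_DPKG='bash=4.2-2ubuntu2.6
libssl1.0.0=1.0.1-4ubuntu5.33
nginx=1.1.19-1ubuntu0.8
nginx-common=1.1.19-1ubuntu0.8'

# manifest_version PKG MANIFEST: print the version of PKG, exit 1 if it is absent.
manifest_version() {
    printf '%s\n' "$2" | awk -F= -v p="$1" '$1 == p { print $2; found = 1 } END { exit found ? 0 : 1 }'
}

# manifest_drift EXPECTED ACTUAL: print one line per package that changed or
# went missing; exit 0 only when ACTUAL agrees with every expected package.
manifest_drift() {
    drift=$(printf '%s\n' "$1" | while IFS='=' read -r pkg want; do
        [ -n "$pkg" ] || continue
        if got=$(manifest_version "$pkg" "$2"); then
            [ "$got" = "$want" ] || echo "CHANGED $pkg: expected $want, got $got"
        else
            echo "MISSING $pkg: expected $want"
        fi
    done)
    [ -n "$drift" ] && printf '%s\n' "$drift"
    [ -z "$drift" ]
}

# pin_args MANIFEST PKG...: print "pkg=ver" arguments for an apt-get install
# line, so the Dockerfile asks for exactly what was tested. Exit 1 if a
# requested package is not in the manifest.
pin_args() {
    manifest=$1; shift
    out=''
    for p in "$@"; do
        v=$(manifest_version "$p" "$manifest") || return 1
        out="$out${out:+ }$p=$v"
    done
    printf '%s\n' "$out"
}

# Usage in a CI step after building the image would be along the lines of:
#   docker run --rm myimage dpkg-query -W -f='${Package}=${Version}\n' > actual.txt
#   manifest_drift "$(cat manifest.txt)" "$(cat actual.txt)" || exit 1
if manifest_drift "$EXPECTED_MANIFEST" "$REBUILT_DPKG"; then
    echo "manifest matches"
else
    echo "rebuild drifted; pin with: apt-get install -y $(pin_args "$EXPECTED_MANIFEST" nginx nginx-common)"
fi
```

Pinning alone is not enough: a pinned version disappears from the mirror once it is superseded, so the failure mode becomes a broken build rather than a silent upgrade. That is the point, since the build failing is what forces the manifest to be reviewed and the tests re-run.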


NB – These are package manager problems

But Docker is ‘the new package manager’ and it typically wraps the old ones


So perhaps use a more sophisticated package manager


Or avoid packages altogether

FROM scratch


Docker Content Trust


Overview of Docker Content Trust

Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/


Protection against image forgery

Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/


Protection against replay attacks

Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/


Protection against key compromise

Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/


Key components of Docker Content Trust
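Content Trust is switched on client-side with a single environment variable, and it only ever verifies tags, so the weak spot in practice is pulling a floating reference in the first place. The wrapper below is an added example (not Docker's code, and not from the talk): it enables DOCKER_CONTENT_TRUST for the pull and, as this script's own policy rather than anything Content Trust enforces, refuses references with no tag or with :latest. The digest used in the usage note is a constructed placeholder.

```shell
#!/bin/sh
# Added example: a pull wrapper that turns Docker Content Trust on for every
# pull and refuses references that can silently change underneath you.
# Refusing untagged / :latest references is this script's own policy, not
# something Docker Content Trust itself enforces.

# classify_ref REF: print "digest", "tag" or "floating" for an image reference.
classify_ref() {
    case $1 in
        *@sha256:*) echo digest ;;           # content-addressed, cannot change
        *)
            name=${1##*/}                    # drop registry host and namespace
            case $name in
                *:latest) echo floating ;;   # a moving target by convention
                *:*) echo tag ;;             # a tag, verified when DCT is on
                *) echo floating ;;          # no tag at all means :latest
            esac ;;
    esac
}

# trusted_pull REF: pull with content trust enabled, after checking the reference.
trusted_pull() {
    kind=$(classify_ref "$1")
    if [ "$kind" = floating ]; then
        echo "refusing to pull $1: pin a tag or a sha256 digest" >&2
        return 1
    fi
    # With DOCKER_CONTENT_TRUST=1 the docker client verifies the tag's
    # signature before pull/run/build, and signs on push.
    DOCKER_CONTENT_TRUST=1 docker pull "$1"
}

# Usage (constructed references):
#   trusted_pull nginx                     -> refused
#   trusted_pull localhost:5000/team/nginx:1.9.5   -> pulled with content trust on
```

A digest reference (image@sha256:...) is verified by the content hash itself rather than by Content Trust, which is why the wrapper lets it through without further checks.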


Docker Security Benchmark


It’s a document


And there’s an accompanying tool

Image credit: https://www.docker.com/docker-security


The benchmark covers

1. Host configuration
2. Docker daemon configuration
3. Docker daemon configuration files
4. Container Images and build file
5. Container runtime
6. Docker security operations
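The accompanying tool runs the whole benchmark against a live host; the script below is an added example (not the benchmark's tool, and not from the talk) of what three of the container-runtime checks look like when written by hand: no --privileged, no host network namespace, no sensitive host paths bind-mounted in. The sample input is constructed to look like the output of docker inspect with the --format template shown in the comment; that template is an assumption of this example and may need adjusting for your Docker version.

```shell
#!/bin/sh
# Added example (not the benchmark's own tool): audit running containers
# against three of the container-runtime checks the benchmark calls for.
# SAMPLE_INSPECT is constructed to resemble the output of
#   docker inspect --format '{{.Name}} {{.HostConfig.Privileged}} {{.HostConfig.NetworkMode}} {{range .Mounts}}{{.Source}},{{end}}' $(docker ps -q)
# (the template is an assumption of this example). The third container is the bad one.
SAMPLE_INSPECT='/web false bridge /srv/web/html,
/db false bridge /srv/db/data,
/agent true host /,/var/run/docker.sock,'

# Host paths that should never be bind-mounted into a container.
SENSITIVE_PATHS='/ /boot /dev /etc /lib /proc /sys /usr /var/run/docker.sock'

# is_sensitive_path PATH: exit 0 if PATH is, or lies under, a sensitive path.
is_sensitive_path() {
    for s in $SENSITIVE_PATHS; do
        [ "$1" = "$s" ] && return 0
        case $1 in "$s"/*) return 0 ;; esac
    done
    return 1
}

# audit_containers INSPECT_LINES: print one finding per line; exit 0 only if clean.
audit_containers() {
    findings=$(printf '%s\n' "$1" | while read -r name priv net mounts; do
        [ -n "$name" ] || continue
        [ "$priv" = true ] && echo "$name: runs --privileged"
        [ "$net" = host ] && echo "$name: shares the host network namespace"
        oldifs=$IFS; IFS=,; set -- $mounts; IFS=$oldifs   # split comma-separated mount sources
        for m in "$@"; do
            [ -n "$m" ] || continue
            is_sensitive_path "$m" && echo "$name: mounts sensitive host path $m"
        done
    done)
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Against a live host, replace SAMPLE_INSPECT with the real inspect output.
if audit_containers "$SAMPLE_INSPECT"; then
    echo "no findings"
else
    echo "benchmark runtime checks failed" >&2
fi
```

Run on the constructed sample this reports four findings, all against /agent: privileged mode, host networking, and the two sensitive mounts (/ and the Docker socket, the latter being a root-equivalent handle on the host).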


Wrapping up


And please check out Docker plugins to our VNS3


Isolated Docker containers within VNS3 allow Partners and Customers to embed features and functions safely and securely into their Cloud Network.

Docker plugins: Proxy, Reverse Proxy, Content Caching, Load Balancer, IDS, Custom Container

VNS3 Core Components: Router, Switch, Firewall, Protocol Redistributor, VPN Concentrator, Scriptable SDN


Questions?