can containers be secured in paas?

© Copyright 2015 Pivotal. All rights reserved. Can containers be secured in a PaaS? Tom Kranz [email protected] 1

Upload: sufyaan-kazi

Post on 14-Jan-2017


Page 1: Can containers be secured in paas?

Can containers be secured in a PaaS?

Tom Kranz [email protected]

Page 2: Can containers be secured in paas?

Introductions: who am I?

• UNIX sysadmin
• Technical architect
• Principal Field Engineer
• Account Manager
• Security person
• Get in touch on LinkedIn or Twitter

Page 3: Can containers be secured in paas?

Can containers be secured in a PaaS?

• Maybe ….
• Not about features
• Context is important
• And implementation is key!

And always remember:

You will get hacked. Eventually.

Page 4: Can containers be secured in paas?

So what’s the context?

• Who are our attackers?
• Where are they attacking from?
• What are they attacking?
• What data is at risk?

This gives us a risk profile we can use to evaluate the security of an *implementation*

Evaluating the security of a product in isolation - without context - is bad, and leads to bad risk profiles and poor decisions

Page 5: Can containers be secured in paas?

Who are our attackers?

• Opportunists?
• Someone with a grudge?
• Professionals?
• Nation states?

Page 6: Can containers be secured in paas?

August 2015 cyber attack stats

Stats from http://www.hackmageddon.com/

Page 7: Can containers be secured in paas?

Where are they attacking from?

• Internal or external?

What are they attacking?

• Infrastructure?
• Applications?
• Physical location?
• All of the above?

SPARTA!

Page 8: Can containers be secured in paas?

What data is at risk?

• Can use answers to the above to work out what data is at risk and where it is
• This can form your risk profile
• This is what you can use to evaluate the security of an implemented solution
• Evaluate the implementation against the profile - not the product against a checklist!

Page 9: Can containers be secured in paas?

Pivotal Cloud Foundry Architecture recap

[Architecture diagram. Operations Manager: Ops Manager UI, Ops Manager Director. Elastic Runtime: HA Proxy LB, Dynamic Router, Login Server, Cloud Controller, UAA, Health Manager, DEA Pool (Apps), Messaging (NATS), App Log Aggregator, Metrics Collection. Services: Service Broker, Service Nodes. Callout on the DEA Pool: Containers!]

Page 10: Can containers be secured in paas?

Example: secure PCF implementation

[Diagram labels: Router with Firewall; PCF Admin Vlan; PCF Services Vlan; PCF Containers Vlan; Resource Pool A; Resource Pool B; Resource Pools C & D; Everyone Else & Bad People]

Page 11: Can containers be secured in paas?

Why?

• Leverage existing, tried and tested security solutions where appropriate
• Rely on platform security where appropriate
• Change in application delivery also drives a change in security mindset

Page 12: Can containers be secured in paas?

Attack vectors - it’s the apps!

Stats from http://www.hackmageddon.com/

Page 13: Can containers be secured in paas?

Container security in PCF: the nitty gritty

Containers provide isolation of resources – CPU, memory, file system, process space, network

Containers have their own private network, not accessible from outside the DEA

[Diagram: two DEAs, each hosting four App containers]

Page 14: Can containers be secured in paas?

Container Isolation

Routers forward requests from outside using the app’s route to the assigned port on the DEA, which does network translation to the container’s internal IP and port

Apps are prevented from communicating directly with each other by container firewall rules; they must communicate through published routes

[Diagram: HA Proxy LB, Dynamic Router, and two DEAs each hosting four App containers]
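
An added example, not from the slides or from Cloud Foundry's code: a small Python audit that checks a DEA's packet-filter rules against the two claims on this slide (routed traffic reaches the container through the DEA's port mapping; containers cannot open direct connections to each other). The rule dump, addresses, ports and `ROUTER_IP` are constructed for illustration and are not Warden's real rule set; the parser handles only simple single-value options.

```python
import ipaddress
import shlex

# Constructed iptables-save style dump; addresses and rules are assumptions, not Warden's real rules.
SAMPLE_RULES = """\
*nat
-A PREROUTING -p tcp --dport 61001 -j DNAT --to-destination 10.254.0.2:8080
-A PREROUTING -p tcp --dport 61002 -j DNAT --to-destination 10.254.0.6:8080
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.254.0.0/22 -d 10.254.0.0/22 -j DROP
-A FORWARD -d 10.254.0.0/22 -p tcp --dport 8080 -j ACCEPT
"""
ROUTER_IP = "10.0.16.5"  # constructed address standing in for the Dynamic Router

def parse(dump):
    """Return ({host_port: (container_ip, port)}, [FORWARD rule option dicts])."""
    table, dnat, forward = None, {}, []
    for line in dump.splitlines():
        tok = shlex.split(line)
        opts = dict(zip(tok[2::2], tok[3::2]))  # each option here takes one value
        if line.startswith("*"):
            table = line[1:]
        elif table == "nat" and opts.get("-j") == "DNAT":
            ip, port = opts["--to-destination"].rsplit(":", 1)
            dnat[int(opts["--dport"])] = (ip, int(port))
        elif table == "filter" and tok[1:2] == ["FORWARD"]:
            forward.append(opts)
    return dnat, forward

def verdict(forward, src, dst, dport):
    """First-match target for a NEW TCP connection from src to dst:dport."""
    inside = lambda ip, net: ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    for r in forward:
        if ("--state" not in r  # state rules only match already-tracked flows
                and inside(src, r.get("-s", "0.0.0.0/0")) and inside(dst, r.get("-d", "0.0.0.0/0"))
                and int(r.get("--dport", dport)) == dport):
            return r["-j"]
    return "POLICY"  # no rule matched; the chain's default policy applies

def audit(dump):
    """List flows that contradict the isolation model described on the slide."""
    dnat, forward = parse(dump)
    findings = []
    for host_port, (ip, port) in sorted(dnat.items()):
        if verdict(forward, ROUTER_IP, ip, port) != "ACCEPT":
            findings.append(f"host port {host_port}: routed traffic to {ip}:{port} is blocked")
        findings += [f"direct path {peer} -> {ip}:{port}" for peer, _ in dnat.values()
                     if peer != ip and verdict(forward, peer, ip, port) == "ACCEPT"]
    return findings
```

Because the DNAT happens before the forwarding decision, the filter rules are evaluated against the container's internal address, which is why the audit checks the translated destination rather than the DEA's host port.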

Page 15: Can containers be secured in paas?

Impact of attacks

• Attacker compromises app, gets access to core data
  • Nothing to do with the platform, nothing we can do to stop this
  • Mitigation: WAF, code audit to help write secure code
• Attacker compromises app, gets local container access
  • If they break anything, BOSH destroys and re-deploys the container
  • Can’t break out the container to root VM (the DEA)
  • Can’t sniff network traffic
  • Can’t pivot east/west to attack other internal PCF components

Page 16: Can containers be secured in paas?

Gentlemen, we can rebuild him. We have the technology.

• OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• Make Jenkins do the work: https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin
• Also look at Web Application Attack and Audit Framework: http://w3af.org/

Page 17: Can containers be secured in paas?

Containerception

Page 18: Can containers be secured in paas?

Current tech: Warden

Page 19: Can containers be secured in paas?

Future tech: Garden

More info at http://blog.pivotal.io/pivotal-cloud-foundry/features/cloud-foundry-container-technology-a-garden-overview

Page 20: Can containers be secured in paas?

Warden/Garden networking in detail

Page 21: Can containers be secured in paas?

Container filesystems

[Diagram: Garden container with Buildpacks and Garden container with Docker image. Layers shown: read-only root filesystem inherited from DEA; R/W root filesystem overlay; R/W user filesystem; Docker image filesystem]

Page 22: Can containers be secured in paas?

Why a different container tech? i.e. Why not Docker?

Again, context is important:

• PCF treats containers as disposable
• i.e. we don’t care about them, and neither should you
• Therefore we don’t allow access to them
• Fundamental difference in design principles - we can lock them down much more tightly
• To see the implications: http://reventlov.com/advisories/using-the-docker-command-to-root-the-host

Page 23: Can containers be secured in paas?

Key points

• Yes containers can be secured in a PaaS
• This can mitigate some attacks, doesn’t help with others
• Doesn’t mean your apps are secure
• Don’t rely on technology to solve security issues
• Build security into your apps from the start
• Profile the risk and mitigate what you can
• Remember not all risk can be mitigated
• Context is important!
• You will get hacked, response is key - whole other topic!

Page 24: Can containers be secured in paas?

THANK YOU

[email protected] https://www.linkedin.com/in/tomkranz @whoopsie