can containers be secured in paas?
TRANSCRIPT
© Copyright 2015 Pivotal. All rights reserved.
Can containers be secured in a PaaS?
Tom Kranz, [email protected]
1
Introductions: who am I?
• UNIX sysadmin
• Technical architect
• Principal Field Engineer
• Account Manager
• Security person
• Get in touch on LinkedIn or Twitter
2
Can containers be secured in a PaaS?
• Maybe …
• Not about features
• Context is important
• And implementation is key!
And always remember:
You will get hacked. Eventually.
3
So what’s the context?
• Who are our attackers?
• Where are they attacking from?
• What are they attacking?
• What data is at risk?
This gives us a risk profile we can use to evaluate the security of an *implementation*
Evaluating the security of a product in isolation - without context - is bad, and leads to bad risk profiles and poor decisions
4
Who are our attackers?
• Opportunists?
• Someone with a grudge?
• Professionals?
• Nation states?
5
August 2015 cyber attack stats
6
Stats from http://www.hackmageddon.com/
Where are they attacking from?
• Internal or external?
What are they attacking?
• Infrastructure?
• Applications?
• Physical location?
• All of the above?
7
SPARTA!
What data is at risk?
• Use the answers to the above to work out what data is at risk and where it is
• This can form your risk profile
• This is what you can use to evaluate the security of an implemented solution
• Evaluate the implementation against the profile - not the product against a checklist!
8
Pivotal Cloud Foundry Architecture recap
[Architecture diagram: Operations Manager (Ops Manager UI, Ops Manager Director); Services (Service Brokers and Service Nodes); Elastic Runtime (HA Proxy LB, Dynamic Router, Login Server, UAA, Cloud Controller, Health Manager, App Log Aggregator, Metrics Collection, Messaging (NATS), DEA Pool running the Apps). The apps run in containers.]
Example: secure PCF implementation
10
[Network diagram: a router with firewall separating "Everyone Else & Bad People" from three VLANs - PCF Admin VLAN (Resource Pool A), PCF Services VLAN (Resource Pool B) and PCF Containers VLAN (Resource Pools C & D).]
Why?
• Leverage existing, tried and tested security solutions where appropriate
• Rely on platform security where appropriate
• Change in application delivery also drives a change in security mindset
11
Attack vectors - it’s the apps!
12
Stats from http://www.hackmageddon.com/
Container security in PCF: the nitty gritty
Containers provide isolation of resources – CPU, memory, file system, process space, network
Containers have their own private network, not accessible from outside the DEA
[Diagram: two DEAs, each running four App containers on its own private network.]
Container Isolation
Routers forward requests from outside using the app’s route to the assigned port on the DEA, which does network translation to the container’s internal IP and port
Apps are prevented from communicating directly with each other by container firewall rules; they must communicate through published routes
[Diagram: HA Proxy LB in front of the Dynamic Router, which forwards to App containers on two DEAs.]
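A small model of the request path the two slides above describe, added here as an illustration (not Cloud Foundry or Warden code): the router maps a published route to a DEA host and assigned port, the DEA's NAT table maps that port to a container's private ip:port, and the container firewall drops traffic aimed directly at another container's private IP. All hosts, IPs and ports are constructed sample values.

```python
# Added model of the DEA request path (not Cloud Foundry code). Route -> (DEA host,
# assigned port) at the router; assigned port -> container private ip:port in the
# DEA's NAT table; direct container-to-container traffic is dropped by the firewall.
from dataclasses import dataclass, field


@dataclass
class Container:
    name: str
    private_ip: str  # reachable only inside this DEA's private network
    app_port: int


@dataclass
class DEA:
    host_ip: str
    containers: dict = field(default_factory=dict)  # name -> Container
    nat: dict = field(default_factory=dict)         # assigned host port -> (ip, port)
    next_port: int = 61001                          # constructed port range

    def start(self, c):
        """Register the container and add its NAT entry; return the host port."""
        port, self.next_port = self.next_port, self.next_port + 1
        self.containers[c.name] = c
        self.nat[port] = (c.private_ip, c.app_port)
        return port

    def egress_allowed(self, dst_ip):
        """Container firewall rule: drop packets aimed at another container's
        private IP on this DEA; anything else leaves through the DEA."""
        return dst_ip not in {c.private_ip for c in self.containers.values()}


class Router:
    def __init__(self):
        self.routes = {}  # hostname -> (DEA, assigned port)

    def publish(self, hostname, dea, port):
        self.routes[hostname] = (dea, port)

    def forward(self, hostname):
        """Hops a request takes for a published route, or None if unknown."""
        if hostname not in self.routes:
            return None
        dea, port = self.routes[hostname]
        ip, app_port = dea.nat[port]
        return [f"router:{hostname}", f"dea:{dea.host_ip}:{port}", f"container:{ip}:{app_port}"]


# Constructed sample topology: one DEA running two apps behind published routes.
dea = DEA("10.0.3.7")
router = Router()
router.publish("app-a.example.test", dea, dea.start(Container("app-a", "10.254.0.2", 8080)))
router.publish("app-b.example.test", dea, dea.start(Container("app-b", "10.254.0.6", 8080)))
```

Calling `router.forward("app-b.example.test")` yields the three hops router, DEA and container, while `dea.egress_allowed("10.254.0.6")` is False: app-a can only reach app-b through the published route, never by its private IP.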
Impact of attacks
• Attacker compromises app, gets access to core data
• Nothing to do with the platform, nothing we can do to stop this
• Mitigation: WAF, code audit to help write secure code
• Attacker compromises app, gets local container access
• If they break anything, BOSH destroys and re-deploys the container
• Can’t break out of the container to the root VM (the DEA)
• Can’t sniff network traffic
• Can’t pivot east/west to attack other internal PCF components
15
Gentlemen, we can rebuild him. We have the technology.
• OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• Make Jenkins do the work: https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin
• Also look at the Web Application Attack and Audit Framework: http://w3af.org/
16
Containerception
17
Current tech: Warden
18
Future tech: Garden
19
More info at http://blog.pivotal.io/pivotal-cloud-foundry/features/cloud-foundry-container-technology-a-garden-overview
Warden/Garden networking in detail
20
Container filesystems
21
[Diagram: a Garden container with buildpacks is layered as a read-only root filesystem inherited from the DEA, a R/W root filesystem overlay and a R/W user filesystem; a Garden container with a Docker image uses the Docker image filesystem.]
Why a different container tech? i.e. why not Docker? Again, context is important:
• PCF treats containers as disposable
• i.e. we don’t care about them, and neither should you
• Therefore we don’t allow access to them
• Fundamental difference in design principles - we can lock them down much more tightly
• To see the implications: http://reventlov.com/advisories/using-the-docker-command-to-root-the-host
22
Key points
• Yes, containers can be secured in a PaaS
• This can mitigate some attacks, doesn’t help with others
• Doesn’t mean your apps are secure
• Don’t rely on technology to solve security issues
• Build security into your apps from the start
• Profile the risk and mitigate what you can
• Remember not all risk can be mitigated
• Context is important!
• You will get hacked, response is key - whole other topic!
23
THANK [email protected]
https://www.linkedin.com/in/tomkranz
@whoopsie
24