docker security - continuous container security

DOCKER SECURITY - CONTINUOUS CONTAINER SECURITY: Container Threat Landscape & Network Security. Dieter Reuter, [email protected], @Quintus23M

Upload: dieter-reuter

Post on 21-Jan-2018


TRANSCRIPT

Page 1: Docker Security - Continuous Container Security

DOCKER SECURITY - CONTINUOUS CONTAINER SECURITY
Container Threat Landscape & Network Security

Dieter Reuter, [email protected], @Quintus23M

Page 2: Docker Security - Continuous Container Security

Container Threat Landscape

Diagram: Host and Containers, with North-South and East-West traffic paths

▪ Ransomware
▪ DDoS
▪ Kernel ‘Dirty Cow’
▪ Privilege Escalations
▪ Breakouts
▪ DNS Attacks
▪ Application Attacks
▪ Docker daemon attack
▪ Port scanning
▪ Virus injection
▪ Data stealing
▪ Lateral movement
▪ XSS, SQL injection
▪ Container phone home
▪ Resource consumption
▪ Heap corruption
▪ Buffer overflow
▪ Zero-day attacks
▪ Malware
▪ Unauthorized access
▪ Image back doors

Page 3: Docker Security - Continuous Container Security

Continuous Container Security

Build - Ship - Run (Pre-Deployment / Run-Time)

✓ Image Signing, e.g. Content Trust
✓ User Access Controls, e.g. Docker Trusted Registry
✓ Code Analysis
✓ Container Hardening
✓ Image Scanning
✓ Host OS Security
✓ Kernel Security
✓ SELinux
✓ AppArmor
✓ Seccomp
✓ Access Controls
✓ Secrets Management
✓ Container Network Security

Inspect - Protect - Monitor - Scale

Page 4: Docker Security - Continuous Container Security

Security Rules Can’t Keep Up

Page 5: Docker Security - Continuous Container Security

Container Network Security

▪ Inspect Network
▪ Protect
- Containers
- Container Hosts
▪ Monitor & Visualize
▪ Automate & Scale

Page 6: Docker Security - Continuous Container Security

Inspect Network Traffic

▪ Best Security Detection Point
▪ North-South and East-West
▪ Container Connections and Packets
- Layer 7, Application Protocol and Payload
▪ Traffic between Containers
- Intra-Host, Inter-Host

Challenge – Dynamic Workloads

Diagram: Containers on a Host

Page 7: Docker Security - Continuous Container Security

Protect Application Containers

▪ Detect Violations
▪ Detect Threats
- DDoS, XSS, DNS, SSL
▪ Scan for Vulnerabilities
▪ Respond
- Connection Blocking
- Container Quarantine
- Alert & Log

Challenge – Accuracy, False Positives

Diagram: Containers on a Host, with a Vulnerable Container and the paths Breakout, Attack, Phone Home, Lateral Spread

Page 8: Docker Security - Continuous Container Security

Protect Container Hosts

▪ Implement Pre-Deployment Security
- Kernel, Docker Engine
▪ Scan for Vulnerabilities
▪ Detect Privilege Escalations
▪ Perform Security Auditing
- CIS Benchmark

Challenge – Real-Time Host Monitoring

Diagram: Containers on a Vulnerable Host, with a Host Breakout path

Page 9: Docker Security - Continuous Container Security

Monitor & Visualize

▪ Container Network Connections
▪ Application ‘Stacks’
▪ Security Policy and Violations
▪ Detailed Event Logging
▪ Packet Capture

Challenge – Large & Complex Deployments

Page 10: Docker Security - Continuous Container Security

Automate & Scale

▪ Security Must Be Container Native
- Integrated with Orchestration Platforms
- Compatible (Agnostic) to Network Overlays & Plug-Ins
▪ Swarm, Flannel, Calico, Rancher, Weave, …
▪ Then Automate
- Security Policy, Visualization
▪ And Scale
- Constant Adaptation

Challenge – Rapid Network/Platform Evolution

Page 11: Docker Security - Continuous Container Security

Demo

▪ Deploy NeuVector onto running apps
▪ Discover application behaviour
▪ Auto-create security policy
▪ Detect violations
▪ Protect containers
▪ Scan for vulnerabilities

Page 12: Docker Security - Continuous Container Security

Demo: Micro-Segmentation

▪ App#1: 3 tier Node.js web application (5 containers)
▪ App#2: 2 tier WordPress application (2 containers)
- Automatic segmentation: Discover → Monitor → Protect

Diagram (demo topology):
Host #1: NeuVector AllInOne (Security Service), Nginx (Load Balancer), Redis (Database Service), WordPress (web server), MySQL (Database Service)
Host #2: NeuVector Enforcer (Security Service), Node.js #1, Node.js #2, Node.js #3 (web server)
External or Internet

Page 13: Docker Security - Continuous Container Security

Continuous Container Security Reference

Build - Ship - Run (Pre-Deployment / Run-Time)

✓ Image Signing, e.g. Content Trust
✓ User Access Controls, e.g. Docker Trusted Registry
✓ Code Analysis
✓ Container Hardening
✓ Image Scanning
✓ Host OS Security
✓ CIS Benchmark
✓ Kernel Security
✓ SELinux
✓ AppArmor
✓ Seccomp
✓ Secure Docker Engine
✓ Access Controls
✓ Secrets Management
✓ TLS Encryption
✓ Auditing w/ Docker Bench
✓ Orchestration – Network, Security, Containers
✓ Network Inspection & Visualization
✓ Run-Time Vulnerability Scanning
✓ Process Monitoring
✓ Threat Detection
✓ Privilege Escalation Detection
✓ Container Quarantine
✓ Layer 7-based Application Isolation
✓ Packet Capture & Event Logging

Image: Container Security Guide
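As an added example (not from the slides and not NeuVector's code), the following script applies a handful of the run-time hardening controls listed above (Seccomp, AppArmor, privilege escalation, host isolation, Docker daemon exposure) to the JSON that `docker inspect` emits, in the spirit of a CIS Benchmark style audit. The two container records are constructed samples; the check names and the `audit_container`/`audit_all` functions are this example's own.

```python
import json

# Constructed sample shaped like `docker inspect <container>` output; only the
# fields the checks read are present. Container names are made up for the demo.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/wordpress", "AppArmorProfile": "docker-default",
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
                    "IpcMode": "private", "CapAdd": None,
                    "SecurityOpt": ["no-new-privileges:true"], "Binds": None}},
    {"Name": "/nodejs1", "AppArmorProfile": "",
     "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "host",
                    "IpcMode": "private", "CapAdd": ["SYS_ADMIN"],
                    "SecurityOpt": ["seccomp=unconfined"],
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
])

def audit_container(c):
    """Return (check, detail) findings for one inspect record; empty means clean."""
    hc = c.get("HostConfig", {})
    sec = hc.get("SecurityOpt") or []
    findings = []
    if hc.get("Privileged"):                       # all caps, seccomp/AppArmor off
        findings.append(("privileged", "container runs with --privileged"))
    for ns in ("PidMode", "NetworkMode", "IpcMode"):  # shared host namespaces
        if hc.get(ns) == "host":
            findings.append(("host-namespace", ns))
    for cap in hc.get("CapAdd") or []:             # capabilities that defeat isolation
        if cap.upper() in ("ALL", "SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN"):
            findings.append(("capability", cap))
    if any(o.startswith("seccomp=unconfined") for o in sec):
        findings.append(("seccomp", "default syscall filter disabled"))
    # AppArmorProfile is also empty on hosts without AppArmor; treat that as a finding
    if not c.get("AppArmorProfile") or "apparmor=unconfined" in sec:
        findings.append(("apparmor", "no profile applied"))
    if "no-new-privileges:true" not in sec and not hc.get("Privileged"):
        findings.append(("priv-escalation", "no-new-privileges not set"))
    for bind in hc.get("Binds") or []:             # host root or daemon socket mounted
        src = bind.split(":")[0]
        if src == "/" or src.endswith("docker.sock"):
            findings.append(("host-mount", src))
    return findings

def audit_all(inspect_json):
    """Map container name -> findings for a whole `docker inspect` JSON array."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_INSPECT).items():
        print(name, "OK" if not found else found)
```

On a real host, feed it `docker inspect $(docker ps -q)` instead of the sample; the same checks are what Docker Bench reports in its container section.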

Page 14: Docker Security - Continuous Container Security

THANK YOU

For more information contact me via Email [email protected], or Twitter @Quintus23M

Slides kindly borrowed from https://neuvector.com