DockerCon17 – My Container Security Perspective
By Gary Duan, CTO, NeuVector
Last week was my first time going to the DockerCon conference, which I’ve heard is now attracting a more serious enterprise deployment audience. It was an exciting experience hearing about several major announcements and participating in interesting sessions. NeuVector was a sponsor and had a booth at the conference. It was great to meet some of our users and hear their perspectives and challenges in CI/CD, networking and security. We were also kept very busy answering questions for visitors interested in container network security.
Returning from the conference, I’d like to share some of my thoughts, especially from a security perspective.
LinuxKit and the Moby Project
Docker made two important announcements during the first day’s keynote. LinuxKit and Moby represent their continuous efforts on componentizing the Docker project. Moby provides a new host for various Open Source projects and enables the community to contribute and innovate with Docker’s technology without affecting Docker as a product. With LinuxKit, Docker allows system vendors to customize their Linux distributions to run Docker. At the same time, Docker also provides its own minimal and secured Linux OS. Some see LinuxKit and Moby as challenges, others see them as an opportunity. I am very interested to see the community reaction and activity level for these projects in the next months.
Modularization: Security Implications
Modularizing Docker has a profound implication for container security. As all the technologies are componentized, the community is able to keep on innovating and optimizing each component. At the same time end users and system integrators can pick components and create combinations that fit their own needs without unnecessarily increasing the attack surface of their applications. This is a good thing.
Is Security a ‘Total Recall’?
The Docker community has been extremely active in system security, so what about network security and application security? It makes sense that one of the hottest areas today in the container ecosystem is security, with many startups tackling different and sometimes overlapping layers of security. There are security solutions for different layers of the stack, from access control to image scanning to runtime security.
On the networking side, all this innovation activity made me feel like 15 years ago when I joined the security industry. At that time a firewall was just ACLs. Firewalls only understood IP addresses and port numbers without visibility into applications. IDS did exist at that time, but it provided essentially a packet-based signature matching logic, with very limited application context.
Firewalls and network security have been evolving rapidly in the past 15 years. The modern firewalls of today speak not only IPs and ports, but also services and applications. They understand how applications talk to each other and are able to allow a particular connection only when it is needed. They can correlate user identities with their network activities. At the application level, protocol streams can be reconstructed so that content can be inspected with the application context. With the help of the advanced packet forwarding technology, security functions can be done with minimal impact on performance.
Applying security to a containerized environment should not mean that we have to roll back the clock 15 years. We should build on the knowledge and lessons we have learned along the way, including security for virtual and cloud-based environments. Security doesn’t need to be a total recall but rather a reinvention.
What has changed in the cloud, especially in a containerized environment, in comparison to the traditional physical server and network environment? People using containers are more likely to adopt a microservice architecture. Microservices are highly orchestrated. Orchestration and scheduling take place at the global level, without worrying about the underlying details of servers, networks or even data centers. This provides a macro view of applications – how they are arranged, how they communicate with each other, and how they are expected to perform.
Instead of sitting in relatively isolated silos, like traditional network appliances in the physical data center, security solutions for containers should take advantage of this macro capability. Security policy configuration can be simplified and accuracy improved to decrease false positives by taking into account this macro level information.
Other types of information that are not available to traditional network security devices are the actual run-time state of workloads such as processes, syscalls, applications behavior and user interactions. This micro level information is also valuable when making security decisions. The rapidly changing container environment requires security solutions to dynamically adapt so that policies don’t break or become configuration nightmares.
With the combined macro view and micro details, an application-rich context and run-time insights can be constructed for containerized applications. This enables a security solution to analyze application behavior and identify attacks more effectively.
One interesting observation I have about discussing container security with developers, devops, and security people is their different perspectives. Developers and devops people are trying to learn how to build security into their process, and what are the most important things to tackle first. Traditional security and networking people are trying to figure out how to get visibility and security in a new container environment for all the traditional attacks and threats they know exist. For traditional security people there is a need for real-time, run-time container security tools, no matter how many security precautions have been built into the process before run-time. They know from experience that things do go wrong, and hackers often find ways around built-in controls.
We are excited to be part of the hyper growth in containers and security. And to adapt mature security concepts from firewalls, networking, and application security to a microservice based environment. As history has shown, success requires one part innovation and one part adaptation.
About the Author: Gary Duan
Gary is the Co-Founder and CTO of NeuVector. He has over 15 years of experience in networking, security, cloud, and data center software. He was the architect of Fortinet’s award winning DPI product and has managed development teams at Fortinet, Cisco and Altigen. His technology expertise includes IDS/IPS, OpenStack, NSX and orchestration systems. He holds several patents in security and data center technology.