
NeuVector Builds on Istio Service Mesh Concepts to Secure Microservices

The Security Mesh deployed by NeuVector is compatible with the Istio service mesh and provides a roadmap for future integration

By Gary Duan

The service mesh concept behind the Istio project provides a powerful and useful set of services which are critical for managing, monitoring and securing container-based services, especially those built on Kubernetes. This infrastructure layer provides routing, load balancing, monitoring, authentication and other infrastructure functionality required to manage highly dynamic applications at scale. The best thing about the Istio service mesh and sidecar concept is that no changes to application code are required. That means developers can continue to develop, deploy and update applications in containers without having to worry about the mechanics of how performance, routing, updates, and security will be implemented once in production.

Building on the Istio service mesh concepts, NeuVector has created a container security solution which has the same attributes as Istio and which can be deployed today. The NeuVector solution will be compatible with Istio as service mesh deployments move into production in the next year. With NeuVector, DevOps and security teams are able to deploy a security mesh which provides deep intelligence and protection of all container processes and file system activities, network connections, and vulnerabilities. Like the Istio service mesh, the NeuVector security mesh requires no changes to application code. Also like Istio, NeuVector provides specific functions and intelligence required to manage microservices, in NeuVector's case from a security perspective. The NeuVector security mesh functions include:

  • Network inspection with layer 7 deep packet inspection
  • Threat protection for network based application attacks
  • Baselining process and file system activity and detection of suspicious processes and files
  • Vulnerability and security configuration scanning
  • Container and network connection visualization with security events
  • Automated threat response actions with customizability
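To make the "baselining process activity" and "automated threat response" functions concrete, here is an added example of how a runtime security mesh can learn a per-service baseline of process launches and classify new events against it. This is illustrative code written for this article, not NeuVector's own implementation; the event fields, the service names, the sample events and the list of high-risk tools are all assumptions.

```python
"""Added example (not NeuVector code): learn a per-service baseline of container
process launches during a learning window, then flag and respond to deviations.
Event format, service names, sample events and the high-risk tool list are
assumptions made for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    service: str   # workload the container belongs to (assumed label)
    parent: str    # parent process name
    proc: str      # executed process name
    path: str      # executable path


# Constructed sample events for the learning window (not captured data).
LEARNING_EVENTS = [
    ProcEvent("frontend", "containerd-shim", "node", "/usr/local/bin/node"),
    ProcEvent("frontend", "node", "sh", "/bin/sh"),
    ProcEvent("cart", "containerd-shim", "python3", "/usr/bin/python3"),
]

# Tools that have no business running inside these production containers;
# an unbaselined launch of one is blocked even in monitor mode (assumed list).
HIGH_RISK_PROCS = {"nc", "ncat", "socat", "nmap", "bash", "curl", "wget"}


def learn_baseline(events):
    """Return {service: {(parent, proc, path), ...}} seen during learning.

    The baseline is keyed on the (parent, proc, path) triple rather than the
    process name alone, so "sh spawned by node" and "sh spawned by nc" are
    distinct behaviours even though both launch /bin/sh."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e.service].add((e.parent, e.proc, e.path))
    return dict(baseline)


def evaluate(event, baseline, mode="monitor"):
    """Classify one runtime event against the learned baseline.

    Returns (verdict, action): verdict is "allow" or "anomaly"; action is
    "none", "alert" or "block". In "monitor" mode anomalies only raise
    alerts; in "protect" mode they are blocked. High-risk tools are blocked
    in either mode unless the baseline explicitly contains them. A service
    with no baseline at all is treated as having an empty one, so everything
    it runs is an anomaly."""
    known = baseline.get(event.service, set())
    if (event.parent, event.proc, event.path) in known:
        return "allow", "none"
    if event.proc in HIGH_RISK_PROCS:
        return "anomaly", "block"
    return "anomaly", ("block" if mode == "protect" else "alert")


def process_stream(events, baseline, mode="monitor"):
    """Evaluate a sequence of events; return the list of (event, verdict, action)
    for everything that was not allowed, i.e. what a security team would review."""
    findings = []
    for e in events:
        verdict, action = evaluate(e, baseline, mode)
        if verdict != "allow":
            findings.append((e, verdict, action))
    return findings


if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_EVENTS)
    # Constructed runtime events: one normal, one reverse-shell style tool launch.
    runtime = [
        ProcEvent("frontend", "node", "sh", "/bin/sh"),
        ProcEvent("frontend", "sh", "nc", "/usr/bin/nc"),
    ]
    for e, verdict, action in process_stream(runtime, baseline):
        print(f"{e.service}: {e.parent} -> {e.proc} ({e.path}) {verdict}, {action}")
```

The caveat a practitioner would add: a learned baseline is only as trustworthy as the window it was learned in. If a container is already compromised while in learning mode, the attacker's processes become part of "normal", so learning windows should be bounded, reviewed before switching to protect mode, and re-run after each deployment.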

NeuVector + Istio: Complete Service Automation with Multi-Vector Security

The NeuVector container security solution is a container itself which is deployed with the same tools which are used to deploy and manage application containers, such as Kubernetes. It layers neatly onto any container-based infrastructure, including those with the Istio service mesh infrastructure layer deployed. For enterprises and their security teams who require multiple vectors of enterprise security for visibility, protection, monitoring, and logging, the NeuVector solution is a bridge between new cloud-native infrastructures and existing security controls.

The combination of NeuVector and Istio provides a high level of run-time security for any container deployment. Security is built in, integrated and automated so that security teams are confident about every deployment and update, and DevOps teams are confident that security policies are created, deployed and enforced as part of the CI/CD pipeline.

“Since its launch in 2017, Istio has gained tremendous momentum in the open community, and has laid the groundwork for a growing number of companies to easily manage and secure the complex architectures that cloud-native apps often require,” said Chris Rosen, Program Director, Offering Management, IBM Cloud Kubernetes Service. “As one of the companies that led the creation of Istio, it’s fantastic to see its ecosystem evolve. We look forward to collaborating with NeuVector and other teams in the open community to continue advancing Istio’s security capabilities as the adoption of containers and microservices grows.”

Working With Istio Project Team

NeuVector continues to work with the Istio project team to provide input and shape the future direction for security services enabled by Istio. There is a potentially rich data set of application and service connection behavior available through the Istio service mesh which can enhance security solutions such as NeuVector. In addition, the security detections built into the NeuVector solution could be taken into account to affect service mesh routing and other policies.

Future Integration with Istio

As the Istio project matures and initial production deployments are rolled out, there will be integration points which enhance the overall security provided by the Istio service mesh in combination with the NeuVector security mesh. Our NeuVector team is currently working with forward-thinking enterprise customers to develop advanced security mesh integrations which will make sure that applications can be deployed on a high-performance, highly available, and secure infrastructure.

About the Author

Gary Duan

Gary is the Co-Founder and CTO of NeuVector. He has over 15 years of experience in networking, security, cloud, and data center software. He was the architect of Fortinet's award-winning DPI product and has managed development teams at Fortinet, Cisco and Altigen. His technology expertise includes IDS/IPS, OpenStack, NSX and orchestration systems. He holds several patents in security and data center technology.