Cloud Security

Securing Container Deployments from Build to Ship to Run – Rancher Labs Online Meetup

Watch the meetup video for a comprehensive overview of Continuous Container Security. The meetup is hosted by Shannon Williams, co-founder of Rancher, with lots of Q&A, so it’s long (2 hrs!). Here’s the start times for the key sections of Securing Container Deployments:

  1. [08:11] Quick Security Tips from Rancher, Bill Maxwell Director of DevOps Rancher @cloudnautique
  2. [33:06] Continuous Container Network Security, Fei Huang, CEO NeuVector @NeuVector
  3. [1:05:20] NeuVector and Dirty Cow Exploit demo, Fei Huang, CEO NeuVector
  4. [1:22:18] Application Security for Open Source, Mike Pittenger VP for Security Strategy Black Duck Software @mwpittenger
  5. [1:37:25] Black Duck demo, Kaila Gervais, Sales Engineer Black Duck Software

Presentation Summary

Below are some of the key words from the presentation slides for the Securing Container Deployments online meetup.

  • Securing Container Deployments from Build to Ship to Run, August 30, 2017 #ranchermeetup
    1. Shannon Williams Co-Founder/VP Sales @smw355 1 Darren Shepherd Co-Founder/Chief Architect @ibuildthecloud
    2. Bill Maxwell Director of DevOps Rancher @cloudnautique
    3. Fei Huang CEO NeuVector @NeuVector
    4. Mike Pittenger VP for Security Strategy Black Duck Software @mwpittenger
    5. Kaila Gervais Sales Engineer Black Duck Software
  • First things first… This is a not a webinar!
    • There are rules for a meetup! • We won’t be done on time • Questions are always welcome • Demo, then demo some more • Things will break, be patient
    • Join the conversation on Twitter #ranchermeetup
  • Agenda • Quick Rancher Intro – Shannon • Best Practices for Securing your Rancher Deployment – Bill • Continuous Security for Containers – Fei • Demo – Deploying NeuVector on Rancher • Demo – Blocking a Dirty Cow exploit • Building Security into Applications – Mike • Demo – Black Duck – Kalia
  • Rancher Labs, The most complete container management platform. A simplified Linux distribution built from containers, for containers
    • OUR PRODUCTS. A project for microservices-based distributed block storage
    • A complete container management platform that makes it easy to…
      • INNOVATE WITH CONTAINERS without compromising flexibility by empowering developers with fast access to the latest tools
      • MANAGE APPLICATIONS by simplifying day to day application lifecycle management RUN CONTAINERS with the most complete set of container and infrastructure management capabilities
      • Production ready ✔ 60 million+ downloads ✔ Open platform for innovating ✔ Easy to use interface ✔ Multi-tenant ✔ Role based access ✔ 24X7 support ✔ And more….
    • Complete Container Management Platform
    • Application Catalog Container Orchestration and Scheduling
  • Securing Container Deployments from Build to Ship to Run
  • Quick tips for securing your Rancher deployment, Bill Maxwell
  • Cloud-Native Security Pipeline
    • Image Signing, e.g. Content Trust User access controls, e.g. registries Code analysis Hardening Image Scanning Open Source Auditing and management Host and kernel security SELinux, AppArmor Secure Docker daemon Access Controls Secrets Management Encryption Auditing w/ Docker Bench Orchestrate – network, security containers Network Inspection & Visualization Layer 7-based Application Isolation Threat Detection Privilege Escalation Detection Container Quarantine Run-Time Vulnerability Scanning Process Monitoring Packet Capture & Event Logging
  • Rancher Environment
    • Securing Overlay Networking Limit exposed ports on hosts Layer 7 routing to containers Network Policy Manager Compute NodeCompute NodeCompute Node Load Balancer L B L B L B App A App B Layer 7 routing Overlay Network Automate Delivery Pipeline Integrated Secrets Management
  • Basics Still Apply
    • Patching OS SE Linux/AppArmor Restrict Host Logins Use Orchestrator RBAC
  • Changing Traffic Patterns – And Risks
    •  Traffic Explosion  Open Source Vulnerabilities  Sophisticated Attacks MICROSERVICES E A S T- W E S T T R A F F I C ! ! ! ! DDoS SambyCry Wanna-Crypt
    • Traditional Security Tools Are Blind  Can’t See East-West  Can’t Keep Up  Low Accuracy ZERO-DAY ATTACKS INSIDER ATTACKS
  • Container Network Security
    •  Container-Native ‘Firewall’ – Network Visibility – L7 Inspection  Keeps Pace With Cloud-Native Apps – Scale, Update, New  Fits CI/CD Process, Non-Container Apps & SIEM Tools External & Legacy Apps
  • How Can Container Security Keep Up?
    • 1. Containers are Declarative – Names, labels, dependencies, links, ports, deployment options 2. Behavioral / Machine Learning – Network and container inspection enables auto- learning 3. Whitelist, not Blacklist – Policies define trusted behavior
  • NeuVector Security Container Features
    •  Deploy – Greenfield, Brownfield – Container Visualization  Audit – Docker Bench – Kubernetes CIS Benchmark – Vulnerability scans  Protect – Layer 7 Segmentation / Isolate Applications – Detect Privilege Escalations & Break Outs – Detect Container Threats  Respond – Alert, Block, Quarantine – Capture Sessions & Packets No Agents No Embedding No Coding
  • NeuVector Architecture
  • WannaCrypt Example: Detect Ransomware & Port Scanning
  • Example: Demo / Dirty Cow
    •  Exploits Affect Hosts and Containers CVE-2016-5195 Linux Root Escalation Exploit 1. Attacker exploits vulnerable application to inject code 2. Run Dirty Cow to gain root in container 3. Connect to external host 4. NeuVector detects a) root escalation b) unauthorized connection 5. Attacker breaks out to compromise host Demo ‘Kill Chain‘
  • Application Security in the age of Open Source © Black Duck Software 2016
    1. 8 of the top 10 Software Companies (70 of the top 100) 6 of the top 8 Mobile Handset Vendors 6 of the top 10 Investment Banks 24 Countries 350+ Employees 2,000Customers About Black Duck 40Founded 2002 Of The Fortune 100
  • Automating Five Critical Tasks and Having a Bill of Materials Provide Distinct Advantage
    • INVENTORY Open Source Software MAP Known Security Vulnerabilities IDENTIFTY License Compliance Risks TRACK Remediation Priorities & Progress ALERT New Vulnerabilities Affecting You Visibility AND Control
  • Open Source Changed the Way Applications are Built
    • 10% Open Source 20% Open Source 50% Open Source Up to 90% Open Source 1998 2005 2010 TODAY Open Source is the modern architectureCustom & Commercial Code Open Source Software
  • Containers can be vulnerable by virtue of the code that runs inside them
    • • OSS components running inside containers represent potential attack vectors • Could cause problems for the application itself • Could cause more problems if the container is running with the –privileged flag set Agile, Containers and DevOps
    • DockerHub Riddled with Vulnerabilities Open Source Adoption in Commercial Software 22% of applications had >50% open source Open Source is Not Risk Free
  • Why Aren’t We Finding These in Testing?
    • • Static analysis • Testing of source code or binaries for unknown security vulnerabilities in custom code • Advantages in buffer overflow, some types of SQL injection • Provides results in source code • Dynamic analysis • Testing of compiled application in a staging environment to detect unknown security vulnerabilities in custom code • Advantages in injection errors, XSS • Provides results by URL, must be traced to source What’s Missing? All possible security vulnerabilities FREAK! Static Analysis Dynamic Analysis
  • Black Duck and NeuVector Continuous Network Security for Containers
    • • Network inspection • Network traffic visibility and segmentation • ‘Layer 7’ application isolation & threat detection • Privilege escalation detection • Container quarantine • Run-time vulnerability scan Dev Build/CI Registry Deploy Run-Time Automated Visibility, Intelligence, and Control for Applications and Containers through Secure DevOps • Scanning of applications and containers • Component discovery and identification (“Bill of Materials”) • Analysis of known security vulnerabilities, license risks, and operational risks • Management of risk policies, enforcement, and remediation • Ongoing alerting of new vulnerabilities and policy violations • Knowledge Base of open source components and their risks Secure DevOps Secure in Production
  • Free Black Duck Container Tools Free Docker Container Security Scanner
    • •
  • Latest Release 48 Rancher 1.6.x Key Features: – Rancher EBS volume is now GA – Support ability to add catalogs per environment – Updated compose for new additional fields – Support to update LDAP without disabling auth – Support for RHEL 7.4 – Support for K8s 1.7.2 – Added more fixes to ipsec overlay networking – Enhanced release notes to include rollback instructions and fixes per infrastructure services
  • Next Release – Rancher 2.0 Tech Preview

About the Author

NeuVector delivers an application-aware container network security solution. The NeuVector containers deploy easily in minutes and discover running services and applications. A security policy is automatically created and updated when containers launch, scale up or scale down. NeuVector detects container threats, violations, and vulnerabilities.