Container Security

Enhancing OpenShift and Kubernetes Container Security for Business Critical Deployments

In this webinar from DevOps.com, Andrew Toth from Red Hat outlines typical threats and security measures that protect container deployments and shares information on the built-in security features of OpenShift and Kubernetes. Glen Kosaka from NeuVector then presents how to enhance security for Kubernetes and OpenShift by using advanced Kubernetes container security features to improve visibility and protection in production.

An outline of the webinar is provided below:

Top attack targets during container application runtime

  • Data (secrets exfiltration)
  • Access (denial of service)
  • Infrastructure (system destruction)

Classic attack vectors targeting containers

  • Container breakouts
  • Poor tenant isolation
  • Poisoned images
  • Host OS exploits
  • Kernel exploits

Top ways to increase container security

  • Namespaces
  • Linux capabilities
  • SELinux
  • Seccomp
  • Cgroups
  • R/O Mounts
  • Use minimal Host OS
  • Update system patches
  • Use trusted images
  • Use image security scanner
  • Quarantine poisoned images

Container security best practices

  • Use as many security layers as possible
  • Restrict access to your platforms and images
  • Minimize attack surface
  • Apply Host OS and Kernel security patches
  • Only run trusted, up-to-date container images
  • Run containers with the least privileges possible
  • Use a container image security scanner
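The two lists above name the kernel-level controls (namespaces, capabilities, seccomp, cgroups, read-only mounts) and the operational practices (trusted images, least privilege) but the webinar outline does not show how they are expressed in a deployment. The following pair of Pod manifests is an added example, not material from the webinar, Red Hat or NeuVector: a weak spec beside a hardened one for the same hypothetical workload, with each hardened field tied to the control it implements. The image reference, namespace, UID and digest are placeholders.

```yaml
# Added example (not from the webinar). Image, namespace, UID and digest are placeholders.
# --- Weak: runs as root, privileged, shares the host PID namespace, mutable image tag
apiVersion: v1
kind: Pod
metadata:
  name: web-weak
  namespace: demo
spec:
  hostPID: true                                   # breaks namespace isolation from the host
  containers:
  - name: web
    image: registry.example.com/demo/web:latest   # floating tag, provenance unverified
    securityContext:
      privileged: true                            # all capabilities, no seccomp: breakout is trivial
---
# --- Hardened: least privilege, each field mapped to a control from the lists above
apiVersion: v1
kind: Pod
metadata:
  name: web-hardened
  namespace: demo
spec:
  hostNetwork: false                     # Namespaces: keep net/pid/ipc isolation from the host
  hostPID: false
  hostIPC: false
  automountServiceAccountToken: false    # Restrict access: no API token unless the app needs one
  securityContext:
    runAsNonRoot: true                   # kubelet refuses to start the container as UID 0
    runAsUser: 10001                     # on OpenShift the restricted SCC assigns a project UID
    runAsGroup: 10001                    #   range and SELinux MCS labels, so this can be omitted
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault               # Seccomp: the container runtime's default syscall filter
  containers:
  - name: web
    image: registry.example.com/demo/web@sha256:<digest>   # Trusted image pinned by digest (placeholder)
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false    # blocks setuid binaries and file capabilities from gaining privilege
      readOnlyRootFilesystem: true       # R/O mount: the image filesystem cannot be modified at runtime
      capabilities:
        drop: ["ALL"]                    # Linux capabilities: drop everything; add back one at a time only if needed
    resources:                           # Cgroups: bound CPU and memory so a compromised pod cannot starve the node
      requests: {cpu: "100m", memory: "128Mi"}
      limits:   {cpu: "500m", memory: "256Mi"}
    ports:
    - containerPort: 8080                # unprivileged port, so NET_BIND_SERVICE is not required
    volumeMounts:
    - name: tmp
      mountPath: /tmp                    # the only writable path, and it does not persist
  volumes:
  - name: tmp
    emptyDir: {}
```

Apply either manifest with `oc apply -f` or `kubectl apply -f`; on OpenShift the default `restricted` SecurityContextConstraints rejects the weak spec (privileged, hostPID, root) before it is scheduled, which is the "use as many security layers as possible" practice in action: the platform policy and the pod's own securityContext enforce the same least-privilege baseline independently.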

Security Enhanced Container Platform Ecosystem

  • Red Hat OpenShift
  • Red Hat Container Catalog
  • Red Hat CloudForms
  • Red Hat Satellite
  • Red Hat Enterprise Linux Atomic Host

Security Automation for OpenShift and Kubernetes [09:15]

  • Hyper Scale
  • East-West Traffic Explosion
  • Low Visibility
  • Open Source Vulnerabilities
  • Sophisticated Insider Attacks

Traditional Security: Blind To Container Attacks

  • Zero-Day
  • DDoS
  • DirtyCow
  • SQL injection
  • DNS Tunneling
  • WannaCry
  • Privilege escalation
  • Breakout detection

OpenShift-Kubernetes Run-time Vulnerability Examples

  • Unauthorized Connections: Detect at Layer 3 – 7
  • Exploit Over Trusted IP/Ports: Detect at Layer 7
  • Known Application Attacks: Detect at Layer 7
  • Privilege Escalation: Detect in Pod / Host Process
  • Data Exfiltration: Reverse Shell / Tunneling
  • Unauthorized Egress/Ingress: Detect at Layer 3-7 for Non-Containerized Workloads

NeuVector OpenShift & Kubernetes Container Security Automation

  • Automatic Deployment & Updates
  • Continuous Auditing & Compliance
  • Run-Time Protections
  • Automated Threat Detection (DDoS, DNS, SQLi …)
  • Network Based Application Isolation (Layer 7)
  • Endpoint Process & Syscall Monitoring
  • Security Response

OpenShift-Kubernetes Container Security Enhancements

  • Build, Infrastructure & Deployment
  • Network Security
  • Endpoint Security
  • Compliance
  • Integration

NeuVector + OpenShift Architecture

NeuVector Demo [23:00]


About the Author

NeuVector delivers an application-aware container network security solution. The NeuVector containers deploy easily in minutes and discover running services and applications. A security policy is automatically created and updated when containers launch, scale up or scale down. NeuVector detects container threats, violations, and vulnerabilities.