Docker container deployments bring new security concerns, even when deployed on VMs. In addition, getting adequate visibility and security for containers as they rapidly scale up or across hosts is virtually impossible without specialized tools. When containers run in a virtualized environment it can be difficult to keep track of application connections to determine whether these should be allowed or blocked. A layered security strategy should include both platform security as well as application security.
VMware has developed its container technology to promote simple and secure container deployments. vSphere Integrated Containers, commonly known as VIC, enables containers to run on a specialized vSphere container platform that allows customers to use their existing VMware tooling. The environment provides robust platform-level security for container deployments and leverages vSphere management and monitoring tools.
An application security layer can ensure that connections are inspected and analyzed for threats and violations that might otherwise bypass traditional network firewalls and segmentation. To provide this, the NeuVector container security platform is flexible enough to be deployed on a wide array of container platforms, including VIC. When deployed in a nested VIC environment, NeuVector can provide its flagship container security features to secure VIC-based applications. These include:
- Discovering hosts and containers and visually mapping containers running on VIC
- Inspecting container network connections and using behavioral learning to create the security policy
- Detecting and preventing violations and threats for containers utilizing layer 7 network inspection
- Running the Docker Bench for Security audit on VIC Docker hosts
- Scanning running containers in VIC for vulnerabilities
- Monitoring container and host processes and detecting privilege escalations and other suspicious processes
NeuVector provides several layers of runtime security for containers. In addition to application-layer network inspection, NeuVector also provides host security, compliance auditing, and vulnerability scanning. NeuVector has demonstrated these features in a deployment using the images and scripts provided by Ben Corrie at https://github.com/corrieb/bensdoings/tree/master/dind. By deploying several Debian hosts in a VIC environment and running sample applications on them, NeuVector was able to deploy its security containers to monitor and protect them.
Going forward, NeuVector will continue to work with VMware to provide enhanced application-layer security for VIC and Photon-based containers.