Encrypted Tunnels with NGINX Plus Combined with NeuVector Run-Time Network Security Protect Business Critical Container Applications
NGINX is one of the top container downloads from Docker Hub, gaining widespread adoption. NGINX Plus adds enterprise-ready features offering even greater security, availability and manageability for production deployments of containers.
However, with the increase in east-west container-to-container traffic, which can cross hosts and even data center boundaries, additional network-layer visibility and security from NeuVector is also required. It’s always a pain when overlapping security features from different companies don’t work together, which is why we’ve integrated NGINX Plus security awareness into the NeuVector console. With this integration it’s easy to visualize which container connections use NGINX Plus security for encrypting container-to-container sessions. Other connections are monitored for threats and violations by NeuVector, and any attempt to bypass the NGINX Plus encrypted tunnel can be immediately detected by NeuVector.
To illustrate how this works, we set up a simple example of a web server tier behind the NGINX Plus load balancer, with a Redis datastore. The Node.js containers also have the NGINX Plus (N+) software built into them, so an encrypted tunnel can be created between the front-end NGINX Plus load balancer and each node. This is how the sample application looks.
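A minimal NGINX configuration for the two hops in this setup, added here as an illustration and not taken from the post or from NGINX or NeuVector documentation: the front-end NGINX Plus instance proxies to the nodes over TLS and verifies their certificates, and the NGINX Plus instance built into each Node.js container terminates that TLS and hands the request to the local Node.js process. Hostnames, ports, certificate paths and the internal CA are assumptions.

```nginx
# --- Front-end NGINX Plus load balancer (assumed file: /etc/nginx/conf.d/frontend.conf) ---
upstream nodes {
    server node1:8443;   # each node runs its own NGINX Plus on 8443 (assumed port)
    server node2:8443;
    server node3:8443;
}

server {
    listen 80;

    location / {
        # https:// is what makes the hop to the nodes an encrypted tunnel;
        # http:// here would produce exactly the unencrypted connection the console flags
        proxy_pass https://nodes;

        # verify the node's certificate against the internal CA so a rogue
        # container cannot impersonate a node
        proxy_ssl_trusted_certificate /etc/nginx/ssl/internal-ca.crt;
        proxy_ssl_verify        on;
        proxy_ssl_verify_depth  2;
        proxy_ssl_name          node.internal;   # name in the nodes' certificate (assumed)
        proxy_ssl_server_name   on;

        # present a client certificate so the node side can require it (mutual TLS)
        proxy_ssl_certificate     /etc/nginx/ssl/frontend.crt;
        proxy_ssl_certificate_key /etc/nginx/ssl/frontend.key;
        proxy_ssl_protocols       TLSv1.2 TLSv1.3;
        proxy_ssl_session_reuse   on;
    }
}

# --- NGINX Plus inside each Node.js container (assumed file: /etc/nginx/conf.d/node.conf) ---
server {
    listen 8443 ssl;
    ssl_certificate     /etc/nginx/ssl/node.crt;
    ssl_certificate_key /etc/nginx/ssl/node.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # accept only connections presenting a certificate signed by the internal CA,
    # i.e. the front-end load balancer
    ssl_client_certificate /etc/nginx/ssl/internal-ca.crt;
    ssl_verify_client      on;

    location / {
        # the Node.js app listens only on loopback, so plain HTTP never leaves the container
        proxy_pass http://127.0.0.1:3000;
    }
}
```

The node-to-Redis hop in the post's example has no equivalent here and stays unencrypted, which is why the console shows it without the tunnel marker.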
The NeuVector container can be deployed even on running applications, as is the case below. After deploying NeuVector and generating traffic through the application, the console will immediately display a visual map of the containers, applications, and network connections. NeuVector automatically recognizes which containers are secured by the NGINX Plus encrypted SSL tunnel and displays them. Note that in this example, the connections from the nodes to Redis are not using encrypted tunnels.
This visualization is useful for understanding application behavior as well as the security posture of containers. In the picture above, notice that there is a blue line representing an unencrypted connection between NGINX Plus and node1. If this is expected normal behavior, then NeuVector can allow these types of connections. Or if containers were locked down in Monitor or Protect mode, this connection would show up as a violation, with a red line indicator.
By deploying together, NGINX Plus and NeuVector are able to provide a layered security solution for protecting running containers. Not all connections may need to be encrypted by NGINX Plus. But if they are, it’s an added layer of security which can be visualized in the NeuVector console. For unencrypted connections, NeuVector provides the automated segmentation and deep packet inspection to determine if the connections should be allowed between application containers. NeuVector also provides threat detection and vulnerability scanning for running containers.
For more information on NGINX Plus please visit www.nginx.com