Audit, Scan, and Segment Running Containers & Hosts
NeuVector provides auditing and container compliance features to assist with security compliance. All running containers and host OSes are automatically scanned for vulnerabilities and checked against the Docker Bench for Security tests. Network controls and firewall capabilities help to meet container compliance requirements for segmentation and isolation of critical systems.
Audits host and container security with the Docker Bench for Security tests
Implements network monitoring and firewall features to segment and isolate critical applications
Assists with PCI compliance for Docker containers.
Automated Auditing with Docker Bench for Security
The Docker Bench for Security checks for dozens of common best-practices around deploying Docker containers in production. It is open source and based on the CIS Docker 1.13 Benchmark. NeuVector automatically runs this audit on all Docker hosts and containers and produces a list of test results.
NeuVector also tests for compliance on the 100+ recommendations in the Kubernetes 1.6 CIS Benchmark for security. These test tools have been released as open source by NeuVector to help ensure secure Kubernetes deployments.
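To make concrete what a benchmark audit of this kind actually evaluates, here is an added example (not NeuVector's code and not the Docker Bench for Security script itself) that runs a handful of CIS-Docker-style checks over records shaped like `docker inspect` output plus a `daemon.json`-style map. The two container records and the daemon config are constructed sample data, and the check labels are this example's own names rather than official benchmark IDs.

```python
"""Minimal Docker-Bench-style audit over container and daemon configuration.

Added example, not NeuVector's or Docker Bench's code. Each check returns a
Finding with PASS/WARN so the result can be listed per host and container, as
the auditing feature described above does. Sample data below is constructed.
"""
from dataclasses import dataclass
from typing import List

# Host paths whose bind-mount into a container effectively hands over the host.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/proc", "/sys", "/boot", "/var/run/docker.sock"}


@dataclass(frozen=True)
class Finding:
    subject: str   # container name or "docker-daemon"
    check: str     # check label (this example's own naming)
    status: str    # "PASS" or "WARN"
    detail: str    # the observed value that drove the verdict


def _bind_sources(host_config: dict) -> List[str]:
    # Binds look like "/host/path:/container/path[:options]"; keep the host side.
    return [b.split(":", 1)[0] for b in (host_config.get("Binds") or [])]


def audit_container(record: dict) -> List[Finding]:
    """Evaluate one `docker inspect`-shaped record against container hardening checks."""
    name = record["Name"].lstrip("/")
    hc = record.get("HostConfig") or {}
    findings: List[Finding] = []

    def check(label: str, ok: bool, detail: str) -> None:
        findings.append(Finding(name, label, "PASS" if ok else "WARN", detail))

    privileged = bool(hc.get("Privileged"))
    check("privileged-container", not privileged, f"Privileged={privileged}")
    cap_add = hc.get("CapAdd") or []
    check("added-capabilities", not cap_add, f"CapAdd={cap_add}")
    bad = [p for p in _bind_sources(hc) if p in SENSITIVE_HOST_PATHS]
    check("sensitive-host-mounts", not bad, f"sensitive binds={bad}")
    mode = hc.get("NetworkMode")
    check("host-network-namespace", mode != "host", f"NetworkMode={mode}")
    mem = hc.get("Memory") or 0
    check("memory-limit-set", mem > 0, f"Memory={mem}")
    sec = hc.get("SecurityOpt") or []
    nnp = any(o.startswith("no-new-privileges") for o in sec)
    check("no-new-privileges", nnp, f"SecurityOpt={sec}")
    return findings


def audit_daemon(config: dict) -> List[Finding]:
    """Evaluate daemon.json-style settings (icc defaults to true when absent)."""
    out: List[Finding] = []

    def check(label: str, ok: bool, detail: str) -> None:
        out.append(Finding("docker-daemon", label, "PASS" if ok else "WARN", detail))

    icc = config.get("icc", True)
    check("inter-container-communication-off", icc is False, f"icc={icc}")
    live = config.get("live-restore", False)
    check("live-restore-enabled", live is True, f"live-restore={live}")
    return out


def run_audit(records: List[dict], daemon_config: dict) -> List[Finding]:
    findings = audit_daemon(daemon_config)
    for rec in records:
        findings.extend(audit_container(rec))
    return findings


def warnings(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.status == "WARN"]


# Constructed sample input: one hardened service and one risky legacy job.
SAMPLE_CONTAINERS = [
    {"Name": "/payments-api",
     "HostConfig": {"Privileged": False, "CapAdd": None,
                    "Binds": ["/srv/payments/config:/etc/app:ro"],
                    "NetworkMode": "bridge", "Memory": 268435456,
                    "SecurityOpt": ["no-new-privileges"]}},
    {"Name": "/legacy-batch",
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"],
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/etc:/host-etc"],
                    "NetworkMode": "host", "Memory": 0, "SecurityOpt": None}},
]
SAMPLE_DAEMON = {"live-restore": True}   # icc left at its default (true)

if __name__ == "__main__":
    for f in run_audit(SAMPLE_CONTAINERS, SAMPLE_DAEMON):
        print(f"{f.status:4} {f.subject:14} {f.check:36} {f.detail}")
```

With the constructed data the hardened service passes every check, the legacy job fails all six container checks, and the daemon is flagged only for leaving inter-container communication enabled. Real audits read the records from `docker inspect` and the daemon config file; the scoring logic is the same.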
Automatically Scan All Running Containers & Hosts
All running containers and host OSes are automatically scanned for vulnerabilities. The scanning tasks are distributed across Enforcers for real-time, highly scalable image vulnerability analysis.
Scans running containers and hosts for vulnerabilities, catching vulnerable images that reach production through a 'back door'
Scales to hundreds or thousands of live containers with a highly available, distributed architecture
Identifies high-priority vulnerabilities from CVE databases and also includes application-specific vulnerabilities not found in CVE databases.
Implement Network Controls and Firewall Features
NeuVector provides a distributed firewall that segments and isolates workloads based on L3/4 and Layer 7 application protocols. The policy is a zero-trust, whitelist-based rule list that allows trusted connections between application containers, regardless of the underlying network, host, or data center. Unauthorized connections between containers or from/to external networks are logged and can be blocked if desired, without impacting valid connections to a container.
Behavioral learning and real-time application protocol inspection enable NeuVector to scale without the common problems associated with firewall rule and iptables maintenance.
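The following added example (not NeuVector's code) models the whitelist policy described above so the behaviour is easy to inspect: rules are written against workload identity rather than IP addresses, a default-deny covers everything not listed, each rule can pin the Layer 7 protocol in addition to port and transport, and a "monitor" versus "protect" mode decides whether a violation is only logged or also blocked. The service map, rules and connection events are constructed sample data; the L7 protocol on each event is assumed to have been identified already by packet inspection.

```python
"""Zero-trust, whitelist-based connection policy between container services.

Added example, not NeuVector's code. It models the firewall behaviour in the
text: allow-list rules on workload identity, L3/4 plus L7 matching, logging of
every violation, and blocking only when the policy runs in "protect" mode.
All services, rules and events below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str                 # workload identity, or "external" for anything unmapped
    dst: str
    port: int
    proto: str               # transport: "tcp" or "udp"
    app: Optional[str] = None  # L7 protocol required by the rule; None means any


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    app: str                 # L7 protocol as identified by inspection (assumed input)


@dataclass(frozen=True)
class Verdict:
    action: str              # "allow", "log" (violation, passed), "block" (violation, dropped)
    rule: Optional[Rule]
    reason: str


class ServiceMap:
    """Map container IPs to workload identity so rules survive rescheduling and scaling."""

    def __init__(self, mapping: Dict[str, str]):
        self._by_ip = dict(mapping)

    def identify(self, ip: str) -> str:
        return self._by_ip.get(ip, "external")


class Policy:
    def __init__(self, rules: List[Rule], smap: ServiceMap, mode: str = "monitor"):
        if mode not in ("monitor", "protect"):
            raise ValueError("mode must be 'monitor' or 'protect'")
        self.rules = list(rules)
        self.smap = smap
        self.mode = mode
        self.violations: List[Tuple[str, str]] = []   # (action, reason) audit trail

    def evaluate(self, conn: Connection) -> Verdict:
        src = self.smap.identify(conn.src_ip)
        dst = self.smap.identify(conn.dst_ip)
        key = (src, dst, conn.dst_port, conn.proto.lower())
        desc = f"{src}->{dst}:{conn.dst_port}/{conn.proto.lower()} app={conn.app}"
        for r in self.rules:
            if (r.src, r.dst, r.port, r.proto) == key and (r.app is None or r.app == conn.app):
                return Verdict("allow", r, f"{desc} matched whitelist")
        # Default deny: nothing matched, so this is a violation in either mode.
        action = "block" if self.mode == "protect" else "log"
        self.violations.append((action, desc))
        return Verdict(action, None, f"{desc} not whitelisted")


# Constructed sample environment: two web replicas, an API tier and a database.
SERVICES = ServiceMap({"10.0.1.10": "web", "10.0.1.11": "web",
                       "10.0.2.20": "api", "10.0.3.30": "db"})
RULES = [
    Rule("external", "web", 8080, "tcp", "HTTP"),
    Rule("web", "api", 8000, "tcp", "HTTP"),
    Rule("api", "db", 5432, "tcp", "PostgreSQL"),
]
EVENTS = [
    Connection("203.0.113.5", "10.0.1.10", 8080, "tcp", "HTTP"),         # ingress to web
    Connection("10.0.1.11", "10.0.2.20", 8000, "TCP", "HTTP"),           # second replica, same identity
    Connection("10.0.1.10", "10.0.3.30", 5432, "tcp", "PostgreSQL"),     # web skipping the API tier
    Connection("10.0.2.20", "10.0.3.30", 5432, "tcp", "MySQL"),          # right port, wrong L7 protocol
    Connection("10.0.3.30", "198.51.100.7", 443, "tcp", "SSL"),          # database egress to the internet
]


def run_sample(mode: str) -> List[str]:
    """Evaluate the constructed events under the given mode and return the actions."""
    policy = Policy(RULES, SERVICES, mode)
    return [policy.evaluate(e).action for e in EVENTS]


if __name__ == "__main__":
    for mode in ("monitor", "protect"):
        policy = Policy(RULES, SERVICES, mode)
        print(f"--- {mode} mode ---")
        for e in EVENTS:
            v = policy.evaluate(e)
            print(f"{v.action:5} {v.reason}")
```

Two details are worth noting. The second web replica is allowed without any rule change because matching is on identity, not address, which is what lets the policy hold "regardless of the underlying network, host, or data center". And the api-to-db event fails even though its port and transport are whitelisted, because the L7 protocol seen on the wire is not the one the rule requires; port-only filtering would have let it through.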
Achieve PCI Compliance for Docker Containers
The NeuVector container security solution provides a number of features which can help organizations with their PCI compliance efforts. Below is a sample of specific PCI requirements. This is not meant to be a complete list of container compliance requirements and controls, but it highlights the areas of network controls, host and Docker configuration, vulnerability scanning and application isolation.
1.2/1.3 Build firewall and router configurations that restrict connections between untrusted networks… NeuVector provides a distributed firewall which provides isolation based on L3/4 and Layer 7 application protocols. All unauthorized connections are dropped.
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities… NeuVector automatically tests hosts and container configurations against industry standard security benchmarks such as the Docker Bench, and scans running hosts and containers for vulnerabilities.
2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. The general intent of this requirement is to prevent one compromised application from infecting another. NeuVector addresses this with host and container privilege escalation detection and application layer container isolation to prevent unauthorized connections between containers.