Scanning, Auditing and Compliance
Continuous Scanning, Auditing & Container Compliance
Full Life-Cycle Vulnerability Scanning, Network Controls with Container DLP, and CIS Benchmark Testing to Assist with Container Compliance
Audit, Scan, and Segment Containers & Hosts
NeuVector delivers a complete security platform for the entire Build, Ship, and Run CI/CD pipeline. Blazing-fast vulnerability scanning can be automated during the image build phase with our Jenkins plugin and registry scanning, and scan results can be used in admission control rules. Auditing and container compliance are supported with automated CIS security benchmark testing and vulnerability scanning of all production systems and containers. Network controls and firewall capabilities with Container DLP help meet container compliance requirements for segmentation and isolation of critical systems. Risk reports and scores help assess and reduce the risk of attack.
- Enforces end-to-end vulnerability management and policies
- Implements network monitoring and firewall features to segment and isolate critical applications
- Enables and enforces PCI compliance for containers
Automated Auditing with Kubernetes & Docker CIS Benchmarks
The Kubernetes and Docker CIS security benchmarks check dozens of common best practices for deploying Docker containers in production. NeuVector automatically runs these tests on all Docker hosts and containers and produces a comprehensive report of the results. NeuVector has released its Kubernetes CIS benchmark implementation as open source to help the community ensure secure Kubernetes deployments.
End-to-End Scanning & Vulnerability Management for Containers
NeuVector provides the industry’s fastest vulnerability detection and management throughout the CI/CD pipeline. The Jenkins plug-in enables policy-based build success/failure criteria, preventing vulnerabilities from being introduced into registries. As a further safeguard, all major registries, such as AWS ECR, Docker, Red Hat/OpenShift, Azure ACR, and JFrog Artifactory, can be monitored and auto-scanned. Running containers and host OSes are also automatically scanned for vulnerabilities, and containers can be auto-quarantined based on vulnerability criteria.
- Integrate and automate scanning with the Jenkins plug-in and registry scanning
- Prevent deployment of vulnerable images with admission control
- Scan running containers and hosts for vulnerabilities, catching vulnerable images that bypassed the pipeline (‘back-door’ images)
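The gating described above (a scan verdict turned into a build pass/fail or an admission decision) comes down to a policy evaluated over a list of findings. The following is an added illustration, not NeuVector's code or API: the finding and policy structures, the hypothetical `evaluate_image` function, the placeholder CVE ids and versions are all constructed here. The only real shape is the Kubernetes `AdmissionReview` v1 response that a validating webhook returns.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Ordering used to compare a finding against the policy threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One vulnerability reported by a scanner for an image layer package."""
    cve_id: str
    severity: str
    package: str
    fixed_version: Optional[str] = None  # None = no fix published yet


@dataclass(frozen=True)
class GatePolicy:
    """Hypothetical gate policy; field names are this example's own."""
    block_severity: str = "high"            # block at or above this severity
    fixable_only: bool = True               # ignore findings with no fix available
    allowlist: frozenset = frozenset()      # CVE ids accepted via risk exception


@dataclass
class GateDecision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate_image(findings: List[Finding], policy: GatePolicy) -> GateDecision:
    """Return allow/deny plus the findings that caused a denial."""
    threshold = SEVERITY_RANK[policy.block_severity]
    reasons = []
    for f in findings:
        if f.cve_id in policy.allowlist:
            continue  # explicitly accepted by an exception
        if SEVERITY_RANK[f.severity] < threshold:
            continue  # below the blocking threshold
        if policy.fixable_only and not f.fixed_version:
            continue  # unfixable findings are reported elsewhere, not blocked on
        fix = f", fixed in {f.fixed_version}" if f.fixed_version else ""
        reasons.append(f"{f.cve_id} ({f.severity}) in {f.package}{fix}")
    return GateDecision(allowed=not reasons, reasons=reasons)


def admission_response(request_uid: str, image: str, decision: GateDecision) -> dict:
    """Wrap a decision in an AdmissionReview v1 response (the Kubernetes API shape)."""
    response = {"uid": request_uid, "allowed": decision.allowed}
    if not decision.allowed:
        response["status"] = {
            "code": 403,
            "message": f"image {image} rejected: " + "; ".join(decision.reasons),
        }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed sample scan output; CVE ids and versions are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "critical", "openssl", "1.1.1x"),
    Finding("CVE-0000-0002", "high", "libxml2", None),
    Finding("CVE-0000-0003", "medium", "curl", "7.88.1"),
]

if __name__ == "__main__":
    decision = evaluate_image(SAMPLE_FINDINGS, GatePolicy())
    print(admission_response("uid-1", "registry.example/app:1.0", decision))
```

With the default policy only the fixable critical finding blocks; setting `fixable_only=False` also counts the unfixable high finding, and adding the critical CVE to `allowlist` lets the image through. The same `evaluate_image` result can drive a Jenkins stage failure or a webhook denial, which is the point of reusing build-time scan results in admission control.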
Implement Network Controls and Firewall Features
NeuVector provides a distributed, multi-vector container firewall that segments and isolates workloads based on Layer 3/4 and Layer 7 application protocols. The policy is a zero-trust, whitelist-based rule list that allows only trusted connections between application containers, regardless of the underlying network, host, or data center. Unauthorized connections between containers or to/from external networks are logged and can be blocked if desired, without impacting valid connections to a container.
Behavioral learning and real-time application protocol inspection enable NeuVector to scale without the common problems associated with firewall rule and iptables maintenance.
Review and Reduce Container Security Run-Time Risk
Risk scores and reports help container security teams better assess the security posture of deployed services in production. Widgets and downloadable reports provide security risk scores for the most critical run-time attack risks: network-based attacks (east-west attacks and ingress/egress connections) and damaging vulnerability exploits in containers.
- Review overall and individual risk scores for vulnerability exploits and network attacks, complete with advice on how to improve the score
- Generate PDF risk reports, security incident details, and vulnerability scan results
- Evaluate all application protocols, including network usage per protocol in gigabytes
Achieve PCI Compliance for Docker Containers
NeuVector is the ONLY container security solution which can enforce the strict firewall and segmentation requirements of PCI in a cloud-native containerized environment. With Container DLP, NeuVector detects credit card PAN data in network payloads to help enforce data privacy and compliance. Other requirements such as vulnerability scanning and exploit detection are also supported by the NeuVector Multi-Vector container security platform. Below is a sample of specific PCI requirements.
- 1.2/1.3 Build firewall and router configurations that restrict connections between untrusted networks… NeuVector provides a distributed firewall which provides isolation based on Layer 3/4 and Layer 7 application protocols. All unauthorized connections are dropped.
- 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities… NeuVector automatically tests host and container configurations against industry-standard security benchmarks such as the Docker Bench, and scans running hosts and containers for vulnerabilities.
- 2.2.1 Implement only one primary function per server to prevent functions that require different security levels from coexisting on the same server. The general intent of this requirement is to prevent one compromised application from infecting another. NeuVector addresses this with host and container privilege escalation detection and application-layer container isolation to prevent unauthorized connections between containers.
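The Container DLP capability mentioned above, detecting credit card PAN data in network payloads, rests on a well-known check: find runs of 13 to 19 digits (optionally separated by spaces or dashes) and keep only those that pass the Luhn checksum, which filters out order numbers and other digit strings. The code below is an added example of that detection logic, not NeuVector's implementation; the `inspect_payload` function, its allow/block verdict and the sample HTTP body are all constructed for this illustration. Matches are reported masked (first six and last four digits) so the detector's own logs never become a PAN store.

```python
import re
from dataclasses import dataclass, field
from typing import List

# 13 to 19 digits, each optionally followed by a space or dash, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9, sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six (issuer) and last four digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN candidate in text, separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


@dataclass
class DlpVerdict:
    action: str                                   # "allow" or "block"
    masked_pans: List[str] = field(default_factory=list)


def inspect_payload(raw: bytes, block_on_match: bool = True) -> DlpVerdict:
    """Hypothetical DLP hook: decode a captured payload, look for PANs, decide allow/block.

    In monitor mode (block_on_match=False) matches are still reported, just not blocked.
    """
    text = raw.decode("utf-8", errors="replace")
    masked = [mask_pan(p) for p in find_pans(text)]
    if masked and block_on_match:
        return DlpVerdict("block", masked)
    return DlpVerdict("allow", masked)


# Constructed sample payload: one Luhn-valid test card number next to a 16-digit order number
# that fails Luhn and must not be reported.
SAMPLE_HTTP_BODY = (
    b"POST /checkout HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"card=4111 1111 1111 1111&order=1234567890123456&amount=1999"
)

if __name__ == "__main__":
    print(inspect_payload(SAMPLE_HTTP_BODY))
    print(inspect_payload(b"GET /health HTTP/1.1\r\n\r\n"))
```

Running it on the sample body yields a `block` verdict with the single masked number `411111******1111`; the order number is a candidate by length but fails Luhn, and the health-check request is allowed. A production inspector would run this over reassembled Layer 7 payloads rather than raw bytes, and would pair it with the segmentation policy so that a detected PAN leaving the cardholder-data environment is logged and, in protect mode, dropped.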