NeuVector is serious about container security. Modern businesses that deploy container infrastructures need to ensure that they can maintain a high level of security, provide speed and agility for DevOps teams, and meet compliance requirements. NeuVector is the solution of choice to manage Kubernetes security risks and block threats.
Network Inspection + Container Firewall: The Key to Production-grade Security
Deep network visibility is the most critical part of run-time container security. In traditional perimeter-based security, administrators deploy firewalls to quarantine or block attacks before they reach the workload. Inspecting container network traffic reveals how an application communicates with other applications and it’s the only place that can stop attacks before they reach the application or workload. It’s also the last chance to prevent data breaches by exploited applications which send data out over the network. Proper network controls will limit the ‘blast radius’ of an attack.
This additional layer of protection surpasses other available container security solutions. Rather than relying on static diagrams derived from the deployment manifests of container services, or from the open ports and syscalls observed at run-time, NeuVector analyzes the real network traffic in real time as it is filtered and inspected, instead of guessing at network connections. NeuVector’s patented technology is the only solution to deliver production-grade container security with the following attributes:
- Perform Deep Packet Inspection (DPI)
NeuVector applies DPI to identify attacks, detect sensitive data, or verify application access to further reduce the attack surface. Only network layer analysis enables security to detect and verify the allowed protocols, helping security teams enforce business policy.
- Deliver real-time protection with the industry’s only Container Firewall
NeuVector’s container firewall provides inspection, segmentation, and protection of all traffic into and out of a container. This includes container-to-container traffic as well as ingress from external sources to containers, and egress from containers to external applications and the internet. Our Layer 7 container firewall protects your applications from internal application-level attacks such as DDoS and DNS-based attacks.
- Monitor ‘East-west’ and ‘North-south’ container traffic
Microservices and containers dramatically increase internal East-West traffic in a data center. Without application-aware container network security, an attacker can exploit containers once inside a data center. NeuVector detects and displays real-time connection info for all container traffic, internal, ingress and egress.
- Capture Packets for Debugging and Threat Investigation
NeuVector makes it easy to view summary connection data and drill down into actual packet details for each container, even as they scale up and down. When a threat is detected, NeuVector will automatically capture and display the packet info, making it easy to investigate.
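To make the DPI points above concrete (verifying that the protocol on a port is the one the policy allows, and detecting sensitive data such as card numbers in outbound payloads), here is an added example. It is illustrative code written for this page, not NeuVector's engine or rule format; the port-to-protocol table, the sample payloads and the `inspect` verdict shape are constructed assumptions.

```python
import re

# Constructed illustration of protocol verification plus egress sensitive-data detection.
# Not NeuVector's engine or rule format; the policy table and payloads are assumptions.

# Hypothetical policy: the application protocol expected on each destination port.
EXPECTED_PROTOCOL = {80: "http", 443: "tls"}

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")
# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
CARD_RE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for structurally valid payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(payload: bytes) -> list:
    """Return Luhn-valid card-number-like strings found in a payload, separators stripped."""
    found = []
    for m in CARD_RE.finditer(payload):
        digits = m.group(0).replace(b" ", b"").replace(b"-", b"").decode()
        if luhn_valid(digits):
            found.append(digits)
    return found


def classify_protocol(payload: bytes) -> str:
    """Identify the application protocol from the leading bytes (HTTP request line or TLS record header)."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"  # TLS handshake record, major version byte 3
    return "unknown"


def inspect(direction: str, dst_port: int, payload: bytes) -> dict:
    """Apply protocol verification and, on egress, sensitive-data detection.

    direction is "ingress" or "egress" relative to the protected container.
    Returns a verdict with the protocol seen, the action, and the reason.
    """
    proto = classify_protocol(payload)
    expected = EXPECTED_PROTOCOL.get(dst_port)
    if expected is not None and proto != expected:
        return {"protocol": proto, "action": "block",
                "reason": f"port {dst_port} expects {expected}, saw {proto}"}
    if direction == "egress":
        pans = find_card_numbers(payload)
        if pans:
            return {"protocol": proto, "action": "block",
                    "reason": f"{len(pans)} card number(s) in outbound payload"}
    return {"protocol": proto, "action": "allow", "reason": "policy match"}


if __name__ == "__main__":
    # Constructed sample payloads: a clean request, an outbound leak, and non-HTTP bytes on port 80.
    clean = b"GET /health HTTP/1.1\r\nHost: api\r\n\r\n"
    leak = b"POST /export HTTP/1.1\r\nHost: evil\r\n\r\ncard=4111-1111-1111-1111&id=1234567890123456"
    raw = b"\x00\x01\x02not-http"
    for name, direction, port, payload in [("clean", "ingress", 80, clean),
                                            ("leak", "egress", 80, leak),
                                            ("raw", "ingress", 80, raw)]:
        print(name, inspect(direction, port, payload))
```

The Luhn filter matters in practice: without it, any 16-digit identifier (order numbers, timestamps) would trigger the egress rule and the team would tune the detector off. The protocol check is what a Layer 7 firewall adds over a port-based one: bytes that are not HTTP are blocked on port 80 regardless of which workload sent them.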
End-to-end Container Security for Known and Unknown Vulnerabilities
NeuVector is the only Kubernetes-native container security solution that offers a comprehensive risk profile of known vulnerabilities and delivers immediate protection from both known and unknown vulnerabilities.
Serious container security starts with complete vulnerability management. NeuVector continuously assesses vulnerabilities throughout the container lifecycle. However, not every CVE has a patch available. You have applications that need to be pushed to production. How do you evaluate the risk/benefit? With NeuVector, you can deploy your apps at DevOps speed and stay secure.
- Attain 360-degree visibility across the container lifecycle with an unparalleled combination of profiling and protection
- Block known and unknown threats from Day 1 with unique virtual patch capability that stops anomalous behavior before it impacts your business.
- Protect your data from zero days and insider threats with the industry’s only Layer 7 firewall and deep packet inspection that enables inline blocking on production applications.
- Increase protection and save time.
Security as Code
Enforcing security and compliance requirements in modern cloud-native pipelines can be a challenge. The increased attack surface of container infrastructures makes security even more important, but security and DevOps teams can’t afford to slow the pipeline with manual processes. NeuVector starts from the ‘left-side’ of development with vulnerability and compliance scanning then progresses to the right with real-time network, container, and host protections.
- Automate the creation of security policies to protect application workloads in production. Run-time security policies, especially firewall rules, have up to now largely required manual configuration in legacy data center-based infrastructures.
- Deploy Security as Code. Automate and maintain run-time security policies using Kubernetes custom resource definitions (CRDs)
- Declare an application security policy at any stage in the pipeline
- Enforce global security policies across multiple Kubernetes clusters using CRDs.
- Employ behavioral learning to learn and characterize an application’s behavior and automatically draft a security policy CRD. Dev, DevOps and Security teams can review and edit the CRD as needed and check it into the change management system before it is deployed into production.
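The learn, review, then enforce workflow described in the list above, as an added example that is not part of the original page and not NeuVector's own code: connections seen during a discovery phase are turned into a per-workload ingress allowlist, the allowlist is rendered as a declarative document a team can review and commit, and new connections are then evaluated in a monitor mode (alert only) or a protect mode (default deny). The observed connections, the `Conn` fields and the document shape are constructed assumptions; the shape is not NeuVector's CRD schema.

```python
import json
from dataclasses import dataclass

# Constructed illustration of learn -> review -> enforce. The rendered document shape
# is hypothetical and is not NeuVector's CRD schema.


@dataclass(frozen=True)
class Conn:
    src: str    # source workload, e.g. "frontend"
    dst: str    # destination workload
    port: int
    proto: str  # application protocol identified on the wire


# Connections observed during the learning (discovery) phase; constructed for this example.
OBSERVED = [
    Conn("frontend", "api", 8080, "http"),
    Conn("frontend", "api", 8080, "http"),
    Conn("api", "db", 5432, "postgresql"),
    Conn("api", "cache", 6379, "redis"),
]


def learn_policy(conns) -> dict:
    """Build a per-workload ingress allowlist from observed connections (anything else is denied)."""
    policy = {}
    for c in conns:
        policy.setdefault(c.dst, set()).add((c.src, c.port, c.proto))
    return policy


def evaluate(policy: dict, conn: Conn, mode: str = "protect") -> str:
    """Decide what to do with a connection against the learned allowlist.

    "protect" denies anything not in the allowlist; "monitor" only raises an alert,
    which is how a team validates a drafted policy before switching to enforcement.
    """
    allowed = policy.get(conn.dst, set())
    if (conn.src, conn.port, conn.proto) in allowed:
        return "allow"
    return "deny" if mode == "protect" else "alert"


def to_document(policy: dict) -> dict:
    """Render the allowlist as a sorted, declarative document suitable for review and version control."""
    return {
        "rules": [
            {
                "target": dst,
                "ingress": [
                    {"from": src, "port": port, "protocol": proto}
                    for src, port, proto in sorted(rules)
                ],
            }
            for dst, rules in sorted(policy.items())
        ]
    }


if __name__ == "__main__":
    policy = learn_policy(OBSERVED)
    print(json.dumps(to_document(policy), indent=2))  # what a reviewer would see in the change request
    # A connection never observed in learning: the frontend talking to the database directly.
    lateral = Conn("frontend", "db", 5432, "postgresql")
    print("monitor:", evaluate(policy, lateral, mode="monitor"))
    print("protect:", evaluate(policy, lateral, mode="protect"))
```

The allowlist is keyed on protocol as well as source and port, so a connection that reuses an allowed port with a different application protocol (for example SSH on the database port) is still denied; that is the east-west blast-radius limit the earlier section describes, expressed as reviewable policy rather than hand-written firewall rules.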
Compliance is a critical concern as organizations move to Kubernetes and new cloud infrastructures. What was straightforward in perimeter-based network security becomes more complex in modern, hybrid environments.
NeuVector’s Kubernetes security solution offers the detection capabilities and security policy enforcement that prevent PHI and PII exposure, exceed requirements, and simplify reporting for PCI-DSS, GDPR, HIPAA and more.
- Track critical vulnerabilities and compliance violations, and quickly identify any that require immediate patching or follow-up alerts.
- Scan and inspect images and containers for embedded secrets.
- Manage vulnerability and compliance scan results, with no required integration to external workflow tools.
- Track dates, status, and other metadata to accelerate DevOps by organizing, prioritizing, and following up on image and run-time scan results.
- Detect threats, block attacks, and capture forensic network data with patented network segmentation and the industry’s only container firewall that enforces strict PCI requirements in a cloud-native containerized environment.
Figure: Example of a well-contained CDE (cardholder data environment) within a containerized environment