Talk at Docker Meetup Stuttgart, September 20th, 2017

1. DOCKER SECURITY
CONTINUOUS CONTAINER SECURITY
Container Threat Landscape &
Network Security
Dieter Reuter
dieter.reuter@bee42.com
@Quintus23M

2. Container Threat Landscape
North-South
East-West
Host
Containers Containers
Host
Ransomware
DDoS
Kernel ‘Dirty Cow’
Privilege Escalations
Breakouts
DNS AttacksApplication Attacks
Docker daemon attack
Port scanning
Virus injection
Data stealing
Lateral movement
XSS, SQL injection
Container phone home
Resource consumption
Heap corruption
Buffer overflow
Zero-day attacks
Malware
Unauthorized access
Image back doors

3. Continuous Container Security
Build Ship Run
Pre-Deployment Run-Time✓ Image
Signing, e.g.
Content Trust
✓ User Access
Controls, e.g.
Docker
Trusted
Registry
✓ Code
Analysis
✓ Container
Hardening
✓ Image
Scanning
✓ Host OS Security
✓ Kernel Security
✓ SELinux
✓ AppArmour
✓ Seccomp
✓ Access Controls
✓ Secrets Management
✓ Container
Network
Security
Inspect - Protect - Monitor - Scale

4. Security Rules Can’t Keep Up

5. Container Network Security
▪ Inspect Network
▪ Protect
- Containers
- Container Hosts
▪ Monitor & Visualize
▪ Automate & Scale

6. Inspect Network Traffic
▪ Best Security Detection Point
▪ North-South and East-West
▪ Container Connections and Packets
- Layer 7, Application Protocol and
Payload
▪ Traffic between Containers
- Intra-Host, Inter-Host
Challenge – Dynamic Workloads
Containers
Host

7. Protect Application Containers
▪ Detect Violations
▪ Detect Threats
- DDoS, XSS, DNS, SSL
▪ Scan for Vulnerabilities
▪ Respond
- Connection Blocking
- Container Quarantine
- Alert & Log
Challenge – Accuracy, False Positives
Containers
Host
Breakout
AttackPhone Home
Lateral Spread
Vulnerable
Container

8. Protect Container Hosts
▪ Implement Pre-Deployment Security
- Kernel, Docker Engine
▪ Scan for Vulnerabilities
▪ Detect Privilege Escalations
▪ Perform Security Auditing
- CIS Benchmark
Challenge – Real-Time Host Monitoring
Containers
Host
Vulnerable
Host
Host
Breakout

9. Monitor & Visualize
▪ Container Network Connections
▪ Application ‘Stacks’
▪ Security Policy and Violations
▪ Detailed Event Logging
▪ Packet Capture
Challenge – Large & Complex Deployments

10. Automate & Scale
▪ Security Must Be Container Native
- Integrated with Orchestration Platforms
- Compatible (Agnostic) to Network Overlays &
Plug-Ins
▪ Swarm, Flannel, Calico, Rancher, Weave, …
▪ Then Automate
- Security Policy, Visualization
▪ And Scale
- Constant Adaptation
Challenge – Rapid Network/Platform Evolution

11. Demo
▪ Deploy NeuVector onto running apps
▪ Discover application behaviour
▪ Auto-create security policy
▪ Detect violations
▪ Protect containers
▪ Scan for vulnerabilities

12. Demo: Micro-Segmentation
▪ App#1: 3 tier Node.js web application (5 containers)
▪ App#2: 2 tier WordPress application (2 containers)
- Automatic segmentation: Discover ! Monitor !
Protect
Host #2
NeuVectorEnforcer
(SecurityService )
Node .js #1
(webserver )
Node .js #2
(webserver )
Node .js #3
(webserver )
Host #1
NeuVectorAllInOne
(SecurityService )
Nginx
(LoadBalancer )
Redis
(DatabaseService )
Wordpress
(webserver )
MySQL
(DatabaseService )
ExternalorInternet

13. Continuous Container Security Reference
Build Ship Run
Pre-Deployment Run-Time✓ Image
Signing, e.g.
Content Trust
✓ User Access
Controls, e.g.
Docker
Trusted
Registry
✓ Code
Analysis
✓ Container
Hardening
✓ Image
Scanning
✓ Host OS Security
✓ CIS Benchmark
✓ Kernel security
✓ SELinux
✓ AppArmour
✓ Seccomp
✓ Secure Docker Engine
✓ Access Controls
✓ Secrets Management
✓ TLS Encryption
✓ Auditing w/ Docker
Bench
✓ Orchestration –
Network, Security,
Containers
✓ Network Inspection &
Visualization
✓ Run-Time Vulnerability
Scanning
✓ Process Monitoring
✓ Threat Detection
✓ Privilege Escalation Detection
✓ Container Quarantine
✓ Layer 7-based Application
Isolation
✓ Packet Capture & Event
Logging
Container Security
GUIDE

14. THANK YOU
For more information contact me
via Email dieter.reuter@bee42.com, or Twitter @Quintus23M
Slides kindly borrowed from https://neuvector.com