DOCKERSECURITY

Fernando Montenegro, CISSP -

Ricardo Gerardi -

@fsmontenegro

@ricardogerardi

TASK Jan 27, 2016

WHY ARE WE HERE?Google Trends: "Microservices"

Google Trends: "Docker"

Google Trends: "Kubernetes"

MICROSERVICES?

(Source: F5)

MICROSERVICES"Many development teams have found the microservices

architectural style to be a superior approach to amonolithic architecture. But other teams have found them

to be a productivity-sapping burden. Like any architecturalstyle, microservices bring costs and bene�ts. To make asensible choice you have to understand these and apply

them to your speci�c context.""Martin Fowler ( )http://martinfowler.com/articles/microservice-trade-o�s.html

SIGNIFICANT BENEFITSSupport CI/CD practicesEasier to achieve scaleOperational bene�ts of "DevOps"

DATADOG CONTAINER SURVEY( )https://www.datadoghq.com/docker-adoption/

Two schools of thought:

Containers as up&down microservicesContainers as "lightweight servers" that stay up

WHAT WE FOUND

ABOUT US - FERNANDO@fsmontenegro

Sales EngineerOnline FraudNetwork Security

CompSci ’94Greying hair Curious

Finance (DIY)Economics (EMH, Behaviour)Data Science (Coursera)

ABOUT US - RICARDO@ricardogerardi

Senior IT ConsultantNetworkManagement/Monitoring

IBM Netcool Certi�edUncerti�ed father (2x)Interests

Linux/UNIXEmerging technologiesData Science

DOCKER INTRO

WHAT IS DOCKER?DOCKER, THE PLATFORM

Docker is a container based platform used to packageand run applications in a variety of systems

DOCKER, THE COMPANYDocker Inc. (https://www.docker.com/company)

SOFTWARE PACKAGE ANDDISTRIBUTION CHALLENGEOLD WAY - HOSTED APPLICATIONS

VIRTUAL MACHINES

ENTER THE CONTAINER

WHY DOCKER?Linux containers

Around for a long time (Open VZ, LXC, etc)Not very "friendly"

Docker streamlines the process and makes it very easyto create and use containers

Speed (Development/Scalability)PortabilityDriver to DevOps and Microservices

WHAT DO YOU NEED TO RUNDOCKER?

Recent Linux Kernel (3.8+)NamespacescGroups

Network connection

DOCKER ARCHITECTURE IN ANUTSHELL

Source: https://www.docker.com/what-docker

Source: https://docs.docker.com/engine/introduction/understanding-docker/

DOCKER DEMO

DOCKERSECURITY

FIRST THINGS FIRST...Containers vs. VMs?

Containers not as isolated as VMs.but much more isolated than processes...cgroups & namespaces

Containers are OS-dependant.

Containers for multi-tenancy? Not so fast...

Containers & VMs :-)

SECURITY FOR DOCKERHow to secure the Docker "pipeline"

How to secure Docker containers themselves

SECURITY FOR DOCKER IMAGESSecure Registry/Mirror AccessGetting trustworthy images

trusted sources - docker hub, private registrybuilding secureDocker Content Trust (1.8) [Notary]

"only signed content in production"Yubico Keys

DOCKER'S PROJECT NAUTILUSDocker securing images on DockerHubImage securityComponent inventory/license managementImage optimizationBasic functional testing

CLAIR BY COREOSSecurity scanning of images -

Available on QuaySecurity Scanning Beta -

https://coreos.com/blog/vulnerability-analysis-for-containers/

https://blog.quay.io/security-scanning-beta/

OTHER CONSIDERATIONSContainers are stateless

Can mount additional volumesHow to do Secrets Management?

ENV variables - not recommendedKey/Value Pair solutions

Embedded in orchestration ( )Vault & Keywhiz

KubernetesCustom solutions

SECURITY FROM DOCKERHow to contain Docker & containers?

NAMESPACES & CGROUPSPID – process isolationNetwork – NICs, IPs, routing tabes et al.UTS – hostnamesMount – �lesystem layouts/ propertiesIPC – interprocess communication

User – users ("root" != root)

Control groups: resource utilization (RAM, swap, CPU,IO, controls)

ADDITIONAL FEATUREScapabilities - add or drop capabilitiesseccomp - �ltering of system callsnetwork isolation via iptables

limit inter-container communication

SECURITY BY DOCKERLeveraging Docker features for security

LEVERAGING DOCKER FOR SECURITYmicroservice -> reduced attack surfaceenforce content trust to protect productionr/o FileSystemsdrop capabilities when possibleseccomp - �ltering system callsjournaled changes

OPERATIONSAND ECOSYSTEM

WHERE TO DEPLOY DOCKER?ON PREMISESBaremetal (on Linux)Virtual MachinesIaaS, OpenStack, etc

PUBLIC CLOUD PROVIDERS

PAAS PROVIDERS

ORCHESTRATION /SCHEDULING

NETWORKINGBASIC NETWORKING

OVERLAY NETWORKING

MONITORINGCHALLENGES

Scalability (100s of containers in a single host)Host Monitoring x Container MonitoringContainer instrumentation (1 process/containerphilosophy)API instability

CONTAINER MONITORING SOLUTIONS

Sysdig CloudWeaveworksNew relic

Google cAdvisor

CONTAINER LOG MANAGEMENTELK StackSplunk

WRAPPING UP

LOOKING AT THE FUTURE

Containers exist in a continuum of options.

Unikernels

one degree furthercompile kernel for application

Undebuggable?

Serverless Architecture?

AWS LambdaAzure Service Fabric

potentially bad idea?

WRAPPING UP

Docker Security "Anti-Patterns"

free-for-all (unrestricted containers in Prod)treating containers as servers

Recommendations for Security

Don't try to stop it!!!recognize massive potential for disruptionno agents on containerswatch for outbound tra�ckeep up to date (news!)rethink approach ("cattle, not pets")

DOCKER ALL OVERLast few weeks of news:

Docker buys UnikernelArista announces Container support in EOSCitrix supports NetScaler as ContainerAmazon announces Docker 1.9 support

RESOURCES!Twitterfolk:

- AWS architect, tons ofDocker links

- Docker Security - Tons of Container work

- Pluralsight course - KeepingItClassless,

TechFieldDay

- WebScale @ Shopify - DevOps

- Shmoocon 2016 preso and - Company &

Conference - Kubernetes confab

Websites:

- Checklist - portal of all things "modern" stacks

- Network-focused approach - Open Container Initiative

@mattnowina

@diogomonica@frazelledazzell@nigelpoulton@mierdin

@Sirupsen@blinken_lichten@jaybeale@docker @dockercon

@kubeconio

DockerBenchTheNewStackPacket PushersRunC