Chris Swan, CTO, @cpswan Ensuring a secure foundation for your AWS Containers
Ensuring a secure foundation for your AWS Containers - Chris Swan's AWS Loft talk in London
Jan 27, 2017
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Chris Swan, CTO, @cpswan
Ensuring a secure foundation for your AWS Containers
© 2015
Why me?
Used to do IT security for two major Swiss Banks Started using Docker July 2013 and decided to incorporate it into our VNS3 product as a plugin mechanism Docker became part of Cohesive Networks VNS3 in April 2014 real users in production before Docker itself went 1.0 Regular contributor to InfoQ on Docker, security and containers
© 2015
The Docker promise – Build, Ship, Run
© 2015
Running containers on EC2
© 2015
EC2 instances
© 2015
Elastic Beanstalk
© 2015
EC2 Container Service
© 2015
Where did that code come FROM (and is it secure)?
© 2015
Official Images with Vulnerabilities
Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/
© 2015
Packages in Official Images with High Priority Vulnerabilities
Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/
© 2015
General Images with Vulnerabilities
Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/
© 2015
Packages in General Images with High Priority Vulnerabilities
Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/
© 2015
It’s not as bad as it might look
Image bloat can mean lots of potentially vulnerable code that never gets run leaves something of an unexploded minefield Taint inheritance fix the root cause – fix a lot of images Worst cases lie in deprecated versions but the continued use of known vulnerable old versions of things is how we end up with stuff that gets attacked so easily
© 2015
The manifest problem
© 2015
Take an example Dockerfile
© 2015
Each active line creates a layer
Base OS
Sources Update repos Install nginx
Mod nginx.conf Mod index.html
© 2015
An images binds layers together
© 2015
The image is the unit of deployment
© 2015
What version of nginx is that?
© 2015
What version of OpenSSL is installed?
© 2015
And which bash?
© 2015
Problem 1 – non determinism
Whilst we want things to be cached in the short term e.g.: apt-get install nginx
We perhaps don’t want it cached in the long term What are those durations?
© 2015
Problem 2 – the manifest problem
When I run: apt-get install nginx
I don’t know which version of nginx I just got Should I? nginx –v > some.log
Or maybe? apt-cache policy nginx > some.log
Or should I have done this in the first place? apt-get install nginx=1.1.19-1ubuntu0.7
© 2015
NB – These are package manager problems
But Docker is ‘the new package manager’ and it typically wraps the old ones
© 2015
So perhaps use a more sophisticated package manager
© 2015
Or avoid packages altogether
FROM scratch
© 2015
Docker Content Trust
© 2015
Overview of Docker Content Trust
Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/
© 2015
Protection against image forgery
Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/
© 2015
Protection against replay attacks
Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/
© 2015
Protection against key compromise
Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/
© 2015
Key components of Docker Content Trust
© 2015
Docker Security Benchmark
© 2015
It’s a document
© 2015
And there’s an accompanying tool
Image credit: https://www.docker.com/docker-security
© 2015
The benchmark covers
1. Host configuration 2. Docker daemon configuration 3. Docker daemon configuration files 4. Container Images and build file 5. Container runtime 6. Docker security operations
© 2015
Wrapping up
© 2015
For more detail
https://www.docker.com/docker-security http://www.infoq.com/author/Chris-Swan
© 2015
And please check out Docker plugins to our VNS3
39
Isolated Docker containers within VNS3 allows Partners and Customers to embed features and functions safely and securely into their Cloud Network.
Proxy Reverse Proxy Content Caching Load Balancer IDS Custom Container
Router Switch Firewall Protocol Redistributor
VPN Concentrator
Scriptable SDN
VNS3 Core Components
© 2015
Questions?
Related Documents
