NeuVector helps to address some Docker security issues, which are not well resolved before. e.g, intelligently detect malicious traffic within servers of our critical envs, visualize network topology with large scale of docker envs, etc.
Original Article: https://dennyzhang.com/neuvector_container
Enclosed are a product review of NeuVector and an interview with their CEO.
Disclaimer: I don’t work for NeuVector.
The CEO, Fei Huang is one of my acquaintances. And I believe his product could be useful for our blog audience. Make Docker envs more secured in our DevOps practice.
Security concerns, based on survey in 2016:
- 53% of enterprises deploying containers cite Security as top concern (Forrester)
- VMs provide security and isolation which does not exist in containers (Gartner)
- Firewalls can’t keep up with the rapid pace and fluidity of container deployments
- 30% of all official container images contain high priority vulnerabilities
Personally I’ve been using Docker for over 2 years. Mostly it’s about testing or development cycle. Running Docker in prod env? Not yet. Security is one thing raising the biggest concern. docker_bench_security could be a big help to keep align with latest Docker security practices.
Still some gaps to fill, which makes NeuVector quite useful.
1. Mostly traffic within our VPC(virtual private cloud) is widely open.
It’s no secret. Most of us choose to trust all traffic within our data center. For simplicity. And many of us are using root. Again for simplicity.
Well, what does this mean? If one machine has been break-in, hackers can use it as a jumpbox to attack almost anything!
People may ask why we don’t enforce more strict firewall rules? It’s really hard. Firstly the inter-communication could be complicated and dynamic. Secondly, with container technology, container restart/recreation happen frequently. Usually the container ip won’t persist. However firewall is usually ip-address based. Thirdly, well-defined security policy takes a significant amount of effort. As a conclusion, it’s nearly impossible to keep the firewall rules up-to-date.
NeuVector tries to solve the problem in another way. It will automatically study the network traffic. Visualize them, and audit or block the suspicious ones. In below diagram, blue lines indicate the safe traffic. Lines in red are suspicious.
2. Large scale Docker env is dynamic and hard to manage.
Imagine we have hundreds of containers. We may see containers up and down all the time. Very likely, we can lose the trace. Let alone the possible security risks. We need a way to visualize the network topology and traffic.
Here is the one example provided by NeuVector. It follows “zero-configuration” model. We just need to start some extra containers, then the feature is ready. To disable it, simply stop dispose the container(s).
3. Too many security risks to crack.
We may have security issues in network layer, OS layer, application layer, etc. Just too much to follow for small teams.
Here NeuVector provides an all-in-one security toolkit. Much eaiser. Isn’t it?
Interview with NeuVector CEO, Fei Huang
- Q1: What your mission or main motivations for the startup project?
A: Containers have exploded in popularity in the last year but knowledge of how to monitor and secure them in production is severely lacking. Just like I saw when VMs first came out, there are many benefits which are causing companies to rush to deploy containers. But there are also new attack surfaces with containers just like there were with VMs. The difference today is that security teams can’t slow down deployment, updates, and scaling, which is happening at a much faster pace than before.
- Q2: What’re your main competitors, and how is NeuVector different than others?
A: There’s a number of companies trying to promote container management, monitoring, and security. It’s a new space so it can be very confusing to buyers. We recommend taking basic steps to lock down your OS and container platform and using tools such as vArmour and SeLinux. Then, just deploy NeuVector during test, staging, and production to make sure everything is visible and protected, just in case something gets through.
We’re really the only company focused on run-time container security from a networking perspective. Container networking can be complicated, especially with overlay networks and so much east-west data center traffic. Public cloud security and traditional firewalls can’t keep up with containers, so a security solution must be built with container networking in mind. Securing the entire networking stack from L3 to L7 is our specialty. NeuVector recognizes authorized application behavior and protects them without having to continuously update security rules.
- Q3: Docker.Inc keeps making security improvements. What is your play and extra value, considering the security update of Docker Inc itself?
A: We talked to the Docker security team, and they are definitely focusing on platform security which is reasonable as well. Docker and other platform vendors will need to keep hardening their engine, network and platforms to reduce the risks from the infrastructure layer. For example the latest Docker swarm has started supporting network encryption. NeuVector is focusing on the application side instead so it is not a conflict with the platforms. For example NeuVector’s network security works smoothly with Docker swarm encryption features. The extra value NeuVector provides is deep application knowledge based security and automation, visibility and protection between application containers, and the global or logical view of application stacks. So, NeuVector is providing strong container security because from a user point of view it is agnostic to platform, overlay network or infrastructure. And yes no vendor lock-in is another side benefit.
- Q4: How much I shall pay for using the service?
A: NeuVector is priced on a per host basis for annual subscriptions, which includes support. We offer free trials for qualified companies, and a starter kit is available for under $10K for 10 nodes. NeuVector is easy to download and deploy, just like any other container.
- Q5: How would I get started with NeuVector?
A: It’s really simple. Contact us on our website neuvector.com. And we’ll authorize you to download the containers from our private Docker Hub registry. There’s also a docs container so that makes it easy. Then it takes just minutes to deploy onto new environments or even ‘brownfield’ ones with production applications already running.
- Q6: Any special requirements to use NeuVector?
A: In general, NeuVector itself is a containerized solution so any container management platforms or tool will be able to manage NeuVector’s containers. No special requirements are needed. NeuVector will always provide a deep level of application and network awareness to protect your containers with built-in intelligence. The Docker -icc flag is not necessary but it doesn’t matter even if it’s turned on. To get advice for a layered security strategy for containers, check out our sharing “15 tips for a run-time container security strategy“.
So much for today’s session of NeuVector. If you have experience or feedback about this, please leave us comments or check NeuVector website directly.
Remeber to share the post with your peeps, if useful.