NeuVector is a Bay Area startup focusing on run-time container security. In our previous post, we found docker-bench-security useful for avoiding many common Docker pitfalls.
NeuVector helps address some Docker security issues that have not been well resolved before, e.g. detecting malicious traffic between the servers of our critical environments, and visualizing the network topology of large-scale Docker environments.
Below are a product review of NeuVector and an interview with their CEO.
Disclaimer: I don’t work for NeuVector.
The CEO, Fei Huang, is an acquaintance of mine, and I believe his product could be useful to our blog audience for making Docker environments more secure in our DevOps practice.
Security concerns, based on surveys in 2016:
- 53% of enterprises deploying containers cite security as their top concern (Forrester)
- VMs provide security and isolation that do not exist in containers (Gartner)
- Firewalls can't keep up with the rapid pace and fluidity of container deployments
- 30% of all official container images contain high-priority vulnerabilities
Personally, I've been using Docker for over two years, mostly for testing or the development cycle. Running Docker in a prod environment? Not yet. Security is the thing raising the biggest concern. docker-bench-security could be a big help in keeping aligned with the latest Docker security practices.
There are still some gaps to fill, which is what makes NeuVector quite useful.
1. Traffic within our VPC (virtual private cloud) is mostly wide open.
It's no secret: most of us choose to trust all traffic within our data center, for simplicity. And many of us run everything as root, again for simplicity.
What does this mean? If one machine is broken into, the attacker can use it as a jump box to attack almost anything else on the network.
People may ask why we don't enforce stricter firewall rules. It is really hard. First, inter-service communication can be complicated and dynamic. Second, with container technology, containers are restarted and recreated frequently, and a container's IP address usually does not persist, while firewall rules are usually IP-address based. Third, a well-defined security policy takes a significant amount of effort. In practice it is nearly impossible to keep the firewall rules up to date by hand.
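To make the IP-persistence problem concrete, here is an added example (not NeuVector's or Docker's code, and not part of the original post). It keeps the firewall intent at the level of container labels ("web may reach db on 5432") and derives the IP-based iptables rules from a snapshot of running containers, then shows that the rules become stale as soon as one container is recreated with a new address. The two snapshots are constructed inline in the shape of the fields `docker inspect` returns, so nothing here needs a Docker daemon; the `app` label, the chain name `FORWARD` and the policy tuple format are assumptions made for the example.

```python
"""Regenerating IP-based firewall rules from container metadata.

Added example, not NeuVector's or Docker's code. The container snapshots
are constructed to look like the subset of `docker inspect` output we need.
"""
import ipaddress

# Constructed snapshot: two containers on the default bridge network.
BEFORE = [
    {"Name": "/web-1", "Config": {"Labels": {"app": "web"}},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
    {"Name": "/db-1", "Config": {"Labels": {"app": "db"}},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.3"}}}},
]
# Constructed snapshot after web-1 was recreated: same role, new name, new IP.
AFTER = [
    {"Name": "/db-1", "Config": {"Labels": {"app": "db"}},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.3"}}}},
    {"Name": "/web-2", "Config": {"Labels": {"app": "web"}},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.4"}}}},
]

# Label-level policy (assumed format): (source app, destination app, tcp port).
# This is the stable part; the IP addresses are derived from it per snapshot.
POLICY = [("web", "db", 5432)]


def container_ips(snapshot):
    """Map app label -> set of IPs currently held by containers with that label."""
    by_app = {}
    for c in snapshot:
        app = c["Config"]["Labels"].get("app")  # 'app' label is an assumption
        if app is None:
            continue
        for net in c["NetworkSettings"]["Networks"].values():
            ip = net.get("IPAddress")
            if ip:
                ipaddress.ip_address(ip)  # reject junk before it reaches a shell
                by_app.setdefault(app, set()).add(ip)
    return by_app


def render_rules(snapshot, policy=POLICY):
    """Expand the label-level policy into concrete iptables rules for one snapshot."""
    ips = container_ips(snapshot)
    rules = []
    for src_app, dst_app, port in policy:
        for src in sorted(ips.get(src_app, ())):
            for dst in sorted(ips.get(dst_app, ())):
                rules.append(
                    f"-A FORWARD -s {src} -d {dst} -p tcp --dport {port} -j ACCEPT"
                )
    return rules


def stale_rules(rules, snapshot):
    """Return rules whose source or destination IP no longer belongs to any container."""
    live = {ip for ips in container_ips(snapshot).values() for ip in ips}
    stale = []
    for rule in rules:
        parts = rule.split()
        src = parts[parts.index("-s") + 1]
        dst = parts[parts.index("-d") + 1]
        if src not in live or dst not in live:
            stale.append(rule)
    return stale


if __name__ == "__main__":
    old = render_rules(BEFORE)
    for rule in stale_rules(old, AFTER):
        print("stale after restart:", rule)
    for rule in render_rules(AFTER):
        print("regenerated:", rule)
```

The rule written for `172.17.0.2` still sits in the kernel after the restart but no longer matches anything; the new web container at `172.17.0.4` is simply not allowed (or, on a wide-open network, not restricted). Regenerating from labels on every container event is the manual version of what the post goes on to describe NeuVector doing automatically.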
NeuVector tries to solve the problem in another way: it automatically learns the network traffic, visualizes it, and audits or blocks suspicious connections. In the diagram below, blue lines indicate safe traffic; lines in red are suspicious.
2. A large-scale Docker environment is dynamic and hard to manage.
Imagine we have hundreds of containers, going up and down all the time. Very likely we lose track of them, let alone of the possible security risks. We need a way to visualize the network topology and traffic.
Here is one example provided by NeuVector. It follows a "zero-configuration" model: we just need to start some extra containers, and the feature is ready. To disable it, simply stop and dispose of those container(s).
3. Too many security risks to cover.
We may have security issues at the network layer, OS layer, application layer, etc. That is just too much for small teams to follow.
Here NeuVector provides an all-in-one security toolkit. Much easier, isn't it?