visualizing security boundaries in docker swarm overlay
play

visualizing security boundaries in docker swarm overlay networks - PowerPoint PPT Presentation

Sep 28, 2022 •412 likes •743 views

Marcel Brouwers July 3, 2017 Master of System and Network Engineering University of Amsterdam Supervisor: Esan Wit visualizing security boundaries in docker swarm overlay networks Mode for managing a cluster of docker nodes The Swarm

  1. Marcel Brouwers July 3, 2017 Master of System and Network Engineering University of Amsterdam Supervisor: Esan Wit visualizing security boundaries in docker swarm overlay networks

  2. ∙ Mode for managing a cluster of docker nodes ∙ The Swarm keeps services running and distributes containers over the nodes ∙ Has a feature for overlay networks between containers 1 Introduction Docker Swarm

  3. ∙ Containers can be connected to multiple Swarm overlay networks ∙ Networks are created from the manager nodes 1 https://tools.ietf.org/html/rfc7348 2 https://github.com/docker/libnetwork/blob/master/drivers/ overlay/ov_serf.go 2 Docker Swarm overlay network ∙ VxLAN 1 based overlay networks. (Layer 2 over Layer 3) ∙ Serf used for mapping 2

  4. ∙ RFC 7348 ∙ Layer 2 over layer 3 ∙ 24 bits Virtual Network Identified (VNI) ∙ UDP port 4789 3 VxLAN

  5. ∙ Which security measures are there for Docker Swarm overlay networks and what can be done on the overlay network if a container or host gets compromised? ∙ Which strategies are there to find out what gets exposed by containers and hosts in (overlay) networks? ∙ Is it feasible to consolidate all the information about exposure and visualize it in a comprehensible way? 4 Research question ∙ What gets exposed when using Docker Swarm overlay networks and is there a way to visualize what gets exposed?

  6. ∙ Which security measures are there for Docker Swarm overlay networks and what can be done on the overlay network if a container or host gets compromised? ∙ Which strategies are there to find out what gets exposed by containers and hosts in (overlay) networks? ∙ Is it feasible to consolidate all the information about exposure and visualize it in a comprehensible way? 4 Research question ∙ What gets exposed when using Docker Swarm overlay networks and is there a way to visualize what gets exposed?

  7. ∙ Which security measures are there for Docker Swarm overlay networks and what can be done on the overlay network if a container or host gets compromised? ∙ Which strategies are there to find out what gets exposed by containers and hosts in (overlay) networks? ∙ Is it feasible to consolidate all the information about exposure and visualize it in a comprehensible way? 4 Research question ∙ What gets exposed when using Docker Swarm overlay networks and is there a way to visualize what gets exposed?

  8. ∙ Which security measures are there for Docker Swarm overlay networks and what can be done on the overlay network if a container or host gets compromised? ∙ Which strategies are there to find out what gets exposed by containers and hosts in (overlay) networks? ∙ Is it feasible to consolidate all the information about exposure and visualize it in a comprehensible way? 4 Research question ∙ What gets exposed when using Docker Swarm overlay networks and is there a way to visualize what gets exposed?

  9. ∙ Layer 2 attacks on a VxLAN overlay network, Author: G. Peneda, March 11, 2014 ∙ Secure Virtual Network Configuration for Virtual Machine (VM) Protection Author: NIST, March 2016 ∙ Docker swarm mode overlay network security model Author: 3 https://docs.docker.com/engine/userguide/networking/ overlay-security-model/ 5 Related work Docker Project, 2017 3

  10. ∙ Encryption for overlay network not used by default ∙ Encryption possible: IPSEC tunnel 6 Security measures for Swarm overlays

  11. ∙ Tested: ARP spoofing, MAC flooding ∙ Tested using: Arpspoof tool (Dsniff), Ettercap, Macof (Dsniff) ∙ Using non-privileged containers and privileged containers ∙ Monitored ARP tables and sniffed network traffic ∙ Result: Not possible. 7 What’s possible?

  12. ∙ Tested: ARP spoofing, MAC flooding ∙ Tested using: Arpspoof tool (Dsniff), Ettercap, Macof (Dsniff) ∙ Using non-privileged containers and privileged containers ∙ Monitored ARP tables and sniffed network traffic ∙ Result: Not possible. 7 What’s possible?

  13. 8 1 4 https://tools.ietf.org/html/rfc7348#page-21 FDB gets populated using a gossip protocol “Serf”. schemes possible for the distribution of the VTEP IP to VM MAC “In addition to a learning-based control plane, there are other ageing 300 l3miss srcport 0 0 dstport 4789 proxy l2miss id 4097 vxlan 4 1 f f : f f : f f : f f : f f : f f brd <BROADCAST , MULTICAST , UP , LOWER_UP> mtu 1450 qdisc noqueue master br0 d l i n k show vxlan1 2 1 1 : 46: e6 : 4 8 : 5 d : dd :92 vxlan1 : state UNKNOWN mode DEFAULT group default 3 l i n k /ether Why was that not possible? root@manager1 : ~ # ip netns exec 1 − 7x3gglxlba ip − link − netnsid 0 promiscuity Listing 1: Proxy ARP configured on VTEP mapping information”’ 4

  14. ∙ Tested: Replay of packets ∙ Using Tcpreplay ∙ ICMP from container A to container B on host A and B ∙ Replayed ICMP request from node C ∙ Works, ICMP reply arrives at container A ∙ Also works when source ip is changed ∙ Replay also works for an encrypted Swarm overlay network ∙ VNIs predictable: start at 4096 ∙ UDP port 4789 (and tcp/udp 7946 for Serf) 9 What’s possible?

  15. ∙ Tested: Replay of packets ∙ Using Tcpreplay ∙ ICMP from container A to container B on host A and B ∙ Replayed ICMP request from node C ∙ Works, ICMP reply arrives at container A ∙ Also works when source ip is changed ∙ Replay also works for an encrypted Swarm overlay network ∙ VNIs predictable: start at 4096 ∙ UDP port 4789 (and tcp/udp 7946 for Serf) 9 What’s possible?

  16. ∙ Tested: Replay of packets ∙ Using Tcpreplay ∙ ICMP from container A to container B on host A and B ∙ Replayed ICMP request from node C ∙ Works, ICMP reply arrives at container A ∙ Also works when source ip is changed ∙ Replay also works for an encrypted Swarm overlay network ∙ VNIs predictable: start at 4096 ∙ UDP port 4789 (and tcp/udp 7946 for Serf) 9 What’s possible?

  17. ∙ Tested: Replay of packets ∙ Using Tcpreplay ∙ ICMP from container A to container B on host A and B ∙ Replayed ICMP request from node C ∙ Works, ICMP reply arrives at container A ∙ Also works when source ip is changed ∙ Replay also works for an encrypted Swarm overlay network ∙ VNIs predictable: start at 4096 ∙ UDP port 4789 (and tcp/udp 7946 for Serf) 9 What’s possible?

  18. ∙ Tested: Replay of packets ∙ Using Tcpreplay ∙ ICMP from container A to container B on host A and B ∙ Replayed ICMP request from node C ∙ Works, ICMP reply arrives at container A ∙ Also works when source ip is changed ∙ Replay also works for an encrypted Swarm overlay network ∙ VNIs predictable: start at 4096 ∙ UDP port 4789 (and tcp/udp 7946 for Serf) 9 What’s possible?

  19. ∙ Have each container report netstat output and firewall status ∙ Pro: Can be fast and complete ∙ Con: Overhead by running on each container ∙ Con: Required adapting docker files and redeploying. ∙ Scan the network ∙ Pro: One container that runs a scanner ∙ Con: Should be connected to all overlay networks ∙ Con: Scan can take a long time ∙ Have each host report netstat output and firewall status for the containers ∙ Pro: Containers can not be overlooked ∙ Pro: Can be relatively fast 10 Strategies for finding out what gets exposed

  20. ∙ Have each container report netstat output and firewall status ∙ Pro: Can be fast and complete ∙ Con: Overhead by running on each container ∙ Con: Required adapting docker files and redeploying. ∙ Scan the network ∙ Pro: One container that runs a scanner ∙ Con: Should be connected to all overlay networks ∙ Con: Scan can take a long time ∙ Have each host report netstat output and firewall status for the containers ∙ Pro: Containers can not be overlooked ∙ Pro: Can be relatively fast 10 Strategies for finding out what gets exposed

  21. ∙ Have each container report netstat output and firewall status ∙ Pro: Can be fast and complete ∙ Con: Overhead by running on each container ∙ Con: Required adapting docker files and redeploying. ∙ Scan the network ∙ Pro: One container that runs a scanner ∙ Con: Should be connected to all overlay networks ∙ Con: Scan can take a long time ∙ Have each host report netstat output and firewall status for the containers ∙ Pro: Containers can not be overlooked ∙ Pro: Can be relatively fast 10 Strategies for finding out what gets exposed

  22. ∙ Visualizations in the browser ∙ D3.js ∙ Collected data using Swarm API and scripts on hosts 11 Visualizing

  23. 12 Visualizing

  24. 13 Visualizing

  25. 14 Visualizing

  26. 15 Visualizing

  27. 16 Visualizing

  28. 17 Demo Visualizing

  29. ∙ Layer 2 attacks based on ARP injecting seems not possible on a Swarm overlay network ∙ It is possible to inject something in a Swarm overlay network when standard configuration is used ∙ Encrypted Swarm overlay traffic can be successfully replayed ∙ Creating visualizations of the Swarm overlay networks taking security boundaries into account is possible 18 Conclusion

  30. ∙ Work on visualizations for single nodes showing more detail for ∙ Research the mechanism that updates the mapping for the VTEPs firewall configuration 19 Future work

  31. 20 Questions?

Recommend

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer / mgoelzer@docker.com / @mgoelzer Docker Inc. docker service is the new docker run docker run nginx 2013-14 docker run -p 3375:2375 swarm ; 2014-15

688 views • 34 slides
Docker Security Workshop Goals of this Workshop Understand and get Understand and get

Docker Security Workshop Goals of this Workshop Understand and get Understand and get

Docker Security Workshop Goals of this Workshop Understand and get Understand and get comfortable with Docker comfortable with Linux security technologies security technologies Swarm Mode Security AppArmor Secrets Management seccomp

1.94k views • 147 slides
Brendan Jackson Vice President, Analytics PDI Virtual Desktop In Docker Innovate In Your Swarm

Brendan Jackson Vice President, Analytics PDI Virtual Desktop In Docker Innovate In Your Swarm

Brendan Jackson Vice President, Analytics PDI Virtual Desktop In Docker Innovate In Your Swarm PDI Virtual Desktop in Docker Containerize PDI to have visual development power in your swarm Seasoned healthcare finance and technology

349 views • 11 slides
Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike

Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike

Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike Goelzer &amp; Victor Vieux Docker Orchestration Overview Mike Goelzer / mgoelzer@docker.com / gh: mgoelzer Orchestration in Docker Orchestration

599 views • 39 slides
Add picture Swarm here Bret Fisher DevOps Consultant Docker Captain, Dell {code} Catalyst

Add picture Swarm here Bret Fisher DevOps Consultant Docker Captain, Dell {code} Catalyst

Going Production with Docker and Add picture Swarm here Bret Fisher DevOps Consultant Docker Captain, Dell {code} Catalyst Author of Udemy's Docker Mastery Slides! bretfisher.com/slides Add picture here Tweets!

769 views • 63 slides
Orchestra)on Tool Roundup - Docker Swarm vs. Kubernetes,

Orchestra)on Tool Roundup - Docker Swarm vs. Kubernetes,

Orchestra)on Tool Roundup - Docker Swarm vs. Kubernetes, TerraForm vs. TOSCA/Cloudify vs. Heat Agenda Orchestra)on 101.. Different approaches for

1.1k views • 77 slides
USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY

USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY

USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY &quot;Containers Don't Contain&quot; Daniel Walsh, RedHat https://opensource.com/business/14/7/docker- security-selinux &quot;... total systemic

502 views • 48 slides
Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni (@jpetazzo) French software engineer living in California Joined Docker (dotCloud) more than 4 years ago (I was at Docker before it was cool! ) I built

420 views • 38 slides
Docker cker Ov Overlay rlay Networks tworks Performance analysis in high-latency environments

Docker cker Ov Overlay rlay Networks tworks Performance analysis in high-latency environments

Docker cker Ov Overlay rlay Networks tworks Performance analysis in high-latency environments Students: s: Siem Hermans Patrick de Niet Resea earc rch Project ect 1 Supervi rviso sor: Dr. Paola Grosso System and Network Engineering

438 views • 18 slides
CONTAINER ORCHESTRATION WITH SWARM MODE, MESOS/MARATHON AND KUBERNETES ADRIAN MOUAT WHO AM I?

CONTAINER ORCHESTRATION WITH SWARM MODE, MESOS/MARATHON AND KUBERNETES ADRIAN MOUAT WHO AM I?

CONTAINER ORCHESTRATION WITH SWARM MODE, MESOS/MARATHON AND KUBERNETES ADRIAN MOUAT WHO AM I? Chief Scientist at Container Solutions Wrote &quot;Using Docker&quot; for O'Reilly 40% discount with code AUTHD Docker Captain @adrianmouat WHAT

1.4k views • 59 slides
Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y install docker s ystemctl start docker systemctl enable docker docker images - Launch pre-canned container: hello-world (busybox is another good

480 views • 4 slides
Docker Networking Workshop Agenda 1. Detailed Overview 2. Docker Networking Evolution 3. Use

Docker Networking Workshop Agenda 1. Detailed Overview 2. Docker Networking Evolution 3. Use

Docker Networking Workshop Agenda 1. Detailed Overview 2. Docker Networking Evolution 3. Use Cases Single-host networking with the Bridge driver Multi-host networking with the Overlay driver Connecting to existing VLANs with the

1.32k views • 93 slides
Deliver Docker Containers Continuously on AWS Philipp Garbe @pgarbe Google Container So many

Deliver Docker Containers Continuously on AWS Philipp Garbe @pgarbe Google Container So many

Deliver Docker Containers Continuously on AWS Philipp Garbe @pgarbe Google Container So many choices... Engine Azure Container Services Cloud Foundrys Amazon ECS Diego Kubernetes Docker Swarm Mesosphere CoreOS Marathon Fleet

465 views • 45 slides
1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

12.03.2019 Docker security 1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami M.Sc Computer Security M.Sc Software Development Worked previously as an embedded software developer Actually

586 views • 54 slides
L2 Overlay L2 Overlay

L2 Overlay L2 Overlay

L2 Overlay L2 Overlay July 30, 2019 A. Gerrard, What Is Kubernetes?

536 views • 24 slides
The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker

The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker

The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker developers Work on security, systems software, applications, LinuxKit, containers @justincormack 2 From OS to languages? From OS to

843 views • 39 slides
INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both provide isolated environments Docker is much more efficient 64-bit Linux only (currently) CONTAINERIZATION A Docker container is a portable store for a

674 views • 29 slides
Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses the Docker API to manage the lifecycle of Docker containers. Because the Docker provider uses the Docker API, it is immediately compatible not only

553 views • 34 slides
ironing out Docker at ironPeak services ironpeak.be 1. $ whoami Niels Hofmans role

ironing out Docker at ironPeak services ironpeak.be 1. $ whoami Niels Hofmans role

ironing out Docker at ironPeak services ironpeak.be 1. $ whoami Niels Hofmans role Independent Cybersecurity Consultant work Code Security, App Security, Hardening, F5 BIG-IP interest Go, Docker, Cloud, Media contact hello@ironpeak.be

189 views • 16 slides
CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote &quot;Using Docker&quot; for O'Reilly 40% Discount with AUTHD code Free Docker Security minibook http://www.oreilly.com/webops-perf/free/docker-

1.06k views • 68 slides
Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing

Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing

Eric Holm Skyler Manzanares Yuxin (Kelly) Wang http://gerardable.com/wp-content/uploads/2014/12/docker-whale-home-logo.png Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing this Whale! Free,

997 views • 28 slides
Isolating Processes using Docker User Namespaces and Seccomp 4 October 2016 Paul Novarese

Isolating Processes using Docker User Namespaces and Seccomp 4 October 2016 Paul Novarese

Isolating Processes using Docker User Namespaces and Seccomp 4 October 2016 Paul Novarese Technical Account Manager Docker, Inc. pvn@docker.com @pvn Agenda Preliminaries Container Security Considerations Containment

585 views • 20 slides
Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me

Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me

Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me Software engineer at Docker Maintainer on SwarmKit and Docker Engine open source projects Focusing on distributed state, task scheduling,

1.29k views • 62 slides
Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner Data Science Consultant accantec group | Alstertor 17 | 20095 Hamburg | Tel.: +49 (40) 67 59 59 0 | Fax.: +49 (40) 67 59 59 29 | www.accantec.de |

664 views • 29 slides

More recommend