
Ensuring a secure foundation for your AWS Containers - Chris Swan's AWS Loft talk in London


Cohesive Networks - Ensuring a secure foundation for your AWS Containers
Chris Swan - AWS London Loft
29 September 2015

AWS has a few ways to run Docker: Elastic Container Service, Elastic Beanstalk, or installing Docker into EC2 instances. Whichever you choose, Docker makes it easy to build and ship software, so how do you make sure you're building on secure foundations and shipping without known vulnerabilities? Research has shown that many DockerHub images carry vulnerable software; how much of a problem is this for your usage pattern? It's also possible to build your own images 'FROM scratch'; what are the pros and cons of doing that? The Docker security benchmark contains recommendations on image contents (amongst many other sensible suggestions); how easy is it to comply with?



  1. Chris Swan, CTO, @cpswan. Ensuring a secure foundation for your AWS Containers
  2. © 2015. Why me? Used to do IT security for two major Swiss Banks. Started using Docker in July 2013 and decided to incorporate it into our VNS3 product as a plugin mechanism. Docker became part of Cohesive Networks VNS3 in April 2014, with real users in production before Docker itself went 1.0. Regular contributor to InfoQ on Docker, security and containers.
  3. The Docker promise – Build, Ship, Run
  4. Running containers on EC2
  5. EC2 instances
  6. Elastic Beanstalk
  7. EC2 Container Service
  8. Where did that code come FROM (and is it secure)?
  9. Official Images with Vulnerabilities. Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/
  10. Packages in Official Images with High Priority Vulnerabilities. Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/
  11. General Images with Vulnerabilities. Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/
  12. Packages in General Images with High Priority Vulnerabilities. Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/
  13. It's not as bad as it might look. Image bloat can mean lots of potentially vulnerable code that never gets run, which leaves something of an unexploded minefield. Taint inheritance: fix the root cause and you fix a lot of images. The worst cases lie in deprecated versions, but the continued use of known vulnerable old versions of things is how we end up with stuff that gets attacked so easily.
  14. The manifest problem
  15. Take an example Dockerfile
  16. Each active line creates a layer: Base OS, Sources, Update repos, Install nginx, Mod nginx.conf, Mod index.html
  17. An image binds layers together
  18. The image is the unit of deployment
  19. What version of nginx is that?
  20. What version of OpenSSL is installed?
  21. And which bash?
  22. Problem 1 – non-determinism. Whilst we want things to be cached in the short term, e.g. apt-get install nginx, we perhaps don't want it cached in the long term. What are those durations?
  23. Problem 2 – the manifest problem. When I run apt-get install nginx, I don't know which version of nginx I just got. Should I run nginx -v > some.log? Or maybe apt-cache policy nginx > some.log? Or should I have done this in the first place: apt-get install nginx=1.1.19-1ubuntu0.7
  24. NB – these are package manager problems. But Docker is 'the new package manager', and it typically wraps the old ones.
  25. So perhaps use a more sophisticated package manager
  26. Or avoid packages altogether: FROM scratch
  27. Docker Content Trust
  28. Overview of Docker Content Trust. Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/
  29. Protection against image forgery. Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/
  30. Protection against replay attacks. Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/
  31. Protection against key compromise. Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/
  32. Key components of Docker Content Trust
  33. Docker Security Benchmark
  34. It's a document
  35. And there's an accompanying tool. Image credit: https://www.docker.com/docker-security
  36. The benchmark covers: 1. Host configuration 2. Docker daemon configuration 3. Docker daemon configuration files 4. Container images and build file 5. Container runtime 6. Docker security operations
  37. Wrapping up
  38. For more detail: https://www.docker.com/docker-security and http://www.infoq.com/author/Chris-Swan
  39. And please check out Docker plugins to our VNS3. Isolated Docker containers within VNS3 allow Partners and Customers to embed features and functions safely and securely into their Cloud Network. Proxy, Reverse Proxy, Content Caching, Load Balancer, IDS, Custom Container, Router, Switch, Firewall, Protocol Redistributor, VPN Concentrator, Scriptable SDN, VNS3 Core Components
  40. Questions?
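Slides 22 and 23 leave the manifest question open, so here is an added example (not from the talk or from Cohesive Networks) of answering it at build time: record what apt actually installed into a manifest inside the image, then check that manifest against pinned versions so drift from the intended nginx build is caught before the image ships. It assumes a Debian/Ubuntu base image with dpkg-query available; the nginx pin is the version quoted on slide 23, and the other manifest entries are constructed sample data.

```shell
#!/bin/sh
# Added example: build-time package manifest for a Docker image.
# Assumes a Debian/Ubuntu base image where dpkg-query is available.

# Versions we intend the image to contain. The nginx pin is the one
# quoted on slide 23; pin every package the image's security depends on.
PINS="nginx=1.1.19-1ubuntu0.7"

# Run as the last RUN step of the Dockerfile: captures what apt actually
# installed, so the image carries its own manifest rather than
# "whatever apt-get install nginx happened to resolve to that day".
record_manifest() {
    dpkg-query -W -f='${Package}=${Version}\n' > /manifest.txt
}

# Compare a manifest (package=version lines on stdin) with PINS.
# Prints one line per missing or drifted package; returns 1 if any.
check_pins() {
    manifest=$(cat)
    rc=0
    for pin in $PINS; do
        pkg=${pin%%=*}
        want=${pin#*=}
        got=$(printf '%s\n' "$manifest" | awk -F= -v p="$pkg" '$1 == p { print $2 }')
        if [ -z "$got" ]; then
            echo "MISSING $pkg (wanted $want)"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "DRIFT $pkg: got $got, wanted $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample manifest (not a real image), as record_manifest
# would write it when an unpinned install resolved to a newer nginx.
SAMPLE_MANIFEST="bash=4.2-2ubuntu2.6
nginx=1.1.19-1ubuntu0.8
openssl=1.0.1-4ubuntu5.31"

# Stand-alone usage: print the drift report for the sample manifest.
if ! printf '%s\n' "$SAMPLE_MANIFEST" | check_pins; then
    echo "manifest does not match pins"
fi
```

Ship /manifest.txt with the image and run check_pins against it in CI; the same file answers "which nginx, which OpenSSL, which bash" long after the apt cache that produced them has moved on.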
