Ensuring a secure foundation for your AWS Containers - Chris Swan's AWS Loft talk in London

Cohesive Networks - Ensuring a secure foundation for your AWS Containers
Chris Swan - AWS London Loft
Published on 29 September 2015

AWS has a few ways to run Docker - Elastic Container Service, Elastic Beanstalk or installing Docker into EC2 instances. Whichever you choose, Docker makes it easy to build and ship software, so how do you make sure you're building on secure foundations and shipping without known vulnerabilities? Research has shown that many DockerHub images carry vulnerable software; how much of a problem is this for your usage pattern? It’s also possible to build your own images ‘FROM scratch’; what are the pros and cons of doing that? The Docker security benchmark contains recommendations on image contents (amongst many other sensible suggestions); how easy is it to comply with?


  1. Chris Swan, CTO, @cpswan
     Ensuring a secure foundation for your AWS Containers
     © 2015
  2. Why me?
     Used to do IT security for two major Swiss Banks
     Started using Docker July 2013 and decided to incorporate it into our VNS3 product as a plugin mechanism
     Docker became part of Cohesive Networks VNS3 in April 2014, with real users in production before Docker itself went 1.0
     Regular contributor to InfoQ on Docker, security and containers
  3. The Docker promise – Build, Ship, Run
  4. Running containers on EC2
  5. EC2 instances
  6. Elastic Beanstalk
  7. EC2 Container Service
  8. Where did that code come FROM (and is it secure)?
  9. Official Images with Vulnerabilities
     Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/
 10. Packages in Official Images with High Priority Vulnerabilities
     Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/
 11. General Images with Vulnerabilities
     Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/
 12. Packages in General Images with High Priority Vulnerabilities
     Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/
 13. It’s not as bad as it might look
     Image bloat can mean lots of potentially vulnerable code that never gets run, which leaves something of an unexploded minefield
     Taint inheritance: fix the root cause and you fix a lot of images
     Worst cases lie in deprecated versions, but the continued use of known vulnerable old versions of things is how we end up with stuff that gets attacked so easily
 14. The manifest problem
 15. Take an example Dockerfile
 16. Each active line creates a layer
     Base OS
     Sources
     Update repos
     Install nginx
     Mod nginx.conf
     Mod index.html
 17. An image binds layers together
 18. The image is the unit of deployment
 19. What version of nginx is that?
 20. What version of OpenSSL is installed?
 21. And which bash?
 22. Problem 1 – non-determinism
     Whilst we want things to be cached in the short term, e.g.:
       apt-get install nginx
     we perhaps don’t want it cached in the long term
     What are those durations?
 23. Problem 2 – the manifest problem
     When I run:
       apt-get install nginx
     I don’t know which version of nginx I just got
     Should I?
       nginx -v 2> some.log
     Or maybe?
       apt-cache policy nginx > some.log
     Or should I have done this in the first place?
       apt-get install nginx=1.1.19-1ubuntu0.7
 24. NB – These are package manager problems
     But Docker is ‘the new package manager’ and it typically wraps the old ones
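An added example (not code from the talk or from Cohesive Networks) of the manifest step slide 23 asks for: capture `apt-cache policy nginx` and `dpkg-query -W` inside the image while the layer is built, compare the result with what the Dockerfile asked for, and keep a digest of the resolved package set alongside the image. The two captures below are constructed sample output; the `1.1.19-1ubuntu0.7` pin is the one on the slide, every other version string is illustrative.

```python
r"""Manifest check for a Docker image layer.

Added example, not code from the talk.  Two captures are taken inside the
image at build time (for instance as the last command of the RUN that
installs nginx):
  apt-cache policy nginx                      -> is the cached layer stale?
  dpkg-query -W -f='${Package} ${Version}\n'  -> what did we actually get?
Both captures below are constructed sample output; version strings other
than the 1.1.19-1ubuntu0.7 pin from the talk are illustrative.
"""
import hashlib
import re

# Constructed stand-in for `apt-cache policy nginx`: the mirror already
# offers a newer build than the one sitting in the cached layer.
APT_CACHE_POLICY = """\
nginx:
  Installed: 1.1.19-1ubuntu0.7
  Candidate: 1.1.19-1ubuntu0.8
  Version table:
     1.1.19-1ubuntu0.8 0
        500 http://archive.ubuntu.com/ubuntu/ precise-security/universe amd64 Packages
 *** 1.1.19-1ubuntu0.7 0
        100 /var/lib/dpkg/status
"""

# Constructed stand-in for `dpkg-query -W -f='${Package} ${Version}\n'`.
# It answers slides 19-21 (which nginx, which OpenSSL, which bash) directly.
DPKG_LIST = """\
bash 4.2-2ubuntu2.6
libssl1.0.0 1.0.1-4ubuntu5.31
nginx 1.1.19-1ubuntu0.7
nginx-common 1.1.19-1ubuntu0.7
"""


def parse_policy(text):
    """Pull the Installed/Candidate lines out of apt-cache policy output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Installed|Candidate):\s*(\S+)", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def layer_is_stale(policy):
    """True when apt knows of a newer build than the one in the layer: the
    cached 'apt-get install nginx' layer has outlived its short-term use."""
    return policy.get("installed") != policy.get("candidate")


def parse_dpkg(text):
    """{package: version} from the dpkg-query capture."""
    return dict(line.split(None, 1) for line in text.splitlines() if line.strip())


def check_requests(requests, installed):
    """Compare each 'apt-get install' argument with what the manifest says.

    'nginx'        -> we got *something*; only the manifest tells us what.
    'nginx=<ver>'  -> must match exactly; a mismatch means a later layer
                      (an apt-get upgrade, say) replaced the pinned build.
    Returns (package, requested_version, installed_version, status)."""
    findings = []
    for spec in requests:
        name, _, want = spec.partition("=")
        got = installed.get(name)
        if got is None:
            status = "missing"
        elif not want:
            status = "unpinned"
        elif want == got:
            status = "ok"
        else:
            status = "drift"
        findings.append((name, want or None, got, status))
    return findings


def manifest_digest(installed):
    """Stable digest of the resolved package set.  Store it with the image:
    two builds of an unchanged Dockerfile that differ here resolved
    different package versions, which the Dockerfile alone cannot show."""
    body = "\n".join(f"{k} {v}" for k, v in sorted(installed.items()))
    return hashlib.sha256(body.encode()).hexdigest()


if __name__ == "__main__":
    installed = parse_dpkg(DPKG_LIST)
    print("stale layer:", layer_is_stale(parse_policy(APT_CACHE_POLICY)))
    for finding in check_requests(["nginx", "nginx=1.1.19-1ubuntu0.7", "openssl"], installed):
        print(finding)
    print("manifest digest:", manifest_digest(installed))
```

The point of the digest is that the Dockerfile line `apt-get install nginx` is identical across builds whether or not the cache served an old layer; the recorded manifest is the only thing that changes, so it is the thing to compare and to keep.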
 25. So perhaps use a more sophisticated package manager
 26. Or avoid packages altogether
     FROM scratch
 27. Docker Content Trust
 28. Overview of Docker Content Trust
     Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/
 29. Protection against image forgery
     Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/
 30. Protection against replay attacks
     Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/
 31. Protection against key compromise
     Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/
 32. Key components of Docker Content Trust
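As an added example (not code from the talk, from Docker or from Notary), the three protections on slides 29 to 31 reduced to a model a client can run offline: a root document that names the currently trusted targets key, targets metadata mapping a tag to an image digest, a version counter and an expiry. Signatures are HMAC-SHA256 so the block runs on the Python standard library; that is a stand-in for the asymmetric signatures Notary uses, under which a client holds only public keys. Key ids, tag names and digests are constructed.

```python
"""Model of what a content-trust client checks before it uses a tag.

Added example; not code from the talk, Docker or Notary.  The metadata is
a simplification of Notary's TUF roles: one root document naming the
current 'targets' key, and one targets document per publish mapping a tag
to an image digest, carrying a version and an expiry.  Signatures are
HMAC-SHA256 purely so this runs on the standard library; real Docker
Content Trust uses asymmetric keys.  All key material below is constructed.
"""
import hashlib
import hmac
import json

ROOT_KEY = b"root-key-kept-offline"                        # constructed; stays offline in DCT
KEYS = {"k1": b"targets-key-1", "k2": b"targets-key-2"}    # key id -> key material (constructed)


def sign(key, payload):
    """Deterministic 'signature' over the canonical JSON form of payload."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(key, payload, sig):
    return hmac.compare_digest(sign(key, payload), sig)


def make_root(targets_key_id, version):
    payload = {"role": "root", "version": version, "targets_key": targets_key_id}
    return payload, sign(ROOT_KEY, payload)


def make_targets(key_id, version, expires, tags):
    payload = {"role": "targets", "version": version, "expires": expires, "targets": tags}
    return payload, sign(KEYS[key_id], payload)


class TrustClient:
    """The checks a pull with content trust enabled performs on a tag."""

    def __init__(self, root, root_sig):
        self.root = None
        self.last_version = 0            # highest targets version accepted so far
        self.update_root(root, root_sig)

    def update_root(self, root, root_sig):
        # Key compromise: only the offline root key may change which targets
        # key is trusted, so a leaked targets key cannot keep itself trusted.
        if not verify(ROOT_KEY, root, root_sig):
            raise ValueError("root document not signed by pinned root key")
        if self.root and root["version"] <= self.root["version"]:
            raise ValueError("root rollback")
        self.root = root

    def resolve(self, tag, targets, sig, now):
        """Return the digest for tag, or raise with the reason for refusal."""
        key = KEYS[self.root["targets_key"]]
        if not verify(key, targets, sig):              # forgery, or a revoked key
            raise ValueError("forgery: bad signature for current targets key")
        if targets["expires"] <= now:                  # stale metadata served again
            raise ValueError("replay: targets metadata expired")
        if targets["version"] < self.last_version:     # rollback to older metadata
            raise ValueError("replay: older than metadata already seen")
        if tag not in targets["targets"]:
            raise ValueError(f"no signed entry for {tag}")
        self.last_version = targets["version"]
        return targets["targets"][tag]


def try_resolve(client, tag, targets, sig, now):
    try:
        return ("ok", client.resolve(tag, targets, sig, now))
    except ValueError as e:
        return ("rejected", str(e))


def demo(now=1_000_000):
    """Run one honest publisher and three attacks past a client; return outcomes."""
    out = []
    client = TrustClient(*make_root("k1", 1))
    t1, s1 = make_targets("k1", 1, now + 3600, {"web:1.0": "sha256:aaaa"})   # constructed digest
    out.append(try_resolve(client, "web:1.0", t1, s1, now))        # honest publish
    forged = dict(t1, targets={"web:1.0": "sha256:evil"})          # digest swapped, old signature
    out.append(try_resolve(client, "web:1.0", forged, s1, now))    # forgery
    t2, s2 = make_targets("k1", 2, now + 3600, {"web:1.0": "sha256:bbbb"})
    out.append(try_resolve(client, "web:1.0", t2, s2, now))        # honest update
    out.append(try_resolve(client, "web:1.0", t1, s1, now))        # replay of version 1
    out.append(try_resolve(client, "web:1.0", t2, s2, now + 7200)) # served after expiry
    client.update_root(*make_root("k2", 2))                        # rotate after k1 leaks
    t3, s3 = make_targets("k1", 3, now + 3600, {"web:1.0": "sha256:evil"})
    out.append(try_resolve(client, "web:1.0", t3, s3, now))        # signed by revoked key
    t4, s4 = make_targets("k2", 3, now + 3600, {"web:1.0": "sha256:cccc"})
    out.append(try_resolve(client, "web:1.0", t4, s4, now))        # signed by new key
    return out


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Notary gets its freshness guarantee from a separate, frequently re-signed timestamp role rather than from an expiry on the targets document itself; the model folds that into one expiry to keep the three refusals visible in one place.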
 33. Docker Security Benchmark
 34. It’s a document
 35. And there’s an accompanying tool
     Image credit: https://www.docker.com/docker-security
 36. The benchmark covers
     1. Host configuration
     2. Docker daemon configuration
     3. Docker daemon configuration files
     4. Container images and build file
     5. Container runtime
     6. Docker security operations
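Added example (not the benchmark's own tool, which inspects a running Docker host rather than a build file, and not a verbatim list of benchmark items): the static checks a practitioner would run over a Dockerfile before the image gets near the daemon, in the spirit of section 4 above. The first Dockerfile is constructed to match the six-layer example from slide 16; the second is the same build with the findings fixed. The `ubuntu:12.04` tag, the `web` user and the secret-name pattern are assumptions; the nginx pin is the one from slide 23.

```python
"""Static checks on a Dockerfile, in the spirit of the benchmark section
'Container images and build file'.

Added example; not the benchmark's tool and not its item list.  BEFORE is
constructed to match the six-layer Dockerfile in the talk; AFTER is the
same build with each finding fixed.  The ubuntu:12.04 tag, the 'web' user
and SECRET_NAME are assumptions; the nginx pin comes from the talk.
"""
import re

BEFORE = """\
FROM ubuntu
RUN echo "deb http://archive.ubuntu.com/ubuntu precise-updates universe" >> /etc/apt/sources.list
RUN apt-get update
RUN apt-get install -y nginx
COPY nginx.conf /etc/nginx/nginx.conf
ADD index.html /usr/share/nginx/html/index.html
ENV API_KEY=hunter2
CMD ["nginx", "-g", "daemon off;"]
"""

AFTER = """\
FROM ubuntu:12.04
# update and install in one layer, so a cached index cannot pair with a newer install
RUN apt-get update && \\
    apt-get install -y nginx=1.1.19-1ubuntu0.7 && \\
    rm -rf /var/lib/apt/lists/*
COPY nginx.conf /etc/nginx/nginx.conf
COPY index.html /usr/share/nginx/html/index.html
# assumes nginx.conf listens on an unprivileged port and writes its pid under /var/lib/nginx
RUN useradd -r web && chown -R web /var/log/nginx /var/lib/nginx
USER web
CMD ["nginx", "-g", "daemon off;"]
"""

# Variable names that suggest a credential is being baked into the image (assumption).
SECRET_NAME = re.compile(r"(PASS|PASSWD|PASSWORD|SECRET|TOKEN|KEY)$", re.I)


def parse_dockerfile(text):
    """(INSTRUCTION, arguments) per step, joining backslash continuations
    and dropping comments and blank lines."""
    steps, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        instr, _, args = buf.partition(" ")
        steps.append((instr.upper(), args.strip()))
        buf = ""
    return steps


def lint(text):
    """Return (step, code, message) findings; step 0 refers to the whole file."""
    findings = []
    runs_as_root = True
    for n, (instr, args) in enumerate(parse_dockerfile(text), 1):
        if instr == "FROM":
            image = args.split()[0]
            name = image.rsplit("/", 1)[-1]          # strip registry/namespace
            if image != "scratch" and (":" not in name or name.endswith(":latest")):
                findings.append((n, "FROM_UNPINNED",
                                 "base image without a specific tag or digest: "
                                 "you cannot say what you built on"))
        elif instr == "RUN":
            if "apt-get update" in args and "apt-get install" not in args:
                findings.append((n, "UPDATE_OWN_LAYER",
                                 "apt-get update cached as its own layer: a later "
                                 "install can run against a stale package index"))
            for m in re.finditer(r"apt-get\s+install\s+([^&;|]*)", args):
                pkgs = [t for t in m.group(1).split() if not t.startswith("-")]
                loose = [p for p in pkgs if "=" not in p]
                if loose:
                    findings.append((n, "PKG_UNPINNED",
                                     f"unpinned package(s) {loose}: the manifest problem"))
        elif instr == "ADD":
            findings.append((n, "ADD_NOT_COPY",
                             "ADD also fetches URLs and unpacks archives; use COPY for local files"))
        elif instr in ("ENV", "ARG"):
            var = re.split(r"[\s=]", args, maxsplit=1)[0]
            if SECRET_NAME.search(var):
                findings.append((n, "SECRET_IN_IMAGE",
                                 f"{var} is stored in image metadata for anyone who can pull it"))
        elif instr == "USER":
            runs_as_root = args.split(":")[0] in ("root", "0")
    if runs_as_root:
        findings.append((0, "NO_USER", "no USER instruction: container processes run as root"))
    return findings


if __name__ == "__main__":
    for finding in lint(BEFORE):
        print(finding)
    print("AFTER:", lint(AFTER) or "clean")
```

`FROM scratch` passes the base-image check by design, which is the trade slide 26 describes: nothing to pin because nothing is inherited, and every binary in the image becomes your responsibility to track instead.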
 37. Wrapping up
 38. For more detail
     https://www.docker.com/docker-security
     http://www.infoq.com/author/Chris-Swan
 39. And please check out Docker plugins to our VNS3
     Isolated Docker containers within VNS3 allow Partners and Customers to embed features and functions safely and securely into their Cloud Network.
     Plugin containers: Proxy, Reverse Proxy, Content Caching, Load Balancer, IDS, Custom Container
     VNS3 Core Components: Router, Switch, Firewall, Protocol Redistributor, VPN Concentrator, Scriptable SDN
 40. Questions?
