
Linux Native, HTTP Aware Network Security


Cilium is open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.

At the foundation of Cilium is a new Linux kernel technology called BPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because BPF runs inside the Linux kernel itself, Cilium security policies can be applied and updated without any changes to the application code or container configuration.

Published in: Software


  1. Title. Thomas Graf, CTO & Co-Founder @ Covalent. Linux-Native, HTTP-Aware Network Security
  2. Code consistency at velocity:

     | Application Architecture      | Delivery Frequency | Operational Complexity |
     |-------------------------------|--------------------|------------------------|
     | Single Server App             | Yearly             | Low                    |
     | 3-Tier App                    | Monthly            | Moderate               |
     | Distributed Microservices App | 10-100x / day      | Extreme                |
  3. Network security has not evolved. The world still runs on iptables matching IPs and ports:

         $ iptables -A INPUT -p tcp -s 15.15.15.3 --dport 80 -m conntrack --ctstate NEW -j ACCEPT
  4. Your HTTP ports be like …
  5. L3/L4 Network Security for microservices: Pod “Frontend” talks to Pod “Store” (API).
  6. L3/L4 Network Security for microservices: Frontend sends `GET /store/myItem HTTP/1.1` to the Store API.
  7. L3/L4 Network Security for microservices: the policy is `FROM frontend ALLOW tcp:80`.
  8. L3/L4 Network Security for microservices: the Store API exposes `GET /store/{id}`.
  9. L3/L4 Network Security for microservices: the Store API also exposes `GET /healthz`, `PUT /store/{id}` and `PUT /config`.
  10. L3/L4 Network Security for microservices: with `FROM frontend ALLOW tcp:80`, the whole API is attack surface.
  11. L3/L4 Network Security for microservices: three of the four handlers are marked “exposed”; the policy `FROM frontend ALLOW tcp:80` lets `GET /store/myItem HTTP/1.1` through (OK).
  12. L4 security has become meaningless in the age of microservices.
  13. L3/L4 Network Security for microservices: same diagram (Frontend → Store with `GET /healthz`, `GET /store/{id}`, `PUT /store/{id}`, `PUT /config`), request `GET /store/myItem HTTP/1.1`.
  14. L3/L4 Network Security for microservices: HTTP-aware policy `FROM frontend ALLOW GET /store/.*`; request `GET /store/myItem HTTP/1.1`.
  15. We demand a demo!
  16. BPF – The Superpowers inside Linux
  17. What is BPF? Raw BPF instructions as they look from user space (the slide's excerpt, a struct field initializer):

         .insns = {
             BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
             BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
             BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
             BPF_LD_MAP_FD(BPF_REG_1, 0),
             BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
             BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
             BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
             BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
             BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
             BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
             BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
             BPF_EXIT_INSN(),
         }
  18. What is BPF? SOURCE CODE [C] (user space).
  19. What is BPF? SOURCE CODE [C] → BYTE CODE [BPF] (user space).
  20. What is BPF? SOURCE CODE [C] → BYTE CODE [BPF] → VERIFIER + JIT (user space → kernel).
  21. What is BPF? SOURCE CODE [C] → BYTE CODE [BPF] → VERIFIER + JIT → BPF SANDBOX in the kernel.
  22. What is BPF? Two processes, each attached to a BPF sandbox.
  23. What is BPF? A process's `write()` passes through its BPF sandbox.
  24. What is BPF? The BPF sandbox rejects the `write()` with EACCES.
  25. How does BPF relate to HTTP? A process sends `GET /foo`.
  26. How does BPF relate to HTTP? The request passes through a BPF sandbox.
  27. How does BPF relate to HTTP? BPF redirects the request to a proxy that holds the rules.
  28. How does BPF relate to HTTP? The proxy reinjects the allowed request.
  29. How does BPF relate to HTTP? Otherwise the proxy answers 403 Access Denied.
  30. Cilium Architecture: Cilium Agent (CLI, Monitor, Policy, Plugins) in user space; in the kernel, a BPF program per process.
  31. BPF code generation at container startup:
      • Generate networking code at container startup: tailored to each container, including only the minimal code required, which makes it faster and gives it a smaller attack surface.
      • Constant config (IP, MAC, ports, …) enables compiler optimization.
      • Regeneration at runtime without breaking connections.
  32. [Chart: BPF redirect() performance (GBit per core), y-axis 0-600, x-axis 1-22 cores, rising from 75 at 1 core to 565 at 22 cores. Intel Xeon 3.5GHz Sandy Bridge, 24 cores, 1 TCP GSO flow per core, netperf -t TCP_SENDFILE, 10K Cilium policies.]
  33. Thank You. Learn more: cilium.io. Code: github.com/cilium/cilium. Follow us: @ciliumproject. KubeCon booth: S19
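The policy progression from slides 7 and 14, written as two CiliumNetworkPolicy objects for the Frontend/Store example (an added example, not from the deck or the Cilium project; the pod labels `app: frontend` / `app: store` and the policy names are assumed):

```yaml
# Slide 7: L4-only policy ("FROM frontend ALLOW tcp:80"). Every handler the
# Store pod serves on port 80 (GET /healthz, PUT /store/{id}, PUT /config)
# is reachable from Frontend: this is the attack surface of slides 10 and 11.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: store-allow-frontend-l4      # assumed name
spec:
  endpointSelector:
    matchLabels:
      app: store                     # assumed label
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend                # assumed label
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
---
# Slide 14: HTTP-aware policy ("FROM frontend ALLOW GET /store/.*").
# Adding an http rule makes Cilium redirect port-80 traffic from Frontend
# through its proxy (slides 27-29); only requests whose method and path
# match are reinjected, everything else gets 403 Access Denied.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: store-allow-frontend-l7      # assumed name
spec:
  endpointSelector:
    matchLabels:
      app: store
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/store/.*"          # regex, anchored to the full path
```

With the second policy in place, `GET /store/myItem` from Frontend still succeeds, while `PUT /config` and `GET /healthz` from Frontend are refused at the proxy rather than reaching the Store pod.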
