Linux Native, HTTP Aware Network Security
Cilium is open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.

At the foundation of Cilium is a new Linux kernel technology called BPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because BPF runs inside the Linux kernel itself, Cilium security policies can be applied and updated without any changes to the application code or container configuration.

1. Title: Linux-Native, HTTP-Aware Network Security
   Thomas Graf, CTO & Co-Founder @ Covalent

2. Application Architectures: code consistency at velocity

   Architecture                    Delivery frequency   Operational complexity
   Single Server App               Yearly               Low
   3-Tier App                      Monthly              Moderate
   Distributed Microservices App   10-100x / day        Extreme

3. Network security has not evolved. The world still runs on iptables matching IPs and ports:

   $ iptables -A INPUT -p tcp -s 15.15.15.3 --dport 80 -m conntrack --ctstate NEW -j ACCEPT

4. Your HTTP ports be like … (image)

5-11. L3/L4 network security for microservices (diagram, built up over several slides)

   Pod "Frontend" calls the API of Pod "Store":

       GET /store/myItem HTTP/1.1

   The policy is an L4 rule:

       FROM frontend ALLOW tcp:80

   The Store API actually exposes GET /healthz, GET /store/{id}, PUT /store/{id} and PUT /config. The rule only sees the port, so it admits all of them: the attack surface is the whole API, and every endpoint is exposed to the frontend. The request above gets an OK, but so would PUT /config.

12. L4 security has become meaningless in the age of microservices

13-14. L3/L4 network security for microservices (continued)

   The same diagram with an HTTP-aware rule that admits only the call the frontend needs:

       FROM frontend ALLOW GET /store/.*

   GET /store/myItem HTTP/1.1 still passes; GET /healthz, PUT /store/{id} and PUT /config are no longer reachable from the frontend.

15. We demand a demo!

16. BPF – The Superpowers inside Linux
17. What is BPF?

   A BPF program is an array of fixed-size instructions. The slide shows one written with the instruction macros the kernel tree uses for its own BPF tests (include/linux/filter.h); the comments are added here and describe what each instruction does:

   .insns = {
       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),          /* r2 = r10, the frame pointer */
       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),         /* r2 = fp - 8: stack slot for the map key */
       BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),           /* *(u64 *)(fp - 8) = 0: key = 0 */
       BPF_LD_MAP_FD(BPF_REG_1, 0),                   /* r1 = map; 0 is a placeholder fd the loader fills in */
       BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),       /* r0 = map_lookup_elem(r1 = map, r2 = &key) */
       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),          /* r1 = fp */
       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),       /* r1 = fp - 152: stack slot for the result */
       BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),  /* *(u64 *)(fp - 152) = r0 (value pointer or NULL) */
       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),         /* if r0 == NULL (key not found) skip the next 2 insns */
       BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),  /* r3 = *(u64 *)(fp - 152): the value pointer */
       BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),          /* *(u64 *)r3 = 42: write into the map value */
       BPF_EXIT_INSN(),                               /* return r0 */
   }
18-24. What is BPF? (pipeline, built up over several slides)

   USER SPACE:  SOURCE CODE [C]  -->  BYTE CODE [BPF]
   KERNEL:      VERIFIER + JIT   -->  SANDBOX [BPF]

   A program is written in C in user space and compiled to BPF byte code. The byte code is loaded into the kernel, where the verifier checks it before the JIT turns it into native code; only then does it run, in a sandbox attached to a process. The last slide in the sequence shows the effect: a process calls write(), the BPF program attached to it intercepts the call, and the process gets back EACCES.
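What the verifier does between "byte code" and "sandbox" is easiest to see on a small model. The Python below is an added example written for this page, not Cilium code and not the kernel's verifier: it re-encodes the slide-17 program in its own tuple form (the op names, tuple layout and helper modelling are this example's assumptions) and applies three of the rules the real verifier enforces before a program is JIT-compiled and run. The two rejected programs are constructed for the demonstration.

```python
"""Toy model of the BPF verifier that sits between "byte code" and "sandbox".

Added example for this page: it is not Cilium code and not the kernel's
verifier. It encodes the map-lookup program from slide 17 in its own
(op, dst, src, off, imm) tuple form and enforces three of the rules the
real verifier applies before a program is JIT-compiled and run:
  1. a register must be written before it is read (only r1, the context,
     and r10, the frame pointer, are initialised on entry);
  2. a jump must land inside the program and go forward, so the program
     has no loops and always terminates;
  3. every path through the program must end in an exit instruction.
"""

R0, R1, R2, R3, R10 = 0, 1, 2, 3, 10
ENTRY_REGS = frozenset({R1, R10})
CALLER_SAVED = frozenset({1, 2, 3, 4, 5})  # a helper call clobbers r1-r5, result comes back in r0

# Slide 17's instruction sequence in this example's encoding.
SLIDE_PROGRAM = [
    ("mov64_reg", R2, R10, None, None),             # r2 = fp
    ("alu64_imm_add", R2, None, None, -8),          # r2 = fp - 8
    ("st_mem", R2, None, 0, 0),                     # *(fp - 8) = 0  (key)
    ("ld_map_fd", R1, None, None, 0),               # r1 = map
    ("call", None, None, None, "map_lookup_elem"),  # r0 = lookup(r1, r2)
    ("mov64_reg", R1, R10, None, None),             # r1 = fp
    ("alu64_imm_add", R1, None, None, -152),        # r1 = fp - 152
    ("stx_mem", R1, R0, 0, None),                   # *(fp - 152) = r0
    ("jmp_imm_jeq", R0, None, 2, 0),                # if r0 == 0: skip 2
    ("ldx_mem", R3, R1, 0, None),                   # r3 = *(fp - 152)
    ("st_mem", R3, None, 0, 42),                    # *r3 = 42
    ("exit", None, None, None, None),               # return r0
]

# Constructed negative cases: a backward jump (a loop) and a read of r3
# before anything wrote it.
LOOP_PROGRAM = [
    ("mov64_reg", R2, R10, None, None),
    ("jmp_imm_jeq", R2, None, -2, 0),               # jumps back to insn 0
    ("exit", None, None, None, None),
]
UNINIT_PROGRAM = [
    ("mov64_reg", R0, R3, None, None),              # r3 was never written
    ("exit", None, None, None, None),
]

# Registers each op reads (given dst, src) and writes (given dst).
# "call" is modelled for map_lookup_elem only, which takes (map, key) in r1, r2.
READS = {
    "mov64_reg":     lambda d, s: {s},
    "alu64_imm_add": lambda d, s: {d},
    "st_mem":        lambda d, s: {d},
    "ld_map_fd":     lambda d, s: set(),
    "call":          lambda d, s: {R1, R2},
    "stx_mem":       lambda d, s: {d, s},
    "jmp_imm_jeq":   lambda d, s: {d},
    "ldx_mem":       lambda d, s: {s},
    "exit":          lambda d, s: {R0},
}
WRITES = {
    "mov64_reg": lambda d: {d}, "alu64_imm_add": lambda d: {d},
    "ld_map_fd": lambda d: {d}, "ldx_mem": lambda d: {d},
    "call": lambda d: {R0},
}


def verify(program):
    """Return (True, "ok") if the program passes, else (False, reason)."""
    n = len(program)

    def walk(pc, written):
        if pc >= n:
            return False, f"insn {pc}: falls off the end without exit"
        op, dst, src, off, _imm = program[pc]
        if op not in READS:
            return False, f"insn {pc}: unknown opcode {op!r}"
        for reg in READS[op](dst, src):
            if reg not in written:
                return False, f"insn {pc}: r{reg} is read before being written"
        if op == "exit":
            return True, "ok"
        if op == "call":
            written = written - CALLER_SAVED
        written = written | WRITES.get(op, lambda d: set())(dst)
        if op == "jmp_imm_jeq":
            if off < 0:
                return False, f"insn {pc}: backward jump is not allowed (loop)"
            target = pc + 1 + off
            if target >= n:
                return False, f"insn {pc}: jump target {target} is out of range"
            ok, why = walk(target, written)   # branch taken
            if not ok:
                return ok, why
        return walk(pc + 1, written)           # fall through

    return walk(0, ENTRY_REGS)


if __name__ == "__main__":
    for name, prog in [("slide", SLIDE_PROGRAM), ("loop", LOOP_PROGRAM), ("uninit", UNINIT_PROGRAM)]:
        print(name, verify(prog))
```

The slide program passes; dropping its final exit, jumping backwards, or reading an unwritten register each gets a rejection with the offending instruction index. The real verifier additionally tracks pointer types and stack bounds (for example that fp - 8 and fp - 152 lie inside the 512-byte BPF stack), which this model leaves out.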
25-29. How does BPF relate to HTTP? (built up over several slides)

   A process sends GET /foo. The BPF program in the sandbox attached to the process does not parse HTTP itself: it redirects the connection to a proxy that holds the HTTP rules. If the request matches the rules, the proxy reinjects it and it continues to its destination; if not, the proxy answers 403 Access Denied.
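The following Python is an added example, written for this page and not taken from Cilium (it uses neither Cilium's policy engine nor its policy format). It models both the policy comparison of slides 5-14 and the decision flow of slides 25-29: the two rules, the four Store endpoints and the request lines come from the slides, while the identity labels ("app=frontend"), the Rule/Request types, the full-match regex semantics and the "drop"/"allow"/"403" decision values are this example's own assumptions.

```python
"""The slides' L4 rule versus L7 rule, and the redirect-to-proxy decision.

Added example for this page: it is not Cilium's policy engine and does not
use Cilium's policy format. The policies, the Store API endpoints and the
request lines are taken from the slides; the identity labels, the
Rule/Request types and the decision values are this example's own.
Decision flow, modelled on slides 25-29:
  - the datapath (BPF) admits or drops a connection on source identity,
    protocol and port;
  - if the admitting rule carries HTTP rules, the connection goes to a
    proxy that allows each request or answers 403.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpRule:
    method: str
    path: str          # regular expression; must match the whole path (this example's choice)


@dataclass(frozen=True)
class Rule:
    from_labels: frozenset   # source identity, e.g. {"app=frontend"}
    port: int
    proto: str = "tcp"
    http: tuple = ()         # empty: plain L4 rule, requests are not inspected


@dataclass(frozen=True)
class Request:
    src_labels: frozenset
    port: int
    proto: str
    request_line: str        # e.g. "GET /store/myItem HTTP/1.1"


def parse_request_line(line):
    """Split 'METHOD SP REQUEST-TARGET SP HTTP-VERSION'; anything else is malformed."""
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {line!r}")
    return parts[0], parts[1], parts[2]


def decide(policy, req):
    """Return ("drop", why), ("allow", why) or ("403", why).

    "drop" is the BPF datapath refusing the connection at L3/L4; "403" is
    the proxy refusing one request on a connection the datapath admitted.
    """
    l4 = [r for r in policy
          if r.from_labels <= req.src_labels and r.port == req.port and r.proto == req.proto]
    if not l4:
        return "drop", f"no rule admits {sorted(req.src_labels)} -> {req.proto}:{req.port}"
    # A plain L4 rule admits the whole connection; the proxy never sees it.
    if any(not r.http for r in l4):
        return "allow", "L4 rule, request not inspected"
    # Otherwise the connection is redirected to the proxy.
    try:
        method, path, _version = parse_request_line(req.request_line)
    except ValueError as err:
        return "403", str(err)   # this example treats unparseable requests as denied
    for r in l4:
        for h in r.http:
            if h.method == method and re.fullmatch(h.path, path):
                return "allow", f"proxy matched {h.method} {h.path}"
    return "403", f"proxy: {method} {path} matches no HTTP rule"


FRONTEND = frozenset({"app=frontend"})
STORE_API = [                      # the Store pod's API from the slides
    "GET /healthz HTTP/1.1",
    "GET /store/myItem HTTP/1.1",
    "PUT /store/myItem HTTP/1.1",
    "PUT /config HTTP/1.1",
]
L4_POLICY = [Rule(FRONTEND, 80)]                                          # FROM frontend ALLOW tcp:80
L7_POLICY = [Rule(FRONTEND, 80, http=(HttpRule("GET", r"/store/.*"),))]  # FROM frontend ALLOW GET /store/.*


def exposed(policy, src_labels=FRONTEND):
    """The part of the Store API that `policy` lets `src_labels` reach."""
    return [line for line in STORE_API
            if decide(policy, Request(src_labels, 80, "tcp", line))[0] == "allow"]


if __name__ == "__main__":
    print("L4 policy exposes:", exposed(L4_POLICY))
    print("L7 policy exposes:", exposed(L7_POLICY))
    print(decide(L7_POLICY, Request(FRONTEND, 80, "tcp", "PUT /config HTTP/1.1")))
```

Under the L4 policy all four endpoints are reachable from the frontend, and so is a request line that is not even valid HTTP, because nothing on the path looks at it. Under the L7 policy only GET /store/myItem passes; PUT /config, GET /healthz and PUT /store/myItem each get a 403 from the proxy, and a source without the frontend identity, or a connection to another port, is dropped before any proxy is involved.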
30. Cilium Architecture

   Kernel: a BPF program attached to each process (container), plus further BPF code in the kernel.
   User space: the Cilium agent, with CLI, Monitor, Policy and Plugins, which generates and loads those programs.

31. BPF code generation at container startup

   • Generate networking code at container startup
     + tailored to each container
     + includes only the minimal code required: faster, smaller attack surface
   • Constant config (IP, MAC, ports, …) compiled in, compiler optimization
   • Regeneration at runtime without breaking connections

32. BPF redirect() performance [GBit per core] (chart)

   x axis: 1 … 22; y axis: 0 … 600. Plotted values in x order: 75, 140, 205, 240, 325, 365, 370, 365, 410, 412, 425, 445, 450, 460, 460, 490, 495, 505, 515, 525, 545, 565.
   Setup: Intel Xeon 3.5GHz Sandy Bridge, 24 cores, 1 TCP GSO flow per core, netperf -t TCP_SENDFILE, 10K Cilium policies.

33. Thank You
   Learn more: cilium.io
   Code: github.com/cilium/cilium
   Follow us: @ciliumproject
   KubeCon booth: S19