Marian Marinov, profile picture
Uploaded byMarian Marinov
ODP, PDF534 views

Securing the network for VMs or Containers

The document discusses securing KVM and container networks, emphasizing the need to understand infrastructure for effective protection against threats like ARP and IP spoofing. It outlines various networking options available for KVM and container configurations, alongside strategies for enhancing security through VLANs, iptables, and arptables. The document concludes with practical examples of network setups and security measures to prevent common network attacks.

Embed presentation

Download to read offline
Securing Securing  KVM / containerKVM / container networksnetworks Marian HackMan MarinovMarian HackMan Marinov <mm@siteground.com><mm@siteground.com> Chief System ArchitectChief System Architect SiteGroundSiteGround
Who am I?Who am I?Who am I?Who am I? ❖ Chief System Architect of Siteground.com ❖ Sysadmin since 1996 ❖ Organizer of OpenFest, BG Perl Workshops, LUG-BG and similar :) ❖ Teaching Network Security and Linux System Administration at Sofia University
DISCLAMERDISCLAMERDISCLAMERDISCLAMER ❖ I'll be looking only at the network on the host machine ❖ The only proper way of securing the network between your VMs / containers and the host machine is to know your infrastructure. This includes MAC, IP addresses and their actual location.
❖ Basic things that have to protect from  arp spoofing  ip spoofing  traffic leaking / sniffing
KVM networkingKVM networkingKVM networkingKVM networking ❖ What network options does KVM give us?  vnet device on the host  macvtap  Virtual Distributed Ethernet (VDE)  assign a physical device (SR-IOV) Single Root I/O Virtualization (SR-IOV)  assign a physical device (eth, wlan)
KVM networkingKVM networkingKVM networkingKVM networking ❖ What network options does KVM give us?  NAT  Routing  Bridge  OpenVswitch  ProxyARP
Container networkingContainer networkingContainer networkingContainer networking ❖ What network options are available for containers?  macvlan (tap & tun)  veth pair (routing or NAT)  VDE (using tap devices)  move any network device into the container (eth, tun/tap, vlan, wlan, etc.)
Container networkingContainer networkingContainer networkingContainer networking ❖ What network options are available for containers?  Bridge  OpenVswitch  Routing  NAT  ProxyARP
Protections?Protections?Protections?Protections? ❖ How can we secure all those options?  VLANs
Protections?Protections?Protections?Protections? ❖ How can we secure all those options?  VLANs  Routing
Protections?Protections?Protections?Protections? ❖ How can we secure all those options?  VLANs  Routing  Static ARP
Protections?Protections?Protections?Protections? ❖ How can we secure all those options?  VLANs  Routing  Static ARP  iptables
Protections?Protections?Protections?Protections? ❖ How can we secure all those options?  VLANs  Routing  Static ARP  iptables  ebtables
Protections?Protections?Protections?Protections? ❖ How can we secure all those options?  VLANs  Routing  Static ARP  iptables  ebtables  arptables
Protections?Protections?Protections?Protections? ❖ How can we secure all those options?  VLANs  Routing  Static ARP  iptables  ebtables  arptables  ip6tables
Network setupNetwork setupNetwork setupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2 Using a Router
Network setupNetwork setupNetwork setupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2 Using a Bridge
Attacking theAttacking the bridged networkbridged network Attacking theAttacking the bridged networkbridged network ❖ arp poisoning  VM-1 arp cache poison of the HOST  VM-1 arp cache poison of VM-2  As simple as: # ip a a 10.0.0.1/24 dev eth0 # arping -i eth0 -U 10.0.0.1  Can be even easier: # arpspoof -i eth0 -t 10.0.0.1 -r 10.0.0.15
Protecting theProtecting the bridged networkbridged network Protecting theProtecting the bridged networkbridged network ❖ Preventing arp poison on the HOST  adding static ARP entries: # ip n a 10.0.0.15 lladdr 01:81:36:ec:05:ee nud permanent dev vnet1
Protecting theProtecting the bridged networkbridged network Protecting theProtecting the bridged networkbridged network ❖ Preventing arp spoofing to the VMs/Containers  configure ARPTABLES # arptables -P OUT DROP # arptables -A OUT -j ACCEPT -s GW -i eth0 -z xx:xx:xx:xx:xx:xx # arptables -A OUT -j ACCEPT -s 10.0.0.15 -i vnet1 -z xx:xx:xx:xx:xx:xx # arptables -A OUT -j ACCEPT -o vnet1
Network setupNetwork setupNetwork setupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2 Using a Bridge eth0: 10.12.0.12 # brctl show bridge bridge id interfaces br0 8000.028037ec0200 eth0 vnet1 vnet2
Network setupNetwork setupNetwork setupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2Using a Bridge eth0: 10.12.0.12 VM1: ping -c1 10.12.0.12 PING 10.12.0.12 (10.12.0.12) 56(84) bytes of data. 64 bytes from 10.12.0.12: icmp_seq=1 ttl=64 time=0.086 ms
Network setupNetwork setupNetwork setupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2Using a Bridge eth0: 10.12.0.12 VM1: ping -c1 10.12.0.12 PING 10.12.0.12 (10.12.0.12) 56(84) bytes of data. 64 bytes from 10.12.0.12: icmp_seq=1 ttl=64 time=0.086 ms
Network setupNetwork setupNetwork setupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2Using a Bridge ❖ We now have many options we can use bridge vlan filtering using ingress policy using ebtables using namespaces ebtables filter (drop all traffic on that interface) arptables filter iptables filter (drop all traffic on that interface) don't forget about IPv6 ☺
Network setupNetwork setupNetwork setupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2Using a Bridge # echo 1 > /sys/class/net/br0/bridge/vlan_filtering # bridge vlan del dev br0 vid 1 self # bridge vlan show port vlan ids eth0 1 PVID Egress Untagged vnet1 1 PVID Egress Untagged vnet2 1 PVID Egress Untagged br0 None
Network setupNetwork setupNetwork setupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2Using a Bridge # echo 1 > /sys/class/net/br0/bridg # bridge vlan del dev br0 vid 1 sel # bridge vlan show port vlan ids eth0 1 PVID Egress Untagged vnet1 1 PVID Egress Untagged vnet2 1 PVID Egress Untagged br0 None HOST
Network setupNetwork setupNetwork setupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2Using a Bridge ingress filter # tc qdisc add dev br0 handle ffff: ingress # tc filter add dev br0 parent ffff: u32 match u8 0 0 action drop ebtables: # ebtables -A INPUT --logical-in br0 -j DROP
Network setupNetwork setupNetwork setupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2 Using a Bridge HOST eth1 br0 eth0 vnet1 vnet2 vm-bridge
Network setupNetwork setupNetwork setupNetwork setup # ip netns add vm-bridge # ip link set netns vm-bridge eth0 # ip link set netns vm-bridge vnet1 # ip link set netns vm-bridge vnet2 # ip link del dev br0 # ip netns exec vm-bridge brctl addbr br0 # for i in eth0 vnet1 vnet2; do > ip netns exec vm-bridge brctl addif br0 $i > ip netns exec vm-bridge ip link set up dev $i > done # ip netns exec vm-bridge ip link set up dev br0
Network setupNetwork setupNetwork setupNetwork setup Disabling ARP on bridge br0: # ip link set arp off dev br0 # ip l l dev br0 8: br0: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group d link/ether 50:54:33:00:00:04 brd ff:ff:ff:ff:ff:ff
Network setupNetwork setupNetwork setupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2 Using a Router VM1: 10.0.0.4/30 VM2: 10.0.0.8/30 HOST: 10.0.0.0/30
Network setupNetwork setupNetwork setupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2If you want flexibility,If you want flexibility, you add a routing protocolyou add a routing protocol bgp1bgp1 bgp2bgp2
Network setupNetwork setupNetwork setupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2If you want flexibility,If you want flexibility, you add a routing protocolyou add a routing protocol You now need to protect the BGPs from bogus announcements bgp1bgp1 bgp2bgp2
Protect the HOSTProtect the HOSTProtect the HOSTProtect the HOST Prevent access to the host node with policy routing # echo “200 vnet1” >> /etc/iproute2/rt_tables # ip route add 0/0 via x.x.x.x table vnet1 # ip route add 10.0.0.15 dev vnet1 table vnet1 # ip rule add iif vnet1 table vnet1 # ip rule add oif vnet1 table vnet1
Prevent spoofing of IPsPrevent spoofing of IPsPrevent spoofing of IPsPrevent spoofing of IPs Limit the source IPs of all clients: # iptables -P FORWARD DROP # iptables -A FORWARD -j ACCEPT -i vnet1 -s 10.0.0.15 # iptables -A FORWARD -j ACCEPT -i vnet2 -s 10.0.0.16
THANK YOUTHANK YOUTHANK YOUTHANK YOU Marian HackMan Marinov <mm@siteground.com>

More Related Content

PDF
UNDOCUMENTED Vyatta vRouter: Unbreakable VPN Tunneling (MEMO)
byNaoto MATSUMOTO
 
PPTX
Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
byDefcon Moscow
 
PDF
SR-IOV+KVM on Debian/Stable
byjuet-y
 
PDF
How to ride a 100GbE LAN -MEMO-
byNaoto MATSUMOTO
 
PDF
An Easy way to build a server cluster without top of rack switches (MEMO)
byNaoto MATSUMOTO
 
ODP
How to setup your linux server
byMarian Marinov
 
DOCX
Wowza project
bySandeep Verma
 
PDF
How to twist a IPv6 over Bluetooth (6lowpan)
byNaoto MATSUMOTO
 
UNDOCUMENTED Vyatta vRouter: Unbreakable VPN Tunneling (MEMO)
byNaoto MATSUMOTO
 
Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
byDefcon Moscow
 
SR-IOV+KVM on Debian/Stable
byjuet-y
 
How to ride a 100GbE LAN -MEMO-
byNaoto MATSUMOTO
 
An Easy way to build a server cluster without top of rack switches (MEMO)
byNaoto MATSUMOTO
 
How to setup your linux server
byMarian Marinov
 
Wowza project
bySandeep Verma
 
How to twist a IPv6 over Bluetooth (6lowpan)
byNaoto MATSUMOTO
 

What's hot

PPTX
Nomenclatura QNAP
byFernando Barrientos
 
PDF
VYOS & RPKI at the BGP as edge
byFaelix Ltd
 
PDF
Unbreakable VPN using Vyatta/VyOS - HOW TO -
byNaoto MATSUMOTO
 
PPT
Oleg Kupreev - 802.11 tricks and threats
byDefcon Moscow
 
PDF
Отказоустойчивость с использованием Cisco ASA Clustering
byCisco Russia
 
PDF
82599 sriov vm configuration notes
byRyan Aydelott
 
PDF
How to train your L3DSR with PBR - MEMO -
byNaoto MATSUMOTO
 
PDF
L2TP 101 ON-RAMP TO CONSUMING WHOLESALE BROADBAND SERVICES
byFaelix Ltd
 
PDF
NexusでAnsibleやってみた
byTakehiro Yokoishi
 
PDF
RabbitMQ Server - cheat sheet -
byNaoto MATSUMOTO
 
PDF
How to Connect MQTT Broker on ESP8266 WiFi
byNaoto MATSUMOTO
 
DOCX
Cisco asa 5505 vs juniper ssg 5
byIT Tech
 
PDF
Tiny Server Clustering using Vyatta/VyOS (MEMO)
byNaoto MATSUMOTO
 
PPTX
High Availability Server Clustering without ILB(Internal Load Balancer) (MEMO)
byNaoto MATSUMOTO
 
PDF
Keeping your rack cool
byPavel Odintsov
 
PPTX
Recent Developments in Donard
byPMC-Sierra Inc.
 
DOC
St58 t8g23 specification-www.ttbvs.com
byTTBVS
 
PDF
How to install OpenStack MITAKA --allinone - cheat sheet -
byNaoto MATSUMOTO
 
PDF
Ata Over Ethernet
byKit Peters
 
PDF
NeoKeys Phone Brochure V3 (Small File Size)
bywww.webhub.mobi by Yuvee, Inc.
 
Nomenclatura QNAP
byFernando Barrientos
 
VYOS & RPKI at the BGP as edge
byFaelix Ltd
 
Unbreakable VPN using Vyatta/VyOS - HOW TO -
byNaoto MATSUMOTO
 
Oleg Kupreev - 802.11 tricks and threats
byDefcon Moscow
 
Отказоустойчивость с использованием Cisco ASA Clustering
byCisco Russia
 
82599 sriov vm configuration notes
byRyan Aydelott
 
How to train your L3DSR with PBR - MEMO -
byNaoto MATSUMOTO
 
L2TP 101 ON-RAMP TO CONSUMING WHOLESALE BROADBAND SERVICES
byFaelix Ltd
 
NexusでAnsibleやってみた
byTakehiro Yokoishi
 
RabbitMQ Server - cheat sheet -
byNaoto MATSUMOTO
 
How to Connect MQTT Broker on ESP8266 WiFi
byNaoto MATSUMOTO
 
Cisco asa 5505 vs juniper ssg 5
byIT Tech
 
Tiny Server Clustering using Vyatta/VyOS (MEMO)
byNaoto MATSUMOTO
 
High Availability Server Clustering without ILB(Internal Load Balancer) (MEMO)
byNaoto MATSUMOTO
 
Keeping your rack cool
byPavel Odintsov
 
Recent Developments in Donard
byPMC-Sierra Inc.
 
St58 t8g23 specification-www.ttbvs.com
byTTBVS
 
How to install OpenStack MITAKA --allinone - cheat sheet -
byNaoto MATSUMOTO
 
Ata Over Ethernet
byKit Peters
 
NeoKeys Phone Brochure V3 (Small File Size)
bywww.webhub.mobi by Yuvee, Inc.
 

Viewers also liked

ODP
nftables - the evolution of Linux Firewall
byMarian Marinov
 
PDF
4 Sessions
byMarian Marinov
 
PDF
Performance comparison of Distributed File Systems on 1Gbit networks
byMarian Marinov
 
ODP
Home assistant
byMarian Marinov
 
ODP
Computer vision for your projects
byMarian Marinov
 
PDF
Introduction to python
byMarian Marinov
 
PDF
Make your internship "worth it"
byMarian Marinov
 
PDF
Moving your router inside container
byMarian Marinov
 
PDF
Lxd the proper way of runing containers
byMarian Marinov
 
PDF
Comparison of foss distributed storage
byMarian Marinov
 
PDF
Why we are migrating to Slackware
byMarian Marinov
 
PDF
Protecting your home and office in the era of IoT
byMarian Marinov
 
PDF
LUG-BG 2017 - Rangel Ivanov - Spread some butter - BTRFS
byMarian Marinov
 
PDF
How penetration testing techniques can help you improve your qa skills
byMarian Marinov
 
PPTX
LUG-BG - Kostadin Slavkov - PostgreSQL 10
byMarian Marinov
 
PDF
Practical my sql performance optimization
byMarian Marinov
 
PDF
Io t introduction to electronics
byMarian Marinov
 
PDF
Gluster.community.day.2013
byUdo Seidel
 
ODP
Protecting your data when entering the US
byMarian Marinov
 
nftables - the evolution of Linux Firewall
byMarian Marinov
 
4 Sessions
byMarian Marinov
 
Performance comparison of Distributed File Systems on 1Gbit networks
byMarian Marinov
 
Home assistant
byMarian Marinov
 
Computer vision for your projects
byMarian Marinov
 
Introduction to python
byMarian Marinov
 
Make your internship "worth it"
byMarian Marinov
 
Moving your router inside container
byMarian Marinov
 
Lxd the proper way of runing containers
byMarian Marinov
 
Comparison of foss distributed storage
byMarian Marinov
 
Why we are migrating to Slackware
byMarian Marinov
 
Protecting your home and office in the era of IoT
byMarian Marinov
 
LUG-BG 2017 - Rangel Ivanov - Spread some butter - BTRFS
byMarian Marinov
 
How penetration testing techniques can help you improve your qa skills
byMarian Marinov
 
LUG-BG - Kostadin Slavkov - PostgreSQL 10
byMarian Marinov
 
Practical my sql performance optimization
byMarian Marinov
 
Io t introduction to electronics
byMarian Marinov
 
Gluster.community.day.2013
byUdo Seidel
 
Protecting your data when entering the US
byMarian Marinov
 

Similar to Securing the network for VMs or Containers

PPT
Mitigating Layer2 Attacks
bydkaya
 
PDF
Linux Networking Explained
byThomas Graf
 
PDF
Catalyst Smart Operations : Simplify Your Network
byCisco Russia
 
PDF
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online
byShapeBlue
 
PDF
Linux network tools (Maarten Blomme)
byAvansa Mid- en Zuidwest
 
DOCX
Ccna 4 final lab switchi
byLeandro Uglar
 
PDF
Open stack advanced_part
bylilliput12
 
PDF
Secure LXC Networking
byMarian Marinov
 
PPTX
Training open stack networking -neutron
byHaifeng Yan (颜海峰)
 
DOCX
Configuracion EIGRP
byalexis marck Huiza Canchanya
 
PDF
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
byfoismail170
 
PDF
欧洲杯投注app-欧洲杯投注app推荐-欧洲杯投注app| 立即访问【ac123.net】
byfoismail170
 
PDF
2024欧洲杯最好的投注软件-2024欧洲杯最好的投注软件网址-2024欧洲杯最好的投注软件|【​网址​🎉ac123.net🎉​】
byakrooshsaleem36
 
PDF
2024欧洲杯平台-2024欧洲杯平台网址-2024欧洲杯平台|【​网址​🎉ac123.net🎉​】
bytalhaaslan625
 
PDF
欧洲杯比赛投注官网-欧洲杯比赛投注官网网站-欧洲杯比赛投注官网|【​网址​🎉ac123.net🎉​】
byvelosonando62
 
PDF
欧洲杯比赛投注官网-欧洲杯比赛投注官网网站-欧洲杯比赛投注官网|【​网址​🎉ac123.net🎉​】
byahmedendrise81
 
ODP
Integrating Linux routing with FusionCLI™
byStephen Hemminger
 
PDF
Cisco asa vpn
byAndres Ldño
 
PDF
Actividad configuración de cisco asa vpn
byAndres Ldño
 
PDF
Campus Area Networks of the University using MPLS, VLANs and the Internet
byijtsrd
 
Mitigating Layer2 Attacks
bydkaya
 
Linux Networking Explained
byThomas Graf
 
Catalyst Smart Operations : Simplify Your Network
byCisco Russia
 
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online
byShapeBlue
 
Linux network tools (Maarten Blomme)
byAvansa Mid- en Zuidwest
 
Ccna 4 final lab switchi
byLeandro Uglar
 
Open stack advanced_part
bylilliput12
 
Secure LXC Networking
byMarian Marinov
 
Training open stack networking -neutron
byHaifeng Yan (颜海峰)
 
Configuracion EIGRP
byalexis marck Huiza Canchanya
 
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
byfoismail170
 
欧洲杯投注app-欧洲杯投注app推荐-欧洲杯投注app| 立即访问【ac123.net】
byfoismail170
 
2024欧洲杯最好的投注软件-2024欧洲杯最好的投注软件网址-2024欧洲杯最好的投注软件|【​网址​🎉ac123.net🎉​】
byakrooshsaleem36
 
2024欧洲杯平台-2024欧洲杯平台网址-2024欧洲杯平台|【​网址​🎉ac123.net🎉​】
bytalhaaslan625
 
欧洲杯比赛投注官网-欧洲杯比赛投注官网网站-欧洲杯比赛投注官网|【​网址​🎉ac123.net🎉​】
byvelosonando62
 
欧洲杯比赛投注官网-欧洲杯比赛投注官网网站-欧洲杯比赛投注官网|【​网址​🎉ac123.net🎉​】
byahmedendrise81
 
Integrating Linux routing with FusionCLI™
byStephen Hemminger
 
Cisco asa vpn
byAndres Ldño
 
Actividad configuración de cisco asa vpn
byAndres Ldño
 
Campus Area Networks of the University using MPLS, VLANs and the Internet
byijtsrd
 

More from Marian Marinov

PDF
DoS and DDoS mitigations with eBPF, XDP and DPDK
byMarian Marinov
 
PDF
Basic presentation of cryptography mechanisms
byMarian Marinov
 
PDF
Securing your MySQL server
byMarian Marinov
 
PDF
Improve your storage with bcachefs
byMarian Marinov
 
PDF
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
byMarian Marinov
 
PDF
How to successfully migrate to DevOps .pdf
byMarian Marinov
 
PDF
Understanding your memory usage under Linux
byMarian Marinov
 
PDF
How to implement PassKeys in your application
byMarian Marinov
 
PDF
Comparison of-foss-distributed-storage
byMarian Marinov
 
PDF
Introduction and replication to DragonflyDB
byMarian Marinov
 
PDF
Dev.bg DevOps March 2024 Monitoring & Logging
byMarian Marinov
 
PDF
How to start and then move forward in IT
byMarian Marinov
 
PDF
Challenges with high density networks
byMarian Marinov
 
PDF
Thinking about highly-available systems and their setup
byMarian Marinov
 
PDF
Control your service resources with systemd
byMarian Marinov
 
PDF
Sysadmin vs. dev ops
byMarian Marinov
 
PDF
Microservices: Benefits, drawbacks and are they for me?
byMarian Marinov
 
PDF
How to survive in the work from home era
byMarian Marinov
 
PDF
Managing sysadmins
byMarian Marinov
 
PDF
Защо и как да обогатяваме знанията си?
byMarian Marinov
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
byMarian Marinov
 
Basic presentation of cryptography mechanisms
byMarian Marinov
 
Securing your MySQL server
byMarian Marinov
 
Improve your storage with bcachefs
byMarian Marinov
 
Message Queuing - Gearman, Mosquitto, Kafka and RabbitMQ
byMarian Marinov
 
How to successfully migrate to DevOps .pdf
byMarian Marinov
 
Understanding your memory usage under Linux
byMarian Marinov
 
How to implement PassKeys in your application
byMarian Marinov
 
Comparison of-foss-distributed-storage
byMarian Marinov
 
Introduction and replication to DragonflyDB
byMarian Marinov
 
Dev.bg DevOps March 2024 Monitoring & Logging
byMarian Marinov
 
How to start and then move forward in IT
byMarian Marinov
 
Challenges with high density networks
byMarian Marinov
 
Thinking about highly-available systems and their setup
byMarian Marinov
 
Control your service resources with systemd
byMarian Marinov
 
Sysadmin vs. dev ops
byMarian Marinov
 
Microservices: Benefits, drawbacks and are they for me?
byMarian Marinov
 
How to survive in the work from home era
byMarian Marinov
 
Managing sysadmins
byMarian Marinov
 
Защо и как да обогатяваме знанията си?
byMarian Marinov
 

Recently uploaded

PDF
Python Frameworks for Machine Learning Labmanuel
bygomathisankariv2
 
PDF
Operating system Introduction to System Call
bySanjay Gunjal
 
PPTX
PEMET 413 KTU 2024 SCHEME MODULE 2 LECTURE 4.pptx
byVINAY B
 
PPTX
PEMET 413 KTU 2024 MODULE 2 LECTURE 3.pptx
byVINAY B
 
PDF
Software Engineering : Process Model
byGunjalSanjay
 
PDF
Introduction to Software , Product and Process
byGunjalSanjay
 
PDF
CRYPTOCURRENCY FORENSICS: A COMPREHENSIVE REPORT ON TRACKING ILLICIT DIGITAL ...
byGarima Singh
 
PDF
Lathe Machine: Definition, Parts, Types, Working and Operations
byAatif Razi
 
PDF
Retrieval Augmented Generation (RAG) Turning Data into Smart Answers
byYasir Ali
 
PDF
TU/e - Lecture Geotechnics - Case Singelgrachtgarage-Marnix - Arkesteijn
byRuud Arkesteijn
 
PDF
Software Engineering : Process Models.
byGunjalSanjay
 
PDF
Requirement Engineering : Capturing the Requirements
byGunjalSanjay
 
PDF
22PEOIT4C Artificial Intelligence unit 3 QB Final.pdf
byGuru Nanak Technical Institutions
 
DOCX
Hallucination Reduction In Generative Artificial Intelligence (1).docx
by21nitinsinha
 
PPTX
TechSprint Intro Session GDGOC PUSSGRC
bykashvidua39
 
PPTX
1.2-Structure of Ceramics_ Materials Science.pptx
byDr. Sandip Thorat
 
PPTX
Ion exchange or demineralization to soften water.pptx
byChemical Engineering Dept. NIT Rourkela-769008, Odisha, India
 
PPTX
1.1 Structure of Materials_Material science.pptx
byDr. Sandip Thorat
 
PPTX
UNIT 1.3-Structure of Polymers_Material Science-.pptx
byDr. Sandip Thorat
 
PPTX
DISINFECTANT & DISINFECTION PROCESS.pptx
byChemical Engineering Dept. NIT Rourkela-769008, Odisha, India
 
Python Frameworks for Machine Learning Labmanuel
bygomathisankariv2
 
Operating system Introduction to System Call
bySanjay Gunjal
 
PEMET 413 KTU 2024 SCHEME MODULE 2 LECTURE 4.pptx
byVINAY B
 
PEMET 413 KTU 2024 MODULE 2 LECTURE 3.pptx
byVINAY B
 
Software Engineering : Process Model
byGunjalSanjay
 
Introduction to Software , Product and Process
byGunjalSanjay
 
CRYPTOCURRENCY FORENSICS: A COMPREHENSIVE REPORT ON TRACKING ILLICIT DIGITAL ...
byGarima Singh
 
Lathe Machine: Definition, Parts, Types, Working and Operations
byAatif Razi
 
Retrieval Augmented Generation (RAG) Turning Data into Smart Answers
byYasir Ali
 
TU/e - Lecture Geotechnics - Case Singelgrachtgarage-Marnix - Arkesteijn
byRuud Arkesteijn
 
Software Engineering : Process Models.
byGunjalSanjay
 
Requirement Engineering : Capturing the Requirements
byGunjalSanjay
 
22PEOIT4C Artificial Intelligence unit 3 QB Final.pdf
byGuru Nanak Technical Institutions
 
Hallucination Reduction In Generative Artificial Intelligence (1).docx
by21nitinsinha
 
TechSprint Intro Session GDGOC PUSSGRC
bykashvidua39
 
1.2-Structure of Ceramics_ Materials Science.pptx
byDr. Sandip Thorat
 
Ion exchange or demineralization to soften water.pptx
byChemical Engineering Dept. NIT Rourkela-769008, Odisha, India
 
1.1 Structure of Materials_Material science.pptx
byDr. Sandip Thorat
 
UNIT 1.3-Structure of Polymers_Material Science-.pptx
byDr. Sandip Thorat
 
DISINFECTANT & DISINFECTION PROCESS.pptx
byChemical Engineering Dept. NIT Rourkela-769008, Odisha, India
 

Securing the network for VMs or Containers

  • 1.
    Securing Securing  KVM / containerKVM / container networksnetworks Marian HackMan MarinovMarianHackMan Marinov <mm@siteground.com><mm@siteground.com> Chief System ArchitectChief System Architect SiteGroundSiteGround
  • 2.
    Who am I?Whoam I?Who am I?Who am I? ❖ Chief System Architect of Siteground.com ❖ Sysadmin since 1996 ❖ Organizer of OpenFest, BG Perl Workshops, LUG-BG and similar :) ❖ Teaching Network Security and Linux System Administration at Sofia University
  • 3.
    DISCLAMERDISCLAMERDISCLAMERDISCLAMER ❖ I'll belooking only at the network on the host machine ❖ The only proper way of securing the network between your VMs / containers and the host machine is to know your infrastructure. This includes MAC, IP addresses and their actual location.
  • 4.
    ❖ Basic thingsthat have to protect from  arp spoofing  ip spoofing  traffic leaking / sniffing
  • 5.
    KVM networkingKVM networkingKVMnetworkingKVM networking ❖ What network options does KVM give us?  vnet device on the host  macvtap  Virtual Distributed Ethernet (VDE)  assign a physical device (SR-IOV) Single Root I/O Virtualization (SR-IOV)  assign a physical device (eth, wlan)
  • 6.
    KVM networkingKVM networkingKVMnetworkingKVM networking ❖ What network options does KVM give us?  NAT  Routing  Bridge  OpenVswitch  ProxyARP
  • 7.
    Container networkingContainer networkingContainernetworkingContainer networking ❖ What network options are available for containers?  macvlan (tap & tun)  veth pair (routing or NAT)  VDE (using tap devices)  move any network device into the container (eth, tun/tap, vlan, wlan, etc.)
  • 8.
    Container networkingContainer networkingContainernetworkingContainer networking ❖ What network options are available for containers?  Bridge  OpenVswitch  Routing  NAT  ProxyARP
  • 9.
    Protections?Protections?Protections?Protections? ❖ How canwe secure all those options?  VLANs
  • 10.
    Protections?Protections?Protections?Protections? ❖ How canwe secure all those options?  VLANs  Routing
  • 11.
    Protections?Protections?Protections?Protections? ❖ How canwe secure all those options?  VLANs  Routing  Static ARP
  • 12.
    Protections?Protections?Protections?Protections? ❖ How canwe secure all those options?  VLANs  Routing  Static ARP  iptables
  • 13.
    Protections?Protections?Protections?Protections? ❖ How canwe secure all those options?  VLANs  Routing  Static ARP  iptables  ebtables
  • 14.
    Protections?Protections?Protections?Protections? ❖ How canwe secure all those options?  VLANs  Routing  Static ARP  iptables  ebtables  arptables
  • 15.
    Protections?Protections?Protections?Protections? ❖ How canwe secure all those options?  VLANs  Routing  Static ARP  iptables  ebtables  arptables  ip6tables
  • 16.
    Network setupNetwork setupNetworksetupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2 Using a Router
  • 17.
    Network setupNetwork setupNetworksetupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2 Using a Bridge
  • 18.
    Attacking theAttacking the bridgednetworkbridged network Attacking theAttacking the bridged networkbridged network ❖ arp poisoning  VM-1 arp cache poison of the HOST  VM-1 arp cache poison of VM-2  As simple as: # ip a a 10.0.0.1/24 dev eth0 # arping -i eth0 -U 10.0.0.1  Can be even easier: # arpspoof -i eth0 -t 10.0.0.1 -r 10.0.0.15
  • 19.
    Protecting theProtecting the bridgednetworkbridged network Protecting theProtecting the bridged networkbridged network ❖ Preventing arp poison on the HOST  adding static ARP entries: # ip n a 10.0.0.15 lladdr 01:81:36:ec:05:ee nud permanent dev vnet1
  • 20.
    Protecting theProtecting the bridgednetworkbridged network Protecting theProtecting the bridged networkbridged network ❖ Preventing arp spoofing to the VMs/Containers  configure ARPTABLES # arptables -P OUT DROP # arptables -A OUT -j ACCEPT -s GW -i eth0 -z xx:xx:xx:xx:xx:xx # arptables -A OUT -j ACCEPT -s 10.0.0.15 -i vnet1 -z xx:xx:xx:xx:xx:xx # arptables -A OUT -j ACCEPT -o vnet1
  • 21.
    Network setupNetwork setupNetworksetupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2 Using a Bridge eth0: 10.12.0.12 # brctl show bridge bridge id interfaces br0 8000.028037ec0200 eth0 vnet1 vnet2
  • 22.
    Network setupNetwork setupNetworksetupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2Using a Bridge eth0: 10.12.0.12 VM1: ping -c1 10.12.0.12 PING 10.12.0.12 (10.12.0.12) 56(84) bytes of data. 64 bytes from 10.12.0.12: icmp_seq=1 ttl=64 time=0.086 ms
  • 23.
    Network setupNetwork setupNetworksetupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2Using a Bridge eth0: 10.12.0.12 VM1: ping -c1 10.12.0.12 PING 10.12.0.12 (10.12.0.12) 56(84) bytes of data. 64 bytes from 10.12.0.12: icmp_seq=1 ttl=64 time=0.086 ms
  • 24.
    Network setupNetwork setupNetworksetupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2Using a Bridge ❖ We now have many options we can use bridge vlan filtering using ingress policy using ebtables using namespaces ebtables filter (drop all traffic on that interface) arptables filter iptables filter (drop all traffic on that interface) don't forget about IPv6 ☺
  • 25.
    Network setupNetwork setupNetworksetupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2Using a Bridge # echo 1 > /sys/class/net/br0/bridge/vlan_filtering # bridge vlan del dev br0 vid 1 self # bridge vlan show port vlan ids eth0 1 PVID Egress Untagged vnet1 1 PVID Egress Untagged vnet2 1 PVID Egress Untagged br0 None
  • 26.
    Network setupNetwork setupNetworksetupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2Using a Bridge # echo 1 > /sys/class/net/br0/bridg # bridge vlan del dev br0 vid 1 sel # bridge vlan show port vlan ids eth0 1 PVID Egress Untagged vnet1 1 PVID Egress Untagged vnet2 1 PVID Egress Untagged br0 None HOST
  • 27.
    Network setupNetwork setupNetworksetupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2Using a Bridge ingress filter # tc qdisc add dev br0 handle ffff: ingress # tc filter add dev br0 parent ffff: u32 match u8 0 0 action drop ebtables: # ebtables -A INPUT --logical-in br0 -j DROP
  • 28.
    Network setupNetwork setupNetworksetupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2 Using a Bridge HOST eth1 br0 eth0 vnet1 vnet2 vm-bridge
  • 29.
    Network setupNetwork setupNetworksetupNetwork setup # ip netns add vm-bridge # ip link set netns vm-bridge eth0 # ip link set netns vm-bridge vnet1 # ip link set netns vm-bridge vnet2 # ip link del dev br0 # ip netns exec vm-bridge brctl addbr br0 # for i in eth0 vnet1 vnet2; do > ip netns exec vm-bridge brctl addif br0 $i > ip netns exec vm-bridge ip link set up dev $i > done # ip netns exec vm-bridge ip link set up dev br0
  • 30.
    Network setupNetwork setupNetworksetupNetwork setup Disabling ARP on bridge br0: # ip link set arp off dev br0 # ip l l dev br0 8: br0: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group d link/ether 50:54:33:00:00:04 brd ff:ff:ff:ff:ff:ff
  • 31.
    Network setupNetwork setupNetworksetupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2 Using a Router VM1: 10.0.0.4/30 VM2: 10.0.0.8/30 HOST: 10.0.0.0/30
  • 32.
    Network setupNetwork setupNetworksetupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2If you want flexibility,If you want flexibility, you add a routing protocolyou add a routing protocol bgp1bgp1 bgp2bgp2
  • 33.
    Network setupNetwork setupNetworksetupNetwork setup VM-1VM-1 LXC-1LXC-1 VM-2VM-2 LXC-2LXC-2If you want flexibility,If you want flexibility, you add a routing protocolyou add a routing protocol You now need to protect the BGPs from bogus announcements bgp1bgp1 bgp2bgp2
  • 34.
    Protect the HOSTProtectthe HOSTProtect the HOSTProtect the HOST Prevent access to the host node with policy routing # echo “200 vnet1” >> /etc/iproute2/rt_tables # ip route add 0/0 via x.x.x.x table vnet1 # ip route add 10.0.0.15 dev vnet1 table vnet1 # ip rule add iif vnet1 table vnet1 # ip rule add oif vnet1 table vnet1
  • 35.
    Prevent spoofing ofIPsPrevent spoofing of IPsPrevent spoofing of IPsPrevent spoofing of IPs Limit the source IPs of all clients: # iptables -P FORWARD DROP # iptables -A FORWARD -j ACCEPT -i vnet1 -s 10.0.0.15 # iptables -A FORWARD -j ACCEPT -i vnet2 -s 10.0.0.16
  • 36.
    THANK YOUTHANK YOUTHANKYOUTHANK YOU Marian HackMan Marinov <mm@siteground.com>