
Docker security - TASK Jan 2016

Ricardo Gerardi and I had the privilege of delivering an introductory talk on Docker & Docker Security to the Toronto Area Security Klatch (TASK) this week. Here are the slides.



  1. Docker Security Introduction (exported 1/29/2016 from http://159.203.15.183:8080/#/), slide 1/59: DOCKER SECURITY
     • Fernando Montenegro, CISSP; Ricardo Gerardi
     • TASK, Jan 27, 2016
     • @fsmontenegro @ricardogerardi
  2. (slide 2/59) WHY ARE WE HERE?
     • Google Trends: "Microservices"
  3. (slide 3/59) Google Trends: "Docker"
  4. (slide 4/59) Google Trends: "Kubernetes"
  5. (slide 6/59) MICROSERVICES? (Source: F5)
  6. (slide 7/59) MICROSERVICES
     • "Many development teams have found the microservices architectural style to be a superior approach to a monolithic architecture. But other teams have found them to be a productivity-sapping burden. Like any architectural style, microservices bring costs and benefits. To make a sensible choice you have to understand these and apply them to your specific context." Martin Fowler (http://martinfowler.com/articles/microservice-trade-offs.html)
  7. (slide 8/59) SIGNIFICANT BENEFITS
     • Support CI/CD practices
     • Easier to achieve scale
     • Operational benefits of "DevOps"
  8. (slide 9/59) DATADOG CONTAINER SURVEY (https://www.datadoghq.com/docker-adoption/)
     • Two schools of thought:
     • Containers as up & down microservices
     • Containers as "lightweight servers" that stay up
  9. (slide 10/59) No text extracted (image slide)
  10. (slide 11/59) No text extracted (image slide)
  11. (slide 12/59) WHAT WE FOUND
  12. (slide 14/59) No text extracted (image slide)
  13. (slide 16/59) ABOUT US - FERNANDO
     • Sales Engineer
     • Online Fraud
     • Network Security
     • CompSci '94
     • Greying hair
     • Curious: Finance (DIY), Economics (EMH, Behaviour), Data Science (Coursera)
     • @fsmontenegro
  14. (slide 18/59) ABOUT US - RICARDO
     • Senior IT Consultant
     • Network Management/Monitoring
     • IBM Netcool Certified
     • Uncertified father (2x)
     • Interests: Linux/UNIX, Emerging technologies, Data Science
     • @ricardogerardi
  15. (slide 19/59) DOCKER INTRO
  16. (slide 20/59) WHAT IS DOCKER?
     • DOCKER, THE PLATFORM: Docker is a container-based platform used to package and run applications on a variety of systems
     • DOCKER, THE COMPANY: Docker Inc. (https://www.docker.com/company)
  17. (slide 21/59) SOFTWARE PACKAGE AND DISTRIBUTION CHALLENGE: OLD WAY - HOSTED APPLICATIONS
  18. (slide 22/59) VIRTUAL MACHINES
  19. (slide 23/59) ENTER THE CONTAINER
  20. (slide 24/59) WHY DOCKER?
     • Linux containers: around for a long time (OpenVZ, LXC, etc.) but not very "friendly"
     • Docker streamlines the process and makes it very easy to create and use containers
     • Speed (Development/Scalability)
     • Portability
     • Driver to DevOps and Microservices
  21. (slide 25/59) WHAT DO YOU NEED TO RUN DOCKER?
     • Recent Linux kernel (3.8+)
     • Namespaces
     • cgroups
     • Network connection
  22. (slide 26/59) DOCKER ARCHITECTURE IN A NUTSHELL (Source: https://www.docker.com/what-docker)
  23. (slide 28/59) Source: https://docs.docker.com/engine/introduction/understanding-docker/
  24. (slide 29/59) DOCKER DEMO
  25. (slide 30/59) DOCKER SECURITY
  26. (slide 31/59) FIRST THINGS FIRST...
     • Containers vs. VMs? Containers are not as isolated as VMs, but much more isolated than plain processes (cgroups & namespaces)
     • Containers are OS-dependent
     • Containers for multi-tenancy? Not so fast...
     • Containers & VMs :-)
  27. (slide 32/59) SECURITY FOR DOCKER
     • How to secure the Docker "pipeline"
     • How to secure Docker containers themselves
  28. (slide 33/59) SECURITY FOR DOCKER IMAGES
     • Secure registry/mirror access
     • Getting trustworthy images: trusted sources (Docker Hub, private registry), building securely
     • Docker Content Trust (1.8) [Notary]: "only signed content in production"; Yubico keys
  29. (slide 34/59) DOCKER'S PROJECT NAUTILUS
     • Docker securing images on Docker Hub
     • Image security
     • Component inventory/license management
     • Image optimization
     • Basic functional testing
  30. (slide 35/59) CLAIR BY COREOS
     • Security scanning of images
     • Available on Quay Security Scanning Beta
     • https://coreos.com/blog/vulnerability-analysis-for-containers/
     • https://blog.quay.io/security-scanning-beta/
  31. (slide 36/59) OTHER CONSIDERATIONS
     • Containers are stateless; can mount additional volumes
     • How to do secrets management?
     • ENV variables: not recommended
     • Key/value pair solutions (Vault & Keywhiz)
     • Embedded in orchestration (Kubernetes)
     • Custom solutions
  32. (slide 37/59) SECURITY FROM DOCKER: How to contain Docker & containers?
  33. (slide 38/59) NAMESPACES & CGROUPS
     • PID: process isolation
     • Network: NICs, IPs, routing tables et al.
     • UTS: hostnames
     • Mount: filesystem layouts/properties
     • IPC: interprocess communication
     • User: users ("root" != root)
     • Control groups: resource utilization (RAM, swap, CPU, IO, controls)
  34. (slide 39/59) ADDITIONAL FEATURES
     • capabilities: add or drop capabilities
     • seccomp: filtering of system calls
     • network isolation via iptables
     • limit inter-container communication
  35. (slide 40/59) SECURITY BY DOCKER: Leveraging Docker features for security
  36. (slide 41/59) LEVERAGING DOCKER FOR SECURITY
     • microservice -> reduced attack surface
     • enforce content trust to protect production
     • r/o filesystems
     • drop capabilities when possible
     • seccomp: filtering system calls
     • journaled changes
  37. (slide 42/59) OPERATIONS AND ECOSYSTEM
  38. (slide 43/59) WHERE TO DEPLOY DOCKER? ON PREMISES
     • Bare metal (on Linux)
     • Virtual machines
     • IaaS, OpenStack, etc.
  39. (slide 44/59) PUBLIC CLOUD PROVIDERS
  40. (slide 45/59) PAAS PROVIDERS
  41. (slide 46/59) ORCHESTRATION/SCHEDULING
  42. (slide 47/59) NETWORKING: BASIC NETWORKING
  43. (slide 48/59) OVERLAY NETWORKING
  44. (slide 49/59) MONITORING CHALLENGES
     • Scalability (100s of containers in a single host)
     • Host monitoring vs. container monitoring
     • Container instrumentation (1 process/container philosophy)
     • API instability
  45. (slide 50/59) CONTAINER MONITORING SOLUTIONS
     • Sysdig Cloud
     • Weaveworks
     • New Relic
     • Google cAdvisor
  46. (slide 51/59) CONTAINER LOG MANAGEMENT
     • ELK Stack
     • Splunk
  47. (slide 52/59) WRAPPING UP
  48. (slide 53/59) LOOKING AT THE FUTURE
     • Containers exist in a continuum of options
     • Unikernels: one degree further; compile the kernel for the application; undebuggable?
     • Serverless architecture? AWS Lambda, Azure Service Fabric; potentially a bad idea?
  49. (slide 54/59) No text extracted (image slide)
  50. (slide 55/59) WRAPPING UP
     • Docker Security "Anti-Patterns": free-for-all (unrestricted containers in Prod); treating containers as servers
     • Recommendations for Security: Don't try to stop it!!! Recognize the massive potential for disruption; no agents on containers; watch for outbound traffic; keep up to date (news!); rethink the approach ("cattle, not pets")
  51. (slide 56/59) DOCKER ALL OVER
     • Last few weeks of news:
     • Docker buys Unikernel
     • Arista announces container support in EOS
     • Citrix supports NetScaler as a container
     • Amazon announces Docker 1.9 support
  52. (slide 57/59) RESOURCES! Twitterfolk:
  53. (slide 58/59) Twitterfolk:
     • @mattnowina: AWS architect, tons of Docker links
     • @diogomonica: Docker Security
     • @frazelledazzell: tons of container work
     • @nigelpoulton: Pluralsight course
     • @mierdin: KeepingItClassless, TechFieldDay
     • @Sirupsen: WebScale @ Shopify
     • @blinken_lichten: DevOps
     • @jaybeale: Shmoocon 2016 preso
     • @docker and @dockercon: company & conference
     • @kubeconio: Kubernetes confab
     Websites:
     • DockerBench: checklist
     • TheNewStack: portal of all things "modern" stacks
     • Packet Pushers: network-focused approach
     • RunC: Open Container Initiative
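An added example, not from the slides or the speakers, that turns the hardening points of slides 33 to 36 (drop capabilities, read-only filesystem, seccomp, cgroup limits, namespace isolation) and the "free-for-all" anti-pattern of slide 50 into a small audit over `docker inspect` output, in the spirit of the DockerBench checklist the deck lists. The JSON below is constructed; the HostConfig field names are the ones `docker inspect` emits.

```python
# Added example (not the deck's code): flag containers that ignore the
# hardening points the deck lists. Input is the JSON array `docker inspect`
# prints; only the HostConfig section is inspected.
import json

# Constructed sample: one "free-for-all" container and one hardened one.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/legacy-app",
     "HostConfig": {"Privileged": True, "ReadonlyRootfs": False,
                    "CapAdd": ["SYS_ADMIN"], "CapDrop": [],
                    "SecurityOpt": ["seccomp=unconfined"],
                    "NetworkMode": "host", "PidMode": "", "IpcMode": "",
                    "Memory": 0}},
    {"Name": "/api",
     "HostConfig": {"Privileged": False, "ReadonlyRootfs": True,
                    "CapAdd": [], "CapDrop": ["ALL"], "SecurityOpt": [],
                    "NetworkMode": "bridge", "PidMode": "", "IpcMode": "",
                    "Memory": 268435456}},
])


def audit_host_config(hc):
    # Return the list of findings for one container's HostConfig dict.
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities, seccomp and cgroup device limits off")
    if hc.get("CapAdd"):
        findings.append("capabilities added: " + ", ".join(hc["CapAdd"]))
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.append("default capability set kept (consider --cap-drop ALL)")
    if not hc.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (consider --read-only)")
    if "seccomp=unconfined" in (hc.get("SecurityOpt") or []):
        findings.append("seccomp syscall filtering disabled")
    for key in ("NetworkMode", "PidMode", "IpcMode", "UsernsMode"):
        if hc.get(key) == "host":
            findings.append("%s=host: container shares the host namespace" % key)
    if not hc.get("Memory"):
        findings.append("no memory limit (cgroup) set")
    return findings


def audit_inspect_output(raw_json):
    # Map container name -> findings for a whole `docker inspect` JSON array.
    return {c["Name"]: audit_host_config(c["HostConfig"]) for c in json.loads(raw_json)}


if __name__ == "__main__":
    for name, issues in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, "OK" if not issues else "\n  - " + "\n  - ".join(issues))
```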
