SlideShare a Scribd company logo

Bastion

B
BoanLabDKU

Bastion (ATC 2020)

Engineering
1 of 24
Download to read offline
BASTION: A Security Enforcement Network Stack for Container Networks Jaehyun Nam1, Seungsoo Lee1, Hyunmin Seo1, Phillip Porras2, Vinod Yegneswaran2, and Seungwon Shin1 KAIST1 and SRI International2
The state of Container Security • Containers • Abstraction at the application layer Include everything needed to run an application • Sharing the same host OS kernel à faster and lighter than virtual machines • Microservices à the major use of containerization technologies • The state of container security • Tripwire’s Sate of Container Security Report (2018) [1] • Increasing number of container security incidents • 60% of organizations à security incidents • Vulnerable container images • 47% of containers they deployed à vulnerable • Limited visibility into container security • 52% of organizations à difficulty in investigating container security issues 2 [1] https://www.tripwire.com/state-of-security/devops/organizations-container-security-incident
Current Container Security Solutions • Container Image Integrity • Vulnerability scanning nested in container images using CVE databases • Application Isolation • Container isolation à Namespaces, cgroups, capabilities • Further restrictions on system resources à AppArmor, Seccomp, SELinux • Run-time threat detection • Monitoring container behaviors, and detecting run-time policy violations Mostly focus on the security of containers! Less concern for the security of container networks! 3
Current Container Networks (1/2) • Conceptual microservice architecture • Separate bridged networks (Docker environment) 4 Web UI (A) Service (A) DB (1) DB (2) DB (3) Web UI (B) Service (B) Host Network Bridge #2 Bridge #1 External Interface Gateway #1 Gateway #2 Web UI (A) Service (A) DB (1) Web UI (B) Service (B) DB (2) DB (3)
Current Container Networks (2/2) • Conceptual microservice architecture • Single overlay network (Kubernetes environment) 5 Web UI (A) Service (A) DB (1) DB (2) DB (3) Web UI (B) Service (B) Host Network Bridge External Interface Gateway for an overlay network Web UI (A) Service (A) DB (1) Web UI (B) Service (B) DB (2) DB (3)
Security Challenges in Container Networks (1/2) • Loss of container context • Do not know where packets actually come from in the host network namespace • Possible to forge packets on behalf of any other containers • Limitations of IP-based access controls • Dynamically changed container IP addresses • Still vulnerable to L2 attacks due to limited scope • Network policy explosion • Iptables: centralized mechanism for all network interfaces • Monolithic network rules daunting to manage 6 Container Network Container Container NS Container vNIC Container NS Host Network Namespace (NS) Iptables-based Access Control veth Packet veth vNIC 1 2,3
Security Challenges in Container Networks (2/2) • Unrestricted host access • The gateway of a container network in the host network namespace • Necessary to access external networks • Allow accessing the services running at the host • Unrestricted network-privileged containers • Network-privileged containers • Share the host network namespace • Used to directly expose services through a host IP • All network interfaces under control • No solutions that consider security policies for them 7 Container Container NS Host Service Host Network Namespace (NS) Bridge (or Software Switch) Network- privileged Container Container Network Host Network ExtNIC vNIC veth GW 4 5
Bastion: Security Enforcement Network Stack • Goal • Secure a container network through an intelligent container-aware communication sandbox • Protect network threats that abuse the security challenges of current container networks • Isolate inter-container communications according to their dependencies • Key Components • Bastion manager • Collect all network information (e.g., network configurations and policies) from container platforms • Network visibility service • Provide fine-grained control over different network topology visibility per container application • Traffic visibility service • Securely isolate inter-container communications in a point-to-point manner • Prevent the exposure of inter-container network traffic to other peer containers 8
Container NS Container NS Bastion Architecture Host NS Host-side Container vNIC Host-side Container vNIC veth veth iptables iptables Bridge extNIC Network Visibility Traffic Visibility Source Verification Direct ARP handler Container-aware Network Isolation Special IP handler End-to-end Direct Forwarding Visibility Maps Container Network Map Inter-container Dependency Map Bastion End-to-end direct forwarding End-to-end direct forwarding E2E forwarding Bastion Bastion 9 Container Container vNIC vNIC
Manager – Container Collection • Container network and dependency maps • Collect the network information of deployed containers from container platforms • Extract the inter-container dependencies using container configurations and network policies Container Network Service Interface IP address MAC address WebApp-X1 WebService WebApp vethwepl6f964e8 10.32.0.2 96:0e:73:ef:86:fe WebApp-X2 WebService WebApp vethweplb89dc35 10.32.0.3 6e:81:0f:a7:db:c7 Service-Y1 WebService Service vethweplb957e84 10.32.0.4 D6:bc:7b:20:32:c5 Database-Z1 WebService Database vethweplc5ee33c 10.32.0.5 42:a0:ae:b7:f5:97 Source Destination Policy WebApp Service Any WebApp Database TCP:3306 Service Database TCP:3307 < Inter-container Dependency Map > Operator Container Platform Bastion Manager Manual update Periodic update < Container Network Map > 10 Bastion UI
Manager – Security Stack Management • Security enforcement network stack • Install a security enforcement network stack at a newly deployed container • Update the maps of the security stack in run time 11 Bastion Manager Container Collection Stack Management NetMap DepMap Container Platform New Container Existing Container Security Stack Update the maps Security Stack Deploy a security stack Update the maps
Security Stack – Network Visibility Service (1/2) • Container Discovery • First step to identify other containers (targets for communication) • Possible to be exploited for scanning all containers by malicious containers • Current solutions: No prevention against non-IP-based communications • Direct ARP handler • Directly response ARP requests at the security stack based on inter-container dependencies • Do not broadcast the requests to the network since this operation could be abused by an attacker 12 Source container Destination container Bastion Security Stack Direct ARP handler ARP Request (dst: 10.32.0.4) ARP Reply (dst: D6:BC:7B:20:32:C5) No broadcast IP: 10.32.0.4 Mac: D6:BC:7B:20:32:C5 Container Network Map
Bastion Security Stack Security Stack – Network Visibility Service (2/2) • Limitation of the direct ARP handler • Limited to container-level isolation (coverage issue) • Cannot address malicious network activities between inter-dependent containers • Container-aware network isolation • Restrict container accesses according to finer-grained inter-container dependencies • In a similar way, Bastion restricts the opposite direction (10.32.0.5:3306 à 10.32.0.2:5000) as well 13 Src: 10.32.0.2(5000) Dst: 10.32.0.5(3306) Key(10.32.0.5) = YYY (1) Key Generation (2) Dependency map lookup (3) Policy matches DP:3306 = TCP:3306 Action (forward/drop) Packet from the WebApp KEY Policy YYY TCP:3306
Security Stack – Traffic Visibility Service (1/2) • How to verify sources in current solutions • Iptables: {source IP and MAC addresses} in packet headers • Vulnerable to Layer-2 attacks (e.g., ARP spoofing) • Open vSwitch: {source IP and MAC addresses} in packet headers + incoming virtual port • Not support a NOT operation • Need to define all possible flow rules with the above matching fields for source verification • Source verification in Bastion • {source IP and MAC addresses} in packet headers + kernel metadata at the container-side 14 Container Container-side Network Interface Bastion Security Stack Source Verification Packet Source IP = 10.32.0.1 Host-side Network Interface Metadata (If_index: xx) Source MAC = aa:bb:cc:dd:ee:ff Source interface = xx
Security Stack – Traffic Visibility Service (2/2) • End-to-end direct forwarding • Directly inject packets delivered from a source into a destination • Bypass the container network (the Linux network stack at the host-side) • Use the Linux networking features (XDP/eBPF) 15 Bastion Bastion Container Network Container A Container B Internal Interface Internal Interface Container A’s host-side Interface A à B A à B End-to-end direct forwarding No traffic? Nothing? Original path Container B’s host-side Interface Nothing?
Security Evaluation • Goal • Replace the contents delivered to a user with a fake content 16 Redis (1) Container Takeover (2) Target Scanning (3) Target Monitoring (4) Forged Content Injection (5) Fake Content Delivery (1) Forged Contents Request contents (5) (User) Forged contents Original contents Nginx (User) Gateway (0.0) Microservices Redis (Guest) Nginx (Guest) (3) (4) 0.1 0.3 0.4 0.2
Security: Attack Scenario Verification 17 à The number of all deployed containers Nginx-User The original MAC address of Redis-User à Redis-User The MAC address of Nginx-Guest à Nginx-Guest 1. Scan neighbor containers in a network (Nginx-Guest) 2. Spoof a target container (Nginx-User) 3. Eavesdrop the network traffic of the target (Nginx-Guest) 4. Inject a fake content (Client-side) Before injection After injection
Security: Container Discovery • No restriction on container reachability (without Bastion) • Limited container reachability (with Bastion) 18 à The number of all deployed containers à The number of dependent containers
Security: Passive Packet Monitoring • Precondition: ARP spoofing attack is successfully conducted • Network traffic for other containers à visible (without Bastion) • Non-local traffic à invisible (with Bastion) • For verification, intentionally make the source-to-destination flows visible 19
Security: Active Packet Injection • Precondition: ARP spoofing attack is successfully conducted • Without Bastion • With Bastion 20 < Attacker side > < Victim side > < Attacker side > < Victim side >
Performance: Inter-container Throughputs • Test environment • Xeon E5-2630v4 CPU with 64GB of RAM • Kubernetes with Weave overlay network, TCP traffic with iperf3 • Low inter-container throughputs across hosts? • Due to the heavy overheads in physical link traversal and tunneling between hosts 21 Throughput (Gbps) Base (No Bastion) Network Visibility only Traffic Visibility only Bastion (Fully deployed) Within a host 34.4 33.7 41.8 41.5 Across hosts 4.28 4.23 4.91 4.83
Performance: Bastion on Various Networks • Test environment • Xeon E5-2630v4 CPU with 64GB of RAM • Kubernetes with Flannel, Weave, and Calico overlay networks, TCP traffic with iperf3 22 34.50 40.02 34.40 41.50 31.92 38.52 6.04 6.61 4.28 4.83 5.87 6.16 0 10 20 30 40 50 Flannel Flannel-BN Weave Weave-BN Calico Calico-BN Throughput (Gbps) Intra-Host Inter-Host
Summary • The state of current container security • Mostly focus on the security of containers themselves • Less concern the security issues in container networks • Security assessment of container networks • Identified how the security challenges in current container networks impact containers • Bastion: security enforcement network stack for container networks • Intelligently isolate inter-container communications • Effectively mitigate lateral attacks against peer containers 23
24 Thank you for listening namjh@kaist.ac.kr

Recommended

Container intrusions Do You Even IDS
Container intrusions Do You Even IDSContainer intrusions Do You Even IDS
Container intrusions Do You Even IDS
Alfredo Hickman
 
"One network to rule them all" - OpenStack Summit Austin 2016
"One network to rule them all" - OpenStack Summit Austin 2016"One network to rule them all" - OpenStack Summit Austin 2016
"One network to rule them all" - OpenStack Summit Austin 2016
Phil Estes
 
Container Networking Deep Dive
Container Networking Deep DiveContainer Networking Deep Dive
Container Networking Deep Dive
Open Networking Summit
 
Five Steps to Creating a Secure Hybrid Cloud Architecture
Five Steps to Creating a Secure Hybrid Cloud ArchitectureFive Steps to Creating a Secure Hybrid Cloud Architecture
Five Steps to Creating a Secure Hybrid Cloud Architecture
Amazon Web Services
 
Integrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing InfrastructureIntegrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing Infrastructure
Hui Cheng
 
Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...
Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...
Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...
Lionel Briand
 
Intro RINA
Intro RINAIntro RINA
Intro RINA
ARCFIRE ICT
 
Amazon Virtual Private Cloud
Amazon Virtual Private CloudAmazon Virtual Private Cloud
Amazon Virtual Private Cloud
Amazon Web Services
 

Recommended

Container intrusions Do You Even IDS
Container intrusions Do You Even IDSContainer intrusions Do You Even IDS
Container intrusions Do You Even IDS
Alfredo Hickman
 
"One network to rule them all" - OpenStack Summit Austin 2016
"One network to rule them all" - OpenStack Summit Austin 2016"One network to rule them all" - OpenStack Summit Austin 2016
"One network to rule them all" - OpenStack Summit Austin 2016
Phil Estes
 
Container Networking Deep Dive
Container Networking Deep DiveContainer Networking Deep Dive
Container Networking Deep Dive
Open Networking Summit
 
Five Steps to Creating a Secure Hybrid Cloud Architecture
Five Steps to Creating a Secure Hybrid Cloud ArchitectureFive Steps to Creating a Secure Hybrid Cloud Architecture
Five Steps to Creating a Secure Hybrid Cloud Architecture
Amazon Web Services
 
Integrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing InfrastructureIntegrating OpenStack To Existing Infrastructure
Integrating OpenStack To Existing Infrastructure
Hui Cheng
 
Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...
Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...
Dynamic Adaptation of Software-defined Networks for IoT Systems: A Search-bas...
Lionel Briand
 
Intro RINA
Intro RINAIntro RINA
Intro RINA
ARCFIRE ICT
 
Amazon Virtual Private Cloud
Amazon Virtual Private CloudAmazon Virtual Private Cloud
Amazon Virtual Private Cloud
Amazon Web Services
 
Integrating OpenStack to Existing infrastructure
Integrating OpenStack to Existing infrastructureIntegrating OpenStack to Existing infrastructure
Integrating OpenStack to Existing infrastructure
laurabeckcahoon
 
Monitoring a virtual network infrastructure - An IaaS perspective
Monitoring a virtual network infrastructure - An IaaS perspectiveMonitoring a virtual network infrastructure - An IaaS perspective
Monitoring a virtual network infrastructure - An IaaS perspective
Augusto Ciuffoletti
 
Openstack swift - VietOpenStack 6thmeeetup
Openstack swift - VietOpenStack 6thmeeetupOpenstack swift - VietOpenStack 6thmeeetup
Openstack swift - VietOpenStack 6thmeeetup
Vietnam Open Infrastructure User Group
 
Kubernetes networking in AWS
Kubernetes networking in AWSKubernetes networking in AWS
Kubernetes networking in AWS
Zvika Gazit
 
Building a Cloud Native Service - Docker Meetup Santa Clara (July 20, 2017)
Building a Cloud Native Service - Docker Meetup Santa Clara (July 20, 2017)Building a Cloud Native Service - Docker Meetup Santa Clara (July 20, 2017)
Building a Cloud Native Service - Docker Meetup Santa Clara (July 20, 2017)
Yong Tang
 
Securing Microservices in Containerized Environments
Securing Microservices in Containerized Environments Securing Microservices in Containerized Environments
Securing Microservices in Containerized Environments
DevOps.com
 
Delay Tolerant Network - Presentation
Delay Tolerant Network - PresentationDelay Tolerant Network - Presentation
Delay Tolerant Network - Presentation
Laili Aidi
 
Networking 101 AWS - VPCs, Subnets, NAT Gateways, etc
Networking 101 AWS - VPCs, Subnets, NAT Gateways, etcNetworking 101 AWS - VPCs, Subnets, NAT Gateways, etc
Networking 101 AWS - VPCs, Subnets, NAT Gateways, etc
Stenio Ferreira
 
RouteFlow & IXPs
RouteFlow & IXPsRouteFlow & IXPs
RouteFlow & IXPs
nvirters
 
Docker summit : Docker Networking Control-plane & Data-Plane
Docker summit : Docker Networking Control-plane & Data-PlaneDocker summit : Docker Networking Control-plane & Data-Plane
Docker summit : Docker Networking Control-plane & Data-Plane
Madhu Venugopal
 
Docker Networking: Control plane and Data plane
Docker Networking: Control plane and Data planeDocker Networking: Control plane and Data plane
Docker Networking: Control plane and Data plane
Docker, Inc.
 
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack NetworkingONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
markmcclain
 
Wisenet - Complete ppt about the topic wisenet
Wisenet - Complete ppt about the topic wisenetWisenet - Complete ppt about the topic wisenet
Wisenet - Complete ppt about the topic wisenet
Aboo Thahir
 
Tokyo meetup 20160224
Tokyo meetup 20160224Tokyo meetup 20160224
Tokyo meetup 20160224
Takao Setaka
 
(SACON) Anand Tapikar - Attack vectors of Kubernetes infra. Are we on right ...
(SACON) Anand Tapikar - Attack vectors of Kubernetes infra. Are we on right ... (SACON) Anand Tapikar - Attack vectors of Kubernetes infra. Are we on right ...
(SACON) Anand Tapikar - Attack vectors of Kubernetes infra. Are we on right ...
Priyanka Aash
 
State of the Container Ecosystem
State of the Container EcosystemState of the Container Ecosystem
State of the Container Ecosystem
Vinay Rao
 
Konfigurace sítí v Oracle Cloudu
Konfigurace sítí v Oracle ClouduKonfigurace sítí v Oracle Cloudu
Konfigurace sítí v Oracle Cloudu
MarketingArrowECS_CZ
 
Midokura OpenStack Meetup Taipei
Midokura OpenStack Meetup TaipeiMidokura OpenStack Meetup Taipei
Midokura OpenStack Meetup Taipei
Dan Mihai Dumitriu
 
Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
Dan Mihai Dumitriu
 
1. RINA motivation - TF Workshop
1. RINA motivation - TF Workshop1. RINA motivation - TF Workshop
1. RINA motivation - TF Workshop
ARCFIRE ICT
 
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
drmkjayanthikannan
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
RishantSharmaFr
 

More Related Content

Similar to Bastion

Building a Cloud Native Service - Docker Meetup Santa Clara (July 20, 2017)
Building a Cloud Native Service - Docker Meetup Santa Clara (July 20, 2017)Building a Cloud Native Service - Docker Meetup Santa Clara (July 20, 2017)
Building a Cloud Native Service - Docker Meetup Santa Clara (July 20, 2017)
Yong Tang
 
Securing Microservices in Containerized Environments
Securing Microservices in Containerized Environments Securing Microservices in Containerized Environments
Securing Microservices in Containerized Environments
DevOps.com
 
Delay Tolerant Network - Presentation
Delay Tolerant Network - PresentationDelay Tolerant Network - Presentation
Delay Tolerant Network - Presentation
Laili Aidi
 
RouteFlow & IXPs
RouteFlow & IXPsRouteFlow & IXPs
RouteFlow & IXPs
nvirters
 
(SACON) Anand Tapikar - Attack vectors of Kubernetes infra. Are we on right ...
(SACON) Anand Tapikar - Attack vectors of Kubernetes infra. Are we on right ... (SACON) Anand Tapikar - Attack vectors of Kubernetes infra. Are we on right ...
(SACON) Anand Tapikar - Attack vectors of Kubernetes infra. Are we on right ...
Priyanka Aash
 
Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
Dan Mihai Dumitriu
 

Similar to Bastion (20)

Integrating OpenStack to Existing infrastructure
Integrating OpenStack to Existing infrastructureIntegrating OpenStack to Existing infrastructure
Integrating OpenStack to Existing infrastructure
 
Monitoring a virtual network infrastructure - An IaaS perspective
Monitoring a virtual network infrastructure - An IaaS perspectiveMonitoring a virtual network infrastructure - An IaaS perspective
Monitoring a virtual network infrastructure - An IaaS perspective
 
Openstack swift - VietOpenStack 6thmeeetup
Openstack swift - VietOpenStack 6thmeeetupOpenstack swift - VietOpenStack 6thmeeetup
Openstack swift - VietOpenStack 6thmeeetup
 
Kubernetes networking in AWS
Kubernetes networking in AWSKubernetes networking in AWS
Kubernetes networking in AWS
 
Building a Cloud Native Service - Docker Meetup Santa Clara (July 20, 2017)
Building a Cloud Native Service - Docker Meetup Santa Clara (July 20, 2017)Building a Cloud Native Service - Docker Meetup Santa Clara (July 20, 2017)
Building a Cloud Native Service - Docker Meetup Santa Clara (July 20, 2017)
 
Securing Microservices in Containerized Environments
Securing Microservices in Containerized Environments Securing Microservices in Containerized Environments
Securing Microservices in Containerized Environments
 
Delay Tolerant Network - Presentation
Delay Tolerant Network - PresentationDelay Tolerant Network - Presentation
Delay Tolerant Network - Presentation
 
Networking 101 AWS - VPCs, Subnets, NAT Gateways, etc
Networking 101 AWS - VPCs, Subnets, NAT Gateways, etcNetworking 101 AWS - VPCs, Subnets, NAT Gateways, etc
Networking 101 AWS - VPCs, Subnets, NAT Gateways, etc
 
RouteFlow & IXPs
RouteFlow & IXPsRouteFlow & IXPs
RouteFlow & IXPs
 
Docker summit : Docker Networking Control-plane & Data-Plane
Docker summit : Docker Networking Control-plane & Data-PlaneDocker summit : Docker Networking Control-plane & Data-Plane
Docker summit : Docker Networking Control-plane & Data-Plane
 
Docker Networking: Control plane and Data plane
Docker Networking: Control plane and Data planeDocker Networking: Control plane and Data plane
Docker Networking: Control plane and Data plane
 
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack NetworkingONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
 
Wisenet - Complete ppt about the topic wisenet
Wisenet - Complete ppt about the topic wisenetWisenet - Complete ppt about the topic wisenet
Wisenet - Complete ppt about the topic wisenet
 
Tokyo meetup 20160224
Tokyo meetup 20160224Tokyo meetup 20160224
Tokyo meetup 20160224
 
(SACON) Anand Tapikar - Attack vectors of Kubernetes infra. Are we on right ...
(SACON) Anand Tapikar - Attack vectors of Kubernetes infra. Are we on right ... (SACON) Anand Tapikar - Attack vectors of Kubernetes infra. Are we on right ...
(SACON) Anand Tapikar - Attack vectors of Kubernetes infra. Are we on right ...
 
State of the Container Ecosystem
State of the Container EcosystemState of the Container Ecosystem
State of the Container Ecosystem
 
Konfigurace sítí v Oracle Cloudu
Konfigurace sítí v Oracle ClouduKonfigurace sítí v Oracle Cloudu
Konfigurace sítí v Oracle Cloudu
 
Midokura OpenStack Meetup Taipei
Midokura OpenStack Meetup TaipeiMidokura OpenStack Meetup Taipei
Midokura OpenStack Meetup Taipei
 
Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
 
1. RINA motivation - TF Workshop
1. RINA motivation - TF Workshop1. RINA motivation - TF Workshop
1. RINA motivation - TF Workshop
 

Recently uploaded

1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
AldoGarca30
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
Epec Engineered Technologies
 
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak HamilCara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Kandungan 087776558899
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
Neometrix_Engineering_Pvt_Ltd
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Arindam Chakraborty, Ph.D., P.E. (CA, TX)
 
School management system project Report.pdf
School management system project Report.pdfSchool management system project Report.pdf
School management system project Report.pdf
Kamal Acharya
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Call Girls Mumbai
 
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills KuwaitKuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
jaanualu31
 

Recently uploaded (20)

Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdf
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
 
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak HamilCara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
 
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptxCOST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
 
DC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationDC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equation
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptThermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
School management system project Report.pdf
School management system project Report.pdfSchool management system project Report.pdf
School management system project Report.pdf
 
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best ServiceTamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
 
Block diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.pptBlock diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.ppt
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills KuwaitKuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
 
Computer Lecture 01.pptxIntroduction to Computers
Computer Lecture 01.pptxIntroduction to ComputersComputer Lecture 01.pptxIntroduction to Computers
Computer Lecture 01.pptxIntroduction to Computers
 
Moment Distribution Method For Btech Civil
Moment Distribution Method For Btech CivilMoment Distribution Method For Btech Civil
Moment Distribution Method For Btech Civil
 

Bastion

  • 1. BASTION: A Security Enforcement Network Stack for Container Networks Jaehyun Nam1, Seungsoo Lee1, Hyunmin Seo1, Phillip Porras2, Vinod Yegneswaran2, and Seungwon Shin1 KAIST1 and SRI International2
  • 2. The state of Container Security • Containers • Abstraction at the application layer Include everything needed to run an application • Sharing the same host OS kernel à faster and lighter than virtual machines • Microservices à the major use of containerization technologies • The state of container security • Tripwire’s Sate of Container Security Report (2018) [1] • Increasing number of container security incidents • 60% of organizations à security incidents • Vulnerable container images • 47% of containers they deployed à vulnerable • Limited visibility into container security • 52% of organizations à difficulty in investigating container security issues 2 [1] https://www.tripwire.com/state-of-security/devops/organizations-container-security-incident
  • 3. Current Container Security Solutions • Container Image Integrity • Vulnerability scanning nested in container images using CVE databases • Application Isolation • Container isolation à Namespaces, cgroups, capabilities • Further restrictions on system resources à AppArmor, Seccomp, SELinux • Run-time threat detection • Monitoring container behaviors, and detecting run-time policy violations Mostly focus on the security of containers! Less concern for the security of container networks! 3
  • 4. Current Container Networks (1/2) • Conceptual microservice architecture • Separate bridged networks (Docker environment) 4 Web UI (A) Service (A) DB (1) DB (2) DB (3) Web UI (B) Service (B) Host Network Bridge #2 Bridge #1 External Interface Gateway #1 Gateway #2 Web UI (A) Service (A) DB (1) Web UI (B) Service (B) DB (2) DB (3)
  • 5. Current Container Networks (2/2) • Conceptual microservice architecture • Single overlay network (Kubernetes environment) 5 Web UI (A) Service (A) DB (1) DB (2) DB (3) Web UI (B) Service (B) Host Network Bridge External Interface Gateway for an overlay network Web UI (A) Service (A) DB (1) Web UI (B) Service (B) DB (2) DB (3)
  • 6. Security Challenges in Container Networks (1/2) • Loss of container context • Do not know where packets actually come from in the host network namespace • Possible to forge packets on behalf of any other containers • Limitations of IP-based access controls • Dynamically changed container IP addresses • Still vulnerable to L2 attacks due to limited scope • Network policy explosion • Iptables: centralized mechanism for all network interfaces • Monolithic network rules daunting to manage 6 Container Network Container Container NS Container vNIC Container NS Host Network Namespace (NS) Iptables-based Access Control veth Packet veth vNIC 1 2,3
  • 7. Security Challenges in Container Networks (2/2) • Unrestricted host access • The gateway of a container network in the host network namespace • Necessary to access external networks • Allow accessing the services running at the host • Unrestricted network-privileged containers • Network-privileged containers • Share the host network namespace • Used to directly expose services through a host IP • All network interfaces under control • No solutions that consider security policies for them 7 Container Container NS Host Service Host Network Namespace (NS) Bridge (or Software Switch) Network- privileged Container Container Network Host Network ExtNIC vNIC veth GW 4 5
  • 8. Bastion: Security Enforcement Network Stack • Goal • Secure a container network through an intelligent container-aware communication sandbox • Protect network threats that abuse the security challenges of current container networks • Isolate inter-container communications according to their dependencies • Key Components • Bastion manager • Collect all network information (e.g., network configurations and policies) from container platforms • Network visibility service • Provide fine-grained control over different network topology visibility per container application • Traffic visibility service • Securely isolate inter-container communications in a point-to-point manner • Prevent the exposure of inter-container network traffic to other peer containers 8
  • 9. Container NS Container NS Bastion Architecture Host NS Host-side Container vNIC Host-side Container vNIC veth veth iptables iptables Bridge extNIC Network Visibility Traffic Visibility Source Verification Direct ARP handler Container-aware Network Isolation Special IP handler End-to-end Direct Forwarding Visibility Maps Container Network Map Inter-container Dependency Map Bastion End-to-end direct forwarding End-to-end direct forwarding E2E forwarding Bastion Bastion 9 Container Container vNIC vNIC
  • 10. Manager – Container Collection • Container network and dependency maps • Collect the network information of deployed containers from container platforms • Extract the inter-container dependencies using container configurations and network policies Container Network Service Interface IP address MAC address WebApp-X1 WebService WebApp vethwepl6f964e8 10.32.0.2 96:0e:73:ef:86:fe WebApp-X2 WebService WebApp vethweplb89dc35 10.32.0.3 6e:81:0f:a7:db:c7 Service-Y1 WebService Service vethweplb957e84 10.32.0.4 D6:bc:7b:20:32:c5 Database-Z1 WebService Database vethweplc5ee33c 10.32.0.5 42:a0:ae:b7:f5:97 Source Destination Policy WebApp Service Any WebApp Database TCP:3306 Service Database TCP:3307 < Inter-container Dependency Map > Operator Container Platform Bastion Manager Manual update Periodic update < Container Network Map > 10 Bastion UI
  • 11. Manager – Security Stack Management • Security enforcement network stack • Install a security enforcement network stack at a newly deployed container • Update the maps of the security stack in run time 11 Bastion Manager Container Collection Stack Management NetMap DepMap Container Platform New Container Existing Container Security Stack Update the maps Security Stack Deploy a security stack Update the maps
  • 12. Security Stack – Network Visibility Service (1/2) • Container Discovery • First step to identify other containers (targets for communication) • Possible to be exploited for scanning all containers by malicious containers • Current solutions: No prevention against non-IP-based communications • Direct ARP handler • Directly response ARP requests at the security stack based on inter-container dependencies • Do not broadcast the requests to the network since this operation could be abused by an attacker 12 Source container Destination container Bastion Security Stack Direct ARP handler ARP Request (dst: 10.32.0.4) ARP Reply (dst: D6:BC:7B:20:32:C5) No broadcast IP: 10.32.0.4 Mac: D6:BC:7B:20:32:C5 Container Network Map
  • 13. Bastion Security Stack Security Stack – Network Visibility Service (2/2) • Limitation of the direct ARP handler • Limited to container-level isolation (coverage issue) • Cannot address malicious network activities between inter-dependent containers • Container-aware network isolation • Restrict container accesses according to finer-grained inter-container dependencies • In a similar way, Bastion restricts the opposite direction (10.32.0.5:3306 à 10.32.0.2:5000) as well 13 Src: 10.32.0.2(5000) Dst: 10.32.0.5(3306) Key(10.32.0.5) = YYY (1) Key Generation (2) Dependency map lookup (3) Policy matches DP:3306 = TCP:3306 Action (forward/drop) Packet from the WebApp KEY Policy YYY TCP:3306
  • 14. Security Stack – Traffic Visibility Service (1/2) • How to verify sources in current solutions • Iptables: {source IP and MAC addresses} in packet headers • Vulnerable to Layer-2 attacks (e.g., ARP spoofing) • Open vSwitch: {source IP and MAC addresses} in packet headers + incoming virtual port • Not support a NOT operation • Need to define all possible flow rules with the above matching fields for source verification • Source verification in Bastion • {source IP and MAC addresses} in packet headers + kernel metadata at the container-side 14 Container Container-side Network Interface Bastion Security Stack Source Verification Packet Source IP = 10.32.0.1 Host-side Network Interface Metadata (If_index: xx) Source MAC = aa:bb:cc:dd:ee:ff Source interface = xx
  • 15. Security Stack – Traffic Visibility Service (2/2) • End-to-end direct forwarding • Directly inject packets delivered from a source into a destination • Bypass the container network (the Linux network stack at the host-side) • Use the Linux networking features (XDP/eBPF) 15 Bastion Bastion Container Network Container A Container B Internal Interface Internal Interface Container A’s host-side Interface A à B A à B End-to-end direct forwarding No traffic? Nothing? Original path Container B’s host-side Interface Nothing?
  • 16. Security Evaluation • Goal • Replace the contents delivered to a user with a fake content 16 Redis (1) Container Takeover (2) Target Scanning (3) Target Monitoring (4) Forged Content Injection (5) Fake Content Delivery (1) Forged Contents Request contents (5) (User) Forged contents Original contents Nginx (User) Gateway (0.0) Microservices Redis (Guest) Nginx (Guest) (3) (4) 0.1 0.3 0.4 0.2
  • 17. Security: Attack Scenario Verification 17 à The number of all deployed containers Nginx-User The original MAC address of Redis-User à Redis-User The MAC address of Nginx-Guest à Nginx-Guest 1. Scan neighbor containers in a network (Nginx-Guest) 2. Spoof a target container (Nginx-User) 3. Eavesdrop the network traffic of the target (Nginx-Guest) 4. Inject a fake content (Client-side) Before injection After injection
  • 18. Security: Container Discovery • No restriction on container reachability (without Bastion) • Limited container reachability (with Bastion) 18 à The number of all deployed containers à The number of dependent containers
  • 19. Security: Passive Packet Monitoring • Precondition: ARP spoofing attack is successfully conducted • Network traffic for other containers à visible (without Bastion) • Non-local traffic à invisible (with Bastion) • For verification, intentionally make the source-to-destination flows visible 19
  • 20. Security: Active Packet Injection • Precondition: ARP spoofing attack is successfully conducted • Without Bastion • With Bastion 20 < Attacker side > < Victim side > < Attacker side > < Victim side >
  • 21. Performance: Inter-container Throughputs • Test environment • Xeon E5-2630v4 CPU with 64GB of RAM • Kubernetes with Weave overlay network, TCP traffic with iperf3 • Low inter-container throughputs across hosts? • Due to the heavy overheads in physical link traversal and tunneling between hosts 21 Throughput (Gbps) Base (No Bastion) Network Visibility only Traffic Visibility only Bastion (Fully deployed) Within a host 34.4 33.7 41.8 41.5 Across hosts 4.28 4.23 4.91 4.83
  • 22. Performance: Bastion on Various Networks • Test environment • Xeon E5-2630v4 CPU with 64GB of RAM • Kubernetes with Flannel, Weave, and Calico overlay networks, TCP traffic with iperf3 22 34.50 40.02 34.40 41.50 31.92 38.52 6.04 6.61 4.28 4.83 5.87 6.16 0 10 20 30 40 50 Flannel Flannel-BN Weave Weave-BN Calico Calico-BN Throughput (Gbps) Intra-Host Inter-Host
  • 23. Summary • The state of current container security • Mostly focus on the security of containers themselves • Less concern the security issues in container networks • Security assessment of container networks • Identified how the security challenges in current container networks impact containers • Bastion: security enforcement network stack for container networks • Intelligently isolate inter-container communications • Effectively mitigate lateral attacks against peer containers 23
  • 24. 24 Thank you for listening namjh@kaist.ac.kr