Linux Native, HTTP Aware Network Security
•
5 likes•2,291 views
Cilium is open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes. At the foundation of Cilium is a new Linux kernel technology called BPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because BPF runs inside the Linux kernel itself, Cilium security policies can be applied and updated without any changes to the application code or container configuration.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (15)
Similar to Linux Native, HTTP Aware Network Security
Similar to Linux Native, HTTP Aware Network Security (20)
More from Thomas Graf
More from Thomas Graf (7)
Recently uploaded
Recently uploaded (20)
Linux Native, HTTP Aware Network Security
- 1. Title. Thomas Graf CTO & Co-Founder @ Covalent Linux-Native, HTTP-Aware Network Security
- 2. Application Architectures Delivery Frequency Operational Complexity Single Server App Yearly Low Distributed Microservices App 10-100 x’s / day Extreme 3-Tier App Monthly Moderate CODE CONSISTENCY AT VELOCITY
- 3. Network Security has not evolved $ iptables -A INPUT -p tcp -s 15.15.15.3 --dport 80 -m conntrack --ctstate NEW -j ACCEPT The world still runs on iptables matching IPs and ports:
- 4. Your HTTP ports be like …
- 6. L3/L4 Network Security for microservices Pod “Frontend” Pod “Store” API GET /store/myItem HTTP/1.1
- 7. L3/L4 Network Security for microservices Pod “Frontend” Pod “Store” API GET /store/myItem HTTP/1.1 FROM frontend ALLOW tcp:80
- 8. L3/L4 Network Security for microservices Pod “Frontend” Pod “Store” GET /store/{id} API GET /store/myItem HTTP/1.1 FROM frontend ALLOW tcp:80
- 9. L3/L4 Network Security for microservices Pod “Frontend” Pod “Store” GET /healthz GET /store/{id} PUT /store/{id} PUT /config API GET /store/myItem HTTP/1.1 FROM frontend ALLOW tcp:80
- 10. L3/L4 Network Security for microservices Pod “Frontend” Pod “Store” GET /healthz GET /store/{id} PUT /store/{id} PUT /config API attacksurface GET /store/myItem HTTP/1.1 FROM frontend ALLOW tcp:80
- 11. L3/L4 Network Security for microservices Pod “Frontend” Pod “Store” GET /healthz GET /store/{id} PUT /store/{id} PUT /config API exposed exposed exposed FROM frontend ALLOW tcp:80 GET /store/myItem HTTP/1.1 OK
- 12. L4 security has become meaningless in the age of microservices
- 13. L3/L4 Network Security for microservices Pod “Frontend” Pod “Store” GET /healthz GET /store/{id} PUT /store/{id} PUT /config API GET /store/myItem HTTP/1.1
- 14. L3/L4 Network Security for microservices Pod “Frontend” Pod “Store” GET /healthz GET /store/{id} PUT /store/{id} PUT /config API FROM frontend ALLOW GET /store/.* GET /store/myItem HTTP/1.1
- 16. BPF – The Superpowers inside Linux
- 17. What is BPF? .insns = { BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152), BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), BPF_EXIT_INSN(), }
- 18. What is BPF? SOURCE CODE [C] </> USER SPACE
- 19. What is BPF? SOURCE CODE [C] </> BYTE CODE [BPF] USER SPACE </>
- 20. What is BPF? SOURCE CODE [C] </> BYTE CODE [BPF] VERIFIER + JIT USER SPACE KERNEL </>
- 21. What is BPF? SOURCE CODE [C] </> BYTE CODE [BPF] VERIFIER + JIT USER SPACE KERNEL </> SANDBOX BPF
- 22. What is BPF? SOURCE CODE [C] </> BYTE CODE [BPF] VERIFIER + JIT USER SPACE KERNEL </> SANDBOX BPF Process Process
- 23. What is BPF? SOURCE CODE [C] </> BYTE CODE [BPF] VERIFIER + JIT USER SPACE KERNEL </> SANDBOX BPF Process SANDBOX BPF write() Process
- 24. What is BPF? SOURCE CODE [C] </> BYTE CODE [BPF] VERIFIER + JIT USER SPACE KERNEL </> SANDBOX BPF Process SANDBOX BPF write() Process EACCESS
- 25. How does BPF relate to HTTP? Process GET /foo
- 26. SANDBOX BPF Process GET /foo How does BPF relate to HTTP?
- 27. SANDBOX BPF Process Proxy rules GET /foo redirect How does BPF relate to HTTP?
- 28. SANDBOX BPF Process Proxy rules GET /foo redirect reinject How does BPF relate to HTTP?
- 29. SANDBOX BPF Process Proxy rules GET /foo redirect 403 Access Denied How does BPF relate to HTTP?
- 30. Cilium Architecture Cilium Kernel ProcessBPF ProcessBPF BPF Cilium Agent CLI Monitor Policy Plugins
- 31. • Generate networking code at Container Startup + Tailored to each container + Include Minimal Code Required Faster Smaller Attack Surface • Constant Config (IP, MAC, Ports, …), Compiler Optimization • Regeneration at Runtime Without Breaking Connections BPF CODE GENERATION AT CONTAINER STARTUP
- 32. 75 140 205 240 325 365 370 365 410 412 425 445 450 460 460 490 495 505 515 525 545 565 0 100 200 300 400 500 600 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 BPF redirect() performance [GBit per core] Intel Xeon 3.5Ghz Sandy Bridge, 24 Cores, 1 TCP GSO flow per core, netperf -t TCP_SENDFILE, 10K Cilium policies
- 33. Thank You Learn More: cilium.io Code: github.com/cilium/cilium Follow us: @ciliumproject KubeCon booth: S19