Securing KVM / container networks
Marian HackMan Marinov
<mm@siteground.com>
Chief System Architect
SiteGround
Who am I?
❖ Chief System Architect of Siteground.com
❖ Sysadmin since 1996
❖ Organizer of OpenFest, BG Perl Workshops, LUG-BG and similar :)
❖ Teaching Network Security and Linux System Administration at Sofia University
DISCLAIMER
❖ I'll be looking only at the network on the host machine
❖ The only proper way of securing the network between your VMs / containers and the host machine is to know your infrastructure. This includes MAC and IP addresses and their actual location.
❖ Basic things we have to protect from:
  - ARP spoofing
  - IP spoofing
  - traffic leaking / sniffing
KVM networking
❖ What network options does KVM give us?
  - vnet device on the host
  - macvtap
  - Virtual Distributed Ethernet (VDE)
  - assign a physical device (SR-IOV, Single Root I/O Virtualization)
  - assign a physical device (eth, wlan)
❖ What network options does KVM give us?
  - NAT
  - Routing
  - Bridge
  - OpenVswitch
  - ProxyARP
Container networking
❖ What network options are available for containers?
  - macvlan (tap & tun)
  - veth pair (routing or NAT)
  - VDE (using tap devices)
  - move any network device into the container (eth, tun/tap, vlan, wlan, etc.)
❖ What network options are available for containers?
  - Bridge
  - OpenVswitch
  - Routing
  - NAT
  - ProxyARP
Protections?
❖ How can we secure all those options?
  - VLANs
  - Routing
  - Static ARP
  - iptables
  - ebtables
  - arptables
  - ip6tables
Network setup: using a Router
[diagram: VM-1, LXC-1, VM-2 and LXC-2 attached to the host acting as a router]
Network setup: using a Bridge
[diagram: VM-1, LXC-1, VM-2 and LXC-2 attached to a bridge on the host]
Attacking the bridged network
❖ ARP poisoning
  - VM-1 poisons the ARP cache of the HOST
  - VM-1 poisons the ARP cache of VM-2
  - As simple as:
# ip a a 10.0.0.1/24 dev eth0
# arping -i eth0 -U 10.0.0.1
  - Can be even easier:
# arpspoof -i eth0 -t 10.0.0.1 -r 10.0.0.15
Protecting the bridged network
❖ Preventing ARP poisoning of the HOST
  - adding static ARP entries:
# ip n a 10.0.0.15 lladdr 01:81:36:ec:05:ee nud permanent dev vnet1
Protecting the bridged network
❖ Preventing ARP spoofing towards the VMs/Containers
  - configure ARPTABLES (these rules match ARP frames forwarded across the bridge, so they belong in the FORWARD chain and need net.bridge.bridge-nf-call-arptables=1; GW and xx:xx:xx:xx:xx:xx stand for the gateway's IP and MAC):
# arptables -P FORWARD DROP
# arptables -A FORWARD -j ACCEPT -s GW -i eth0 -z xx:xx:xx:xx:xx:xx
# arptables -A FORWARD -j ACCEPT -s 10.0.0.15 -i vnet1 -z xx:xx:xx:xx:xx:xx
# arptables -A FORWARD -j ACCEPT -o vnet1
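The two slides above (static neighbour entries on the host, arptables rules for the bridge) both come down to the same thing: the host knows which (interface, IP, MAC) triple is legitimate and rejects everything else. The script below is an added example, not code from the deck: it derives both rule sets from one inventory so they can never disagree. The inventory, the uplink name and the gateway IP/MAC are constructed placeholders (the deck writes them as GW and xx:xx:xx:xx:xx:xx); the commands are printed rather than executed so they can be reviewed and then piped to sh on the host.

```shell
#!/bin/sh
# Added example: generate host-side anti-ARP-spoofing rules from an inventory.
# Constructed inventory, one guest per line: "interface ip mac".
INVENTORY='vnet1 10.0.0.15 01:81:36:ec:05:ee
vnet2 10.0.0.16 01:81:36:ec:05:ef'
UPLINK=eth0                 # interface towards the gateway (assumption)
GW_IP=10.0.0.1              # the deck's GW (placeholder value)
GW_MAC=02:00:00:00:00:01    # the deck's xx:xx:xx:xx:xx:xx (placeholder value)

# Permanent neighbour entries on the HOST: the kernel never lets an unsolicited
# ARP reply overwrite a "nud permanent" entry, so the arping/arpspoof trick from
# the attack slide has nothing to poison. "replace" makes the script re-runnable.
gen_static_arp() {
    printf 'ip neigh replace %s lladdr %s nud permanent dev %s\n' "$GW_IP" "$GW_MAC" "$UPLINK"
    printf '%s\n' "$INVENTORY" | while read -r ifc ip mac; do
        [ -n "$ifc" ] || continue
        printf 'ip neigh replace %s lladdr %s nud permanent dev %s\n' "$ip" "$mac" "$ifc"
    done
}

# arptables FORWARD rules for ARP frames crossing the bridge (they traverse the
# FORWARD chain once bridge-nf-call-arptables is on): default DROP, then one
# ACCEPT per legitimate (port, sender IP, sender MAC) triple. Long option
# --source-mac is used instead of the deck's -z shorthand.
gen_arptables() {
    printf 'sysctl -w net.bridge.bridge-nf-call-arptables=1\n'
    printf 'arptables -P FORWARD DROP\n'
    printf 'arptables -A FORWARD -j ACCEPT -i %s -s %s --source-mac %s\n' "$UPLINK" "$GW_IP" "$GW_MAC"
    printf '%s\n' "$INVENTORY" | while read -r ifc ip mac; do
        [ -n "$ifc" ] || continue
        printf 'arptables -A FORWARD -j ACCEPT -i %s -s %s --source-mac %s\n' "$ifc" "$ip" "$mac"
    done
}

# Sanity check: number of ACCEPT rules must equal inventory size + 1 (gateway).
count_accepts() { gen_arptables | grep -c -- '-j ACCEPT'; }

# Demo: print the generated commands (pipe to "sh" on the host to apply them).
gen_static_arp
gen_arptables
```

Every guest port gets exactly one ACCEPT, so a guest that claims another guest's IP, or the gateway's, is dropped at the bridge before its ARP reply reaches anyone else; adding a guest means adding one inventory line and re-running the generator.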
Network setup: using a Bridge
[diagram: VM-1, LXC-1, VM-2 and LXC-2 attached to br0 on the host; eth0: 10.12.0.12]
# brctl show
bridge  bridge id          interfaces
br0     8000.028037ec0200  eth0
                           vnet1
                           vnet2
Network setup: using a Bridge
[diagram: VM-1, LXC-1, VM-2 and LXC-2 attached to br0 on the host; eth0: 10.12.0.12]
With a plain bridge, VM1 can reach the host's own address directly:
VM1: ping -c1 10.12.0.12
PING 10.12.0.12 (10.12.0.12) 56(84) bytes of data.
64 bytes from 10.12.0.12: icmp_seq=1 ttl=64 time=0.086 ms
Network setup: using a Bridge
❖ We now have many options to keep guest traffic away from the host's own stack:
  - bridge vlan filtering
  - ingress policy
  - ebtables
  - namespaces
  - ebtables filter (drop all traffic on that interface)
  - arptables filter
  - iptables filter (drop all traffic on that interface)
  - don't forget about IPv6 ☺
Network setup: using a Bridge
Bridge VLAN filtering: remove the bridge device itself (the host side, "self") from VLAN 1, so the guest ports no longer share a VLAN with the HOST:
# echo 1 > /sys/class/net/br0/bridge/vlan_filtering
# bridge vlan del dev br0 vid 1 self
# bridge vlan show
port    vlan ids
eth0     1 PVID Egress Untagged
vnet1    1 PVID Egress Untagged
vnet2    1 PVID Egress Untagged
br0     None
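Whether the VLAN trick above actually isolated the host is something you want to verify, not assume, especially on bridges that carry more than one VLAN. The script below is an added example, not from the deck: it parses the text output of `bridge vlan show` and reports every port that still shares a VLAN with the bridge device's own "self" entry, i.e. every guest that can still reach the HOST's IP stack through the bridge. The three samples are constructed, modelled on the deck's output, and include a multi-VID port with a continuation line and a range, which the deck's single-VLAN case does not show.

```shell
#!/bin/sh
# Added example: audit `bridge vlan show` output for host isolation.

# Constructed sample: the state the deck shows before its fix (br0 still on VLAN 1).
SAMPLE_BEFORE='port vlan ids
eth0 1 PVID Egress Untagged
vnet1 1 PVID Egress Untagged
vnet2 1 PVID Egress Untagged
br0 1 PVID Egress Untagged'

# Constructed sample: after "bridge vlan del dev br0 vid 1 self".
SAMPLE_AFTER='port vlan ids
eth0 1 PVID Egress Untagged
vnet1 1 PVID Egress Untagged
vnet2 1 PVID Egress Untagged
br0 None'

# Constructed sample: eth0 also carries 10-12 (continuation line) and the bridge
# device itself sits on VLAN 10, so vnet1 is isolated but eth0 and vnet2 are not.
SAMPLE_MIXED='port vlan ids
eth0 1 PVID Egress Untagged
      10-12
vnet1 1 PVID Egress Untagged
vnet2 10 PVID Egress Untagged
br0 10'

# Turn iproute2's text output (stdin) into "port vid" pairs: a line starting in
# column 0 names a port, indented lines carry further VIDs of that port,
# "a-b" ranges are expanded, and "None" yields no pair at all.
vlan_pairs() {
    awk 'NR == 1 && $1 == "port" { next }
         /^[^ \t]/ { port = $1; $1 = "" }
         {
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^[0-9]+$/) print port, $i
                 else if ($i ~ /^[0-9]+-[0-9]+$/) {
                     split($i, r, "-")
                     for (v = r[1] + 0; v <= r[2] + 0; v++) print port, v
                 }
             }
         }'
}

# Ports sharing at least one VID with bridge device $1 (its "self" entry),
# sorted, one per line. Reads `bridge vlan show` output from stdin.
host_reachable_ports() {
    vlan_pairs | awk -v br="$1" '
        $1 == br { self[$2] = 1; next }
        { port[NR] = $1; vid[NR] = $2 }
        END {
            for (n in port) if (vid[n] in self) hit[port[n]] = 1
            for (p in hit) print p
        }' | sort
}

# Succeeds when no port can reach the host through bridge $1.
host_isolated() {
    [ -z "$(host_reachable_ports "$1")" ]
}

# Demo on the constructed samples (on a real host: bridge vlan show | host_reachable_ports br0).
printf 'before: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | host_reachable_ports br0 | tr '\n' ' ')"
printf 'after:  %s\n' "$(printf '%s\n' "$SAMPLE_AFTER" | host_reachable_ports br0 | tr '\n' ' ')"
```

The check is deliberately pessimistic: any VID shared between a guest port and the bridge device counts as reachable, regardless of PVID or tagging, because a guest can always send tagged frames on a VLAN the port is a member of.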
Network setup: using a Bridge
Ingress filter (drop everything the bridge device would hand to the host's stack; "match u8 0 0" matches every packet):
# tc qdisc add dev br0 handle ffff: ingress
# tc filter add dev br0 parent ffff: u32 match u8 0 0 action drop
ebtables:
# ebtables -A INPUT --logical-in br0 -j DROP
Network setup: using a Bridge
[diagram: the HOST keeps eth1; br0 with eth0, vnet1 and vnet2 lives in the vm-bridge network namespace, where VM-1, LXC-1, VM-2 and LXC-2 attach]
Network setup: moving the bridge into its own namespace
# ip netns add vm-bridge
# ip link set netns vm-bridge eth0
# ip link set netns vm-bridge vnet1
# ip link set netns vm-bridge vnet2
# ip link del dev br0
# ip netns exec vm-bridge brctl addbr br0
# for i in eth0 vnet1 vnet2; do
>   ip netns exec vm-bridge brctl addif br0 $i
>   ip netns exec vm-bridge ip link set up dev $i
> done
# ip netns exec vm-bridge ip link set up dev br0
Network setup: disabling ARP on bridge br0
# ip link set arp off dev br0
# ip l l dev br0
8: br0: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group d
    link/ether 50:54:33:00:00:04 brd ff:ff:ff:ff:ff:ff
Network setup: using a Router
[diagram: VM-1, LXC-1, VM-2 and LXC-2 routed through the host]
VM1: 10.0.0.4/30
VM2: 10.0.0.8/30
HOST: 10.0.0.0/30
Network setup: using a Router
If you want flexibility, you add a routing protocol
[diagram: bgp1 and bgp2 peering with the host]
You now need to protect the BGPs from bogus announcements
Protect the HOST
Prevent access to the host node with policy routing:
# echo "200 vnet1" >> /etc/iproute2/rt_tables
# ip route add 0/0 via x.x.x.x table vnet1
# ip route add 10.0.0.15 dev vnet1 table vnet1
# ip rule add iif vnet1 table vnet1
# ip rule add oif vnet1 table vnet1
Prevent spoofing of IPs
Limit the source IPs of all clients:
# iptables -P FORWARD DROP
# iptables -A FORWARD -j ACCEPT -i vnet1 -s 10.0.0.15
# iptables -A FORWARD -j ACCEPT -i vnet2 -s 10.0.0.16
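The policy-routing slide and the FORWARD-filter slide above both encode the same fact, which address sits behind which vnet interface, and drift between the two is how spoofing holes appear. The script below is an added example, not from the deck: it generates both the per-guest routing tables (the deck shows the table for vnet1 only; this is the general form for any number of guests) and the default-deny FORWARD rules from one inventory, and provides a small oracle that says what the generated filter would do with a given (interface, source) pair. The inventory, the table ids beyond 200 and the gateway address (a placeholder for the deck's x.x.x.x) are constructed.

```shell
#!/bin/sh
# Added example: per-guest policy routing and FORWARD source lock from one inventory.
# Constructed inventory, one guest per line: "interface ip".
INVENTORY='vnet1 10.0.0.15
vnet2 10.0.0.16'
GATEWAY=192.0.2.1            # placeholder for the deck's x.x.x.x (assumption)
TABLE_BASE=200               # the deck uses id 200 for vnet1; next guests count up
RT_TABLES=/etc/iproute2/rt_tables

# One routing table per guest interface, holding only the default route via the
# gateway and the guest's own address; the iif/oif rules pin both directions of
# that interface to its table. The rt_tables line is added only if missing,
# so the generated script can be re-run safely.
gen_policy_routing() {
    n=$TABLE_BASE
    printf '%s\n' "$INVENTORY" | while read -r ifc ip; do
        [ -n "$ifc" ] || continue
        printf 'grep -qx "%s %s" %s || echo "%s %s" >> %s\n' "$n" "$ifc" "$RT_TABLES" "$n" "$ifc" "$RT_TABLES"
        printf 'ip route add 0/0 via %s table %s\n' "$GATEWAY" "$ifc"
        printf 'ip route add %s dev %s table %s\n' "$ip" "$ifc" "$ifc"
        printf 'ip rule add iif %s table %s\n' "$ifc" "$ifc"
        printf 'ip rule add oif %s table %s\n' "$ifc" "$ifc"
        n=$((n + 1))
    done
}

# Default-deny FORWARD chain with exactly one ACCEPT per (interface, source) pair.
gen_forward_filter() {
    printf 'iptables -P FORWARD DROP\n'
    printf '%s\n' "$INVENTORY" | while read -r ifc ip; do
        [ -n "$ifc" ] || continue
        printf 'iptables -A FORWARD -j ACCEPT -i %s -s %s\n' "$ifc" "$ip"
    done
}

# Oracle for the generated filter: succeeds iff a packet entering interface $1
# with source address $2 would be forwarded; everything else hits the DROP policy.
forward_allows() {
    printf '%s\n' "$INVENTORY" | grep -Fqx "$1 $2"
}

# Demo: print the generated commands (pipe to "sh" on the host to apply them).
gen_policy_routing
gen_forward_filter
```

After applying the routing part, check the resulting `ip rule` order on the host: the local table keeps preference 0 and is consulted before the rules added here, so the generator reproduces the deck's rules but does not by itself prove that guest traffic cannot reach a host address.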
THANK YOU
Marian HackMan Marinov
<mm@siteground.com>
Challenges with high density networks
 
SiteGround building automation
SiteGround building automationSiteGround building automation
SiteGround building automation
 
Preventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel trackingPreventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel tracking
 
Managing a lot of servers
Managing a lot of serversManaging a lot of servers
Managing a lot of servers
 

Recently uploaded

AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdfAKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
SamSarthak3
 
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
thanhdowork
 
Literature Review Basics and Understanding Reference Management.pptx
Literature Review Basics and Understanding Reference Management.pptxLiterature Review Basics and Understanding Reference Management.pptx
Literature Review Basics and Understanding Reference Management.pptx
Dr Ramhari Poudyal
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
MdTanvirMahtab2
 
Cosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdfCosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdf
Kamal Acharya
 
DfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributionsDfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributions
gestioneergodomus
 
basic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdfbasic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdf
NidhalKahouli2
 
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressionsKuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
Victor Morales
 
Fundamentals of Induction Motor Drives.pptx
Fundamentals of Induction Motor Drives.pptxFundamentals of Induction Motor Drives.pptx
Fundamentals of Induction Motor Drives.pptx
manasideore6
 
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdfWater Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation & Control
 
Planning Of Procurement o different goods and services
Planning Of Procurement o different goods and servicesPlanning Of Procurement o different goods and services
Planning Of Procurement o different goods and services
JoytuBarua2
 
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
zwunae
 
Understanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine LearningUnderstanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine Learning
SUTEJAS
 
Swimming pool mechanical components design.pptx
Swimming pool  mechanical components design.pptxSwimming pool  mechanical components design.pptx
Swimming pool mechanical components design.pptx
yokeleetan1
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
Osamah Alsalih
 
An Approach to Detecting Writing Styles Based on Clustering Techniques
An Approach to Detecting Writing Styles Based on Clustering TechniquesAn Approach to Detecting Writing Styles Based on Clustering Techniques
An Approach to Detecting Writing Styles Based on Clustering Techniques
ambekarshweta25
 
Online aptitude test management system project report.pdf
Online aptitude test management system project report.pdfOnline aptitude test management system project report.pdf
Online aptitude test management system project report.pdf
Kamal Acharya
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
AJAYKUMARPUND1
 
DESIGN AND ANALYSIS OF A CAR SHOWROOM USING E TABS
DESIGN AND ANALYSIS OF A CAR SHOWROOM USING E TABSDESIGN AND ANALYSIS OF A CAR SHOWROOM USING E TABS
DESIGN AND ANALYSIS OF A CAR SHOWROOM USING E TABS
itech2017
 
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming PipelinesHarnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Christina Lin
 

Recently uploaded (20)

AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdfAKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
 
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
 
Literature Review Basics and Understanding Reference Management.pptx
Literature Review Basics and Understanding Reference Management.pptxLiterature Review Basics and Understanding Reference Management.pptx
Literature Review Basics and Understanding Reference Management.pptx
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
 
Cosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdfCosmetic shop management system project report.pdf
Cosmetic shop management system project report.pdf
 
DfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributionsDfMAy 2024 - key insights and contributions
DfMAy 2024 - key insights and contributions
 
basic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdfbasic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdf
 
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressionsKuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
 
Fundamentals of Induction Motor Drives.pptx
Fundamentals of Induction Motor Drives.pptxFundamentals of Induction Motor Drives.pptx
Fundamentals of Induction Motor Drives.pptx
 
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdfWater Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdf
 
Planning Of Procurement o different goods and services
Planning Of Procurement o different goods and servicesPlanning Of Procurement o different goods and services
Planning Of Procurement o different goods and services
 
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证成绩单专业办理
 
Understanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine LearningUnderstanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine Learning
 
Swimming pool mechanical components design.pptx
Swimming pool  mechanical components design.pptxSwimming pool  mechanical components design.pptx
Swimming pool mechanical components design.pptx
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
 
An Approach to Detecting Writing Styles Based on Clustering Techniques
An Approach to Detecting Writing Styles Based on Clustering TechniquesAn Approach to Detecting Writing Styles Based on Clustering Techniques
An Approach to Detecting Writing Styles Based on Clustering Techniques
 
Online aptitude test management system project report.pdf
Online aptitude test management system project report.pdfOnline aptitude test management system project report.pdf
Online aptitude test management system project report.pdf
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
 
DESIGN AND ANALYSIS OF A CAR SHOWROOM USING E TABS
DESIGN AND ANALYSIS OF A CAR SHOWROOM USING E TABSDESIGN AND ANALYSIS OF A CAR SHOWROOM USING E TABS
DESIGN AND ANALYSIS OF A CAR SHOWROOM USING E TABS
 
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming PipelinesHarnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
 

Securing the network for VMs or Containers

  • 1. Securing KVM / container networks
    Marian "HackMan" Marinov <mm@siteground.com>
    Chief System Architect, SiteGround
  • 2. Who am I?
    ❖ Chief System Architect of Siteground.com
    ❖ Sysadmin since 1996
    ❖ Organizer of OpenFest, BG Perl Workshops, LUG-BG and similar :)
    ❖ Teaching Network Security and Linux System Administration at Sofia University
  • 3. DISCLAIMER
    ❖ I'll be looking only at the network on the host machine.
    ❖ The only proper way of securing the network between your VMs / containers and the host machine is to know your infrastructure. This includes MAC and IP addresses and their actual location.
  • 4. ❖ Basic things that we have to protect against:
    - ARP spoofing
    - IP spoofing
    - traffic leaking / sniffing
  • 5. KVM networking
    ❖ What network options does KVM give us?
    - vnet (tap) device on the host
    - macvtap
    - Virtual Distributed Ethernet (VDE)
    - assign a physical device through SR-IOV (Single Root I/O Virtualization)
    - assign a whole physical device (eth, wlan)
  • 6. KVM networking
    ❖ What network options does KVM give us?
    - NAT
    - Routing
    - Bridge
    - Open vSwitch
    - Proxy ARP
  • 7. Container networking
    ❖ What network options are available for containers?
    - macvlan (tap & tun)
    - veth pair (routing or NAT)
    - VDE (using tap devices)
    - move any network device into the container (eth, tun/tap, vlan, wlan, etc.)
  • 8. Container networking
    ❖ What network options are available for containers?
    - Bridge
    - Open vSwitch
    - Routing
    - NAT
    - Proxy ARP
  • 9-15. Protections?
    ❖ How can we secure all those options? (the list is built up one item per slide)
    - VLANs
    - Routing
    - Static ARP
    - iptables
    - ebtables
    - arptables
    - ip6tables
  • 16. Network setup: using a router
    (diagram: VM-1, LXC-1, VM-2 and LXC-2 each connected to the host, which routes between them)
  • 17. Network setup: using a bridge
    (diagram: VM-1, LXC-1, VM-2 and LXC-2 attached to one bridge on the host)
  • 18. Attacking the bridged network
    ❖ ARP poisoning
    - VM-1 poisons the ARP cache of the HOST
    - VM-1 poisons the ARP cache of VM-2
    - As simple as claiming the address and announcing it with unsolicited ARP (arping -U):
      # ip a a 10.0.0.1/24 dev eth0
      # arping -i eth0 -U 10.0.0.1
    - Can be even easier:
      # arpspoof -i eth0 -t 10.0.0.1 -r 10.0.0.15
  • 19. Protecting the bridged network
    ❖ Preventing ARP poisoning of the HOST
    - add a static (permanent) ARP entry for every guest, bound to its own tap device:
      # ip n a 10.0.0.15 lladdr 01:81:36:ec:05:ee nud permanent dev vnet1
  • 20. Protecting the bridged network
    ❖ Preventing ARP spoofing towards the VMs / containers
    - configure arptables (GW and xx:xx:xx:xx:xx:xx stand for the gateway's IP and the real MAC addresses):
      # arptables -P OUT DROP
      # arptables -A OUT -j ACCEPT -s GW -i eth0 -z xx:xx:xx:xx:xx:xx
      # arptables -A OUT -j ACCEPT -s 10.0.0.15 -i vnet1 -z xx:xx:xx:xx:xx:xx
      # arptables -A OUT -j ACCEPT -o vnet1
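Static entries and arptables rules only help if the host's neighbour table actually matches the inventory the disclaimer slide asks you to keep. The following audit is an added example (not code from the deck): it parses the output of `ip -4 neigh show` on the host, compares every entry seen on a guest tap against a hypothetical inventory of (tap, IP, MAC), and reports overwritten MACs, entries that are not PERMANENT (i.e. the static entry from slide 19 is missing), and unknown IPs that reuse another guest's MAC. It also rejects inventory MACs whose first octet is odd (like the 01:... example above), because that bit marks a group address and no guest NIC will ever send from it. The inventory and the neighbour-table sample are constructed.

```python
"""Audit the host's ARP view of bridged guests against a known inventory.

Added example, not from the slides. Input is `ip -4 neigh show` output;
INVENTORY and SAMPLE_NEIGH below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Optional

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Hypothetical inventory: guest IP -> (tap device on the host, guest MAC)
INVENTORY = {
    "10.0.0.15": ("vnet1", "52:54:00:12:34:01"),
    "10.0.0.16": ("vnet2", "52:54:00:12:34:02"),
}

# Constructed `ip -4 neigh show` output: vnet2 is correct and pinned,
# vnet1's entry has been overwritten by a poisoned reply, and an unknown
# IP shows up on vnet2 using vnet1's MAC (a spoof attempt).
SAMPLE_NEIGH = """\
10.0.0.15 dev vnet1 lladdr 52:54:00:de:ad:01 REACHABLE
10.0.0.16 dev vnet2 lladdr 52:54:00:12:34:02 PERMANENT
10.0.0.17 dev vnet2 lladdr 52:54:00:12:34:01 STALE
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
"""


@dataclass(frozen=True)
class Neigh:
    ip: str
    dev: str
    mac: Optional[str]   # None for INCOMPLETE/FAILED entries
    state: str


def parse_neigh(text):
    """Parse `ip -4 neigh show` lines; tolerates entries without lladdr."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "dev":
            continue
        mac = None
        if "lladdr" in parts:
            mac = parts[parts.index("lladdr") + 1].lower()
        entries.append(Neigh(parts[0], parts[2], mac, parts[-1]))
    return entries


def mac_is_unicast(mac):
    """Well-formed and I/G bit clear: something a guest NIC can really use."""
    return MAC_RE.match(mac) is not None and int(mac[:2], 16) & 1 == 0


def audit(entries, inventory, guest_ifaces):
    """Return human-readable findings; an empty list means the host sees
    exactly what the inventory says, pinned as PERMANENT."""
    findings = []
    for ip, (_, mac) in inventory.items():
        if not mac_is_unicast(mac):
            findings.append(f"inventory: {ip} has non-unicast/invalid MAC {mac}")
    known_macs = {mac.lower(): ip for ip, (_, mac) in inventory.items()}
    seen = set()
    for n in entries:
        if n.dev not in guest_ifaces:        # uplink entries are out of scope
            continue
        seen.add(n.ip)
        want = inventory.get(n.ip)
        if want is None:
            owner = known_macs.get(n.mac)
            suffix = f" (MAC belongs to {owner})" if owner else ""
            findings.append(f"{n.dev}: unexpected IP {n.ip} with MAC {n.mac}{suffix}")
            continue
        want_dev, want_mac = want
        if n.dev != want_dev:
            findings.append(f"{n.ip}: seen on {n.dev}, expected {want_dev}")
        if n.mac != want_mac.lower():
            findings.append(f"{n.ip}: MAC {n.mac} != inventory {want_mac}")
        if n.state != "PERMANENT":
            findings.append(f"{n.ip}: entry is {n.state}, not PERMANENT (static entry missing)")
    for ip in inventory:
        if ip not in seen:
            findings.append(f"{ip}: no neighbour entry at all")
    return findings


if __name__ == "__main__":
    for f in audit(parse_neigh(SAMPLE_NEIGH), INVENTORY, {"vnet1", "vnet2"}):
        print(f)
```

Run it periodically (or from the same place that creates the taps) with `ip -4 neigh show` piped in; three findings come out of the sample above, and the same logic applies to `ip -6 neigh show` once you add the guests' IPv6 addresses to the inventory.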
  • 21. Network setup: using a bridge
    Host eth0: 10.12.0.12
    # brctl show
    bridge   bridge id           interfaces
    br0      8000.028037ec0200   eth0
                                 vnet1
                                 vnet2
  • 22-23. Network setup: using a bridge
    With the host's address reachable over the same bridge, a guest can talk to the host directly:
    VM1: ping -c1 10.12.0.12
    PING 10.12.0.12 (10.12.0.12) 56(84) bytes of data.
    64 bytes from 10.12.0.12: icmp_seq=1 ttl=64 time=0.086 ms
  • 24. Network setup: using a bridge
    ❖ We now have many options we can use to keep the guests away from the host's stack:
    - bridge VLAN filtering
    - ingress policy (tc)
    - ebtables
    - network namespaces
    - ebtables filter (drop all traffic on that interface)
    - arptables filter
    - iptables filter (drop all traffic on that interface)
    - don't forget about IPv6 ☺
  • 25-26. Network setup: using a bridge, VLAN filtering
    Enable VLAN filtering on br0 and remove the bridge device itself (the HOST, "self") from VLAN 1: the ports keep their PVID, but frames in VLAN 1 are no longer delivered to the host:
    # echo 1 > /sys/class/net/br0/bridge/vlan_filtering
    # bridge vlan del dev br0 vid 1 self
    # bridge vlan show
    port    vlan ids
    eth0     1 PVID Egress Untagged
    vnet1    1 PVID Egress Untagged
    vnet2    1 PVID Egress Untagged
    br0     None        <- HOST
  • 27. Network setup: using a bridge, dropping everything that reaches the bridge device
    ingress filter (a u32 match with a zero mask matches every frame):
    # tc qdisc add dev br0 handle ffff: ingress
    # tc filter add dev br0 parent ffff: u32 match u8 0 0 action drop
    ebtables:
    # ebtables -A INPUT --logical-in br0 -j DROP
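After `bridge vlan del dev br0 vid 1 self` it is worth verifying the result rather than trusting it, because a later `bridge vlan add ... self` or a port added with a wider VLAN set silently re-opens the path to the host. This added example (not from the deck) parses `bridge vlan show` and checks two things: the bridge device itself has no VLAN membership, and every guest port has exactly one PVID and no extra VLANs it could inject tagged frames into. AFTER mirrors the output shown above; BEFORE is a constructed sample of the state prior to the `del ... self`.

```python
"""Check that VLAN filtering really cut the host off the bridge.

Added example, not from the slides. Parses `bridge vlan show` output;
BEFORE and AFTER are constructed samples.
"""

BEFORE = """\
port    vlan ids
eth0     1 PVID Egress Untagged
vnet1    1 PVID Egress Untagged
vnet2    1 PVID Egress Untagged
br0      1 PVID Egress Untagged
"""

AFTER = """\
port    vlan ids
eth0     1 PVID Egress Untagged
vnet1    1 PVID Egress Untagged
vnet2    1 PVID Egress Untagged
br0     None
"""


def parse_bridge_vlan(text):
    """Return {port: [(vid, {flags})]}; a port listed as None gets []."""
    table, port = {}, None
    for line in text.splitlines()[1:]:          # first line is the header
        if not line.strip():
            continue
        if line[0].isspace():                   # continuation: another VID on the same port
            rest = line.strip()
        else:
            port, _, rest = line.strip().partition(" ")
            table[port] = []
            rest = rest.strip()
        if rest and rest != "None":
            vid, *flags = rest.split()
            table[port].append((int(vid), set(flags)))
    return table


def host_isolated(table, bridge, guest_ports):
    """Problems that mean a guest can still reach the host's stack or
    another VLAN; an empty list is the state the slide aims for."""
    problems = []
    self_vids = [vid for vid, _ in table.get(bridge, [])]
    if self_vids:
        problems.append(f"{bridge} itself is still a member of VLAN(s) {self_vids}")
    for p in guest_ports:
        vlans = table.get(p)
        if vlans is None:
            problems.append(f"{p}: not a port of the bridge")
            continue
        pvids = [vid for vid, flags in vlans if "PVID" in flags]
        if len(pvids) != 1:
            problems.append(f"{p}: expected exactly one PVID, got {pvids}")
        extra = [vid for vid, _ in vlans if vid not in pvids]
        if extra:
            problems.append(f"{p}: member of extra VLAN(s) {extra}, can inject tagged frames there")
    return problems


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, host_isolated(parse_bridge_vlan(sample), "br0", ["vnet1", "vnet2"]))
```

The check says nothing about eth0: if the uplink port keeps an address of its own (as 10.12.0.12 does in the setup above), that address is still reachable from the guests and needs the tc or ebtables drop from slide 27, or the namespace split that follows.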
  • 28. Network setup: using a bridge, namespaces
    (diagram: the HOST keeps eth1; eth0, vnet1, vnet2 and br0 live in the vm-bridge network namespace)
  • 29. Network setup
    Move the uplink, the taps and the bridge into their own namespace, so the host's own stack is not on the bridge at all:
    # ip netns add vm-bridge
    # ip link set netns vm-bridge eth0
    # ip link set netns vm-bridge vnet1
    # ip link set netns vm-bridge vnet2
    # ip link del dev br0
    # ip netns exec vm-bridge brctl addbr br0
    # for i in eth0 vnet1 vnet2; do
    >   ip netns exec vm-bridge brctl addif br0 $i
    >   ip netns exec vm-bridge ip link set up dev $i
    > done
    # ip netns exec vm-bridge ip link set up dev br0
  • 30. Network setup
    Disabling ARP on bridge br0, so the host no longer answers ARP for its address on the bridge:
    # ip link set arp off dev br0
    # ip l l dev br0
    8: br0: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
        link/ether 50:54:33:00:00:04 brd ff:ff:ff:ff:ff:ff
  • 31. Network setup: using a router
    Each guest gets its own /30 instead of sharing one broadcast domain with the host and the other guests:
    VM1: 10.0.0.4/30
    VM2: 10.0.0.8/30
    HOST: 10.0.0.0/30
  • 32-33. Network setup: if you want flexibility, you add a routing protocol
    (diagram: bgp1 and bgp2 speakers between the host and VM-1, LXC-1, VM-2, LXC-2)
    You now need to protect the BGP speakers from bogus announcements.
  • 34. Protect the HOST
    Prevent access to the host node with policy routing: everything entering or leaving vnet1 uses its own table, which only knows the guest and the upstream gateway (x.x.x.x):
    # echo "200 vnet1" >> /etc/iproute2/rt_tables
    # ip route add 0/0 via x.x.x.x table vnet1
    # ip route add 10.0.0.15 dev vnet1 table vnet1
    # ip rule add iif vnet1 table vnet1
    # ip rule add oif vnet1 table vnet1
  • 35. Prevent spoofing of IPs
    Limit the source IPs of all clients: drop everything in FORWARD and accept only the inventory address on the tap it belongs to:
    # iptables -P FORWARD DROP
    # iptables -A FORWARD -j ACCEPT -i vnet1 -s 10.0.0.15
    # iptables -A FORWARD -j ACCEPT -i vnet2 -s 10.0.0.16
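Slides 19, 20, 34 and 35 each show the rules for one tap; on a host with dozens of guests they have to come from the same inventory or they drift. The generator below is an added example (not code from the deck) that produces the whole per-guest set from one table: the permanent neighbour entry, source pinning on the bridge path, the FORWARD source check, and the per-tap policy routing. It pins MAC, ARP sender IP and IPv4 source with ebtables FORWARD rules rather than the arptables OUT rules of slide 20, and it refuses an inventory with a malformed or group-bit MAC or a duplicated address, because a wrong pin is worse than none. GATEWAY, GUESTS and the rt_tables numbering (200 upward, as on slide 34) are assumptions; the output is a list of commands for you to review and run as root.

```python
"""Generate the per-guest host hardening shown in the deck from one inventory.

Added example, not from the slides. GATEWAY, GUESTS and RT_TABLE_BASE are
assumed values; the functions only build command strings, they run nothing.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

GATEWAY = "10.0.0.1"      # assumed upstream router (slide 34 writes x.x.x.x)
RT_TABLE_BASE = 200       # slide 34 uses table 200 for vnet1

# Hypothetical inventory: tap device on the host -> (guest IPv4, guest MAC)
GUESTS = {
    "vnet1": ("10.0.0.15", "52:54:00:12:34:01"),
    "vnet2": ("10.0.0.16", "52:54:00:12:34:02"),
}


def validate(guests):
    """Refuse an inventory that would pin the wrong thing: bad addresses,
    MACs with the group bit set, or two taps sharing an IP or MAC."""
    seen_ip, seen_mac = set(), set()
    for dev, (ip, mac) in guests.items():
        ipaddress.IPv4Address(ip)              # raises ValueError on garbage
        if not MAC_RE.match(mac) or int(mac[:2], 16) & 1:
            raise ValueError(f"{dev}: {mac} is not a unicast MAC")
        if ip in seen_ip or mac.lower() in seen_mac:
            raise ValueError(f"{dev}: {ip}/{mac} already used by another guest")
        seen_ip.add(ip)
        seen_mac.add(mac.lower())


def guest_rules(dev, ip, mac, table):
    """Rules for one tap: the guest may only ever speak as (ip, mac)."""
    return [
        # the host's ARP cache entry for this guest cannot be overwritten (slide 19)
        f"ip neigh replace {ip} lladdr {mac} nud permanent dev {dev}",
        # bridge path: drop frames that lie about their source MAC,
        # ARP sender IP or IPv4 source address (ebtables filter, slide 24)
        f"ebtables -A FORWARD -i {dev} -s ! {mac} -j DROP",
        f"ebtables -A FORWARD -i {dev} -p ARP --arp-ip-src ! {ip} -j DROP",
        f"ebtables -A FORWARD -i {dev} -p IPv4 --ip-src ! {ip} -j DROP",
        # routed path: only the inventory IP may be forwarded from this tap (slide 35)
        f"iptables -A FORWARD -j ACCEPT -i {dev} -s {ip}",
        # keep guest traffic out of the host's main table (slide 34)
        f"grep -q '^{table} {dev}$' /etc/iproute2/rt_tables || echo '{table} {dev}' >> /etc/iproute2/rt_tables",
        f"ip route add default via {GATEWAY} table {dev}",
        f"ip route add {ip} dev {dev} table {dev}",
        f"ip rule add iif {dev} table {dev}",
        f"ip rule add oif {dev} table {dev}",
    ]


def host_rules(guests):
    """Global defaults first, then one block per tap in a stable order."""
    validate(guests)
    cmds = [
        "iptables -P FORWARD DROP",
        # slide 24: don't forget about IPv6; with no IPv6 inventory nothing is forwarded
        "ip6tables -P FORWARD DROP",
    ]
    for n, dev in enumerate(sorted(guests)):
        ip, mac = guests[dev]
        cmds += guest_rules(dev, ip, mac, RT_TABLE_BASE + n)
    return cmds


if __name__ == "__main__":
    print("\n".join(host_rules(GUESTS)))
```

The ebtables rules sit in FORWARD, which covers guest-to-guest and guest-to-uplink frames; if the host still has an address on the bridge, add the same three matches to INPUT or, better, use the VLAN-filtering or namespace split from the bridge section so there is nothing to reach.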
  • 36. THANK YOU
    Marian "HackMan" Marinov <mm@siteground.com>