visualizing security boundaries in docker swarm overlay
play

visualizing security boundaries in docker swarm overlay networks - PowerPoint PPT Presentation

Sep 28, 2022 •412 likes •743 views

Marcel Brouwers July 3, 2017 Master of System and Network Engineering University of Amsterdam Supervisor: Esan Wit visualizing security boundaries in docker swarm overlay networks Mode for managing a cluster of docker nodes The Swarm

  1. Marcel Brouwers July 3, 2017 Master of System and Network Engineering University of Amsterdam Supervisor: Esan Wit visualizing security boundaries in docker swarm overlay networks

  2. ∙ Mode for managing a cluster of docker nodes ∙ The Swarm keeps services running and distributes containers over the nodes ∙ Has a feature for overlay networks between containers 1 Introduction Docker Swarm

  3. ∙ Containers can be connected to multiple Swarm overlay networks ∙ Networks are created from the manager nodes 1 https://tools.ietf.org/html/rfc7348 2 https://github.com/docker/libnetwork/blob/master/drivers/ overlay/ov_serf.go 2 Docker Swarm overlay network ∙ VxLAN 1 based overlay networks. (Layer 2 over Layer 3) ∙ Serf used for mapping 2

  4. ∙ RFC 7348 ∙ Layer 2 over layer 3 ∙ 24 bits Virtual Network Identified (VNI) ∙ UDP port 4789 3 VxLAN

  5. ∙ Which security measures are there for Docker Swarm overlay networks and what can be done on the overlay network if a container or host gets compromised? ∙ Which strategies are there to find out what gets exposed by containers and hosts in (overlay) networks? ∙ Is it feasible to consolidate all the information about exposure and visualize it in a comprehensible way? 4 Research question ∙ What gets exposed when using Docker Swarm overlay networks and is there a way to visualize what gets exposed?

  6. ∙ Which security measures are there for Docker Swarm overlay networks and what can be done on the overlay network if a container or host gets compromised? ∙ Which strategies are there to find out what gets exposed by containers and hosts in (overlay) networks? ∙ Is it feasible to consolidate all the information about exposure and visualize it in a comprehensible way? 4 Research question ∙ What gets exposed when using Docker Swarm overlay networks and is there a way to visualize what gets exposed?

  7. ∙ Which security measures are there for Docker Swarm overlay networks and what can be done on the overlay network if a container or host gets compromised? ∙ Which strategies are there to find out what gets exposed by containers and hosts in (overlay) networks? ∙ Is it feasible to consolidate all the information about exposure and visualize it in a comprehensible way? 4 Research question ∙ What gets exposed when using Docker Swarm overlay networks and is there a way to visualize what gets exposed?

  8. ∙ Which security measures are there for Docker Swarm overlay networks and what can be done on the overlay network if a container or host gets compromised? ∙ Which strategies are there to find out what gets exposed by containers and hosts in (overlay) networks? ∙ Is it feasible to consolidate all the information about exposure and visualize it in a comprehensible way? 4 Research question ∙ What gets exposed when using Docker Swarm overlay networks and is there a way to visualize what gets exposed?

  9. ∙ Layer 2 attacks on a VxLAN overlay network, Author: G. Peneda, March 11, 2014 ∙ Secure Virtual Network Configuration for Virtual Machine (VM) Protection Author: NIST, March 2016 ∙ Docker swarm mode overlay network security model Author: 3 https://docs.docker.com/engine/userguide/networking/ overlay-security-model/ 5 Related work Docker Project, 2017 3

  10. ∙ Encryption for overlay network not used by default ∙ Encryption possible: IPSEC tunnel 6 Security measures for Swarm overlays

  11. ∙ Tested: ARP spoofing, MAC flooding ∙ Tested using: Arpspoof tool (Dsniff), Ettercap, Macof (Dsniff) ∙ Using non-privileged containers and privileged containers ∙ Monitored ARP tables and sniffed network traffic ∙ Result: Not possible. 7 What’s possible?

  12. ∙ Tested: ARP spoofing, MAC flooding ∙ Tested using: Arpspoof tool (Dsniff), Ettercap, Macof (Dsniff) ∙ Using non-privileged containers and privileged containers ∙ Monitored ARP tables and sniffed network traffic ∙ Result: Not possible. 7 What’s possible?

  13. 8 1 4 https://tools.ietf.org/html/rfc7348#page-21 FDB gets populated using a gossip protocol “Serf”. schemes possible for the distribution of the VTEP IP to VM MAC “In addition to a learning-based control plane, there are other ageing 300 l3miss srcport 0 0 dstport 4789 proxy l2miss id 4097 vxlan 4 1 f f : f f : f f : f f : f f : f f brd <BROADCAST , MULTICAST , UP , LOWER_UP> mtu 1450 qdisc noqueue master br0 d l i n k show vxlan1 2 1 1 : 46: e6 : 4 8 : 5 d : dd :92 vxlan1 : state UNKNOWN mode DEFAULT group default 3 l i n k /ether Why was that not possible? root@manager1 : ~ # ip netns exec 1 − 7x3gglxlba ip − link − netnsid 0 promiscuity Listing 1: Proxy ARP configured on VTEP mapping information”’ 4

  14. ∙ Tested: Replay of packets ∙ Using Tcpreplay ∙ ICMP from container A to container B on host A and B ∙ Replayed ICMP request from node C ∙ Works, ICMP reply arrives at container A ∙ Also works when source ip is changed ∙ Replay also works for an encrypted Swarm overlay network ∙ VNIs predictable: start at 4096 ∙ UDP port 4789 (and tcp/udp 7946 for Serf) 9 What’s possible?

  15. ∙ Tested: Replay of packets ∙ Using Tcpreplay ∙ ICMP from container A to container B on host A and B ∙ Replayed ICMP request from node C ∙ Works, ICMP reply arrives at container A ∙ Also works when source ip is changed ∙ Replay also works for an encrypted Swarm overlay network ∙ VNIs predictable: start at 4096 ∙ UDP port 4789 (and tcp/udp 7946 for Serf) 9 What’s possible?

  16. ∙ Tested: Replay of packets ∙ Using Tcpreplay ∙ ICMP from container A to container B on host A and B ∙ Replayed ICMP request from node C ∙ Works, ICMP reply arrives at container A ∙ Also works when source ip is changed ∙ Replay also works for an encrypted Swarm overlay network ∙ VNIs predictable: start at 4096 ∙ UDP port 4789 (and tcp/udp 7946 for Serf) 9 What’s possible?

  17. ∙ Tested: Replay of packets ∙ Using Tcpreplay ∙ ICMP from container A to container B on host A and B ∙ Replayed ICMP request from node C ∙ Works, ICMP reply arrives at container A ∙ Also works when source ip is changed ∙ Replay also works for an encrypted Swarm overlay network ∙ VNIs predictable: start at 4096 ∙ UDP port 4789 (and tcp/udp 7946 for Serf) 9 What’s possible?

  18. ∙ Tested: Replay of packets ∙ Using Tcpreplay ∙ ICMP from container A to container B on host A and B ∙ Replayed ICMP request from node C ∙ Works, ICMP reply arrives at container A ∙ Also works when source ip is changed ∙ Replay also works for an encrypted Swarm overlay network ∙ VNIs predictable: start at 4096 ∙ UDP port 4789 (and tcp/udp 7946 for Serf) 9 What’s possible?

  19. ∙ Have each container report netstat output and firewall status ∙ Pro: Can be fast and complete ∙ Con: Overhead by running on each container ∙ Con: Required adapting docker files and redeploying. ∙ Scan the network ∙ Pro: One container that runs a scanner ∙ Con: Should be connected to all overlay networks ∙ Con: Scan can take a long time ∙ Have each host report netstat output and firewall status for the containers ∙ Pro: Containers can not be overlooked ∙ Pro: Can be relatively fast 10 Strategies for finding out what gets exposed

  20. ∙ Have each container report netstat output and firewall status ∙ Pro: Can be fast and complete ∙ Con: Overhead by running on each container ∙ Con: Required adapting docker files and redeploying. ∙ Scan the network ∙ Pro: One container that runs a scanner ∙ Con: Should be connected to all overlay networks ∙ Con: Scan can take a long time ∙ Have each host report netstat output and firewall status for the containers ∙ Pro: Containers can not be overlooked ∙ Pro: Can be relatively fast 10 Strategies for finding out what gets exposed

  21. ∙ Have each container report netstat output and firewall status ∙ Pro: Can be fast and complete ∙ Con: Overhead by running on each container ∙ Con: Required adapting docker files and redeploying. ∙ Scan the network ∙ Pro: One container that runs a scanner ∙ Con: Should be connected to all overlay networks ∙ Con: Scan can take a long time ∙ Have each host report netstat output and firewall status for the containers ∙ Pro: Containers can not be overlooked ∙ Pro: Can be relatively fast 10 Strategies for finding out what gets exposed

  22. ∙ Visualizations in the browser ∙ D3.js ∙ Collected data using Swarm API and scripts on hosts 11 Visualizing

  23. 12 Visualizing

  24. 13 Visualizing

  25. 14 Visualizing

  26. 15 Visualizing

  27. 16 Visualizing

  28. 17 Demo Visualizing

  29. ∙ Layer 2 attacks based on ARP injecting seems not possible on a Swarm overlay network ∙ It is possible to inject something in a Swarm overlay network when standard configuration is used ∙ Encrypted Swarm overlay traffic can be successfully replayed ∙ Creating visualizations of the Swarm overlay networks taking security boundaries into account is possible 18 Conclusion

  30. ∙ Work on visualizations for single nodes showing more detail for ∙ Research the mechanism that updates the mapping for the VTEPs firewall configuration 19 Future work

  31. 20 Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer / mgoelzer@docker.com / @mgoelzer Docker Inc. docker service is the new docker run docker run nginx 2013-14 docker run -p 3375:2375 swarm ; 2014-15

688 views • 34 slides
Docker Security Workshop Goals of this Workshop Understand and get Understand and get

Docker Security Workshop Goals of this Workshop Understand and get Understand and get

Docker Security Workshop Goals of this Workshop Understand and get Understand and get comfortable with Docker comfortable with Linux security technologies security technologies Swarm Mode Security AppArmor Secrets Management seccomp

1.94k views • 147 slides
Brendan Jackson Vice President, Analytics PDI Virtual Desktop In Docker Innovate In Your Swarm

Brendan Jackson Vice President, Analytics PDI Virtual Desktop In Docker Innovate In Your Swarm

Brendan Jackson Vice President, Analytics PDI Virtual Desktop In Docker Innovate In Your Swarm PDI Virtual Desktop in Docker Containerize PDI to have visual development power in your swarm Seasoned healthcare finance and technology

349 views • 11 slides
Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike

Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike

Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike Goelzer &amp; Victor Vieux Docker Orchestration Overview Mike Goelzer / mgoelzer@docker.com / gh: mgoelzer Orchestration in Docker Orchestration

599 views • 39 slides
Add picture Swarm here Bret Fisher DevOps Consultant Docker Captain, Dell {code} Catalyst

Add picture Swarm here Bret Fisher DevOps Consultant Docker Captain, Dell {code} Catalyst

Going Production with Docker and Add picture Swarm here Bret Fisher DevOps Consultant Docker Captain, Dell {code} Catalyst Author of Udemy's Docker Mastery Slides! bretfisher.com/slides Add picture here Tweets!

769 views • 63 slides
Orchestra)on Tool Roundup - Docker Swarm vs. Kubernetes,

Orchestra)on Tool Roundup - Docker Swarm vs. Kubernetes,

Orchestra)on Tool Roundup - Docker Swarm vs. Kubernetes, TerraForm vs. TOSCA/Cloudify vs. Heat Agenda Orchestra)on 101.. Different approaches for

1.1k views • 77 slides
USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY

USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY

USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY &quot;Containers Don't Contain&quot; Daniel Walsh, RedHat https://opensource.com/business/14/7/docker- security-selinux &quot;... total systemic

502 views • 48 slides
Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni (@jpetazzo) French software engineer living in California Joined Docker (dotCloud) more than 4 years ago (I was at Docker before it was cool! ) I built

420 views • 38 slides
Docker cker Ov Overlay rlay Networks tworks Performance analysis in high-latency environments

Docker cker Ov Overlay rlay Networks tworks Performance analysis in high-latency environments

Docker cker Ov Overlay rlay Networks tworks Performance analysis in high-latency environments Students: s: Siem Hermans Patrick de Niet Resea earc rch Project ect 1 Supervi rviso sor: Dr. Paola Grosso System and Network Engineering

438 views • 18 slides
CONTAINER ORCHESTRATION WITH SWARM MODE, MESOS/MARATHON AND KUBERNETES ADRIAN MOUAT WHO AM I?

CONTAINER ORCHESTRATION WITH SWARM MODE, MESOS/MARATHON AND KUBERNETES ADRIAN MOUAT WHO AM I?

CONTAINER ORCHESTRATION WITH SWARM MODE, MESOS/MARATHON AND KUBERNETES ADRIAN MOUAT WHO AM I? Chief Scientist at Container Solutions Wrote &quot;Using Docker&quot; for O'Reilly 40% discount with code AUTHD Docker Captain @adrianmouat WHAT

1.4k views • 59 slides
Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y install docker s ystemctl start docker systemctl enable docker docker images - Launch pre-canned container: hello-world (busybox is another good

480 views • 4 slides
Docker Networking Workshop Agenda 1. Detailed Overview 2. Docker Networking Evolution 3. Use

Docker Networking Workshop Agenda 1. Detailed Overview 2. Docker Networking Evolution 3. Use

Docker Networking Workshop Agenda 1. Detailed Overview 2. Docker Networking Evolution 3. Use Cases Single-host networking with the Bridge driver Multi-host networking with the Overlay driver Connecting to existing VLANs with the

1.32k views • 93 slides
Deliver Docker Containers Continuously on AWS Philipp Garbe @pgarbe Google Container So many

Deliver Docker Containers Continuously on AWS Philipp Garbe @pgarbe Google Container So many

Deliver Docker Containers Continuously on AWS Philipp Garbe @pgarbe Google Container So many choices... Engine Azure Container Services Cloud Foundrys Amazon ECS Diego Kubernetes Docker Swarm Mesosphere CoreOS Marathon Fleet

465 views • 45 slides
1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

12.03.2019 Docker security 1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami M.Sc Computer Security M.Sc Software Development Worked previously as an embedded software developer Actually

586 views • 54 slides
L2 Overlay L2 Overlay

L2 Overlay L2 Overlay

L2 Overlay L2 Overlay July 30, 2019 A. Gerrard, What Is Kubernetes?

536 views • 24 slides
The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker

The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker

The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker developers Work on security, systems software, applications, LinuxKit, containers @justincormack 2 From OS to languages? From OS to

843 views • 39 slides
2019 - 20 Financial Aid High School Presentation New Jersey Higher Education Student Assistance

2019 - 20 Financial Aid High School Presentation New Jersey Higher Education Student Assistance

2019 - 20 Financial Aid High School Presentation New Jersey Higher Education Student Assistance Authority Presented by Woodrow Lewis Jr. The Mission The Higher Education Student Assistance Authority is the only State agency with the sole

621 views • 58 slides
ERSAT - EAV ERTMS on SATELLITE Enabling Application Validation Alessandro Neri 1 , Gianluigi

ERSAT - EAV ERTMS on SATELLITE Enabling Application Validation Alessandro Neri 1 , Gianluigi

Pacific PNT May 2-4, 2017 Honolulu, Hawaii ERSAT - EAV ERTMS on SATELLITE Enabling Application Validation Alessandro Neri 1 , Gianluigi Fontana 2 , Salvatore Sabina 2 , Francesco Rispoli 2 , Roberto Capua 3 , Giorgia Olivieri 3 , Fabio

523 views • 23 slides
Capacity and Commodity Invoices . Invoicing Discovery Day LDZ Capacity and Commodity Validations

Capacity and Commodity Invoices . Invoicing Discovery Day LDZ Capacity and Commodity Validations

Capacity and Commodity Invoices . Invoicing Discovery Day LDZ Capacity and Commodity Validations Daily validations include; Daily Validations to ensure UKLink &amp; Gemini Class 1 and 2 energies are in line AQ Validations to ensure UK

427 views • 11 slides
Supporting the training, education and development of UC San Diego Research Administrators .

Supporting the training, education and development of UC San Diego Research Administrators .

Supporting the training, education and development of UC San Diego Research Administrators . trainra.ucsd.edu A look at the past year (and a half) RA Training Program Jul 2015 Jan 2016 Oct 2016 May 2017 Nicole hired, but Nicole

728 views • 20 slides
Oversight Committee Meeting Streets Project Status Updates * * All financial values based

Oversight Committee Meeting Streets Project Status Updates * * All financial values based

Quarterly Revenue Bond Oversight Committee Meeting Streets Project Status Updates * * All financial values based on May 2016 data. 1 SFMTA Strategic Plan Goals 2018 2012 Bike/Walk 21% Auto Transit/ Auto Transit 62% Bike/Walk

214 views • 18 slides
Nick Hamilton Institute for Molecular Bioscience Essential Graph Theory for Biologists Image: Matt

Nick Hamilton Institute for Molecular Bioscience Essential Graph Theory for Biologists Image: Matt

Nick Hamilton Institute for Molecular Bioscience Essential Graph Theory for Biologists Image: Matt Moores, The Visible Cell Outline Core definitions Which are the most important bits? Which are the most important bits? What happens when

901 views • 24 slides
How to create a good poster Nitzan Rimon, Yael Elbaz &amp; Maya Schuldiner Department of

How to create a good poster Nitzan Rimon, Yael Elbaz &amp; Maya Schuldiner Department of

How to create a good poster Nitzan Rimon, Yael Elbaz &amp; Maya Schuldiner Department of Molecular Genetics, Weizmann Institute of Science Note: Many of the ideas here were taken from: http://colinpurrington.com/tips/academic/posterdesign. Visit

444 views • 5 slides
Requirements PREPARED AND PRESENTED BY: DR. KELLEY PENNELL, DNP, APRN, ACNS-BC Objectives Gain

Requirements PREPARED AND PRESENTED BY: DR. KELLEY PENNELL, DNP, APRN, ACNS-BC Objectives Gain

Delegation Rules and Requirements PREPARED AND PRESENTED BY: DR. KELLEY PENNELL, DNP, APRN, ACNS-BC Objectives Gain knowledge regarding TMB rules regarding physician delegation Gain knowledge regarding TMB rules regarding responsibilities of

722 views • 12 slides

More recommend