By Gary Duan and Fei Huang
Protecting Application Containers
A Docker container firewall should be a ‘must-have’ requirement before deploying any container-based applications. In this post we’ll compare a couple ways to deploy a Docker container firewall – manually vs. with a commercial solution such as NeuVector. However you choose to do this, you’ll want to protect containers with at least some network firewalling rules so attackers don’t have an open door to your critical assets. There’s a new breed of container security technology called a cloud-native container firewall which makes deploying a Docker container firewall simple, and even adds cloud and host security protections.
Why Is Container Security Even Needed?
The recent security breaches such as Equifax and ransomware prove that hackers will eventually find a way to get a foothold in your infrastructure. New vulnerabilities are constantly be discovered and exploits created such as apache struts, linux stack clash, and dirty cow.
It’s not enough just to scan code for vulnerabilities and patch production systems. That’s like closing the barn door after the horse has run away. Exploits usually involve a ‘kill chain’ — a series of events where the attacker gains entry, escalates a privilege, scans other systems, and performs other steps before being able to steal data or damage systems. A Docker container firewall can detect multiple steps in this kill chain, even for zero-day exploits where a vulnerability has yet to be published and patched.
Why Is It So Difficult to Deploy a Docker Container Firewall?
A container deployment is designed to be easily scaled, updated, and moved across hosts and even clouds. Each container has its own virtualized network interfaces which get deployed automatically by Docker and the orchestration tools used. This makes it difficult to use traditional firewall rules and iptables to inspect and protect access to containers.
[Learn How to Protect Workloads in this Container Segmentation Guide]
How Can I Do It Manually?
You can try to configure a Docker container firewall manually, but it’s only recommended if you are linux networking knowledgeable and don’t plan to frequently scale or update containers and host clusters.
Here are the basic steps required, for example on a Debian host;
- Make sure Docker isn’t going to overwrite your rules by setting –iptables=false.
- Make sure any rules you create will be saved persistently.
- Add Allow/Forwarding rules (lo interface, ICMP, docker).
- Add Firewall rules (incoming, outgoing, routing). Make sure to allow containers to access the internet if needed.
- Load the Firewall rules.
- Allow/Restrict Host to Host Container Communication
–icc=true (must manually configure this too if –iptables=false)
After you’re finished, your rules.v4 / rules.v6 file will look something like this:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow localhost
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# ICMP
-A INPUT -p icmp -j ACCEPT
# Docker
-A FORWARD -i docker0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o docker0 -j ACCEPT
# Incoming
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
# Outgoing
-A OUTPUT -j ACCEPT
# Routing
-A FORWARD -j DROP
COMMIT
For a detailed description of each of the steps above, please see this excellent guide by Antonios Chariton.
All of these efforts control basic networking communication into and out of hosts. However, if you want more fine grained control over which containers can talk to others you’ll need to update rules or go with a commercial docker container firewall solution, which will do these things automatically for you.
You don’t want to be updating container to container rules manually, and in fact that is pretty much impossible in any dynamic environment. For example, imagine trying to create firewall rules for this Docker swarm networking setup.
There are many different types of traditional firewalls, and for container deployments there are also several choices for firewall protections, such as:
- Layer 3 / 4 filtering. Like the above example, protections can be based on IP address and ports. Kubernetes Network Policy and other tools built on Kubernetes can dynamically update rules as deployments scale or change. However, these are not designed with the real-time traffic visualization, monitoring, and response that are possible with a true firewall.
- Web application attacks. Common web application attacks can be detected on containers that are internet facing, similar to how a web application firewall (WAF) performs. While these have useful protections against common attacks like DDoS, they are not designed for multi-protocol filtering of the east-west traffic often found with containers.
- Full layer 7 Docker container firewall. A container firewall with Layer 7 filtering can protect based on network application protocols and provides the most flexible and powerful protections, often including all capabilities above.
What is a ‘Cloud-Native’ Docker Container Firewall?
DOWNLOAD THE GUIDE
A Docker container firewall has similar capabilities but is different in critical ways than a next generation firewall (NGFW) and web application firewall (WAF). It may also have more cloud and host security features than you’d expect in a typical firewall.
A cloud-native Docker container firewall is able to isolate and protect workloads, application stacks, and services, even as individual containers scale up, down, or across hosts. It provides similar protections that traditional firewalls provide for north-south traffic, but in a cloud-native environment for all container traffic. This includes east-west, north-south, and container to non-container traffic. It must also protect the ingress and egress from containers to external networks and legacy applications.
Key Features of a Docker Container Firewall
- Integrated with container run-time engine
- Integrated with cloud container orchestration tools
- Behavioral learning based to automate policy creation
- Whitelist based protection
- Layer7 deep packet inspection of inter-container traffic
- Application threat protection
- Other host and cloud security features
A Behavior-based Security Policy
Because of the immutable nature of container deployments, it is possible to automate the initial creation of a security policy. Combining behavioral learning techniques with container deployment manifests can provide the information needed to automate such a policy.
The behavior-based automated policy creation takes into account:
- Valid network behavior, including application protocols using Layer 7 deep packet inspection techniques
- Container context such as links and dependencies
- Processes running and syscalls
- User context such as roles, projects and privileges
By learning the expected behavior of a container based service and utilizing as many criteria as possible, a container firewall can:
- Infer the ‘intent’ of the developer and application’s behavior
- Automate the creation and update of the security policy, and
- More accurately detect suspicious behavior during run-time.
A Deeper Look at Deep Packet Inspection (DPI)
A Docker container firewall should protect containers with a combination of DPI techniques and other container security features.
In the Equifax data breach, had a set of DPI-enabled pattern match signatures been deployed, the compromise could have been prevented. The attack vectors within all the working exploits use predictable patterns. The malicious HTTP requests either have a malformed header or have an executable shell command embedded in the XML object. However, these indicators are only obvious to people or detection tools that understand how the protocols and applications work. Signatures can be developed based on the attack patterns, but to limit the false positive and false negative alerts, we must resort to DPI (deep packet inspection) techniques.
All of this context helps the pattern match algorithms to accurately look for patterns within specific locations. DPI is a critical capability to determine, in real-time, on a connection by connection basis, whether the packets should be allowed through, blocked, or generate an alert.
However, as can be seen in the diagram above, DPI should be combined with a behavioral learning based solution which takes into account other important indicators which should be monitored.
How to Deploy NeuVector as a Docker Container Firewall
Deploying NeuVector is as simple as deploying application containers. The same orchestration tools used for managing applications can be used for the NeuVector containers. Simply deploy the Controller to one or more hosts, and an Enforcer on each host to be protected. NeuVector provides sample config files for popular platforms such as Kubernetes, RedHat OpenShift, Rancher, Docker EE, AWS ECS and native Docker Compose. As an example, a Kubernetes based deployment is as easy as:
- Copying over the sample config file for the appropriate Kubernetes (or Openshift, Rancher etc) version
- Labeling management nodes for the Controller if desired
- Creating a separate namespace for the NeuVector containers
- Creating a secret for pulling NeuVector from Docker Hub (or pull from a local registry)
- Deploying the console service, controller deployments, and enforcer daemonset pods using ‘kubectl create’
- Running test traffic through the applications(s) for NeuVector to learn the behavior and automatically create the policy
- Reviewing the policy and if satisfied (or after customizing) setting NeuVector to protect the application containers.
NeuVector provides a real-time view application and network behavior and is useful for visualization of connection flows as well as debugging of application traffic between containers during testing.
Going Beyond the Container Firewall
Because a Docker container firewall is itself a distributed system with host-based inspection and protection points, many security functions are possible. These include:
- Detecting privilege escalations and suspicious process in hosts and containers
- Vulnerability scanning of hosts and running containers
- Security auditing and compliance testing such as running the Docker Bench and CIS Kubernetes benchmarks for security
It can be seen that a Docker container firewall is really much more than a traditional NGFW or WAF firewall because it is monitoring host and container activity in addition to network behavior of containers. That makes it possible to detect and prevent attacks such as the Equifax data breach earlier and during several points in the ‘kill chain’ of events.
