Technical Report on Container Security (V)-2



Security Tools – NeuVector

About NeuVector

NeuVector[I] was one of the first companies to focus specifically on Docker/Kubernetes security products. Committed to securing enterprise-wide container platforms, the company provides products suitable for deployment across multi-cloud and on-premises production environments.

  1. Cloud-Native Container Deployment

NeuVector provides in-depth runtime visibility into the container network, monitors “east-west” container traffic, performs proactive isolation and protection, and secures both the hosts and the processes inside the containers. Through seamless integration with container management platforms, it automates application-level container security.


Figure 5.11 NeuVector deployment topology

NeuVector is distributed as a cloud-native container, which can be quickly deployed, managed, and upgraded via any standard container management platform, such as Kubernetes, Docker, OpenShift, Rancher, and Mesosphere. In addition, it supports public cloud- and private cloud-hosted container services such as AWS ECS, EKS, Google GKE, IBM Cloud, Docker Datacenter, Azure, Alibaba Cloud, and VMware PKS.

  2. Container Environment Visibility

NeuVector supports a range of installation environments and can be deployed before or after workloads are running; in either case it automatically discovers and protects both running containers and newly deployed ones in real time. Once deployed, NeuVector learns every container’s network behavior and the behavior inside each container and, from that analysis, presents a real-time diagram of the container network. This level of container visibility is useful for security monitoring, topology analysis, instant policy adjustment, incident response, container network packet capture, and even application container debugging.


Figure 5.12 NeuVector’s container environment visibility

  3. Security Audit

NeuVector supports a variety of security audit functions. It produces audit reports covering Docker Bench scanning, Kubernetes CIS Benchmark scanning, container vulnerability scanning, and container host scanning results. Audit results can feed proactive security policies, so that the security system automatically detects, responds to, controls, and prevents security events whether containers are deployed actively or passively. NeuVector also scans container image repositories and provides a Jenkins plug-in that lets developers test for container security risks in the build pipeline.
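The Docker Bench and CIS Benchmark-style host and container checks mentioned above, as an added illustrative example rather than NeuVector’s own code or report output: a small Python auditor that evaluates a handful of benchmark-style rules against `docker inspect` records. The check identifiers, the risky-capability list, and the sample inspect data are assumptions constructed for this demonstration; on a real host the output of `docker inspect $(docker ps -q)` (a JSON array) would be passed to `audit()` instead.

```python
"""Added example (not NeuVector code): CIS Docker Benchmark-style checks over
`docker inspect` JSON. Check names, sample data and field choices are assumptions
made for this demonstration."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str       # short identifier for the failed check (assumed names)
    container: str   # container name without the leading slash
    detail: str      # what was observed


# Capabilities that effectively hand over the host or other processes (assumed list).
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN"}


def _checks(c: dict):
    """Yield a Finding for every benchmark-style rule the inspect record violates."""
    host = c.get("HostConfig") or {}
    cfg = c.get("Config") or {}
    name = (c.get("Name") or "?").lstrip("/")
    if host.get("Privileged"):
        yield Finding("privileged-container", name, "HostConfig.Privileged is true")
    if host.get("NetworkMode") == "host":
        yield Finding("host-network-namespace", name, "NetworkMode=host")
    if host.get("PidMode") == "host":
        yield Finding("host-pid-namespace", name, "PidMode=host")
    if not host.get("Memory"):
        yield Finding("no-memory-limit", name, "HostConfig.Memory is 0 (unlimited)")
    if not cfg.get("User"):
        yield Finding("runs-as-root", name, "Config.User is empty, so PID 1 runs as uid 0")
    if not any(o.startswith("no-new-privileges") for o in host.get("SecurityOpt") or []):
        yield Finding("no-new-privileges-unset", name, "security_opt lacks no-new-privileges")
    for bind in host.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            yield Finding("docker-socket-mounted", name, f"bind mount {bind}")
    for cap in host.get("CapAdd") or []:
        if cap.upper() in RISKY_CAPS:
            yield Finding("dangerous-capability", name, f"CapAdd includes {cap}")


def audit(inspect_json: str) -> list:
    """Run every check over a `docker inspect` JSON array and return all findings."""
    return [f for rec in json.loads(inspect_json) for f in _checks(rec)]


# Constructed sample: one badly configured container and one reasonable one.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "NetworkMode": "host", "PidMode": "",
                    "Memory": 0, "SecurityOpt": None,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                    "CapAdd": ["SYS_ADMIN"]}},
    {"Name": "/api", "Config": {"User": "10001:10001"},
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge", "PidMode": "",
                    "Memory": 268435456, "SecurityOpt": ["no-new-privileges:true"],
                    "Binds": ["/srv/api/config:/etc/api:ro"], "CapAdd": None}},
])

if __name__ == "__main__":
    for f in audit(SAMPLE_INSPECT):
        print(f"[{f.check}] {f.container}: {f.detail}")
```

Running the script reports seven findings, all against the `web` container; the `api` container, which drops to a non-root user, sets a memory limit and `no-new-privileges`, and mounts only a read-only config directory, produces none. Real benchmark tools apply many more rules and also inspect the daemon configuration and the host, but the shape is the same: a declarative rule set evaluated over the runtime’s own configuration data.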


Figure 5.13 NeuVector security audit

NeuVector can help customers run compliance checks against regulatory and industry standards, including the Payment Card Industry Data Security Standard (PCI DSS), the EU General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

  4. Multidimensional Protection

NeuVector protects containers at runtime on several fronts. It isolates containers automatically at the network application layer, and it learns each container’s normal behavior to derive a security policy, against which it detects malicious activity inside the container such as unexpected processes, abnormal file system reads and writes, and privilege escalation.

NeuVector also includes proactive protection against common attacks, such as Slowloris denial of service, SQL injection, DNS attacks, Heartbleed, and reverse shells. It further monitors the container hosts for abnormal behavior, giving all-round protection of the container production environment. This multi-vector, multidimensional protection generates a large volume of event data, which makes it possible to reconstruct an incident across the whole kill chain.
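The learn-then-enforce model behind the two paragraphs above (a behavioral baseline learned per service, plus rule-based detection of privilege escalation, sensitive file writes and reverse shells), as an added illustrative example that is not NeuVector’s implementation: during a discover phase every observed process, listener and outbound connection of a service is added to its allow-list; once the monitor is switched to protect mode, anything outside that baseline raises an alert, and a few fixed rules catch the patterns a learned whitelist alone would miss. The event schema, field names, service names, sensitive-path list and both traces are constructed for this demonstration.

```python
"""Added example (not NeuVector code): learn-then-enforce behavior baselining for
a container service, with a few rule-based checks on top. Event records, field
names, service names and thresholds are constructed for this demonstration."""
from collections import defaultdict
from dataclasses import dataclass, field

# Paths where a write by an application container is rarely legitimate (assumed list).
SENSITIVE_PREFIXES = ("/etc/", "/root/", "/proc/sys/", "/usr/bin/", "/usr/sbin/")
SHELLS = {"sh", "bash", "dash", "ash", "zsh"}


@dataclass(frozen=True)
class Alert:
    service: str
    kind: str
    detail: str


@dataclass
class Baseline:
    """Allow-lists learned per service during the discover phase."""
    processes: dict = field(default_factory=lambda: defaultdict(set))  # service -> {process name}
    conns: dict = field(default_factory=lambda: defaultdict(set))      # service -> {(dst, port)}
    listeners: dict = field(default_factory=lambda: defaultdict(set))  # service -> {network-facing process}


class Monitor:
    def __init__(self) -> None:
        self.baseline = Baseline()
        self.learning = True  # discover mode: record behavior, never alert

    def observe(self, ev: dict) -> list:
        return self._learn(ev) if self.learning else self._check(ev)

    def _learn(self, ev: dict) -> list:
        svc, b = ev["service"], self.baseline
        if ev["type"] == "process":
            b.processes[svc].add(ev["name"])
        elif ev["type"] == "connect":
            b.conns[svc].add((ev["dst"], ev["port"]))
        elif ev["type"] == "listen":
            b.listeners[svc].add(ev["name"])
        return []

    def _check(self, ev: dict) -> list:
        svc, b, alerts = ev["service"], self.baseline, []
        if ev["type"] == "process":
            if ev["name"] not in b.processes[svc]:
                alerts.append(Alert(svc, "unknown-process", ev["name"]))
            # uid became 0 under a non-root parent: a setuid binary or an exploit.
            # A production agent would whitelist known setuid helpers here.
            if ev.get("uid") == 0 and ev.get("parent_uid", 0) != 0:
                alerts.append(Alert(svc, "privilege-escalation",
                                    f"{ev.get('parent')}(uid {ev['parent_uid']}) -> {ev['name']}(uid 0)"))
            # Reverse-shell heuristic: a network-facing daemon should never spawn a shell.
            if ev["name"] in SHELLS and ev.get("parent") in b.listeners[svc]:
                alerts.append(Alert(svc, "reverse-shell", f"{ev['parent']} spawned {ev['name']}"))
        elif ev["type"] == "connect":
            if (ev["dst"], ev["port"]) not in b.conns[svc]:
                alerts.append(Alert(svc, "unknown-connection", f"{ev['dst']}:{ev['port']}"))
        elif ev["type"] == "file_write":
            if ev["path"].startswith(SENSITIVE_PREFIXES):
                alerts.append(Alert(svc, "sensitive-file-write", ev["path"]))
        return alerts


# Constructed traces: normal discover-phase activity, then a simulated web-shell intrusion.
LEARN_TRACE = [
    {"type": "process", "service": "web", "name": "nginx"},
    {"type": "process", "service": "web", "name": "php-fpm"},
    {"type": "listen", "service": "web", "name": "nginx"},
    {"type": "listen", "service": "web", "name": "php-fpm"},
    {"type": "connect", "service": "web", "dst": "10.0.0.5", "port": 5432},
]
ATTACK_TRACE = [
    {"type": "process", "service": "web", "name": "php-fpm", "uid": 33, "parent": "php-fpm", "parent_uid": 0},
    {"type": "process", "service": "web", "name": "sh", "uid": 33, "parent": "php-fpm", "parent_uid": 33},
    {"type": "connect", "service": "web", "dst": "203.0.113.7", "port": 4444},
    {"type": "process", "service": "web", "name": "evil-suid", "uid": 0, "parent": "sh", "parent_uid": 33},
    {"type": "file_write", "service": "web", "path": "/etc/cron.d/backdoor"},
    {"type": "connect", "service": "web", "dst": "10.0.0.5", "port": 5432},
]


def run_demo() -> list:
    """Learn from LEARN_TRACE, switch to protect mode, and return alerts from ATTACK_TRACE."""
    m = Monitor()
    for ev in LEARN_TRACE:
        m.observe(ev)
    m.learning = False
    return [a for ev in ATTACK_TRACE for a in m.observe(ev)]


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a.kind}] {a.service}: {a.detail}")
```

The attack trace yields six alerts: the unknown `sh` (also flagged as a reverse shell because its parent is a learned listener), the unknown outbound connection to port 4444, the unknown `evil-suid` process (also flagged as privilege escalation because it runs as uid 0 under a uid 33 parent), and the write under `/etc/`. The worker fork of `php-fpm` and the learned database connection pass silently, which is the point of learning a baseline first: the rules only have to cover what a whitelist cannot express.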


Figure 5.14 Multidimensional protection of containers at runtime

For security response and management, NeuVector can raise alerts on suspicious behavior, block malicious behavior, quarantine containers or services, tear down network sessions, and automatically capture sessions and packets for security analysis and forensics. It integrates with standard security information and event management (SIEM) systems and supports webhooks, syslog, REST APIs, and a CLI.

NeuVector on Docker/Kubernetes provides advanced security functionality that secures containers across their entire lifecycle, from development, testing, and deployment through operations and maintenance (O&M), upgrade, and production.


Figure 5.15 NeuVector’s security assurance throughout the lifecycle of containers

(To be continued)

[I] NeuVector, https://neuvector.com/

NSFOCUS