Over the last few months I have been working more and more with Docker containers, consuming dockerfiles that have been generously shared amongst the awesome community. During that time the majority of my containers have worked flawlessly. At times, they have not. I can't complain too much as I didn't have to do anything, somebody went to the time and the effort to create these dockerfiles and share their work. The experience did change my view of Docker, however. A big part of the appeal to me was the open platform and collaborative ethos but now my expectations are more grounded.
Something that has been said for years about Android (I know this is an side but stick with me!) is that it's cool that it's so open and there's so many more apps in the store compared to iOS BUT there's a rub, the apps are not scrutinized as they should be. There's a lot of junk put out, apps that just don't work and in the worst case apps with malicious code.
Through my trials and tribulations with community sourced containers, I began to wonder about the possibility of community images possibly containing something malicious and it worried me. I had more experience with Turbo containers, where they manage the content in their Hub and provide support for all of their applications.
Containers by their very nature and particularly Docker containers can isolate an application and it's resources which provides some security benefits. Running applications completely isolated can help reduce the surface level for attack BUT if you are using code or re-using somebody else's code for your containers you may unintentionally be opening yourself up to attack through these containers you thought were more secure in the way of Trojan images, Denial-of-service attacks and more. With the growing popularity of Docker and it's move from just dev testing into more production environments it can be expected that vendors may start to deliver their products as containers in the future. How much do you trust them? How can you protect yourself!?
NeuVector have a product that can help!
NeuVector's security tool is itself running as a Docker container. There's an enforcer container running on all endpoints which performs real time scanning on all containers to search for vulnerabilities. There's also a centralized controller, which is also a container. This is like your command center. It provides dashboards for information about your environment, any threats, allows you to configure notifications and manage security policies across your containers.
The NeuVector site has a dashboard which provides health information about the containers in your environment including threats. Don't worry, you do not have to keep glued to the dashboard itself. You can set up notifications to alert when a threat has been detected.
If you detect a threat you can view the network activity to see drill down to see how the suspect container interacts with other containers in the environment or even if it tunnels to an external network. More than just being a great place to go when reactive, this part of the product is my favorite! It provides transparency of the containers in your environment and it updates real time.
Of course the product would be a little limited if all it gave was a visualization of the containers in your environment and warnings of threats without allowing you to actually do something with that information. There's a monitoring and a protect mode, as names suggest monitoring will present you with the information to make your own informed decisions, while protect will detect and protect!
With the Policy feature shown in the screenshot above, you can quickly modify routing rules for any container in your environment e.g. If you see that a certain container has been detected as a threat and is reaching out to the external network, you can quickly deny that traffic. This is awesome, you do not need to modify images, update scripts, restart container or anything yourself. NeuVector does the work and they do it instantly!
You can even take a proactive approach and use the policy feature to set blacklisting and whitelisting on all containers. e.g. Always block x traffic, explicitly allow traffic from y.
It's also very robust. If there's a network issue or say a machine running containers goes offline and is no longer communicating with the controller, you have peace of mind that when the machine reconnects to the network the enforcer will pick right back up where it left off by scanning the containers running on that system and reporting back in the dashboards.
You can find more info and sign up for a trial on their website: neuvector.com