Before deploying any container-based applications, it’s crucial to first protect its security by ensuring a Docker, Kubernetes, or other container firewall is in place. There are two ways to implement your container firewall: manually or through the use of a commercial solution. However, manual firewall deployment is not recommended for Kubernetes-based container deployments. Regardless, with either strategy, creating a set of network firewall rules to safeguard your deployment is critical so that the containers are defended from unwanted access into your sensitive systems and data.
The accelerated discovery of new vulnerabilities and exploits reinforces the necessity of proper container security. The creativity of the hackers behind the Apache Struts, the Linux stack clash, and the dirty cow exploits – all made infamous by major data breaches and ransomware attacks – prove that businesses never know what is coming next. Furthermore, these attacks feature a sophistication that requires more than just vulnerability scanning and patching to address the threats.
Exploits often proceed through a series of events — or “kill chain” — where an attacker will gain entry into one vulnerable system and then escalate their access privileges and scan additional systems before ultimately breaching data and inflicting damage. A proactive container firewall strategy can help detect a kill chain at multiple stages and curtail such attacks, even in cases where zero-day exploits are involved.
With that being said, deploying a firewall to protect containers isn’t always simple. By nature, container deployments dynamically scale, update, and move across hosts and clouds as needed to optimize the environment. Orchestration tools manage IP addresses for pods and containers, making it even more difficult to gain visibility into the network traffic. Every container includes virtualized network interfaces that the container — be it Docker, Kubernetes, or another program — and the environment’s orchestration tools will automatically deploy. Because of this highly dynamic nature, it’s a hefty challenge for traditional firewall rules and iptables to inspect traffic and defend containers from unwanted access.
Approaching Container Firewall Protection
The choices available for container firewall deployments are as varied as those for traditional firewalls and include the following.
- Layer 3/4 filtering. Container security can be based on IP addresses and ports. It’s also possible to use the Kubernetes network policy and other Kubernetes tools to update rules in a dynamic manner, protecting deployments as they change and scale. It should be noted, however, that these tools aren’t equipped to achieve real-time traffic monitoring and visualization (or robust abilities to respond to these issues).
- Web application attack detection. Internet-facing containers running web applications can be protected through methods that detect common attacks, in line with the functionality of a web application firewall (WAF). However, be aware that this is limited to common external attacks; the multi-protocol filtering needed to safeguard internal container-to-container traffic is beyond the scope of this method.
- Full Layer-7 Docker container firewall. With a container firewall featuring Layer 7 filtering and deep packet inspection of inter-container traffic, it’s possible to secure containers using network application protocols. At the same time, this type of firewall features integration with the container run-time engine and cloud container orchestration tools such as Kubernetes, behavioral learning that automates policy creation, whitelist-based protection, and application threat protection to support cloud and host security.
Manually Configuring a Docker Container Firewall
For those with confidence in their Linux networking capabilities — and no requirement to routinely scale or update their containers and host clusters — manually configuring a Docker container firewall is an option.
The basic steps for accomplishing this (for example, on a Debian host) are as follows:
- Set iptables to false to ensure that Docker won’t overwrite your rules.
- Check that the rules you create will be saved in a persistent manner.
- Add allow/forwarding rules (I/O interface, ICMP, Docker).
- Add firewall rules for incoming and outgoing traffic, as well as traffic routing. Be certain that containers remain able to access the Internet as necessary.
- Load these firewall rules.
- Allow or restrict host-to-host container communication with icc set to equal true (with iptables set to false, this will also be manually configured).
A more detailed tutorial for this process, written by Antonios Chariton, is available here.
Following these steps will put controls in place over basic network communications. More nuanced command over which containers are able to communicate with others can be achieved with further rule updates or a commercial Docker container solution that automates these capabilities. As a practical matter, it’s undesirable (and may even be impossible) to manually update container-to-container rules in a highly dynamic environment.
A Cloud-Native Approach
While cloud-native Docker container firewalls are similar to next-generation firewalls or WAFs, they feature key differences when it comes to the cloud and the hosted-security features they deliver. By providing protections within the cloud-native container environment, these firewalls are in a position to safeguard not only external north-south traffic but also internal east-west traffic — while at the same time isolating and protecting workloads, application stacks, and services within the dynamic container environment.
Using Behavioral Learning to Enable Automatic Policy Creation
It’s possible for a container firewall to learn what behavior is normal for each container-based service within the container environment. By collecting as much behavioral data as available, the firewall can then systematically understand the intent of an application, manage security policy to support this intent automatically, and recognize (and disallow) behavior that is out of line with this intent, such as those occurring during malicious attacks.
A Word on Deep Packet Inspection
Deep packet inspection (DPI) techniques are another essential security need that container firewalls can deliver. All exploits make use of predictable attack vectors: malicious HTTP requests might have a malformed header, or include an executable shell command within the extensible markup language (XML) object. Effective detection deployments can look for and recognize these methods. DPI adds a needed certainty to this process, allowing a container firewall to vet each container connection in real-time and judge whether packets should be allowed to proceed, or if they represent an attack.
Whether manually deploying a container firewall or going with a commercialized option, it’s crucial to the security of any container environment that your solution be able to detect privilege escalations and suspicious processes in hosts and containers, scan these for vulnerabilities, and monitor their activity and behavior. Commercialized container network security options generally provide these endpoint security and auditing features in addition to robust firewalling features. Security auditing and compliance testing tools — such as the Docker Bench for Security or CIS Kubernetes benchmarks — can be valuable in putting your container environment to the test and pointing out specific needs for security improvements.