Cohesive Networks - Ensuring a secure foundation for your AWS Containers Chris Swan - AWS London Loft 29 September 2015 AWS has a few ways to run Docker - Elastic Container Service, Elastic Beanstalk or installing Docker into EC2 instances. Whichever you choose Docker makes it easy to build and ship software, so how do you make sure you're building on secure foundations and shipping without known vulnerabilities? Research has shown that many DockerHub images carry vulnerable software; how much of a problem is this for your usage pattern? It’s also possible to build your own images ‘FROM scratch’, what are the pros and cons of doing that? The Docker security benchmark contains recommendations on image contents (amongst many other sensible suggestions), how easy is it to comply with?

1. Chris Swan, CTO, @cpswan
Ensuring a secure foundation
for your AWS Containers

2. © 2015
Why me?
Used to do IT security for two major Swiss Banks
Started using Docker July 2013
and decided to incorporate it into our VNS3 product as a plugin mechanism
Docker became part of Cohesive Networks VNS3 in April 2014
real users in production
before Docker itself went 1.0
Regular contributor to InfoQ on Docker, security and containers

3. © 2015
The Docker promise – Build, Ship, Run

4. © 2015
Running containers on EC2

5. © 2015
EC2 instances

6. © 2015
Elastic Beanstalk

7. © 2015
EC2 Container Service

8. © 2015
Where did that code come FROM
(and is it secure)?

9. © 2015
Official Images with Vulnerabilities
Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/

10. © 2015
Packages in Official Images with High Priority Vulnerabilities
Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/

11. © 2015
General Images with Vulnerabilities
Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/

12. © 2015
Packages in General Images with High Priority Vulnerabilities
Image credit: Banyan Ops - http://www.banyanops.com/blog/analyzing-docker-hub/

13. © 2015
It’s not as bad as it might look
Image bloat can mean lots of potentially vulnerable code that never gets run
leaves something of an unexploded minefield
Taint inheritance
fix the root cause – fix a lot of images
Worst cases lie in deprecated versions
but the continued use of known vulnerable old versions of things is how
we end up with stuff that gets attacked so easily

14. © 2015
The manifest problem

15. © 2015
Take an example Dockerfile

16. © 2015
Each active line creates a layer
Base OS
Sources
Update repos
Install nginx
Mod nginx.conf
Mod index.html

17. © 2015
An images binds layers together

18. © 2015
The image is the unit of deployment

19. © 2015
What version of nginx is that?

20. © 2015
What version of OpenSSL is installed?

21. © 2015
And which bash?

22. © 2015
Problem 1 – non determinism
Whilst we want things to be cached in the short term e.g.:
apt-get install nginx
We perhaps don’t want it cached in the long term
What are those durations?

23. © 2015
Problem 2 – the manifest problem
When I run:
apt-get install nginx
I don’t know which version of nginx I just got
Should I?
nginx –v > some.log
Or maybe?
apt-cache policy nginx > some.log
Or should I have done this in the first place?
apt-get install nginx=1.1.19-1ubuntu0.7

24. © 2015
NB – These are package manager problems
But Docker is ‘the new package manager’
and it typically wraps the old ones

25. © 2015
So perhaps use a more sophisticated package manager

26. © 2015
Or avoid packages altogether
FROM scratch

27. © 2015
Docker Content Trust

28. © 2015
Overview of Docker Content Trust
Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/

29. © 2015
Protection against image forgery
Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/

30. © 2015
Protection against replay attacks
Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/

31. © 2015
Protection against key compromise
Image credit: Diogo Mónica (Docker) - https://blog.docker.com/2015/08/content-trust-docker-1-8/

32. © 2015
Key components of Docker Content Trust

33. © 2015
Docker Security Benchmark

34. © 2015
It’s a document

35. © 2015
And there’s an accompanying tool
Image credit: https://www.docker.com/docker-security

36. © 2015
The benchmark covers
1.Host configuration
2.Docker daemon configuration
3.Docker daemon configuration files
4.Container Images and build file
5.Container runtime
6.Docker security operations

37. © 2015
Wrapping up

38. © 2015
For more detail
https://www.docker.com/docker-security
http://www.infoq.com/author/Chris-Swan

39. © 2015
And please check out Docker plugins to our VNS3
39
Isolated Docker containers within VNS3 allows Partners and Customers to
embed features and functions safely and securely into their Cloud Network.
Proxy Reverse Proxy Content Caching Load Balancer IDS Custom Container
Router Switch Firewall
Protocol
Redistributor
VPN
Concentrator
Scriptable
SDN
VNS3 Core Components

40. © 2015
Questions?