network security concerns on warden containers


Hongliang Sun

May 20, 2014, 10:35:00 PM
to vcap...@cloudfoundry.org
Hi, all,

Now I am doing some learning in warden, and there is no doubt that warden makes resource isolation a reality among different apps in DEAs.

Meanwhile, while I was studying the networking management aspect of warden, I found that network security assurance was actually not as strong as on physical machines or VMs.

Below are my points:

When the DEA pushes the warden server to create a warden container, the warden server will set up iptables on the host. Then the DEA starts an app instance in the warden container, and the warden server still does some configuration in the host's iptables, specifically port mapping and DNAT of the incoming IP packets.

Under the policy above, requests from outside the host have to go through DNAT to reach the app instance. And if some malicious attack from outside the host comes to app instances within containers on the host, the firewall (iptables ...) can do some work to detect it.

However, here is a scenario: app1 and app2, belonging to different users, are running in different warden containers on the same DEA host. As long as app1 can get the correct IP:port of app2, app1 can reach app2's IP:port. The request from app1 first reaches the virtual gateway network interface set up for the one inside the container, then reaches the network interface on the host. On the host interface the kernel will do SNAT and routing work for the request, but nothing will be done with the destination IP and port of the request, so if the destination IP and port happen to be another user's app in another container on the same host, the request will reach its destination.

Then potential attacks become possible, as at the container level there is no firewall. A DoS attack seems to be possible in this kind of scenario.

I am not sure if we can set up a firewall service in warden containers, iptables or something like that? Two different iptables rule sets supported by the same kernel while working for different network interfaces?

Any thoughts help.

Thanks in advance.

---------------------
Hongliang Sun
Zhejiang University, China

tsjsdbd

May 23, 2014, 4:53:04 AM
to vcap...@cloudfoundry.org

Maybe we could add some iptables rules in the DEA to forbid traffic between containers, like "if src_IP and dst_IP are in the same net, and both are in the container net, drop it."

But network security is still weak; there is no security group in the DEA (CF).
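
As an added example of the host-side rule described above (not code from this thread, nor from warden or Cloud Foundry), here is a POSIX shell script that emits, and can apply, iptables rules dropping traffic forwarded between containers on one DEA host. It assumes every container address comes from a single pool (10.254.0.0/22 is only an illustrative value; take the real pool from the DEA's warden configuration) and that the chain name WARDEN_ISOLATE is not already in use.

```shell
#!/bin/sh
# Added example, not warden's own code. Drop traffic forwarded between warden
# containers on one DEA host. Assumption: every container address comes from a
# single pool (e.g. 10.254.0.0/22, illustrative; read the real value from the
# warden config). Container-to-container packets are routed by the host, so
# they pass the FORWARD chain; container-to-gateway traffic hits INPUT and is
# left alone, as is DNAT'd traffic from outside (its source is not in the pool).

# Minimal dotted-quad/prefix check, e.g. 10.254.0.0/22 (octet ranges are not
# validated; this only rejects obviously malformed input before it reaches
# iptables).
valid_cidr() {
    case "$1" in
        *[!0-9./]*|*/*/*|*.*.*.*.*) return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one iptables command per line. A dedicated chain is (re)built each
# time and the FORWARD jump is guarded with "iptables -C", so re-running the
# script does not stack duplicate rules. The rate-limited LOG line gives the
# operator visibility into blocked cross-container attempts before the DROP.
isolation_rules() {
    pool="$1"
    valid_cidr "$pool" || { echo "bad pool cidr: $pool" >&2; return 2; }
    echo 'iptables -N WARDEN_ISOLATE 2>/dev/null || true'
    echo 'iptables -F WARDEN_ISOLATE'
    echo 'iptables -A WARDEN_ISOLATE -m limit --limit 5/min -j LOG --log-prefix "warden-xcontainer: "'
    echo 'iptables -A WARDEN_ISOLATE -j DROP'
    echo "iptables -C FORWARD -s $pool -d $pool -j WARDEN_ISOLATE 2>/dev/null || iptables -I FORWARD 1 -s $pool -d $pool -j WARDEN_ISOLATE"
}

# Apply the rules (needs root on the DEA host); with DRY_RUN set, only print
# them for review.
apply_isolation() {
    rules=$(isolation_rules "$1") || return $?
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | sh -e
    fi
}

# Example invocation when run directly: DRY_RUN=1 ./isolate.sh 10.254.0.0/22
if [ -n "${1:-}" ]; then
    apply_isolation "$1"
fi
```

Traffic that a platform legitimately needs between specific containers can be exempted by inserting a RETURN rule at the top of WARDEN_ISOLATE before the DROP.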

James Bayer

May 27, 2014, 11:35:22 AM
to vcap...@cloudfoundry.org
I talked to Mark about this, and he wrote a bug [1] for some investigation.

There is an epic coming up for app security groups [2] [3], and we should get to reducing this surface area in that work.

On Fri, May 23, 2014 at 1:53 AM, tsjsdbd <tsj...@huawei.com> wrote:

Maybe we could add some iptables rules in the DEA to forbid traffic between containers, like "if src_IP and dst_IP are in the same net, and both are in the container net, drop it."

But network security is still weak; there is no security group in the DEA (CF).

--
Thank you,

James Bayer