Hi all,

I am currently doing some learning about warden, and there is no doubt that warden makes resource isolation a reality among different apps in DEAs.
Meanwhile, while I was studying the networking management aspect of warden, I found that network security assurance is actually not as strong as on physical machines or VMs.

Below are my points:
When the DEA asks the warden server to create a warden container, the warden server sets up iptables on the host. Then, when the DEA starts an app instance in the warden container, the warden server again does some configuration in the host's iptables, specifically for port mapping and DNAT of incoming IP packets.
Under the policy above, requests from outside the host have to go through DNAT to reach an app instance. So if some malicious attack from outside the host targets app instances within containers on the host, the firewall (iptables, ...) can do some work to detect it.
However, here is a scenario where app1 and app2, belonging to different users, run in different warden containers on the same DEA host. As long as app1 can get the correct IP:port of app2, app1 can reach app2's IP:port, since the request from app1 first reaches the virtual gateway network interface set up for the interface inside the container, then reaches the network interface on the host. On the host interface the kernel will do SNAT and routing work for the request, but nothing will be done with the destination IP and port of the request, so if the destination IP and port is exactly another user's app in another container on the same host, the request will reach its destination.
Then potential attacks become possible, as at the container level there is no firewall. A DoS attack seems to be possible in this kind of scenario.
I am not sure if we can set up a firewall service in warden containers, iptables or something like that. Are two different sets of iptables rules supported by the same kernel while working for different network interfaces?

Any thoughts would help. Thanks in advance.
---------------------
Hongliang Sun
Zhejiang University, China
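The packet flows described in the message above (external client to app via DNAT, container to outside via SNAT, and container to sibling container with no filter in between) can be reasoned about with a small model of an iptables FORWARD chain. The following is an added example written for this post; it is not warden's code and does not reproduce warden's actual rules. The subnet 10.254.0.0/24, the host gateway 10.254.0.1, the container addresses and the external address are all constructed placeholders. It evaluates an ordered rule list with first-match-wins semantics, shows that an empty chain with an ACCEPT policy forwards app1's request to app2, and shows a candidate host-side mitigation: accept traffic to the host gateway first, then drop forwarding between two addresses in the container subnet, while traffic to and from the outside is still forwarded. (As a side note on the last question in the post: the kernel keeps a separate iptables rule set per network namespace, so a container with its own namespace can carry its own rules independently of the host's.)

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addresses for the scenario: two containers on one DEA host.
# These are placeholders for this example, not warden's real subnet or addresses.
CONTAINER_NET = ip_network("10.254.0.0/24")  # assumed container subnet on the host
HOST = "10.254.0.1"                          # assumed host-side gateway interface
APP1 = "10.254.0.2"                          # user A's app container
APP2 = "10.254.0.3"                          # user B's app container
EXTERNAL = "203.0.113.10"                    # a client outside the host (documentation range)


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    """One FORWARD-chain rule in iptables style; the chain is evaluated first match wins."""
    action: str                     # "ACCEPT" or "DROP"
    src: Optional[str] = None       # source CIDR, or None for any
    dst: Optional[str] = None       # destination CIDR, or None for any
    dport: Optional[int] = None     # destination port, or None for any

    def matches(self, p: Packet) -> bool:
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def forward(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """Return the verdict for a packet: the first matching rule's action, else the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.action
    return policy


# Models the situation in the post: NAT is configured, but nothing filters the
# FORWARD path between containers, so the chain is empty and the policy accepts.
OPEN_CHAIN: List[Rule] = []

# A candidate host-side mitigation (a suggestion for this example, not warden's rules).
# Order matters: the host gateway lives inside CONTAINER_NET, so the ACCEPT for it
# must precede the DROP that covers container-to-container forwarding.
ISOLATED_CHAIN: List[Rule] = [
    Rule("ACCEPT", dst=f"{HOST}/32"),                               # container -> host services
    Rule("DROP", src=str(CONTAINER_NET), dst=str(CONTAINER_NET)),   # container -> sibling container
]


def app1_to_app2(chain: List[Rule]) -> str:
    """app1 addressing app2's IP:port directly on the same host."""
    return forward(chain, Packet(APP1, APP2, 8080))


def app1_to_host(chain: List[Rule]) -> str:
    """app1 reaching a service on the host gateway (e.g. DNS on port 53)."""
    return forward(chain, Packet(APP1, HOST, 53))


def app1_to_external(chain: List[Rule]) -> str:
    """app1 reaching the outside world; SNAT happens later in POSTROUTING."""
    return forward(chain, Packet(APP1, EXTERNAL, 443))


def external_to_app1(chain: List[Rule]) -> str:
    """An outside client after PREROUTING DNAT has rewritten the destination to app1."""
    return forward(chain, Packet(EXTERNAL, APP1, 8080))


if __name__ == "__main__":
    for name, chain in (("open", OPEN_CHAIN), ("isolated", ISOLATED_CHAIN)):
        print(name, "app1->app2:", app1_to_app2(chain),
              "app1->host:", app1_to_host(chain),
              "app1->external:", app1_to_external(chain),
              "external->app1:", external_to_app1(chain))
```

The model only covers the filter table's FORWARD chain; DNAT and SNAT are assumed to have happened in PREROUTING and POSTROUTING as the post describes, which is why the external client's packet already carries app1's address as its destination when it is evaluated.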