Try

    It's Time to See Container Traffic

    by Nubeva 31 January 2020

    Read Time: 3 min. 29 sec.

    TL;DR

    Use of containers means added complexity - especially if you want security and also need to "see" into container-to-container traffic. Nubeva has a new way to capture packets and decrypt packets using your tools, enabling security teams to minimize risks and see their critical container traffic to inspect and monitor the network for threat hunting, response and forensics. 

     

    During the past couple of years, we have all witnessed a massive uptake in the use of containers and microservices to create and deliver enterprise applications. According to a 2019 survey, 89.7% of respondents said they run containers1! In addition, Kubernetes adoption increased 57% year over year.2 Indeed, IT organizations dove headfirst into the use of optimized application delivery. In fact, 70 percent of survey respondents said they run nearly half of their applications in container environments.1 

    Why the shift? Because containers provide DevOps teams with the ability to move more quickly. Containers also:

    • Increase portability
    • Improve scalability
    • Provide simple and fast deployment
    • Enhance productivity 
    • Improve security

    We all want the highest level of security in our network architecture. But with the adoption of containers, and the use of orchestrators like Kubernetes now deployed in nearly every data center, there are new blind spots that need to be overcome. Let me explain. 

    Network security professionals need to perform network monitoring or inspection of traffic between containers, commonly known as intra- and inter-container monitoring. In order to monitor this traffic effectively, you need the following:

    1. Access to packets: Kubernetes doesn’t provide built in facilities to access these packets. In addition, you don’t know where the traffic is coming from and that makes it difficult to capture.
    2. Ability to decrypt and see encrypted traffic: Current best practices recommend that all traffic is encrypted using the latest TLS protocols, and most third-party sessions and cloud calls are encrypted with TLS 1.2 with PFS or above by default. With new encryption standards, decryption of traffic in container environments is next to impossible, not to mention impractical.
    3. Access to inspection tools: Your security inspection tools will be of great help…but only if you can get the packets and decrypt the traffic so the tool(s) can see it.

    Options to Inspecting Container Traffic

    In short, there are two less-than-desirable alternatives to traffic inspection in container environments. 

    The first is not to do network traffic inspection. In this case, you rely solely on container-level application monitoring, which means you only log the information coming out of each container, not the traffic on the wire traveling between containers. Are you a gambler with your enterprise security initiatives? Because in this case, you’re forced to trust that containers aren’t a) already “owned” by malicious software, and b) not misconfigured. For these reasons, every security program should have application monitoring and network monitoring. More controls result in risk reduction.

    The second alternative is to hairpin traffic coming out of Kubernetes through an appliance that inspects the traffic – or creates copies of the traffic for inspection. This is also an untenable solution for security and DevOps professionals. These containerized apps move critical information and customer data for your enterprise and the more you deploy containers, the more at risk your organization becomes.

    The Solution

    Nubeva offers a new way to capture packets and decrypt packets using your tools. Deployed as a DaemonSet on your Kubernetes pods or nodes in your system, you are able to tap and mirror inter- and intra-Kubernetes traffic to one or many tools with advanced filtering and slicing included.

    Paired with Nubeva TLS Decrypt, you can restore complete network visibility. The patent-pending Symmetric Key Intercept, introduces a new way to discover the symmetric keys providing the industry’s only true solution for decryption of modern TLS. This allows organizations to decrypt nearly any protocol and cipher; with any tool and any packet broker system; and it works in any cloud where it can decrypt any session - north-south or east-west. This includes sessions to tier two servers and services such as clouds and other third parties.

    The combined software solution is a modular overlay that fills holes in your existing infrastructure to preserve investments in inspection tools, policies and procedures – while enabling full-time and event monitoring. 

    At last, security teams can minimize risks and see their critical container traffic to inspect and monitor the network for threat hunting, response and forensics. 

    For more information about how to see and inspect your container and Kubernetes traffic, visit https://www.nubeva.com/containers_kubernetes  or contact us for a short demo at info@nubeva.com

    1. 2019 Container Adoption Survey, sponsored by Portworx and Aqua Security, https://go.portworx.com/2019-Container-Adoption-Survey.html
    2. “Survey Sees Significant Spike in Kubernetes Adoption,” Container Journal, July 31, 2019,  https://containerjournal.com/topics/container-ecosystems/survey-sees-significant-spike-in-kubernetes-adoption/

    Tags: visibility decryption kubernetes containers
    resources banner desktop

    Want to learn more?

    Request a Demo
    resource banner screen

    Sign Up for FREE Trial

    Sign Up

    Subscribe Here!

    View video Blog Feature Image (4)