Review: How NeuVector protects containers throughout their lifecycle

Most traditional security products have very little visibility into containers running in the cloud. NeuVector protects containers from within the containerized environment.

boxes box idea outside the box it as a product surprise unique masterzphotois getty
masterzphotois / Getty / NeuVector

Businesses and organizations of all sizes are finally embracing cloud computing. Even holdout organizations like some large government agencies are starting to deploy private clouds, or hybrids that contain some mix of private and public cloud infrastructure. The benefits of cloud computing are numerous and well-known at this point. They include near infinite expandability, having an external provider worry about maintaining the base infrastructure, and the ability to spin up new servers or services in just a few seconds.

But the most advanced enterprises are taking cloud computing a step further, into the realm of containerization. The concept of containers is a pretty brilliant one because it provides all the benefits of cloud computing, like infinite expandability, but also provides individual control over each container, which is essentially a fully-operational and independent virtual machine.

A container can be created to fill almost any need, from a tiny microservice to a full operating system. And because each container has all the resources that it needs within its perimeter, it can easily be transported to other computing environments, such as moving from a development cloud to a production environment. Some large enterprise networks might deploy, move or modify thousands of containers every day.

Unfortunately, cybersecurity has been slow to catch up with advancements in containerization, and most traditional security products have very little visibility into containers running in the cloud. The closed and independent nature of containers means that cybersecurity scanning from the outside will yield limited results. And because most cybersecurity programs have little to no insight about how containers should and do work, even if a container is successfully scanned, the scanning program may not understand if the container is operating properly or not.

There are other issues as well. Containers can expand if they need more resources and might even be deployed or destroyed nearly instantly as needed. Most cybersecurity programs, especially things like scanners that check the network on a schedule, will almost always be operating with old information. And because containers are part of a network of other containers, they need to coordinate with one another and with the container orchestration software like Kubernetes or Docker. That causes an explosion of so-called east to west internal traffic, which is often not monitored by cybersecurity defenses.

The NeuVector container security platform was created specifically to safeguard containerized environments. In fact, it’s deployed as a privileged container itself within the environment that it will be protecting. From its position within the containerized environment, it can monitor all Layer 7 network traffic, including that moving between containers and the host orchestration software. In this way, it can protect against attacks made against individual containers or the entire environment.

NeuVector is designed to protect containers at every stage of their lifecycle, from creation to retirement, whether that is many years or just a few seconds. The five components of the platform are hardening and compliance, vulnerability management, application segmentation, behavior baselining and policy automation, and threat prevention and response. Pricing is an annual subscription fee based on the number of servers or nodes where it’s deployed. You can have unlimited containers running in each node without adding to the price.

Testing NeuVector

The protection begins when a container is first created. Before we started making containers for our demo environment, we configured NeuVector so that it knew our security policies. Certain protocols were either allowed or prohibited in our test environment. We could even define what resource libraries containers should be allowed to use, as well as a general idea of how much risk (basically how many known vulnerabilities) we would allow in our environment, and their severity. For example, we said we didn’t want any critical level common vulnerabilities and exposures (CVEs) in any of our containers.

NeuVector Dashboard CSO

The NeuVector dashboard not only shows vulnerabilities or problems within the network of containers, but also offers helpful suggestions about how to quickly improve areas that are causing the most trouble.

When we tried to deploy a container with a critical CVE, its creation was blocked by NeuVector. A note was sent back to us in our role as a developer explaining exactly why the container’s creation was denied. The same thing happened when we violated company policy about what actions a container could take. In this way, it becomes very difficult to add vulnerabilities into an existing network of containers.

NeuVector NotetoDevs CSO

Because NeuVector won’t even allow non-compliant containers to be deployed, it’s important to provide feedback to developers about why their containers are not spinning up. The messages can be crafted, but always contain the reason for the denial, and advice about how to make a container compliant.

Once programmed, you also can’t deploy a container that would break organizational policy, or the policies of heavily regulated industries such as healthcare or public utilities. NeuVector kept all new containers secure and in compliance.

NeuVector Rule Violations CSO

It’s easy to see unauthorized traffic and protocols, or attempts by containers or container administrators to break the rules. Those attempts are show as red lines. Good traffic that is following the rules is blue.

Once a container is deployed, NeuVector begins to monitor all the traffic going into it or being sent out. Beyond just enforcing blanket policies, developers can use the platform to restrict the container’s activities to just what is needed for it to accomplish its task. For example, a microservice might not need FTP access, or an SQL database may not need to talk at all with more than one or two other containers. NeuVector uses a zero-trust policy so valid traffic will need to be authorized, but it is highly customizable so that containers can perform whatever function is needed.

NeuVector Traffic CSO

Deployed as a privileged container itself, the NeuVector platform can see all traffic moving throughout the container network. This includes interactions with the container orchestration software, which it is also able to protect.

All network traffic within the containerized environment can be displayed with NeuVector. When looking at our test network, it was easy to see the blue arrows representing authorized traffic moving between containers, the external network, and the container orchestration software. Unauthorized traffic was shown as red arrows and lines. Suspicious traffic, such as that which was not prohibited but which had never occurred before, was yellow. It’s important to note that for this part of the test, NeuVector was running in monitoring mode. Otherwise it would have blocked any bad traffic.

Like with most security programs, it was easy to drill down on alerts, in this case unauthorized traffic or protocols. NeuVector provides a full forensic analysis and report when something bad is detected, including the rule that is being broken or the relevant vulnerability if applicable. It’s easy to fix any problems that are detected and then update either the specific policy for that container or the global policies for the cluster of containers.

NeuVector Improve CSO

Individual problems can be addressed, with full forensic support to explain the issues. The program also tries to group problems so that a single fix or rule change can positively affect multiple containers.

NeuVector is also fully automated, if you want it to be. You can set whatever levels of automation you feel comfortable with. The platform can automatically block traffic, stop suspected attacks, halt anomalous activity or simply alert about what it finds. Given the speed that organizations using containerization operate, it’s probably best to let NeuVector run automatically to instantly remediate potential threats.

In addition to a detailed report about the security of each container, NeuVector also provides a security picture for the entire containerized environment. There is even an overall risk score with an explanation about how it is calculated. The platform does a good job of explaining how to improve that score, including making suggestions that could greatly improve the security footing quickly if implemented. It can also generate detailed reports that show security levels and improvement over time.

The bottom line

Containers have some major advantages, even over baseline cloud computing and virtualization. But there is risk. Vulnerabilities that exist in apps running on traditional hardware are also present once containerized. But most cybersecurity programs can no longer protect them at that point. NeuVector can, while also improving the overall cyber health of the entire containerized environment.

Copyright © 2019 IDG Communications, Inc.

What is security's role in digital transformation?