NeuVector Improves Container Security With Admission Control

EXCLUSIVE: The NeuVector 2.3 container firewall platform release provides new admission control capabilities that are directly integrated with the Kubernetes container orchestration platform.

NeuVector is set to issue a new release of its platform on Dec. 4, providing organizations with enhanced capabilities to help secure cloud-native, container environments.

The NeuVector 2.3 release expands the container, cloud-native firewall technology with admission control security capabilities that can be directly integrated with the Kubernetes container orchestration platform.

"NeuVector uses the features of Kubernetes as a trigger and enforcement point for image deployment," NeuVector CTO Gary Duan told eWEEK. "By integrating with Kubernetes, via kube-apiserver, NeuVector can get notification for any image attempting to be deployed, then apply the policy, which an admin has configured in NeuVector to decide whether to allow/block the deployment through Kubernetes."

NeuVector's platform provides a container firewall that can filter application-layer traffic to help identify anomalous behavior and traffic. The company was launched in January 2017 and has raised a total of $9 million in venture funding to date. In a video interview with eWEEK, Fei Huang, CEO and co-founder of NeuVector, explained the core principles of his company's platform and its approach of taking a network-centric view of container and cloud-native security.

Duan explained that admission control is a net new feature that is part of NeuVector's overall CI/CD pipeline integration for security. For example, he said that users today can fail a build based on vulnerabilities using the Jenkins plug-in from NeuVector. They can also automatically scan new or updated images in repositories.

"Now, with admission control, they will be able to block deployment of containers based on various criteria such as vulnerabilities, labels, users, namespace etc," Duan said. "So, now we have improved security enforcement for the entire Build-Ship-Run pipeline."

Additionally, he explained that admission control uses the NeuVector registry scanning results to determine whether the image should be allowed to be deployed. NeuVector can also verify the digital signature of images for admission control.
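To make the mechanism concrete, here is an added example (not NeuVector's code) of the policy check a Kubernetes validating admission webhook performs: kube-apiserver posts an AdmissionReview for a Pod being created, and the webhook answers allowed or denied after checking the images against registry scan results, required labels and namespace. The scan table, policy thresholds and Pod specs are constructed sample data.

```python
import json

# Constructed sample: image -> counts a registry scanner might report.
# Images absent from the table count as "unscanned".
SCAN_RESULTS = {
    "registry.example/web:1.4": {"critical": 0, "high": 2},
    "registry.example/legacy:0.9": {"critical": 3, "high": 7},
}

# Constructed policy: vulnerability thresholds, required labels, exemptions.
POLICY = {
    "max_critical": 0,
    "max_high": 5,
    "required_labels": {"owner"},
    "exempt_namespaces": {"kube-system"},
    "deny_unscanned": True,
}

def evaluate(review: dict, policy=POLICY, scans=SCAN_RESULTS) -> dict:
    """Return an admission.k8s.io/v1 AdmissionReview response for a Pod request."""
    req = review["request"]
    pod, ns, reasons = req["object"], req.get("namespace", "default"), []
    if ns not in policy["exempt_namespaces"]:
        missing = policy["required_labels"] - set(pod["metadata"].get("labels", {}))
        if missing:
            reasons.append(f"missing required labels: {sorted(missing)}")
        for c in pod["spec"]["containers"]:
            image, result = c["image"], scans.get(c["image"])
            if result is None:  # never scanned: fail closed if policy says so
                if policy["deny_unscanned"]:
                    reasons.append(f"{image}: no scan result")
            elif result["critical"] > policy["max_critical"] or result["high"] > policy["max_high"]:
                reasons.append(f"{image}: {result['critical']} critical, {result['high']} high")
    allowed = not reasons
    response = {"uid": req["uid"], "allowed": allowed}
    if not allowed:  # the message is what kubectl shows the user on rejection
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

def make_review(uid, namespace, labels, images):
    """Build a constructed AdmissionReview request shaped like kube-apiserver's."""
    containers = [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "namespace": namespace, "operation": "CREATE",
                        "object": {"kind": "Pod", "metadata": {"labels": labels},
                                   "spec": {"containers": containers}}}}

if __name__ == "__main__":
    req = make_review("1", "prod", {"owner": "team-a"}, ["registry.example/legacy:0.9"])
    print(json.dumps(evaluate(req), indent=2))
```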

Enforcement

There are multiple ways that policies can be enforced in a Kubernetes-based deployment, including using the Container Networking Interface (CNI) as a hook to block and quarantine access. Duan explained that while NeuVector is compatible with all CNI/network plug-ins, it does not rely on them to enforce network policy.

"We have built our own layer-7 packet filtering technology which can run as an inline firewall for selected services," Duan said. "With a run-time feature called Response rules, users are able to define policies such as if vulnerable images are found in containers, then the containers can be network quarantined."

The first release of the admission control feature is only being made available for Kubernetes and Kubernetes-based systems, including OpenShift and Rancher. Duan said that NeuVector is considering adding other container orchestration systems, including Docker Swarm, to the product roadmap in 2019.

RBAC

There are multiple security hooks available in Kubernetes, including Role-Based Access Control (RBAC), a feature that organizations use to help secure workloads based on identity.

Duan said that admission control and RBAC are two different types of security features. He explained that NeuVector focuses on validating the security policy to allow container deployment, for example, vulnerability policy for specific users/namespaces.

"Kubernetes users can still be able to deploy vulnerable images with RBAC in place," he said.

Looking forward, NeuVector will be looking at potential integration with the Istio service mesh, which is an increasingly popular cloud-native approach that runs alongside Kubernetes.

"We will continue to build on our container network security expertise and add more network threat intelligence," Duan said. "We will also integrate our security mesh technology with service meshes more tightly."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Source: www.eweek.com