CloudGuard IaaS Supports Kubernetes and Container Security
By Amir Kaushansky, Product Manager, Cloudguard IaaS, published May 22nd, 2019
Almost 9000 people attended Check Point’s CPX 360 events in Bangkok, Las Vegas and Vienna earlier this year where we shared security best practices, product developments and roadmap with our customers and partners.
My session was about Kubernetes and Container Security. At the end of the session, I promised to update our customers and partners with relevant roadmap announcements during 2019, and I am happy to deliver the first announcement today:
Check Point CloudGuard IaaS now supports North-South inspection for improved Kubernetes security.
The new Container security functionality is available in native Kubernetes/OpenShift as well as managed Kubernetes services such as Azure Kubernetes Service (AKS), Amazon EKS, Google Kubernetes Engine, and others.
As part of this release, CloudGuard IaaS provides the following new features:
- Secure the traffic between Kubernetes microservices and your on-premises or cloud assets (also known as “North-South traffic”) using IPsec VPN. For example: CloudGuard IaaS allows you to configure VPN between your cloud environment and on-premises, in order for your microservice to communicate securely with your on-premises database.
- Incoming and outgoing traffic inspection using all Check Point security blades, including Intrusion Prevention Service (IPS), Anti-Virus, Anti Bot, and VPN, providing advanced threat prevention to your Kubernetes environment and container deployment.
- Dynamic policy that changes as the Kubernetes environment changes, including an access policy that is based on Kubernetes tags (labels, services, etc.).
- Full HTTPS support: CloudGuard IaaS allows you to perform inspection of SSL/TLS traffic that flows to a microservice. It allows you to choose whether to inspect the traffic or to pass it and route it based on the Server Name Indication (SNI).
- Virtual Patching: Containers are built using packages which may contain vulnerabilities. In case a vulnerability is discovered in a package, updating the affected containers may take a few weeks or even a few months in some cases. CloudGuard IaaS provides the ability to define virtual patching, which prevents exploiting this vulnerability until you deploy new containers with a non-vulnerable package.
Additionally, CloudGuard IaaS allows you to automate your Kubernetes security using common scripting languages such as Terraform and Ansible.
What are a few common use cases for the new Container security functionality?
Application Control and Anti-Bot
One of the potential attack vectors in Kubernetes environments is to exploit a container and use its compute resource to spawn a bitcoin-mining container which is fetched from an external, malicious container registry. (You can read about a similar hack of Tesla’s Kubernetes deployment here.) Using CloudGuard IaaS, you can restrict communication to trusted registries only. Additionally, you can enable Anti-Bot and thereby prevent the malicious bitcoin-mining container from receiving commands from the unauthorized command and control server.
Scale Out Events
When a new pod is added to the Kubernetes environment in a scale out event, CloudGuard IaaS understands that there is a new podIt then gets the assigned IP address and updates the CloudGuard security gateway with this data. If the pod’s labels match a defined policy, the security gateway does not require any manual policy installation; it starts inspecting the traffic automatically according to the defined policy.
Vulnerability
If a new vulnerability is discovered in NGINX for example, and your engineering team estimates it will take 5 days to ship a new container, CloudGuard allows you to enable a specific IPS signature that will prevent anyone from taking advantage and exploiting the containers which use this NGINX version. Once your team deploys the containers with a non-vulnerable version, you can remove this IPS signature in order to release CloudGuard IaaS resources and improve performance.
You’re encouraged to try this new functionality for yourself:
Get a free trial of CloudGuard IaaS in the Marketplaces of Azure (with a limited-time special offer by Microsoft and Check Point), AWS, GCP or Oracle.
And please watch the Check Point blog for more announcements about Container and Kubernetes security.
To learn more visit www.checkpoint.com.