
CloudGuard IaaS Supports Kubernetes and Container Security

By Amir Kaushansky, Product Manager, CloudGuard IaaS, published May 22nd, 2019


Almost 9000 people attended Check Point’s CPX 360 events in Bangkok, Las Vegas and Vienna earlier this year where we shared security best practices, product developments and roadmap with our customers and partners.

My session was about Kubernetes and Container Security. At the end of the session, I promised to update our customers and partners with relevant roadmap announcements during 2019, and I am happy to deliver the first announcement today:

Check Point CloudGuard IaaS now supports North-South inspection for improved Kubernetes security.

The new Container security functionality is available in native Kubernetes/OpenShift as well as managed Kubernetes services such as Azure Kubernetes Service (AKS), Amazon EKS, Google Kubernetes Engine, and others.

As part of this release, CloudGuard IaaS provides the following new features:


Additionally, CloudGuard IaaS allows you to automate your Kubernetes security using common automation tools such as Terraform and Ansible.

What are a few common use cases for the new Container security functionality?

Application Control and Anti-Bot

One of the potential attack vectors in Kubernetes environments is to exploit a container and use its compute resource to spawn a bitcoin-mining container which is fetched from an external, malicious container registry. (You can read about a similar hack of Tesla’s Kubernetes deployment here.) Using CloudGuard IaaS, you can restrict communication to trusted registries only. Additionally, you can enable Anti-Bot and thereby prevent the malicious bitcoin-mining container from receiving commands from the unauthorized command and control server.
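The registry restriction described above is enforced by CloudGuard at the network level. The following added example (not CloudGuard code) shows the complementary check a defender can run at admission or audit time: it derives the registry host from each container image reference using the Docker naming convention and flags any image that does not come from an allow-listed registry. The allow-list, the `registry_of` and `untrusted_images` helpers and the sample pod are all constructed for this illustration.

```python
"""Trusted-registry check for pod images (added example, not CloudGuard's code).

Derives the registry host from each container image reference and flags
images pulled from registries outside a constructed allow-list.
"""


def registry_of(image):
    """Return the registry host (with port, if any) for an image reference.

    Docker's naming rule: the first path component is a registry only if it
    contains a '.' or ':' or equals 'localhost'; otherwise the image lives on
    Docker Hub (docker.io). Tags and digests never affect the registry part.
    """
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        host = first
    else:
        host = "docker.io"
    if host == "index.docker.io":  # legacy alias for Docker Hub
        host = "docker.io"
    return host.lower()


def untrusted_images(pod, trusted_registries):
    """List (container name, image, registry) for every container or init
    container whose registry is not in the allow-list."""
    trusted = {r.lower() for r in trusted_registries}
    spec = pod.get("spec", {})
    findings = []
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        registry = registry_of(container["image"])
        if registry not in trusted:
            findings.append((container["name"], container["image"], registry))
    return findings


# Constructed allow-list: only the organisation's own registry and gcr.io.
TRUSTED_REGISTRIES = {"registry.example.com", "gcr.io"}

# Constructed pod: one image from the trusted registry, one from Docker Hub,
# and a sidecar pulled from an unknown registry on a TEST-NET address.
SAMPLE_POD = {
    "metadata": {"name": "web-7d9c", "namespace": "prod", "labels": {"app": "web"}},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox:1.31"}],
        "containers": [
            {"name": "web", "image": "registry.example.com/team/web:2.3"},
            {"name": "sidecar", "image": "203.0.113.7:5000/miner:latest"},
        ],
    },
}

if __name__ == "__main__":
    for name, image, registry in untrusted_images(SAMPLE_POD, TRUSTED_REGISTRIES):
        print(f"untrusted registry {registry!r} for container {name!r}: {image}")
```

Run against real objects by feeding it the pod JSON from the API server; the same `registry_of` logic applies whether the check lives in a validating webhook, a CI gate or a periodic audit over the cluster.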

Scale Out Events

When a new pod is added to the Kubernetes environment in a scale out event, CloudGuard IaaS detects the new pod, retrieves its assigned IP address and updates the CloudGuard security gateway with this data. If the pod’s labels match a defined policy, the security gateway does not require any manual policy installation; it starts inspecting the traffic automatically according to the defined policy.
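To make the label-matching step concrete, here is an added example (not CloudGuard's code) of the logic behind it: it evaluates Kubernetes label selectors (`matchLabels` plus `matchExpressions` with `In`, `NotIn`, `Exists` and `DoesNotExist`) against pod labels and keeps, per policy, the set of pod IPs currently covered, updating it on ADDED, MODIFIED and DELETED pod events, including pods that are still Pending without an IP. The `GatewayState` class, the policy store and the sample event stream are assumptions standing in for whatever the gateway actually exposes.

```python
"""Label-driven tracking of pod IPs per policy (added example, not CloudGuard's code).

Models the scale-out behaviour: as pods appear, get an IP, change or go away,
each policy's membership set is recomputed from the pod labels.
"""

from collections import defaultdict


def selector_matches(selector, labels):
    """Evaluate a Kubernetes-style label selector against a pod's labels."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values = expr.get("values", [])
        if op not in ("In", "NotIn", "Exists", "DoesNotExist"):
            raise ValueError(f"unsupported operator {op!r}")
        present = key in labels
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:  # absent key matches
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


class GatewayState:
    """Hypothetical stand-in for the gateway's per-policy address objects."""

    def __init__(self, policies):
        self.policies = policies          # policy name -> label selector
        self.members = defaultdict(set)   # policy name -> set of pod IPs
        self.pod_ip = {}                  # "namespace/name" -> last known IP

    def handle(self, event_type, pod):
        meta = pod["metadata"]
        key = f"{meta.get('namespace', 'default')}/{meta['name']}"
        # Drop whatever this pod contributed before; it is re-added below if it still matches.
        old_ip = self.pod_ip.pop(key, None)
        if old_ip:
            for ips in self.members.values():
                ips.discard(old_ip)
        if event_type == "DELETED":
            return
        ip = pod.get("status", {}).get("podIP")
        if not ip:  # Pending pods have no IP yet; wait for the MODIFIED event
            return
        self.pod_ip[key] = ip
        labels = meta.get("labels", {})
        for name, selector in self.policies.items():
            if selector_matches(selector, labels):
                self.members[name].add(ip)


def apply_events(policies, events):
    """Replay (event_type, pod) pairs and return policy -> covered pod IPs."""
    state = GatewayState(policies)
    for event_type, pod in events:
        state.handle(event_type, pod)
    return {name: set(ips) for name, ips in state.members.items()}


def _pod(name, labels, ip=None):
    """Build a minimal constructed pod object."""
    pod = {"metadata": {"name": name, "namespace": "prod", "labels": labels}}
    if ip:
        pod["status"] = {"podIP": ip}
    return pod


# Constructed policies: one uses matchLabels, one uses a matchExpressions 'In'.
POLICIES = {
    "allow-web-ingress": {"matchLabels": {"app": "web"}},
    "inspect-frontend": {
        "matchExpressions": [{"key": "tier", "operator": "In", "values": ["frontend", "edge"]}]
    },
}

# Constructed watch stream: scale-out adds web-2 (Pending first), then web-1 is removed.
SAMPLE_EVENTS = [
    ("ADDED", _pod("web-1", {"app": "web", "tier": "frontend"}, "10.244.1.5")),
    ("ADDED", _pod("db-1", {"app": "db"}, "10.244.2.9")),
    ("ADDED", _pod("web-2", {"app": "web", "tier": "frontend"})),
    ("MODIFIED", _pod("web-2", {"app": "web", "tier": "frontend"}, "10.244.1.7")),
    ("DELETED", _pod("web-1", {"app": "web", "tier": "frontend"}, "10.244.1.5")),
]

if __name__ == "__main__":
    for name, ips in apply_events(POLICIES, SAMPLE_EVENTS).items():
        print(name, sorted(ips))
```

The membership is keyed by pod identity rather than IP so that a DELETED event, or a pod whose labels change, cleanly removes the old address before any new match is recorded; that ordering is what keeps a gateway from inspecting traffic under a stale policy after a rescheduling.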

Vulnerability

If, for example, a new vulnerability is discovered in NGINX and your engineering team estimates it will take 5 days to ship a new container, CloudGuard allows you to enable a specific IPS signature that prevents anyone from exploiting the containers which use this NGINX version. Once your team deploys the containers with a non-vulnerable version, you can remove this IPS signature in order to release CloudGuard IaaS resources and improve performance.

You’re encouraged to try this new functionality for yourself:

Get a free trial of CloudGuard IaaS in the Marketplaces of Azure (with a limited-time special offer by Microsoft and Check Point), AWS, GCP or Oracle.

And please watch the Check Point blog for more announcements about Container and Kubernetes security.

To learn more visit www.checkpoint.com.
