Friday, November 20, 2015

Virtualized Containers: Security

Like my last post, this post is about virtualized containers.  If you're not sure what I'm talking about, it's the notion we have at VMware that we can run containers on ESXi just as well as, if not better than, on a "bare metal" Linux host.

While this notion is controversial to some in the community, for us it is just a natural extension of what we already do.  Because we already virtualize a huge range of workloads, we already have experience with a wide range of performance, security and operational requirements, so adding a new kind of workload is usually not a big deal.

We've already talked about performance, so let's talk about security.

One of the very nice things about virtualization is that it allows you to do things like micro-segmentation.  That is, it lets you put very fine-grained controls on your infrastructure so that a compromise in one area is less likely to spread to other areas.  This is one form of what is usually called "defense in depth."  However you describe it, it's clear that multiple barriers in front of a bad actor beat a "crunchy shell with a gooey center" approach, where one breach of the perimeter gives the attacker free run of everything inside.

Whenever I think about defense in depth, I think about the medieval town of Entrevaux in France.  This town has a series of walls, gates, redoubts and a final bastion at the top of a hill.  Anybody trying to storm that town with crossbows, trebuchets and swords would have a tough time of it.

Short of stone walls, how do you make yourself safe in the modern world?  Well, we still have walls.  These days they're virtual firewalls built to keep out the virtual bad guys, but the concept is the same.  Keep them out of your town, but if they get in, make their life a living hell and make them pay a price in blood for every foot they advance.  In the virtual world there are tons of ways to do this, including our own NSX product.

Regardless of how you choose to implement your containerized application, you will need some sort of strategy for containing bad actors.  If you have already solved this problem for your virtualized infrastructure, you can simply re-use that solution when you virtualize your containers as well.  If not, you're going to need a new set of tools.
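To make the "contain the bad actor" idea concrete, here is an added example (my own illustration, not code from the original post and not NSX or any VMware product): a tiny model of a default-deny micro-segmentation policy and a reachability check that computes how far an attacker can move laterally after compromising one workload. The workload names, tiers, ports and the policy itself are constructed for the illustration; in a real deployment the same allow-list would be expressed as distributed-firewall rules in front of each VM or container.

```python
"""Added example (not code from the original post or from VMware/NSX):
a small model of a micro-segmentation policy and the "blast radius"
an attacker gets after compromising one workload under it.

Everything below (workloads, tiers, ports, rules) is constructed
sample data, not a real inventory.
"""
from collections import deque

# Constructed inventory: workload -> tier (segment) it belongs to.
WORKLOADS = {
    "web-1": "web", "web-2": "web",
    "app-1": "app", "app-2": "app",
    "db-1": "db",
    "ci-1": "ci",          # unrelated workload sharing the same hosts
}

# Constructed allow-list of (src_tier, dst_tier, dst_port).  Any flow not
# listed is denied; that default-deny posture is what makes the
# segmentation "micro" rather than a single perimeter rule.
SEGMENTED_POLICY = {
    ("web", "app", 8080),
    ("app", "db", 5432),
}


def allowed(policy, src, dst, port):
    """Default deny: a flow between two workloads is permitted only when
    an explicit rule matches their tiers and the destination port."""
    if src == dst:
        return False  # a workload talking to itself is not lateral movement
    return (WORKLOADS[src], WORKLOADS[dst], port) in policy


def flat_network_policy():
    """Policy equivalent to a perimeter-only ("crunchy shell") network:
    once inside, every tier may reach every other tier on any port."""
    tiers = set(WORKLOADS.values())
    ports = {8080, 5432, 22}
    return {(s, d, p) for s in tiers for d in tiers for p in ports}


def blast_radius(policy, compromised):
    """Workloads an attacker who owns `compromised` can reach by following
    allowed flows transitively (breadth-first search over the reachability
    graph).  This is an upper bound: each hop still needs an exploitable
    service on the far side, but the policy alone decides who is even
    reachable."""
    ports = {p for (_, _, p) in policy}
    seen, queue = {compromised}, deque([compromised])
    while queue:
        src = queue.popleft()
        for dst in WORKLOADS:
            if dst in seen:
                continue
            if any(allowed(policy, src, dst, p) for p in ports):
                seen.add(dst)
                queue.append(dst)
    seen.discard(compromised)
    return sorted(seen)


if __name__ == "__main__":
    for name, policy in (("flat", flat_network_policy()),
                         ("segmented", SEGMENTED_POLICY)):
        for victim in ("web-1", "ci-1"):
            print(f"{name:9s} compromise of {victim}: reaches "
                  f"{blast_radius(policy, victim)}")
```

Under the flat policy a foothold on the throwaway CI box reaches every workload; under the segmented policy it reaches nothing, and a foothold on a web front end can only proceed along the web-to-app-to-db path the application actually needs. Running the reachability check against a proposed rule set before deploying it is the cheap way to find the rule that quietly turns "micro" segmentation back into a flat network.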

Another consideration is attack surface.  One interesting side effect of a single-purpose operating system is a very small attack surface.  Logically, you would assume that a single-purpose operating system like ESXi would have a much smaller attack surface than a general-purpose operating system like Linux, and the data backs up this assumption:


Based on data from the website CVE Details, ESXi has a much lower number of reported vulnerabilities than operating systems like Linux or Windows: anywhere from 10x to 100x fewer, depending on how you measure it and which operating system you pick.  Reported CVE counts are only a rough proxy for attack surface (they also reflect how much code a product ships and how closely it gets scrutinized), but a gap that size is hard to explain away.  I'm not trying to throw stones here.  I used to work on Windows, and I can assure you that security is very important to Microsoft.  You can also see that distros like RHEL do a great job of making sure they're fully patched before they ship.  However, a smaller OS like ESXi has some architectural advantages, and this is one of them.

When you think about running workloads in large production environments, you have to assume that a bad actor is going to find their way in sooner or later.  No matter how good you are, you will get hacked.  Thus, running with a least-privilege model and improving your odds of limiting the damage with things like micro-segmentation and small attack surfaces seems like a logical precaution.

Naturally, if the underlying platform won't run the workload you need, or has crappy performance, none of this matters.  Fortunately, with things like vIC (vSphere Integrated Containers) and Photon Platform, that isn't the case for virtualized container workloads.
