A new open source project called Trireme aims to simplify security for containers and Kubernetes. The software, developed by the startup Aporeto, tackles a basic security question: should container X be allowed to talk to container Y?
This is difficult because applications consist of multiple containers, and these containers may be created, migrated, updated, or destroyed at any time. Trying to build rule sets using traditional mechanisms such as VLANs, ACLs and firewall rules doesn’t seem feasible for the scale and rate of change in a container environment.
Instead, the Trireme software offers application segmentation and isolation by pushing policies as close to the application as possible. Trireme provides an authentication and authorization framework for container communication.
Here’s how it works at a high level. When a container is created, it includes a set of attributes about itself—for instance, whether it’s for production or development, a Web server or database, which libraries it uses, and so on.
Trireme uses attributes as an identifier, which it calls a label, around which to build policies. A very simple policy might state that a container associated with a production Web server can communicate with containers associated with a production database.
A policy engine stores these policies, and shares them out to Trireme agents. Trireme agents are lightweight applications that run in user space on a host, such as a bare-metal server, a virtual machine, or a Kubernetes node.
When a container initiates a communication with another container, the Trireme agent acts as a kind of proxy by inserting itself into the synchronization and acknowledgement steps of TCP.
The agent takes the container label and attributes and signs them cryptographically, and puts this into the payload of the SYN and SYN/ACK TCP packets.
At the other end of the connection, a second Trireme agent validates the signature, checks the label and attributes of the container, and then checks its policies to confirm whether the sending container is authorized to communicate with the recipient.
If the policy is allowed, the Trireme agent removes itself from the path and allows the network connection to be established. In other words, the agent only proxies the initial set-up, not the full transaction.
Some Things To Chew On
The idea of defining policy based on the attributes and functions of an object rather than on something like an IP address seems sensible. This approach can remove some of the friction that comes with relying primarily on the network and network identifiers (an IP address or port, for example), especially when those identifiers can change so quickly in a container environment.
However, the real test is how well it operates at scale in a production environment, with multiple stakeholders (developers, operations, security) all needing to coordinate on an identity framework. Labeling schemas will have to be tightly defined, broadly deployed, and carefully enforced.
Aporeto envisions a kind of parallel labeling system, in which developers can use the labeling conventions they’re familiar with, with a higher-level system controlled by operations and security teams.
And there are always potential drawbacks with running host-based security applications.
For instance, they need to be tightly integrated with the orchestration system to ensure deployment, they need to communicate with a policy engine or management layer, and, regardless of how lightweight they may be, they will consume host resources. And of course, the Trireme applications themselves have to be managed and updated.
That said, every policy and security implementation comes with tradeoffs. Aporeto is betting that the benefits of its approach will win converts.
Aporeto was founded in 2015. It has not released its backers or the amount of funding it has received to date.
Co-founder & CEO Dimitri Stiliadis previously cofounded Nuage Networks. Co-founder and VP of Engineering Satyam Sinha worked in the Insieme business unit at Cisco, where he was a distinguished engineer. Co-founder Amir Sharif previously worked at Parallels and VMware and has extensive experience with containers and hypervisors.
- Trireme only works with TCP. The company aims to support UDP, but that’s a work in progress.
- At present, Trireme won’t work on hosts that use network acceleration techniques such as DPDK.
- Trireme uses elliptic-curve cryptography to sign attributes.