Almost 9,000 people attended Check Point's CPX 360 events in Bangkok, Las Vegas and Vienna this year, where we shared security best practices, product innovations and our roadmap with customers and partners.
My session covered Kubernetes and container security. At the end of the session I promised to keep our customers and partners updated with relevant roadmap announcements during 2019, and I am pleased to deliver the first of them today:
Check Point CloudGuard IaaS now supports North-South inspection for improved Kubernetes security.
The new container security functionality is available for native Kubernetes and OpenShift as well as for managed Kubernetes services such as Azure Kubernetes Service (AKS), Amazon EKS, Google Kubernetes Engine (GKE) and others.
As part of this release, CloudGuard IaaS offers the following additional features:
- Secure the traffic between Kubernetes microservices and your on-premises or cloud assets (also known as "North-South traffic") using an IPsec VPN. For example, CloudGuard IaaS lets you configure a VPN between your cloud environment and your on-premises network, so that a microservice can communicate securely with your on-premises database.
- Inbound and outbound traffic inspection using all Check Point security blades, including Intrusion Prevention System (IPS), Anti-Virus, Anti-Bot and VPN, providing advanced threat prevention for your Kubernetes environment and container deployments.
- Dynamic policy that changes as the Kubernetes environment changes, including an access policy based on Kubernetes tags (labels, services, etc.), so that pods are matched by what they are labelled rather than by IP addresses that change on every scale event.
- Full HTTPS support: CloudGuard IaaS lets you inspect SSL/TLS traffic that flows to a microservice. You can choose whether to inspect the traffic, or to pass it through and route it based on the Server Name Indication (SNI) without decrypting it.
- Virtual patching: containers are built from packages which may contain vulnerabilities. When a vulnerability is discovered in a package, updating the affected containers can take a few days, or in some cases a few weeks. CloudGuard IaaS lets you define a virtual patch that blocks exploitation of the vulnerability at the gateway until you deploy new containers with a non-vulnerable package.
In addition, CloudGuard IaaS lets you automate your Kubernetes security using common infrastructure-as-code tools such as Terraform and Ansible.
What are a few common use cases for the new container security functionality?
Application Control and Anti-Bot
One of the potential attack vectors in Kubernetes environments is to exploit a container and use its compute resources to spawn a cryptocurrency-mining container fetched from an external, malicious container registry. (Read about a similar attack on Tesla's Kubernetes deployment here.) Using CloudGuard IaaS, you can restrict communication to trusted registries only. In addition, you can enable Anti-Bot and thus prevent the malicious mining container from receiving instructions from its command and control server.
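A network-level restriction to trusted registries is enforced by the gateway; the complementary check is to refuse pods whose image references point anywhere else. The following is an added example (not CloudGuard's code and not part of the original post) of that allow-list check as an admission webhook or CI gate would apply it. The registry names, the pod spec and the "registry.attacker.example" host are constructed for the example; the parsing rule for image references (first path component is a registry only if it contains "." or ":" or is "localhost", otherwise the image is on Docker Hub) is the standard Docker/OCI convention.

```python
"""Allow-list check for container image registries (added example).

Image references follow the Docker/OCI convention: the first path component
names a registry only if it contains '.' or ':' or is 'localhost'; otherwise
the image is on Docker Hub (docker.io). Tags (':1.19') and digests
('@sha256:...') never change the registry."""

DEFAULT_REGISTRY = "docker.io"

# Hypothetical trusted registries for this cluster. Matching is exact,
# including any explicit port, so "reg:5000" and "reg" are different entries.
TRUSTED_REGISTRIES = {
    "registry.corp.example",
    "123456789012.dkr.ecr.us-east-1.amazonaws.com",
}


def registry_of(image: str) -> str:
    """Return the registry host[:port] an image reference resolves to."""
    name = image.split("@", 1)[0]           # drop the digest; it contains ':'
    first, slash, _ = name.partition("/")
    if not slash:                           # "nginx:1.19" -> Docker Hub
        return DEFAULT_REGISTRY
    if "." in first or ":" in first or first == "localhost":
        return first.lower()                # "gcr.io/..." or "reg:5000/..."
    return DEFAULT_REGISTRY                 # "bitnami/nginx" -> Docker Hub


def untrusted_images(pod_spec: dict, trusted: set) -> list:
    """List every image in a pod spec (init, regular and ephemeral
    containers) whose registry is not in the trusted set."""
    containers = (
        pod_spec.get("initContainers", [])
        + pod_spec.get("containers", [])
        + pod_spec.get("ephemeralContainers", [])
    )
    return [c["image"] for c in containers
            if registry_of(c["image"]) not in trusted]


# Constructed pod spec: a legitimate web container (pinned by digest) plus a
# sidecar injected from an external registry; the hostname is made up.
SAMPLE_POD_SPEC = {
    "initContainers": [
        {"name": "migrate", "image": "registry.corp.example/db-migrate:4.2"},
    ],
    "containers": [
        {"name": "web",
         "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:1.0@sha256:"
                  + "ab" * 32},
        {"name": "miner", "image": "registry.attacker.example/miner:latest"},
    ],
}

if __name__ == "__main__":
    bad = untrusted_images(SAMPLE_POD_SPEC, TRUSTED_REGISTRIES)
    print("reject" if bad else "admit", bad)
```

Note that an unqualified name such as `nginx` or `bitnami/nginx` resolves to Docker Hub, so it is rejected unless `docker.io` is in the trusted set; that is the behaviour you want, because an allow-list that silently accepts unqualified names accepts anything an attacker can push to Docker Hub.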
Scale-Out Events
When a new pod is added to the Kubernetes environment in a scale-out event, CloudGuard IaaS detects the new pod, obtains its assigned IP address and updates the CloudGuard security gateway with this data. If the pod's labels match a defined policy, the security gateway does not need any manual policy installation; it starts inspecting the pod's traffic immediately according to that policy.
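The dynamic, label-based policy listed in the feature summary and the scale-out flow described above both come down to one piece of bookkeeping: turning a stream of pod events into per-rule sets of IP addresses that the gateway enforces. The following is an added example (not CloudGuard's implementation and not part of the original post) of that reconciliation. The rule names, label keys, namespace and IP addresses are invented, the events are constructed inline rather than read from a real API server, and `pod()` and `replay()` are helpers written for this example; the event types (ADDED, MODIFIED, DELETED) and the selector semantics (matchLabels plus In/NotIn/Exists/DoesNotExist expressions) are those of the Kubernetes API.

```python
"""Keep gateway IP sets current from Kubernetes pod events (added example)."""

from dataclasses import dataclass, field


@dataclass
class Rule:
    """A policy rule whose source or destination is 'every pod matching selector'."""
    name: str
    match_labels: dict = field(default_factory=dict)
    match_expressions: list = field(default_factory=list)

    def matches(self, labels: dict) -> bool:
        if any(labels.get(k) != v for k, v in self.match_labels.items()):
            return False
        for expr in self.match_expressions:
            key, op, values = expr["key"], expr["operator"], expr.get("values", [])
            present = key in labels
            if op == "In" and labels.get(key) not in values:
                return False
            if op == "NotIn" and present and labels[key] in values:
                return False
            if op == "Exists" and not present:
                return False
            if op == "DoesNotExist" and present:
                return False
        return True


class GatewayObjects:
    """Per-rule IP sets: the data a gateway needs to enforce label-based rules."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.members = {r.name: set() for r in self.rules}
        self._placed = {}   # (namespace, name) -> (ip, names of rules it is in)

    def handle(self, event_type: str, pod: dict) -> None:
        key = (pod["metadata"]["namespace"], pod["metadata"]["name"])
        # Forget what we knew: MODIFIED may change labels or IP, and DELETED
        # must drop the pod from every rule it was placed in.
        ip, rule_names = self._placed.pop(key, (None, set()))
        for name in rule_names:
            self.members[name].discard(ip)
        if event_type == "DELETED":
            return
        ip = pod.get("status", {}).get("podIP")
        if not ip:          # still Pending; the MODIFIED event will carry the IP
            return
        labels = pod["metadata"].get("labels", {})
        matched = {r.name for r in self.rules if r.matches(labels)}
        for name in matched:
            self.members[name].add(ip)
        self._placed[key] = (ip, matched)

    def ips_for(self, rule_name: str) -> set:
        return set(self.members[rule_name])


def pod(name, labels, ip=None, namespace="shop"):
    """Build a minimal pod object of the shape the Kubernetes API returns."""
    p = {"metadata": {"namespace": namespace, "name": name, "labels": labels}}
    if ip:
        p["status"] = {"podIP": ip}
    return p


RULES = [
    Rule("frontend-to-onprem-db", match_labels={"app": "frontend"}),
    Rule("prod-inspect",
         match_expressions=[{"key": "env", "operator": "In", "values": ["prod"]}]),
]

# Constructed watch stream: one frontend replica scales out to two, a batch
# pod appears, then the first replica is terminated.
EVENTS = [
    ("ADDED",    pod("frontend-1", {"app": "frontend", "env": "prod"})),   # Pending
    ("MODIFIED", pod("frontend-1", {"app": "frontend", "env": "prod"}, "10.244.1.7")),
    ("ADDED",    pod("frontend-2", {"app": "frontend", "env": "prod"}, "10.244.2.3")),
    ("ADDED",    pod("batch-1",    {"app": "batch",    "env": "prod"}, "10.244.2.9")),
    ("DELETED",  pod("frontend-1", {"app": "frontend", "env": "prod"}, "10.244.1.7")),
]


def replay(events=EVENTS, rules=RULES) -> GatewayObjects:
    """Feed a list of (event_type, pod) pairs through the reconciler."""
    gw = GatewayObjects(rules)
    for event_type, p in events:
        gw.handle(event_type, p)
    return gw


if __name__ == "__main__":
    gw = replay()
    for r in RULES:
        print(r.name, sorted(gw.ips_for(r.name)))
```

The two details worth copying are that a pod's previous placement is always cleared before it is re-evaluated (a label edit or IP change on MODIFIED would otherwise leave a stale IP in a rule) and that a pod without a `podIP` is ignored until the event that assigns one, which is why a freshly scheduled replica appears in the sets as soon as it can actually send traffic.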
Vulnerability
If a new vulnerability is discovered in NGINX, for example, and your engineering team estimates it will take five days to ship a new container, CloudGuard lets you enable the specific IPS signature that blocks attempts to exploit the containers running this NGINX version. Once your team has deployed containers with a non-vulnerable version, you can remove that IPS signature to free CloudGuard IaaS resources and improve performance.
