Chap 10 - 01 - Understand Virt Essential Concepts and OS Virt Security - 08_ocred_fax_ocred.pdf




Certified Cybersecurity Technician Exam 212-82 Virtualization and Cloud Computing

Kubernetes Security Challenges and Threats

01 Explosion of east-west traffic 02 Increased attack surface 03 Automating security to keep pace 04 Too many containers 05 Communication between containers 06 Default configuration settings 07 Runtime security challenges 08 Compliance issues

Kubernetes lets an organization automate application deployment, which supports rapid business growth. Those same deployments are exposed to attack and exploitation by adversaries, so security is a critical component of every Kubernetes deployment. Containerized workloads in the cloud are targeted by ransomware, cryptomining, data theft, and service disruption. The hyperdynamic nature of containers gives rise to the following Kubernetes security challenges.

* Explosion of east-west traffic: Containers are deployed dynamically across multiple hosts or clouds, so east-west traffic (traffic flowing inside a data center, from workload to workload) and other internal traffic must be monitored for attacks; it cannot be trusted simply because it never crosses the perimeter.

* Increased attack surface: Every container has its own attack surface and vulnerabilities that an adversary can exploit. The container engine and the orchestrator (Docker and Kubernetes themselves) add further attack surface on top of that of the containers they run.

* Automating security to keep pace: Because a container environment changes constantly, older security models and tools cannot provide complete protection. Securing containers therefore requires automated security controls that are applied as fast as containers are created.

* Too many containers: The number of containers in a dynamic deployment grows quickly, and every one of them communicates with other containers and with internal and external endpoints. A single compromised container therefore puts every container connected to it at risk.

* Communication between containers: Containers must talk to each other and to internal and external endpoints in order to function. Unless that communication is restricted, a compromised container can reach, and be used to breach, the other containers in the environment.

* Default configuration settings: The Kubernetes defaults make application development faster and let every component in the environment communicate freely. The same defaults also leave Kubernetes more vulnerable and less secure.

* Runtime security challenges: Containers are transient and short-lived, which makes it hard for a person to keep track of which container processes are running at any given moment, and therefore harder to detect a malicious process while it runs.

* Compliance issues: Organizations need techniques to make sure the Kubernetes environment still adheres to the security controls, industry standards, and internal organizational policies that were written for conventional application architectures.

Module 10 Page 1279 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
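The default-configuration, east-west traffic and inter-container communication items above are easiest to see in code. The following Python script is an added example written for this edition; it is not part of the EC-Council course material and not Kubernetes' own code. It audits a pod object (in the shape `kubectl get pod -o json` returns) for the insecure Kubernetes defaults, produces a hardened copy, and then decides, with a deliberately simplified NetworkPolicy evaluator (ingress only, podSelector peers in the same namespace only), whether pod-to-pod traffic is allowed: first with no policies at all (the Kubernetes default, everything is allowed) and then with a default-deny policy plus one explicit allow rule. The `shop` namespace, the web/db/batch pods, the two policies, the resource limits and the placeholder image digest are all constructed for the example.

```python
"""Audit of Kubernetes defaults: pod security settings and allow-all east-west traffic.
Object shapes follow `kubectl get pods -o json` and NetworkPolicy JSON; every sample
object below is constructed for the example, not exported from a real cluster."""
import copy


def pod(name, namespace, labels, image="nginx:latest"):
    """A Pod as admitted when the manifest says nothing about security (Kubernetes defaults)."""
    return {"metadata": {"name": name, "namespace": namespace, "labels": labels},
            "spec": {"containers": [{"name": name, "image": image}]}}


def audit_pod(p):
    """Return findings where the pod relies on an insecure Kubernetes default setting."""
    findings, spec = [], p["spec"]
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{flag} enabled")
    if spec.get("automountServiceAccountToken", True):   # default: API token mounted in every pod
        findings.append("service account token auto-mounted")
    for c in spec["containers"]:
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged")
        if not sc.get("runAsNonRoot"):                    # default: whatever the image says, usually root
            findings.append(f"{c['name']}: may run as root")
        if sc.get("allowPrivilegeEscalation", True):      # default: setuid binaries and file caps honoured
            findings.append(f"{c['name']}: privilege escalation allowed")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{c['name']}: writable root filesystem")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{c['name']}: capabilities not dropped")
        if "limits" not in c.get("resources", {}):        # no limits: one container can starve the node
            findings.append(f"{c['name']}: no resource limits")
        if "@sha256:" not in c["image"]:                  # mutable tag: image can change under you
            findings.append(f"{c['name']}: image not pinned by digest")
    return findings


def harden_pod(p):
    """Copy of the pod with every default flagged by audit_pod overridden (assumed limits)."""
    h = copy.deepcopy(p)
    h["spec"]["automountServiceAccountToken"] = False
    for c in h["spec"]["containers"]:
        c["securityContext"] = {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}
        c["resources"] = {"limits": {"cpu": "500m", "memory": "256Mi"}}
        if "@sha256:" not in c["image"]:
            # Placeholder digest for the example; take the real one from the registry.
            c["image"] = c["image"].rsplit(":", 1)[0] + "@sha256:" + "0" * 64
    return h


def selects(selector, labels):
    """matchLabels-only label selector; an empty selector matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(src, dst, port, policies):
    """Simplified NetworkPolicy ingress decision (podSelector peers in the same namespace only).
    When no policy selects the destination pod, Kubernetes allows the traffic by default."""
    ns = dst["metadata"]["namespace"]
    applicable = [pol for pol in policies if pol["metadata"]["namespace"] == ns
                  and "Ingress" in pol["spec"].get("policyTypes", ["Ingress"])
                  and selects(pol["spec"]["podSelector"], dst["metadata"]["labels"])]
    if not applicable:
        return True                                       # not isolated: allow-all default
    for pol in applicable:
        for rule in pol["spec"].get("ingress", []):
            ports = [pp["port"] for pp in rule.get("ports", [])]
            if ports and port not in ports:
                continue
            if not rule.get("from"):                      # no "from": any source matches
                return True
            for peer in rule["from"]:
                if ("podSelector" in peer and src["metadata"]["namespace"] == ns
                        and selects(peer["podSelector"], src["metadata"]["labels"])):
                    return True
    return False                                          # isolated and no rule matched


# Constructed sample namespace: a web tier, a database, and an unrelated batch job.
WEB, DB, BATCH = (pod("web", "shop", {"app": "web"}), pod("db", "shop", {"app": "db"}),
                  pod("batch", "shop", {"app": "batch"}))
DENY_ALL = {"metadata": {"name": "default-deny", "namespace": "shop"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
ALLOW_WEB_TO_DB = {"metadata": {"name": "allow-web-to-db", "namespace": "shop"},
                   "spec": {"podSelector": {"matchLabels": {"app": "db"}},
                            "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
                                         "ports": [{"port": 5432}]}]}}
LOCKED_DOWN = [DENY_ALL, ALLOW_WEB_TO_DB]

if __name__ == "__main__":
    print("default pod findings:", audit_pod(WEB))
    print("hardened pod findings:", audit_pod(harden_pod(WEB)))
    print("batch -> db:5432, no policies:", ingress_allowed(BATCH, DB, 5432, []))
    print("batch -> db:5432, locked down:", ingress_allowed(BATCH, DB, 5432, LOCKED_DOWN))
    print("web -> db:5432, locked down:", ingress_allowed(WEB, DB, 5432, LOCKED_DOWN))
```

To run it against a real cluster, feed the `items` of `kubectl get pods -A -o json` to `audit_pod` and the `items` of `kubectl get networkpolicies -A -o json` to `ingress_allowed`. The evaluator is a teaching model of the isolation rule (a pod with no policy selecting it accepts everything; once any policy selects it, only explicitly allowed traffic passes); real enforcement is done by the CNI plugin, which also handles `namespaceSelector`, `ipBlock` and egress rules.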
Container Management Platforms

Listed below are various container management platforms:

* Docker
  Source: https://www.docker.com
  Docker is an independent container platform for building, managing, and securing applications, from traditional applications to the latest microservices, and deploying them across cloud environments. Docker provides a container content library and ecosystem with more than 100,000 container images that developers use to create and deploy applications. Its core building blocks, Docker Desktop, Docker Engine, and Docker Hub, make it easy to share and manage application stacks.
  [Figure 10.14: Screenshot of Docker. Docker Hub image listing with Docker Certified and Verified Publisher filters, showing Oracle images such as Oracle Database Enterprise Edition, Oracle Java SE (Server JRE), MySQL Server Enterprise Edition and Oracle WebLogic Server.]

* Amazon Elastic Container Service (ECS) (https://aws.amazon.com)
* Microsoft Azure Container Instances (ACI) (https://azure.microsoft.com)
* Red Hat OpenShift Container Platform (https://www.openshift.com)
* Portainer (https://www.portainer.io)
* Rancher (https://rancher.com)

Kubernetes Platforms

Listed below are various Kubernetes platforms:

* Kubernetes
  Source: https://kubernetes.io
  Kubernetes is an open-source container orchestration engine for automating the deployment, scaling, and management of containerized applications. It groups the containers that make up an application into logical units for easy management and discovery, and lets users run workloads on on-premises, hybrid, or cloud infrastructure and migrate them from one place to another. Kubernetes can also deploy and update secrets and application configuration without rebuilding container images and without exposing secrets in the stack configuration.

  [Figure 10.15: Screenshot of Kubernetes. Kubernetes Dashboard Workloads view with CPU usage and Memory usage graphs and a list of running pods.]

* Amazon Elastic Kubernetes Service (EKS) (https://aws.amazon.com)
* Docker Kubernetes Service (DKS) (https://www.docker.com)
* Knative (https://cloud.google.com)
* IBM Cloud Kubernetes Service (https://www.ibm.com)
* Google Kubernetes Engine (GKE) (https://cloud.google.com)
