Echoing the Java boom of the late 1990s and early 2000s, container applications have exploded onto the 2010s scene as a cross-platform trend. And similar to Java, containers run on any platform so long as it has the correct software installed.
Docker leads in container adoption among IT shops today. To secure Docker and other container software that operate across platforms, one question arises: Should system administrators focus on containers as a new attack vector, or should they focus on the host machine?
Docker on Windows
As of the time of this writing, the Windows edition of Docker is only available on Windows 10 Pro, and it further requires Microsoft Hyper-V to virtualize the Docker engine environment and to virtualize specific features within the Linux kernel. The prudent systems administrator would do well to ensure that minimal traffic is shared between the virtual machine and the host machine for secure Docker containers. A certain amount of communication must transpire between the host and VMs since Docker does not run natively on Windows. What does run on the Windows host is a Docker client built specifically for the Windows environment.
On Windows, host-based antivirus software is paramount, especially if end users connect to the Windows machine remotely. Conduct careful and frequent examinations of the process list on the host machine, and endeavor to perform periodic packet captures. Lastly, because the Docker daemon runs within a VM, Hyper-V allocates a virtual IP address to Docker Machine. Therefore, when conducting packet captures, configure the tool, such as Wireshark, to sniff specifically on the docker-machine IP address. For example, if Hyper-V allocates an IP address of 192.168.1.1 to the Docker machine, then run a capture from the host machine with the following filter:
This lets the systems administrator see all inbound and outbound traffic to the Docker machine.
To get even more granular when you secure Docker, consider the fact that the Docker daemon typically communicates on TCP port 2375 for unencrypted traffic and TCP port 2376 for encrypted traffic. The relevant Wireshark filter would resemble the following:
ip.addr==192.168.1.1 && (tcp.port eq 2375 || tcp.port eq 2376)
With this filter in place, Wireshark should display only traffic to and from the Docker daemon.
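As an added example (not part of the original article), the following Python script applies the same triage to a packet-summary export rather than to a live Wireshark window: it builds the two display filters from the docker-machine address, then walks constructed tshark-style field lines and separates clients that reached the daemon over the unencrypted port 2375 from those that used the TLS port 2376. The docker-machine IP 192.168.1.1 is the article's example value; the host-only filter is reconstructed from that IP and the syntax of the article's second filter; the sample rows are constructed, not a real capture.

```python
"""Triage Docker daemon traffic from a packet-summary export.

Assumptions (illustrative): the docker-machine IP from the article
(192.168.1.1) and Docker's conventional daemon ports, 2375 for plaintext
and 2376 for TLS. SAMPLE_FIELDS is constructed to resemble the output of
`tshark -T fields` with frame.time_relative, ip.src, ip.dst,
tcp.srcport, tcp.dstport; it is not a real capture.
"""

DOCKER_MACHINE_IP = "192.168.1.1"   # replace with the IP Hyper-V actually allocates
PLAINTEXT_PORT = 2375
TLS_PORT = 2376

# Constructed sample: one TLS session, one plaintext session from the host,
# unrelated HTTPS traffic, and a plaintext connection from an unexpected subnet.
SAMPLE_FIELDS = """\
0.000  192.168.1.10  192.168.1.1   51234  2376
0.012  192.168.1.1   192.168.1.10  2376   51234
0.500  192.168.1.10  192.168.1.1   51240  2375
0.502  192.168.1.1   192.168.1.10  2375   51240
1.100  192.168.1.10  10.0.0.5      51300  443
1.700  172.16.0.9    192.168.1.1   40000  2375
"""


def host_filter(docker_ip):
    """Display filter showing all traffic to and from the docker-machine address."""
    return f"ip.addr=={docker_ip}"


def daemon_filter(docker_ip):
    """Display filter narrowed to the Docker daemon's two TCP ports."""
    return f"ip.addr=={docker_ip} && (tcp.port eq {PLAINTEXT_PORT} || tcp.port eq {TLS_PORT})"


def parse_fields(text):
    """Parse whitespace-separated tshark field lines into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, sport, dport = line.split()
        rows.append({"t": float(t), "src": src, "dst": dst,
                     "sport": int(sport), "dport": int(dport)})
    return rows


def docker_api_flows(rows, docker_ip):
    """Return client endpoints that talked to the daemon, keyed by daemon port.

    A packet counts only if the docker-machine side uses port 2375 or 2376,
    mirroring the Wireshark filter; each client is (address, ephemeral port).
    """
    plaintext, tls = set(), set()
    for r in rows:
        if r["dst"] == docker_ip and r["dport"] in (PLAINTEXT_PORT, TLS_PORT):
            client, port = (r["src"], r["sport"]), r["dport"]
        elif r["src"] == docker_ip and r["sport"] in (PLAINTEXT_PORT, TLS_PORT):
            client, port = (r["dst"], r["dport"]), r["sport"]
        else:
            continue
        (plaintext if port == PLAINTEXT_PORT else tls).add(client)
    return {"plaintext": sorted(plaintext), "tls": sorted(tls)}


def report(text=SAMPLE_FIELDS, docker_ip=DOCKER_MACHINE_IP):
    """Summarise daemon clients and flag every one that used the unencrypted port."""
    flows = docker_api_flows(parse_fields(text), docker_ip)
    findings = [f"unencrypted Docker API client {ip}:{port}"
                for ip, port in flows["plaintext"]]
    return flows, findings


if __name__ == "__main__":
    print(host_filter(DOCKER_MACHINE_IP))
    print(daemon_filter(DOCKER_MACHINE_IP))
    flows, findings = report()
    print(flows)
    for f in findings:
        print("FINDING:", f)
```

Feeding a real export (`tshark -r capture.pcapng -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport`) into `report()` turns the article's manual inspection into a repeatable check; any entry under `plaintext` is a client whose daemon commands crossed the wire unencrypted and deserves a closer look.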
Docker for Linux
Docker on Linux is a little more straightforward, as Docker is a native Linux application, built to interact directly with LXC containers. Therefore, unlike Windows setups, Docker does not require a VM -- the Docker daemon can run directly on the host.
Antivirus software is not vital to secure Docker on Linux machines. However, if policy dictates that antivirus software must be installed on all nodes, then the systems administrator can install one of the open source variety, such as Clam AntiVirus.
Linux alone cannot secure Docker. When administrators allow a subset of end users access to the Docker daemon, those users are implicitly granted root access. Therefore, use great caution when granting access. Within the context of Docker, a user who can reach the daemon could alter the host machine's file system, even without intending to do so.
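The following Python audit is an added example, not code from the original article. It shows how an administrator can enumerate who holds that root-equivalent access and whether the daemon is also reachable over the network: it reads `/etc/group`-style text for members of the `docker` group (the Unix group Docker grants socket access to; assumed here as the standard setup) and parses a `daemon.json` for `tcp://` entries in `hosts` that lack `tls`/`tlsverify`. Both inputs below are constructed samples.

```python
"""Audit who can reach the Docker daemon and how it is exposed.

Assumptions (illustrative): the standard `docker` Unix group controls
access to the daemon socket, and daemon settings live in daemon.json
using the `hosts`, `tls` and `tlsverify` keys. SAMPLE_GROUP and
SAMPLE_DAEMON_JSON are constructed for this example.
"""
import json

# Constructed /etc/group excerpt: three accounts hold docker-group membership.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice
docker:x:999:alice,bob,ci-runner
"""

# Constructed daemon.json: Unix socket plus an unencrypted TCP listener on all interfaces.
SAMPLE_DAEMON_JSON = """\
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "tlsverify": false
}
"""


def docker_group_members(group_text, group="docker"):
    """Return the member list of `group` from /etc/group-formatted text."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group:
            return [m for m in fields[3].split(",") if m]
    return []


def daemon_listener_findings(daemon_json_text):
    """Flag TCP listeners that are unencrypted or bound to every interface."""
    cfg = json.loads(daemon_json_text)
    findings = []
    tls_on = bool(cfg.get("tlsverify") or cfg.get("tls"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue                      # unix:// and fd:// listeners are local only
        addr = host[len("tcp://"):]
        if not tls_on:
            findings.append(f"{host}: TCP listener without TLS (tls/tlsverify not set)")
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"{host}: bound to all interfaces")
    return findings


def audit(group_text=SAMPLE_GROUP, daemon_json_text=SAMPLE_DAEMON_JSON):
    """Combine group membership and listener checks into one findings list."""
    findings = [f"user '{m}' is in the docker group (root-equivalent on this host)"
                for m in docker_group_members(group_text)]
    findings += daemon_listener_findings(daemon_json_text)
    return findings


if __name__ == "__main__":
    # On a real host: audit(open("/etc/group").read(), open("/etc/docker/daemon.json").read())
    for f in audit():
        print("FINDING:", f)
```

Every name the group check returns should map to someone the organisation has consciously decided may act as root on that host; a TCP listener finding means the same access is available to anyone who can reach the port, which is the case the article's Windows section addresses with packet captures.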
When the developers, IT team or business leaders decide to utilize Docker containers, systems administrators should take comfort in the fact that some of their usual burden is eased by Docker's cross-platform portability. However, admins cannot ignore that the cross-platform nature of Docker containers also gives rise to various other issues, not the least of which is security.