Securing Containerized Environments with eBPF

When I started my career as a software engineer, a senior member of my team told me to investigate VMware because it was the future of computing (and, admittedly, because I was working at EMC). What I discovered fascinated me, and I spent many hours exploring the features of my virtualized development environment. My curiosity never waned even as I progressed in my career and began to learn more about IT systems and the common challenges therein.

I remember working as a sales engineer at an application performance monitoring company when Docker first really started to get attention. We had prospects reaching out to our sales team constantly asking what we could do to support their applications running in containers. While our solution at the time was able to support the basic functionality required to run in containers, it was believed that Docker was trending towards being a fad in the commercial market for one key reason—security. At the time Docker was nascent, and concerns about a container compromise spreading to other containers on the same host caused many companies to hold off on investing time and money into container-based deployments.

My story with virtualization came rushing back to me as I spoke with Thomas Graf, Co-founder and CTO at Isovalent, about cloud native networking and security. Thomas has a similar, albeit much more impressive and relevant, story about watching the transition of software deployments from physical hardware to virtual machines to containers. Graf was a kernel developer at Red Hat during the move to virtualized infrastructure, and when he saw containers emerging as the next technology, he recognized the challenges that infrastructure and security teams were going to have maintaining the level of visibility and security they had managed to achieve in virtual machines.

Starting with Open Source

Graf first addressed the problem by starting Cilium. Cilium is open source software for securing network connectivity between applications deployed in Linux container management platforms like Docker and Kubernetes. At the core of Cilium is eBPF, which allows sandboxed programs to run in the Linux kernel without changing kernel source code or loading kernel modules. eBPF makes the Linux kernel programmable, which has led to the development of new infrastructure tooling for tasks like networking, security, and application profiling without jeopardizing execution efficiency or kernel safety.

Cilium utilizes eBPF to dynamically insert security control logic and gain network visibility without requiring changes to application code or container configuration. Cilium's controls go beyond the traditional Layer 3 and 4 controls associated with firewalls, which base decisions on IP address, port, and protocol. Because containerized environments are often ephemeral, Layer 3 and 4 identifiers like IP addresses and ports are highly volatile, which makes traditional network controls difficult to implement at scale in these environments. To work in these ephemeral environments, Cilium combines the Layer 3 and 4 metadata with Layer 7 metadata on individual application requests—such as HTTP method or header values—which allows Cilium to provide visibility and enforcement based on a service, pod, or container identity rather than on an address.

Enterprise Features built on Open Core

Graf then started Isovalent together with his Co-founder Dan Wendlandt, a VMware veteran and former founding engineer of Nicira, to build on the Cilium foundation and provide an open core solution that delivers specific enterprise features like multitenant governance and compliance controls. With Isovalent, security teams are able to define a set of “ground rules”—such as which pods can communicate externally with the internet, which pods can talk within a given namespace, and which pods can talk with other namespaces—which are then enforced automatically in the environment. Isovalent also provides features to address complex workflows related to security forensics, compliance, role-based access controls, and integration with legacy infrastructure that arise as platform teams engage with application and security teams within an enterprise organization.
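To make the identity-based, Layer 7 model from the previous section and the three “ground rules” above concrete, here is an added example of a CiliumNetworkPolicy. It is not from the article, from Isovalent, or from the Cilium project's documentation; the namespace `shop`, the pod labels (`app=api`, `app=frontend`, `app=postgres`, `app=prometheus`), the port numbers and the HTTP paths are all assumptions chosen for illustration. The policy selects pods by label rather than by IP, restricts in-namespace callers to specific HTTP methods and paths, admits one cross-namespace scraper, and denies egress to the public internet.

```yaml
# Added example (not the article's or Cilium's own policy): one CiliumNetworkPolicy
# encoding the three "ground rules" for a hypothetical namespace "shop".
# All labels, ports and paths below are assumed values for illustration.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-ground-rules
  namespace: shop
spec:
  # Applies to every pod in "shop" labelled app=api. Cilium tracks the pod's
  # security identity, so IP churn from restarts or rescheduling does not matter.
  endpointSelector:
    matchLabels:
      app: api
  ingress:
    # Rule 1 (within the namespace): frontend pods may call the API, but only
    # with GET requests under /api/v1/. The HTTP match is a Layer 7 rule that
    # Cilium evaluates in its proxy; everything else from frontend is dropped.
    # A selector without a namespace label is scoped to the policy's namespace.
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/api/v1/.*"
    # Rule 2 (across namespaces): the Prometheus pod in "monitoring" may scrape
    # /metrics and nothing else. Cross-namespace selection requires the
    # namespace label explicitly.
    - fromEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": monitoring
            app: prometheus
      toPorts:
        - ports:
            - port: "9090"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/metrics"
  egress:
    # Rule 3 (external access): the API may reach the in-cluster database and
    # cluster DNS only. Because an egress section is present, any destination
    # not listed here, including the public internet, is denied.
    - toEndpoints:
        - matchLabels:
            app: postgres
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
```

Apply it with `kubectl apply -f api-ground-rules.yaml`. Two points a practitioner should check before rolling a policy like this out: once any ingress or egress rule selects a pod, Cilium treats unlisted traffic in that direction as denied, so the DNS egress rule is not optional; and the Layer 7 rules cause matching flows to pass through Cilium's proxy, which is what makes method and path visible in flow logs (for example `hubble observe --verdict DROPPED` to see what the policy rejected while tuning it).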

TAG Cyber has seen many enterprise products based on open source solutions, but what is interesting about Isovalent is that the open source and enterprise solutions have different primary use cases. Cilium is often first adopted by platform teams for the networking layer; security teams then begin utilizing it to bring back the visibility they are used to and to take advantage of the forensic capabilities that eBPF-based data provides. This means that there is value for both developers and security teams, which removes a common point of contention faced by modern security tools advocating a DevSecOps approach. With strong investor backing and widespread adoption by development teams, Isovalent is uniquely positioned to bring security controls to containerized environments.