NeuVector Improves Container Security With Admission Control

EXCLUSIVE: The NeuVector 2.3 container firewall platform release provides new admission control capabilities that are directly integrated with the Kubernetes container orchestration platform.

NeuVector

NeuVector will issue a new release of its platform on Dec. 4, providing organizations with enhanced capabilities to secure cloud-native, container environments.

The NeuVector 2.3 release expands the container, cloud-native firewall technology with admission control security capabilities that can be directly integrated with the Kubernetes container orchestration platform.

"NeuVector uses the features of Kubernetes as a trigger and enforcement point for image deployment," NeuVector CTO Gary Duan told eWEEK. "By integrating with Kubernetes, via kube-apiserver, NeuVector can get notification for any image attempting to be deployed, then apply the policy, which an admin has configured in NeuVector to decide whether to allow or block the deployment through Kubernetes."

NeuVector's platform provides a container firewall that can filter application layer traffic to help identify anomalous behavior and traffic. 

The company was launched in January 2017 and has raised $9 million in venture funding. In a video interview with eWEEK, Fei Huang, CEO and co-founder of NeuVector, explained the core principles of his company's platform and its network-centric view of container and cloud-native security.

Admission control is a net new feature that is part of NeuVector's overall CI/CD pipeline integration for security, according to Duan. For example, he said users today can fail a build based on vulnerabilities using the Jenkins plug-in from NeuVector. They can also automatically scan new or updated images in repositories. 

"Now, with admission control, they will be able to block deployment of containers based on various criteria such as vulnerabilities, labels, users, namespace etc.," Duan said. "So, now we have improved security enforcement for the entire Build-Ship-Run pipeline."

Additionally, he explained that admission control uses the NeuVector registry scanning results to determine whether the image should be allowed to be deployed. NeuVector can also verify the digital signature of images for admission control.

Enforcement

There are multiple ways that policies can be enforced in a Kubernetes-based deployment, including using the Container Networking Interface (CNI) as a hook to block and quarantine access. Duan explained that while NeuVector is compatible with all CNI/network plug-ins, it does not rely on them to enforce network policy.

"We have built our own Layer 7 packet filtering technology, which can run as an inline firewall for selected services," Duan said. "With a run-time feature called Response rules, users are able to define policies such as if vulnerable images are found in containers, then the containers can be network quarantined."

The first release of the admission control feature is only being made available for Kubernetes and Kubernetes-based systems including OpenShift and Rancher. Duan said NeuVector is considering adding other container orchestration system, including Docker Swarm, to the product roadmap in 2019.

RBAC

There are multiple security hooks that are available in Kubernetes, including Role Based Access Control (RBAC), which is a feature used by organizations to help secure workloads based on identity.

Duan said that admission control and RBAC are two different types of security features. He explained that NeuVector focuses on validating the security policy to allow container deployment—for example, vulnerability policy for specific users and namespaces. 

"Kubernetes users can still be able to deploy vulnerable images with RBAC in place," he said.

Looking forward, NeuVector will be looking at potential integration with the Istio service mesh, which is an increasingly popular cloud-native approach that is run alongside Kubernetes. 

"We will continue to build on our container network security expertise and add more network threat intelligence," Duan said. "We will also integrate our security mesh technology with service meshes more tightly."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.