eBPF: Modern Security for Modern Environments

Cprime
Feb 7, 2022

Nowadays, we usually build software in containers. And if you don’t want to lag behind with your cybersecurity, you need to adapt to the way containers work.

The traditional IP:PORT:PROTO-based approach is ineffective when it comes to containers. If you invest in modern infrastructure, you should invest in modern security as well. In this post, you’ll learn what the limitations of traditional security are and how modern security works with eBPF technology.

IP:PORT:PROTO

Most traditional security tools work based on the IP:PORT:PROTO approach. They take the IP address of the machine, the port, and the protocol, and based on these three pieces of information they make decisions, for example whether to block or allow the traffic.

This approach worked fine for physical and virtual machines. However, when it comes to containers? Not so much.

This is mainly because the IP address of a container can change at any time. In fact, it’s part of the job of a container orchestrator to move containers from one node to another. Port and protocol also don’t mean much, because most containers talk to each other through HTTP REST APIs, so many different services share the same port and protocol. Your security tool can no longer understand the traffic or distinguish one service’s traffic from another’s. And that’s a problem.

Modern Container Networking Security

So, what can you do to secure your containers, you ask? Well, the answer is simple. You need a Layer 7-aware security tool: a tool that understands HTTP (and other protocols) and can make security decisions based, for example, on HTTP headers and methods instead of only on IP addresses.

Here’s a simple example. You have a virtual server with an IP of 10.0.0.2. And on that server, you have a container that needs access to your MySQL database on another machine. If you create a firewall rule that allows 10.0.0.2 to access 10.0.0.3 on port 3306, your container will be able to talk to the database. However, the host machine will also be able to talk to the database, and any other container running on that machine will also be able to talk to the database. And normally, you’ll have dozens of different containers on one machine.

You need a tool that lets you specify which container can talk to the database, not which IP address. Enter modern container networking security.

eBPF

eBPF is a Linux kernel technology that lets you build small programs that run inside the kernel. In this post, we’ll talk about eBPF in the context of container networking security, but eBPF isn’t limited to that use case.

When it comes to containers — or, to be more precise, cloud-native security — the best way to benefit from eBPF is a tool called Cilium. Simply put, Cilium uses eBPF under the hood to provide modern security for modern environments.

So, what can Cilium do for you when it comes to security?

Layer 7 Awareness

First and foremost is the fact that Cilium understands APIs and Layer 7 protocols. This means that it can allow or block traffic from one container to another based on HTTP headers or methods, Kafka topics, gRPC traffic, and more. This is a real game-changer in the cloud-native world.

You can, for example, instruct Cilium to allow a particular container only HTTP GET requests to the endpoint /users and HTTP GET and POST requests to the endpoint /posts in another container. Or, you can say that container X is only allowed to consume from the Kafka topic “incoming,” while container Y is allowed to produce to that topic as well.

Advanced Network Policies

By default in a Kubernetes cluster, all containers can talk to each other. Of course, this isn’t the ideal situation. Cilium lets you implement advanced network policies that are enforced directly by eBPF. Cilium also takes DNS into account for policy management, which means you can enforce policies based on DNS names as well. This allows Cilium to cope well with the constantly changing container environment.
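To make the HTTP allowlist from the Layer 7 section and the DNS-based policy described here concrete, the following CiliumNetworkPolicy is an added example written for this post, not a manifest from the Cilium project; the labels (app=api, app=frontend), the ports, the database name db.example.com and the kube-dns labels are assumptions for a typical cluster.

```yaml
# Added example (not from the original post). Pods labelled app=api:
# - ingress: "frontend" pods may send only GET /users, GET /posts and
#   POST /posts; Cilium's proxy answers any other request with HTTP 403.
# - egress: reach the database by DNS name, so the rule survives IP changes.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-l7-policy
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/users"
        - method: "GET"
          path: "/posts"
        - method: "POST"
          path: "/posts"
  egress:
  # DNS lookups must pass through Cilium's DNS proxy so it can learn which
  # IPs the name below resolves to; this rule allows them to kube-dns.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s:k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # Only the database, identified by name rather than by IP, on MySQL's port.
  - toFQDNs:
    - matchName: "db.example.com"
    toPorts:
    - ports:
      - port: "3306"
        protocol: TCP
```

Because the policy has an egress section, every other outbound connection from the app=api pods is denied, which is the same per-container scoping the MySQL example earlier in the post asks for.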

Summing up and Learning More

Containers bring many benefits, but they also bring more complicated networking. This makes traditional security work poorly with containers. You can use your existing tools for container-based environment security. But this approach will be far from perfect and will probably lead to a poor user experience.

Cilium and eBPF can help you solve that problem. They provide you with modern networking and security capabilities.

If you want to learn more about cybersecurity, check out our Cybersecurity Hackathon here. And remember that Cprime has many other courses as well.


Cprime

An Alten Company, Cprime is a global consulting firm helping transforming businesses get in sync.