Securing the network for VMs or Containers

Securing Securing
KVM / containerKVM / container
networksnetworks
Marian HackMan MarinovMarian HackMan Marinov
<mm@siteground.com><mm@siteground.com>
Chief System ArchitectChief System Architect
SiteGroundSiteGround

Who am I?Who am I?Who am I?Who am I?
❖ Chief System Architect of Siteground.com
❖ Sysadmin since 1996
❖ Organizer of OpenFest, BG Perl Workshops,
LUG-BG and similar :)
❖ Teaching Network Security and Linux System
Administration at Sofia University

DISCLAMERDISCLAMERDISCLAMERDISCLAMER
❖ I'll be looking only at the network on the host
machine
❖ The only proper way of securing the network
between your VMs / containers and the host
machine is to know your infrastructure.
This includes MAC, IP addresses and their actual
location.

❖ Basic things that have to protect from
 arp spoofing
 ip spoofing
 traffic leaking / sniffing

KVM networkingKVM networkingKVM networkingKVM networking
❖ What network options does KVM give us?
 vnet device on the host
 macvtap
 Virtual Distributed Ethernet (VDE)
 assign a physical device (SR-IOV)
Single Root I/O Virtualization (SR-IOV)
 assign a physical device (eth, wlan)

KVM networkingKVM networkingKVM networkingKVM networking
❖ What network options does KVM give us?
 NAT
 Routing
 Bridge
 OpenVswitch
 ProxyARP

Container networkingContainer networkingContainer networkingContainer networking
❖ What network options are available for
containers?
 macvlan (tap & tun)
 veth pair (routing or NAT)
 VDE (using tap devices)
 move any network device into the
container (eth, tun/tap, vlan, wlan, etc.)

Container networkingContainer networkingContainer networkingContainer networking
❖ What network options are available for
containers?
 Bridge
 OpenVswitch
 Routing
 NAT
 ProxyARP

Protections?Protections?Protections?Protections?
❖ How can we secure all those options?
 VLANs

 VLANs
 Routing

 VLANs
 Routing
 Static ARP

 VLANs
 Routing
 iptables

 VLANs
 Routing
 iptables
 ebtables

 VLANs
 Routing
 iptables
 ebtables
 arptables

 VLANs
 Routing
 iptables
 ebtables
 arptables
 ip6tables

Network setupNetwork setupNetwork setupNetwork setup
VM-1VM-1
LXC-1LXC-1
VM-2VM-2
LXC-2LXC-2
Using a Router

VM-1VM-1
LXC-1LXC-1
VM-2VM-2
LXC-2LXC-2
Using a Bridge

Attacking theAttacking the
bridged networkbridged network
Attacking theAttacking the
❖ arp poisoning
 VM-1 arp cache poison of the HOST
 VM-1 arp cache poison of VM-2
 As simple as:
# ip a a 10.0.0.1/24 dev eth0
# arping -i eth0 -U 10.0.0.1
 Can be even easier:
# arpspoof -i eth0 -t 10.0.0.1 -r 10.0.0.15

Protecting theProtecting the
❖ Preventing arp poison on the HOST
 adding static ARP entries:
# ip n a 10.0.0.15 lladdr 01:81:36:ec:05:ee
nud permanent dev vnet1

❖ Preventing arp spoofing to the
VMs/Containers
 configure ARPTABLES
# arptables -P OUT DROP
# arptables -A OUT -j ACCEPT -s GW
-i eth0 -z xx:xx:xx:xx:xx:xx
# arptables -A OUT -j ACCEPT -s 10.0.0.15
-i vnet1 -z xx:xx:xx:xx:xx:xx
# arptables -A OUT -j ACCEPT -o vnet1

VM-1VM-1
LXC-1LXC-1
VM-2VM-2
LXC-2LXC-2
Using a Bridge
eth0: 10.12.0.12
# brctl show
bridge bridge id interfaces
br0 8000.028037ec0200 eth0
vnet1
vnet2

VM-1VM-1
LXC-1LXC-1
VM-2VM-2
LXC-2LXC-2Using a Bridge
eth0: 10.12.0.12
VM1: ping -c1 10.12.0.12
PING 10.12.0.12 (10.12.0.12) 56(84) bytes of data.
64 bytes from 10.12.0.12: icmp_seq=1 ttl=64 time=0.086 ms

VM-1VM-1
LXC-1LXC-1
VM-2VM-2
❖ We now have many options
we can use bridge vlan filtering
using ingress policy
using ebtables
using namespaces
ebtables filter (drop all traffic on that interface)
arptables filter
iptables filter (drop all traffic on that interface)
don't forget about IPv6 ☺

VM-1VM-1
LXC-1LXC-1
VM-2VM-2
# echo 1 > /sys/class/net/br0/bridge/vlan_filtering
# bridge vlan del dev br0 vid 1 self
# bridge vlan show
port vlan ids
eth0 1 PVID Egress Untagged
vnet1 1 PVID Egress Untagged
br0 None

VM-1VM-1
LXC-1LXC-1
VM-2VM-2
# echo 1 > /sys/class/net/br0/bridg
# bridge vlan del dev br0 vid 1 sel
# bridge vlan show
port vlan ids
eth0 1 PVID Egress Untagged
br0 None
HOST

VM-1VM-1
LXC-1LXC-1
VM-2VM-2
ingress filter
# tc qdisc add dev br0 handle ffff: ingress
# tc filter add dev br0 parent ffff: u32
match u8 0 0 action drop
ebtables:
# ebtables -A INPUT --logical-in br0 -j DROP

VM-1VM-1
LXC-1LXC-1
VM-2VM-2
LXC-2LXC-2
Using a Bridge
HOST
eth1
br0
eth0
vnet1
vnet2
vm-bridge

# ip netns add vm-bridge
# ip link set netns vm-bridge eth0
# ip link set netns vm-bridge vnet1
# ip link set netns vm-bridge vnet2
# ip link del dev br0
# ip netns exec vm-bridge brctl addbr br0
# for i in eth0 vnet1 vnet2; do
> ip netns exec vm-bridge brctl addif br0 $i
> ip netns exec vm-bridge ip link set up dev $i
> done
# ip netns exec vm-bridge ip link set up dev br0

Disabling ARP on bridge br0:
# ip link set arp off dev br0
# ip l l dev br0
8: br0: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP>
mtu 1500 qdisc noqueue state UP mode DEFAULT group d
link/ether 50:54:33:00:00:04 brd ff:ff:ff:ff:ff:ff

VM-1VM-1
LXC-1LXC-1
VM-2VM-2
LXC-2LXC-2
Using a Router
VM1: 10.0.0.4/30
VM2: 10.0.0.8/30
HOST: 10.0.0.0/30

VM-1VM-1
LXC-1LXC-1
VM-2VM-2
LXC-2LXC-2If you want flexibility,If you want flexibility,
you add a routing protocolyou add a routing protocol
bgp1bgp1 bgp2bgp2

VM-1VM-1
LXC-1LXC-1
VM-2VM-2
LXC-2LXC-2If you want flexibility,If you want flexibility,
you add a routing protocolyou add a routing protocol
You now need to protect the
BGPs from bogus announcements
bgp1bgp1 bgp2bgp2

Protect the HOSTProtect the HOSTProtect the HOSTProtect the HOST
Prevent access to the host node with policy routing
# echo “200 vnet1” >> /etc/iproute2/rt_tables
# ip route add 0/0 via x.x.x.x table vnet1
# ip route add 10.0.0.15 dev vnet1 table vnet1
# ip rule add iif vnet1 table vnet1
# ip rule add oif vnet1 table vnet1

Prevent spoofing of IPsPrevent spoofing of IPsPrevent spoofing of IPsPrevent spoofing of IPs
Limit the source IPs of all clients:
# iptables -P FORWARD DROP
# iptables -A FORWARD -j ACCEPT -i vnet1 -s 10.0.0.15
# iptables -A FORWARD -j ACCEPT -i vnet2 -s 10.0.0.16

THANK YOUTHANK YOUTHANK YOUTHANK YOU
Marian HackMan Marinov
<mm@siteground.com>

Securing the network for VMs or Containers

More Related Content

What's hot (20)

Viewers also liked (19)

Similar to Securing the network for VMs or Containers (20)

More from Marian Marinov (20)

Recently uploaded (20)

Securing the network for VMs or Containers