Agile Network Access Control in the Container Age
Linux Containers, such as those managed by Docker, are an increasingly
popular way to package and deploy complex applications. However, the
fundamental security primitive of network access control for a distributed
microservice deployment is often ignored or left to the network operations
team. High-level application-specific security requirements are not
appropriately enforced by low-level network access control lists. Apart from
coarse-grained separation of virtual networks, Docker neither lets the
application developer specify nor lets network operators enforce
fine-grained network access control between containers.
In a fictional story, we follow DevOps engineer Alice through the lifecycle of
a web application. From the initial design and software engineering through
network operations and automation, we show the tasks expected of Alice and
propose tool support to help. As a full-stack DevOps engineer, Alice is involved in
high-level design decisions as well as low-level network troubleshooting.
Focusing on network access control, we demonstrate shortcomings in today's
policy management and sketch a tool-supported solution. We survey related
academic work and show that many existing tools fail to bridge the
different levels of abstraction a full-stack engineer operates on.
Our toolset is formally verified using Isabelle/HOL and is available as Open
Source.