Using Web App Firewalls and Container Firewalls to Secure App Containers


The rise of container-based applications calls for organizations to enlist security technology stacks that are designed to meet the needs of these new environments.


The shift from monolithic applications to containerized environments and microservices has had two significant effects: it’s made applications much easier to deploy and manage, but more difficult to secure. When it comes to utilizing web application firewalls (WAFs) and/or container firewalls as a security strategy for application containers, developers often have questions about the differences between these techniques and what role each should play.

In brief, the responsibility of WAFs is to protect web applications from threats within external traffic, and they tend to be effective in thwarting the most common attacks that web applications experience. By their nature, however, WAFs have difficulty viewing east-west internal traffic within – or between – hosts. Because of this, WAFs are ineffective at protecting container environments from malicious internal traffic hiding within that dynamic environment (where containers rapidly pop in and out of existence and the communications between them are well beyond what a WAF can parse).

On the other hand, container firewalls are designed to address that need, adeptly monitoring internal traffic and isolating suspicious activity to safeguard the environment. Container firewalls also include some features that overlap with the protections WAFs offer, as well as capabilities that assist in the implementation of continuous container security. Because of the risks present throughout the rapid build-ship-run cycle of today’s applications, security measures need to be in place at every stage of this process. These measures should include tools that scan containers for code and image vulnerabilities pre-deployment, in addition to both cloud-native container security and traditional web application security. The need for both network and application security is further magnified by the fact that each container has uniquely mapped network interfaces, which are utilized dynamically moment-to-moment as the container environment’s orchestration system deems optimal.

Let’s take a closer look at the key features – and differences – of container firewalls and WAFs.

Container Firewalls

Container firewalls are designed to inspect and vet all traffic within the container environment, as well as traffic connecting external networks or legacy applications to those containers. This contrasts with WAFs, which instead safeguard traffic from web-based clients to front-end applications. Container firewalls, therefore, shouldn’t replace WAFs (nor next-generation firewalls, nor IDS/IPS systems), which are designed specifically to protect the edge. That said, container firewalls do have some of the same capabilities as WAFs, for the purpose of protecting against application attacks that arise internally.

Container firewalls include these components:

  • Application intelligence – Container firewalls can use metadata and behavioral analysis to understand the intent of applications (and therefore recognize when traffic is suspiciously out of line with that intent). This intelligence includes application-level (Layer 7) protocol inspection and protection, rather than relying on iptables or L3/L4 rules alone. Container firewalls can also recognize and enforce policies based on commonly used application protocols like Redis, MySQL, or MongoDB.
  • Cloud-native – The cloud-native nature of container firewalls allows them to comprehend the activities of orchestration and container platform services like DNS and load balancers, as well as network overlays, namespaces, and deployment models like services, pods, and replications.
  • Whitelist-based rules – Container firewalls function by recognizing and allowing appropriate application behavior. They adapt these rules automatically as changes or updates occur.
  • Blacklist and custom rules – Rules for behavior that is not allowed can also be set based on container labels, IP addresses or ranges, or other L3/L4 policies.
  • Integration with container orchestration – This is a key aspect that enables container firewalls to protect container environments: interfacing with container orchestration provides the container firewall with awareness of updates to the dynamic container environment, while also allowing it to scale across hosts or even clouds.
  • CI/CD compatible – Container firewalls feature the automated deployment and management necessary to serve the needs of continuous integration and delivery pipelines.
  • Container threat protection – Similar to WAFs, container firewalls offer protection against DDoS, DNS, and other common application-level attacks.
  • Container-specific packet analysis – Packet capture on a per-container basis is useful for debugging applications as well as investigating threats and violations.
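As an added illustration (not code from the article or from any product it mentions), the following Python sketch shows how whitelist rules keyed on orchestration labels and the identified Layer 7 protocol combine with label- and CIDR-based blacklist rules to classify east-west connections. All labels, addresses, ports and protocols are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical east-west connection event, as a container firewall would derive
# it from observed traffic plus orchestration metadata (constructed sample data).
@dataclass(frozen=True)
class Conn:
    src_label: str    # orchestration label of the source workload
    dst_label: str    # orchestration label of the destination workload
    dst_ip: str
    dst_port: int
    l7_protocol: str  # protocol identified by inspection, e.g. "redis", "mysql"

# Whitelist: learned, allowed application behaviour as
# (source label, destination label, L7 protocol, port). Anything else is a violation.
ALLOW = {
    ("app=web", "app=api", "http", 8080),
    ("app=api", "app=cache", "redis", 6379),
    ("app=api", "app=db", "mysql", 3306),
}

# Blacklist: explicitly denied destinations, by label or by L3 address range.
DENY_LABELS = {"env=debug"}
DENY_NETS = [ipaddress.ip_network("10.99.0.0/16")]  # constructed forbidden range

def evaluate(conn: Conn) -> str:
    # Blacklist rules are checked first so they override learned behaviour.
    if conn.dst_label in DENY_LABELS:
        return "deny"
    if any(ipaddress.ip_address(conn.dst_ip) in net for net in DENY_NETS):
        return "deny"
    # A whitelist hit requires endpoints, port and identified protocol to agree,
    # so a non-MySQL protocol on the MySQL port is still flagged.
    if (conn.src_label, conn.dst_label, conn.l7_protocol, conn.dst_port) in ALLOW:
        return "allow"
    return "violation"

def evaluate_all(conns):
    return [(c.src_label, c.dst_label, evaluate(c)) for c in conns]

SAMPLE = [  # constructed sample traffic
    Conn("app=web", "app=api", "10.1.0.5", 8080, "http"),
    Conn("app=api", "app=cache", "10.1.0.9", 6379, "redis"),
    Conn("app=api", "app=db", "10.1.0.20", 3306, "ssh"),    # wrong protocol on db port
    Conn("app=web", "app=db", "10.1.0.20", 3306, "mysql"),  # web must not reach db directly
    Conn("app=api", "app=ext", "10.99.4.2", 443, "tls"),    # blacklisted range
]

if __name__ == "__main__":
    for src, dst, verdict in evaluate_all(SAMPLE):
        print(f"{src} -> {dst}: {verdict}")
```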

Web Application Firewalls

WAFs are intended to protect against threats arriving via web-based traffic, usually within HTTP/S traffic interacting with an application’s front-end. Effective WAFs are capable of detecting and defending against the most common and dangerous web application security risks.

WAFs generally include these features:

  • Application attack detection – WAFs can recognize SQL injection, cross-site scripting (XSS), DDoS, DNS, and other common attack methods.
  • Support for common protocols, logic, and object formats – WAFs come equipped to secure standard web application formats such as JavaScript, SQL, HTML, XML, JSON, cookies, and more.
  • Support for HTTP and HTTPS – WAFs will handle SSL termination either directly or by relying on a load balancer.
  • Virtual patching – When vulnerabilities are known but a full patch is not yet available, WAFs are capable of utilizing blacklist policies to achieve effective, if temporary, patches.

More Than Just a Container Firewall

Although the term ‘container firewall’ conveniently describes network security for container connections, container firewall solutions contain more than network security features. Additional container security features include:

  • Container and host process monitoring – Hackers can start suspicious processes such as port scanning or reverse shells, or escalate a user’s privileges to root.
  • Vulnerability scanning – All running containers and their hosts should be scanned regularly for vulnerabilities and updated if needed.
  • Compliance testing and auditing – In addition to vulnerability scans, running Docker Bench and Kubernetes CIS benchmarks to test security settings should be done automatically.

The rise of container-based applications calls for organizations to enlist security technology stacks that are designed to meet the needs of these new environments. By combining a container firewall and a WAF as part of a well-planned layered security strategy, organizations can benefit from the strengths of each to secure the entirety of this infrastructure.

Gary Duan is CTO at NeuVector, a container firewall company that uses behavioral learning to secure containers during run-time.


Opinions expressed by DZone contributors are their own.
