A recent article, “SUSE Launches NeuVector: The industry’s first Open Source container security platform”, was republished by major IT news sites. As a new member of the SUSE family, NeuVector has fulfilled its open source commitment after only 3 months, which is remarkable. So what does SUSE see in NeuVector? How does it compare with the open source security products of other security vendors, and where are the breakthroughs? Below, I take a brief look at NeuVector from a SecDevOps perspective.

The state of open source cloud native security products

NeuVector is not open-sourcing a single component or security tool, but a complete container security platform. This is quite different from the open source strategies of the other major cloud native security vendors. Active open source vendors in the cloud native area currently include Aqua Security, Sysdig (Falco), Anchore, Fairwinds, Portshift, and Stackrox (acquired by Red Hat), along with security tools from large companies such as Clair. Traditional security vendors also offer cloud native security products, but few of them are open source. Cloud native security has become an important track on which innovative security vendors can break through the traditional vendors, and open source is more of a litmus test for their products.

Project         | Vendor                 | Link                    | Stars | Type                                                      | Open-sourced
clair           | Quay                   | github.com/quay/clair   | 8.4k  | Image scanning                                            | 2015-11-13
trivy           | Aqua                   | github.com/aquasecurit… | 10.1k | Image scanning                                            | 2019-04-11
kube-hunter     | Aqua                   | github.com/aquasecurit… | 3.4k  | Vulnerability scanning                                    | 2018-07-18
kube-bench      | Aqua                   | github.com/aquasecurit… | 4.5k  | CIS security baseline                                     | 2017-06-19
starboard       | Aqua                   | github.com/aquasecurit… | 968   | Dashboard                                                 | 2020-03-17
tracee          | Aqua                   | github.com/aquasecurit… | 1.5k  | System event tracing based on eBPF                        | 2019-09-18
anchore-engine  | Anchore                | github.com/anchore/anc… | 1.4k  | Vulnerability scanning                                    | 2017-09-06
kyverno         | kyverno.io             | github.com/kyverno/kyv… | 1.8k  | Kubernetes policy and auditing                            | 2019-02-04
GateKeeper      | OPA (sysdig)           | github.com/open-policy… | 1.3k  | Kubernetes policy and auditing                            | 2018-10-26
falco           | falcosecurity (Sysdig) | github.com/falcosecuri… | 4.4k  | System event tracing and alerting based on kernel module  | 2016-01-19
terrascan       | accurics.com           | github.com/accurics/te… | 2.7k  | General IaC configuration scanning                        | 2017-09-11
Kubei           | Portshift              | github.com/cisco-open/… | 489   | Image scanning (with dashboard)                           | 2020-03-22
Polaris         | Fairwinds              | github.com/FairwindsOp… | 2.4k  | Configuration scanning and policies                       | 2018-11-15
kubesec         | controlplaneio         | github.com/controlplan… | 667   | Kubernetes configuration scanning                         | 2017-10-10
KubeEye         | KubeSphere             | github.com/kubesphere/… | 424   | Policy-based Kubernetes cluster configuration scanning    | 2020-11-07
kube-linter     | Stackrox (Red Hat)     | github.com/stackrox/ku… | 1.8k  | Kubernetes configuration scanning                         | 2020-08-13

The table above lists the major open source projects from the various security vendors. As can be seen, open source security software is currently concentrated in four categories:

  1. Image vulnerability scanning
  2. Compliance and baseline scanning
  3. Kubernetes security policy and configuration management
  4. Threat detection

In addition to these four types of tools, network security is also an important part of cloud native security. At present, however, it is mainly provided by CNI network plug-ins, and no comparable products are found at the other security vendors. These tools are currently in a fairly fragmented state. With the exception of the Starboard project, a simple security platform that integrates Aqua’s open source security product line, no other vendor has open-sourced a platform-level project like NeuVector, and Starboard is currently limited to basic functions such as automatic vulnerability scanning, configuration auditing and CIS baselines. With the above tools alone, it is difficult for operations and development teams to assemble a comprehensive security solution. Judging by the star counts, scanning tools such as Trivy and Terrascan are more popular with community users than Falco, a runtime security tool. This has to do with the fact that scanning tools are easier to implement and can quickly be integrated into the CI/CD pipeline, whereas runtime security tools need to be integrated with other IT systems or extended before they play a role in security protection; the difficulty of learning, using and implementing them has greatly hindered their adoption. NeuVector’s open source approach is likely to change that, allowing the community to easily deploy a complete security platform with features previously available only on paid commercial platforms.

Cloud native container security platform

Next, let’s take a look at what unique open source features NeuVector has as a cloud-native container security platform.

A unified platform

First of all, as a platform it should offer unified installation and deployment, so that users do not need to think about how to integrate various security components to meet their security requirements. Currently, NeuVector can be easily deployed on an existing Kubernetes cluster using the officially provided Helm chart or YAML files. NeuVector consists of five main services:

  • Manager: NeuVector’s web console, which provides a unified management UI for viewing security events and managing security solutions, rules, and so on.
  • Controller: the backend server and controller that manages components such as the Enforcer and Scanner, distributes security policies, and schedules scanning tasks.
  • Scanner: performs vulnerability scanning and compliance baseline scanning.
  • Enforcer: a lightweight container that intercepts system events, enforces security policies, and more. It normally runs as a DaemonSet on each node in the cluster.
  • Updater: updates the CVE database.

Second, a unified management plane: it manages the various assets on the Kubernetes platform (containers, images, hosts, processes, etc.), configures rules and policies for the various components, and runs scheduled tasks such as compliance scans and image scans. NeuVector is now relatively full-featured, comparable in its main features to commercial platforms such as Sysdig and Aqua. After a successful installation, the user can open the NeuVector console in a browser. Its navigation bar contains five core function groups (asset management, policy management, security risks, notifications, and platform settings, together with federated cluster management); expanding each of them shows the breadth of the platform’s features.

Assets            | Policy            | Security Risks          | Notifications   | Settings
Platforms         | Admission Control | Vulnerabilities         | Security Events | Users & Roles
Nodes             | Groups            | Vulnerabilities Profile | Risk Reports    | Configuration
Containers        | Network Rules     | Compliance              | Events          | LDAP/AD Settings
Registries        | Response Rules    | Compliance Profile      |                 | SAML Settings
System Components | DLP Sensors       |                         |                 | OIDC Settings
                  | WAF Sensors       |                         |                 |

Thirdly, the linkage between components. NeuVector automatically discovers the behavior of applications, containers, and services, and the transition from learning mode to monitoring mode to protection mode makes this efficient. Once the known container behavior has been modeled, any violation of the resulting rules triggers a security event. These events are collected in the Security Events module, and the Response Rules module configures the response to each kind of event, such as an alarm notification or automatic blocking.
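As an added illustration of the learn/monitor/protect linkage just described (example code written for this article, not NeuVector’s own implementation; the group name, process paths and response actions are constructed):

```python
"""Toy model of the learn -> monitor -> protect workflow the post describes.
Added example, not NeuVector code: group names, process paths and the
three-state machine are constructed to illustrate the idea, not NeuVector's API."""
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    LEARN = "learn"        # record what is observed as the group's baseline
    MONITOR = "monitor"    # deviations raise a security event but are allowed to run
    PROTECT = "protect"    # deviations raise a security event and are blocked

@dataclass
class SecurityEvent:
    group: str
    process: str
    action: str            # the response rule that fired: "alert" or "block"

@dataclass
class BehaviorModel:
    mode: Mode = Mode.LEARN
    allowed: dict = field(default_factory=dict)      # group -> set of process paths
    security_events: list = field(default_factory=list)

    def observe(self, group: str, process: str) -> str:
        """Handle one process-exec event; returns 'allow', 'alert' or 'block'."""
        baseline = self.allowed.setdefault(group, set())
        if self.mode is Mode.LEARN:
            baseline.add(process)                     # learning: everything seen becomes a rule
            return "allow"
        if process in baseline:
            return "allow"
        action = "block" if self.mode is Mode.PROTECT else "alert"
        self.security_events.append(SecurityEvent(group, process, action))
        return action

    def trust(self, group: str, process: str) -> None:
        """Operator marks a false positive as trusted: extend the group's rule set."""
        self.allowed.setdefault(group, set()).add(process)

def run_demo():
    """Walk one constructed workload through all three modes."""
    model = BehaviorModel()
    for proc in ("/usr/sbin/nginx", "/bin/sh"):       # normal start-up, learned as baseline
        model.observe("nginx.default", proc)
    model.mode = Mode.MONITOR
    first = model.observe("nginx.default", "/usr/bin/curl")   # unknown binary -> "alert"
    model.mode = Mode.PROTECT
    second = model.observe("nginx.default", "/usr/bin/curl")  # same deviation -> "block"
    model.trust("nginx.default", "/usr/bin/curl")             # operator accepts it as legitimate
    third = model.observe("nginx.default", "/usr/bin/curl")   # now "allow"
    return first, second, third, len(model.security_events)

if __name__ == "__main__":
    print(run_demo())    # ('alert', 'block', 'allow', 2)
```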

Visual security threat analysis panel

NeuVector’s visual panel helps administrators analyze current system risks: security events, host and container vulnerabilities, and ingress/egress traffic are displayed. PDF and CSV export is also supported to facilitate report generation and analysis.

Asset management

Asset management shows information about nodes, containers, image registries, and NeuVector’s own components. It lets you view the security risks of related assets from different perspectives and run scanning tasks for different assets.

Event notification

NeuVector’s notification module contains security events, risk (compliance and vulnerability) events, and system events.

A security event records an action that violates a whitelist or matches a blacklist. For example, we can set up a whitelist in the network rules; every network connection not allowed by the whitelist will then be blocked and a security event logged. You can also view network, process, and file events, and modify the event rules to turn false positives into trusted events.

User rights management and authentication system integration

The NeuVector console has user management capabilities that restrict user permissions. In addition, it can be integrated with third-party identity systems such as LDAP, SAML, and OIDC, simplifying authorization by mapping the user groups of those systems to NeuVector permissions. In this way users can reuse their existing authorization infrastructure.

Federated Cluster Management

NeuVector supports multi-cluster management. After creating a primary cluster, you can configure federated rules in it, and these rules are automatically distributed to the other clusters. Using a federated cluster, you can centrally deploy and manage the security policies and rules of each cluster, simplifying management. The managed clusters have no right to change the federated rules, which ensures that a managed cluster cannot violate the security rules and improves its security.

Functional comparison

Next, let’s take a look at how NeuVector’s built-in security toolkit compares to the current mainstream open source security tools.

Image vulnerability scanning

Clair, Trivy, and Anchore Engine dominate most of the open source market, alongside commercial products such as Snyk. Among these projects, Trivy, as a latecomer, surpassed Clair and became the most popular tool in just three years, which is closely related to Trivy’s powerful functions. Trivy supports vulnerability scanning of OS packages for Alpine, RHEL, CentOS, Ubuntu and others, as well as of language dependencies for Go, Python, PHP, Node.js, Java, .NET, etc. A GitHub Actions based automation task pulls the latest vulnerability information from the official CVE databases of the major vendors and updates the Trivy vulnerability database promptly.

As can be seen from NeuVector’s code base, its vulnerability scanning currently supports detection based on APK, DPKG and RPM distribution packages, and the core code is very concise. However, since the vulnerability database has not been released, it is difficult to judge the accuracy and comprehensiveness of its scanning. We also need to wait for NeuVector to release its next open source plan to fully understand its development direction. In the short term, NeuVector’s vulnerability scanning is unlikely to shake Trivy’s position.

Compliance

NeuVector’s built-in compliance checks include the CIS Kubernetes and Docker Benchmarks, as well as industry-standard compliance templates such as PCI, NIST, GDPR, and HIPAA. The CIS Kubernetes Benchmarks automatically detect OpenShift and GKE, but because the benchmark scripts do not yet support custom rules, cluster environments deployed in private clouds or with third-party installation tools are currently limited. In addition, because NeuVector’s inspection code is written as bash scripts, it is not as extensible and configurable as kube-bench.

Other compliance testing tools currently target only one standard each and find it difficult to cover others; NeuVector is more comprehensive and universal. Users can write custom compliance testing scripts for hosts, containers or third-party components, and are not limited to CIS or other standard rules. On the other hand, custom compliance detection scripts should be used with caution: they run with root permissions on hosts and containers and are not restricted in which commands they may execute, so they carry potential security risks.

Network topology graph

The network topology diagram visually displays the network communication relationships between containers and between containers and hosts, which helps us analyze potential security risks and improves the observability of the network. Weave Scope and Cilium Hubble both support network topology mapping. Weave Scope applies to a wider range of environments: not just Kubernetes, but also Docker, Mesosphere, and more. Hubble depends on Cilium, but Cilium not only has superior performance, it also treats observability and security as its primary features, so Hubble is widely used as its core component. Cilium, as a popular plugin in the community, is poised to surpass Calico in the future.

In terms of functions, Weave Scope focuses more on network performance analysis and debugging, and supports plug-ins to customize the UI. Hubble leans more toward microservice governance: it can display the dependency relationships of microservices and provides better support for application-layer protocols. It also shows which services initiate Internet access or domain name resolution, as well as network connections intercepted by network policies.

NeuVector’s Network Activity feature focuses on network security. It helps network administrators identify abnormal traffic, manage network security policies and issue isolation commands. Although the views have similar functions and principles, a horizontal comparison has limited significance because their functional focus differs.

Kernel Event Auditing

Analyzing system and application behavior through kernel events is an important part of runtime security detection. Events monitored by the Linux kernel are generated at a very high rate and demand high efficiency from the core module. Therefore eBPF is used in mainstream solutions, such as Tracee, which uses eBPF plus Golang as its event collection engine. Kernel modules are another option, and Falco currently supports both eBPF and kernel modules, providing greater flexibility and better support for older kernels. NeuVector lacks design documentation for event collection, and due to time constraints I have not fully understood NeuVector’s event collection pattern from the code. Judging by code structure alone, the code is relatively complex, lacks comments, and the relationships between components are hard to determine from naming. I hope the project can improve the relevant documents as soon as possible to allow further understanding and analysis.

Install the trial

Next we’ll install a trial of NeuVector using KubeSphere.

Enter the kubectl terminal

First log in to the KubeSphere Console, go to “Platform Management”, and select “Cluster Management”.

Go to “ks-installer”: select “Application Workloads”, then “Workloads”, set the project to “kubesphere-system”, and select “ks-installer”.

Open the Pod terminal of ks-installer.

Install NeuVector using Helm

  • Create a namespace
      kubectl create namespace neuvector
  • Create a ServiceAccount
      kubectl create serviceaccount neuvector -n neuvector
  • Add the NeuVector Helm repository
      helm repo add neuvector https://neuvector.github.io/neuvector-helm/
  • Install NeuVector
      helm install my-neuvector --namespace neuvector neuvector/core

  • Replace the images

    Because the official NeuVector images require credentials to pull, we replace them with the public preview images (for more installation information see github.com/neuvector/n…):

      kubectl set image deployment.apps/neuvector-controller-pod '*=neuvector/controller.preview:5.0.0-preview.1' -n neuvector
      kubectl set image deployment.apps/neuvector-manager-pod '*=neuvector/manager.preview:5.0.0-preview.1' -n neuvector
      kubectl set image deployment.apps/neuvector-scanner-pod '*=neuvector/scanner.preview:latest' -n neuvector
      kubectl set image daemonset.apps/neuvector-enforcer-pod '*=neuvector/enforcer.preview:5.0.0-preview.1' -n neuvector
      kubectl get cronjob/neuvector-updater-pod -n neuvector -o yaml \
        | sed 's#image: registry.neuvector.com/updater:latest#image: neuvector/updater.preview:latest#' \
        | kubectl replace -f -

  • View the NeuVector service status

Visit the NeuVector UI

  • Use a Kubernetes node IP and the node port to access the NeuVector UI, e.g. http://1.2.3.4:34567
  • Default username/password: admin/admin
  • Click “I accept” on the terms of use
  • To change the default password, click the user menu, select “My Profile”, then click “Edit Profile”
  • View the Dashboard
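To carry out the “View the NeuVector service status” step above more rigorously than eyeballing `kubectl get pods`, the following added example (not NeuVector or KubeSphere code) checks each of the five components for the image swap and for readiness. The workload names follow the `kubectl set image` commands above; the input is the parsed JSON that `kubectl get deploy,ds,cronjob -n neuvector -o json` returns, and the sample below is constructed.

```python
"""Sanity-check the NeuVector trial after the image swap. Added example, not
NeuVector or KubeSphere code; `items` is the parsed JSON `items` list of
`kubectl get deploy,ds,cronjob -n neuvector -o json` (a constructed sample follows)."""
import re
# Component -> the workload kind it runs as (the five services described above).
EXPECTED = {"controller": "Deployment", "manager": "Deployment",
            "scanner": "Deployment", "enforcer": "DaemonSet", "updater": "CronJob"}

def _images(item):
    spec = item["spec"]
    tmpl = spec["jobTemplate"]["spec"]["template"] if item["kind"] == "CronJob" else spec["template"]
    return [c["image"] for c in tmpl["spec"]["containers"]]

def _ready(item):
    st, spec = item.get("status", {}), item["spec"]
    if item["kind"] == "Deployment":
        return st.get("readyReplicas", 0) == spec.get("replicas", 1)
    if item["kind"] == "DaemonSet":
        return st.get("numberReady", 0) == st.get("desiredNumberScheduled", -1)
    return True  # a CronJob has no long-running pods to be "ready"

def check_components(items):
    """Return {component: [problems]}; an empty list means that component looks healthy."""
    report = {comp: ["not found"] for comp in EXPECTED}
    for item in items:
        m = re.fullmatch(r"neuvector-(\w+)-pod", item["metadata"]["name"])
        if not m or m.group(1) not in EXPECTED:
            continue
        comp, problems = m.group(1), []
        if item["kind"] != EXPECTED[comp]:
            problems.append(f"kind is {item['kind']}, expected {EXPECTED[comp]}")
        for img in _images(item):
            head, _, last = img.rpartition("/")          # drop the tag: "repo/name:tag" -> "repo/name"
            repo = (head + "/" if head else "") + last.split(":")[0]
            if not (repo.startswith("neuvector/") and repo.endswith(".preview")):
                problems.append(f"image {img} is not a public neuvector/*.preview image")
        if not _ready(item):
            problems.append("not all pods ready")
        report[comp] = problems
    return report

def _workload(kind, comp, image, **status):
    """Build a constructed, minimal object shaped like kubectl's JSON output."""
    tmpl = {"spec": {"containers": [{"name": comp, "image": image}]}}
    spec = {"jobTemplate": {"spec": {"template": tmpl}}} if kind == "CronJob" else {"template": tmpl, "replicas": 1}
    return {"kind": kind, "metadata": {"name": f"neuvector-{comp}-pod"}, "spec": spec, "status": status}

SAMPLE = [  # constructed: scanner still pulling its image, updater kept the private-registry image
    _workload("Deployment", "controller", "neuvector/controller.preview:5.0.0-preview.1", readyReplicas=1),
    _workload("Deployment", "manager", "neuvector/manager.preview:5.0.0-preview.1", readyReplicas=1),
    _workload("Deployment", "scanner", "neuvector/scanner.preview:latest", readyReplicas=0),
    _workload("DaemonSet", "enforcer", "neuvector/enforcer.preview:5.0.0-preview.1",
              numberReady=3, desiredNumberScheduled=3),
    _workload("CronJob", "updater", "registry.neuvector.com/updater:latest"),
]
```

Against the constructed sample, `check_components(SAMPLE)` reports the scanner as not ready and flags that the updater CronJob still points at the private registry, i.e. the `sed` replacement above did not take effect.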

The open source community

Judging by the GitHub repository, NeuVector’s open source effort is still in its infancy: the code has just been published, and there is no roadmap, no release plan, and no clear community governance. All of these need to be addressed. Given the maturity of the Rancher community, it should only be a matter of time before NeuVector gets on track.

Conclusion

NeuVector fills a gap among security products. Although no individual module is the strongest in the industry, its full-lifecycle security governance capability is beyond the reach of other open source tools. If NeuVector can become an open platform in the future, integrating the best tools in the industry so that they can learn from one another, it will surely play a bigger role and gain a foothold in the open source security market.

This article is published by OpenWrite!