KEMBAR78
Linux Native, HTTP Aware Network Security | PDF
Thomas Graf, profile picture
Uploaded byThomas Graf
PDF, PPTX2,334 views

Linux Native, HTTP Aware Network Security

Thomas Graf, CTO and co-founder of Covalent, discusses the challenges of network security in a microservices architecture, highlighting the limitations of traditional methods like iptables. He emphasizes the need for modern approaches using BPF (Berkeley Packet Filter) to enhance security and optimize performance in dynamic environments. The document also briefly touches on Cilium, a project that utilizes BPF for improved container networking and security policies.

Download as PDF, PPTX
Title. Thomas Graf CTO & Co-Founder @ Covalent Linux-Native, HTTP-Aware Network Security
Application Architectures Delivery Frequency Operational Complexity Single Server App Yearly Low Distributed Microservices App 10-100 x’s / day Extreme 3-Tier App Monthly Moderate CODE CONSISTENCY AT VELOCITY
Network Security has not evolved $ iptables -A INPUT -p tcp -s 15.15.15.3 --dport 80 -m conntrack --ctstate NEW -j ACCEPT The world still runs on iptables matching IPs and ports:
Your HTTP ports be like …
L3/L4 Network Security for microservices Pod “Frontend” Pod “Store” API
L3/L4 Network Security for microservices Pod “Frontend” Pod “Store” API GET /store/myItem HTTP/1.1
L3/L4 Network Security for microservices Pod “Frontend” Pod “Store” API GET /store/myItem HTTP/1.1 FROM frontend ALLOW tcp:80
L3/L4 Network Security for microservices Pod “Frontend” Pod “Store” GET /store/{id} API GET /store/myItem HTTP/1.1 FROM frontend ALLOW tcp:80
L3/L4 Network Security for microservices Pod “Frontend” Pod “Store” GET /healthz GET /store/{id} PUT /store/{id} PUT /config API GET /store/myItem HTTP/1.1 FROM frontend ALLOW tcp:80
L3/L4 Network Security for microservices Pod “Frontend” Pod “Store” GET /healthz GET /store/{id} PUT /store/{id} PUT /config API attacksurface GET /store/myItem HTTP/1.1 FROM frontend ALLOW tcp:80
L3/L4 Network Security for microservices Pod “Frontend” Pod “Store” GET /healthz GET /store/{id} PUT /store/{id} PUT /config API exposed exposed exposed FROM frontend ALLOW tcp:80 GET /store/myItem HTTP/1.1 OK
L4 security has become meaningless in the age of microservices
L3/L4 Network Security for microservices Pod “Frontend” Pod “Store” GET /healthz GET /store/{id} PUT /store/{id} PUT /config API GET /store/myItem HTTP/1.1
L3/L4 Network Security for microservices Pod “Frontend” Pod “Store” GET /healthz GET /store/{id} PUT /store/{id} PUT /config API FROM frontend ALLOW GET /store/.* GET /store/myItem HTTP/1.1
We demand a demo!
BPF – The Superpowers inside Linux
What is BPF? .insns = { BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152), BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), BPF_EXIT_INSN(), }
What is BPF? SOURCE CODE [C] </> USER SPACE
What is BPF? SOURCE CODE [C] </> BYTE CODE [BPF] USER SPACE </>
What is BPF? SOURCE CODE [C] </> BYTE CODE [BPF] VERIFIER + JIT USER SPACE KERNEL </>
What is BPF? SOURCE CODE [C] </> BYTE CODE [BPF] VERIFIER + JIT USER SPACE KERNEL </> SANDBOX BPF
What is BPF? SOURCE CODE [C] </> BYTE CODE [BPF] VERIFIER + JIT USER SPACE KERNEL </> SANDBOX BPF Process Process
What is BPF? SOURCE CODE [C] </> BYTE CODE [BPF] VERIFIER + JIT USER SPACE KERNEL </> SANDBOX BPF Process SANDBOX BPF write() Process
What is BPF? SOURCE CODE [C] </> BYTE CODE [BPF] VERIFIER + JIT USER SPACE KERNEL </> SANDBOX BPF Process SANDBOX BPF write() Process EACCESS
How does BPF relate to HTTP? Process GET /foo
SANDBOX BPF Process GET /foo How does BPF relate to HTTP?
SANDBOX BPF Process Proxy rules GET /foo redirect How does BPF relate to HTTP?
SANDBOX BPF Process Proxy rules GET /foo redirect reinject How does BPF relate to HTTP?
SANDBOX BPF Process Proxy rules GET /foo redirect 403 Access Denied How does BPF relate to HTTP?
Cilium Architecture Cilium Kernel ProcessBPF ProcessBPF BPF Cilium Agent CLI Monitor Policy Plugins
• Generate networking code at Container Startup + Tailored to each container + Include Minimal Code Required Faster Smaller Attack Surface • Constant Config (IP, MAC, Ports, …), Compiler Optimization • Regeneration at Runtime Without Breaking Connections BPF CODE GENERATION AT CONTAINER STARTUP
75 140 205 240 325 365 370 365 410 412 425 445 450 460 460 490 495 505 515 525 545 565 0 100 200 300 400 500 600 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 BPF redirect() performance [GBit per core] Intel Xeon 3.5Ghz Sandy Bridge, 24 Cores, 1 TCP GSO flow per core, netperf -t TCP_SENDFILE, 10K Cilium policies
Thank You Learn More: cilium.io Code: github.com/cilium/cilium Follow us: @ciliumproject KubeCon booth: S19

More Related Content

PDF
Cilium - Network security for microservices
byThomas Graf
 
PDF
Cilium - API-aware Networking and Security for Containers based on BPF
byThomas Graf
 
PDF
Accelerating Envoy and Istio with Cilium and the Linux Kernel
byThomas Graf
 
PDF
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
byThomas Graf
 
PDF
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
byThomas Graf
 
PDF
Kubernetes Networking with Cilium - Deep Dive
byMichal Rostecki
 
PDF
Replacing iptables with eBPF in Kubernetes with Cilium
byMichal Rostecki
 
PDF
Cilium - BPF & XDP for containers
byDocker, Inc.
 
Cilium - Network security for microservices
byThomas Graf
 
Cilium - API-aware Networking and Security for Containers based on BPF
byThomas Graf
 
Accelerating Envoy and Istio with Cilium and the Linux Kernel
byThomas Graf
 
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
byThomas Graf
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
byThomas Graf
 
Kubernetes Networking with Cilium - Deep Dive
byMichal Rostecki
 
Replacing iptables with eBPF in Kubernetes with Cilium
byMichal Rostecki
 
Cilium - BPF & XDP for containers
byDocker, Inc.
 

What's hot

PDF
Cilium - overview and recent updates
byMichal Rostecki
 
PDF
LinuxCon 2015 Stateful NAT with OVS
byThomas Graf
 
PDF
eBPF - Rethinking the Linux Kernel
byThomas Graf
 
PDF
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
PDF
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
byThomas Graf
 
PDF
Cilium - Fast IPv6 Container Networking with BPF and XDP
byThomas Graf
 
PDF
Kernel advantages for Istio realized with Cilium
byCynthia Thomas
 
PDF
Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPF
byCynthia Thomas
 
PDF
LinuxCon 2015 Linux Kernel Networking Walkthrough
byThomas Graf
 
PDF
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...
byIO Visor Project
 
PDF
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
byThomas Graf
 
PDF
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
byAnne Nicolas
 
PDF
LF_DPDK_Mellanox bifurcated driver model
byLF_DPDK
 
PDF
Ebpf ovsconf-2016
byCheng-Chun William Tu
 
PDF
Open vSwitch - Stateful Connection Tracking & Stateful NAT
byThomas Graf
 
PDF
Linux Kernel Cryptographic API and Use Cases
byKernel TLV
 
PDF
DPDK Summit 2015 - HP - Al Sanders
byJim St. Leger
 
PDF
LF_DPDK17_DPDK support for new hardware offloads
byLF_DPDK
 
PDF
LF_OVS_17_OVS Performance on Steroids - Hardware Acceleration Methodologies
byLF_OpenvSwitch
 
PDF
DPDK Support for New HW Offloads
byNetronome
 
Cilium - overview and recent updates
byMichal Rostecki
 
LinuxCon 2015 Stateful NAT with OVS
byThomas Graf
 
eBPF - Rethinking the Linux Kernel
byThomas Graf
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
byThomas Graf
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
byThomas Graf
 
Kernel advantages for Istio realized with Cilium
byCynthia Thomas
 
Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPF
byCynthia Thomas
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
byThomas Graf
 
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...
byIO Visor Project
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
byThomas Graf
 
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
byAnne Nicolas
 
LF_DPDK_Mellanox bifurcated driver model
byLF_DPDK
 
Ebpf ovsconf-2016
byCheng-Chun William Tu
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
byThomas Graf
 
Linux Kernel Cryptographic API and Use Cases
byKernel TLV
 
DPDK Summit 2015 - HP - Al Sanders
byJim St. Leger
 
LF_DPDK17_DPDK support for new hardware offloads
byLF_DPDK
 
LF_OVS_17_OVS Performance on Steroids - Hardware Acceleration Methodologies
byLF_OpenvSwitch
 
DPDK Support for New HW Offloads
byNetronome
 

Viewers also liked

PDF
BPF: Next Generation of Programmable Datapath
byThomas Graf
 
PDF
Linux Networking Explained
byThomas Graf
 
PDF
IBM Bluemix OpenWhisk: IBM InterConnect 2017, Las Vegas, USA: Technical Strategy
byOpenWhisk
 
PDF
Protocole d'accord de l'assurance chômage du 28 mars 2017
bySamuel Chalom
 
PPTX
Presentation: Avoiding Nonprofit Disasters Through Decision-Making Science
byGleb Tsipursky
 
PPTX
Walking the talk of open research and open innovation in practice
bySimon Tanner
 
PPTX
Brussels Briefing 48: Nono Dimakatso Sekhoto "Opportunities for young entrepr...
byBrussels Briefings (brusselsbriefings.net)
 
PPTX
Pesquisa - Torcedoras do Sport Club do Recife
byAndreza Salgueiro
 
PDF
Juomatavat Euroopassa - RARHA-hankkeen tuloksia
byTHL
 
PPTX
Substitution des cmr support de présentation de la conférence du 23 mars 2017
byPierre-Olivier Leurent
 
PDF
Pharos - Face of the KMC
byRajarshi Guha
 
PPTX
Presentation: How Women Leaders Can Avoid Disasters Through Science-Based Dec...
byGleb Tsipursky
 
KEY
Economics Essential Diagrams
byevangelxoxo
 
BPF: Next Generation of Programmable Datapath
byThomas Graf
 
Linux Networking Explained
byThomas Graf
 
IBM Bluemix OpenWhisk: IBM InterConnect 2017, Las Vegas, USA: Technical Strategy
byOpenWhisk
 
Protocole d'accord de l'assurance chômage du 28 mars 2017
bySamuel Chalom
 
Presentation: Avoiding Nonprofit Disasters Through Decision-Making Science
byGleb Tsipursky
 
Walking the talk of open research and open innovation in practice
bySimon Tanner
 
Brussels Briefing 48: Nono Dimakatso Sekhoto "Opportunities for young entrepr...
byBrussels Briefings (brusselsbriefings.net)
 
Pesquisa - Torcedoras do Sport Club do Recife
byAndreza Salgueiro
 
Juomatavat Euroopassa - RARHA-hankkeen tuloksia
byTHL
 
Substitution des cmr support de présentation de la conférence du 23 mars 2017
byPierre-Olivier Leurent
 
Pharos - Face of the KMC
byRajarshi Guha
 
Presentation: How Women Leaders Can Avoid Disasters Through Science-Based Dec...
byGleb Tsipursky
 
Economics Essential Diagrams
byevangelxoxo
 

Similar to Linux Native, HTTP Aware Network Security

PDF
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...
byDocker, Inc.
 
PDF
Cilium:: Application-Aware Microservices via BPF
byCynthia Thomas
 
PPTX
Cfgmgmtcamp 2023 — eBPF Superpowers
byRaphaël PINSON
 
PDF
Cilium: Kernel Native Security & DDOS Mitigation for Microservices with BPF
byDocker, Inc.
 
PDF
Cilium: Seattle Kubernetes MeetUp Dec 2017
byCynthia Thomas
 
PDF
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
byDevSecCon
 
PPTX
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
byoholiab
 
PDF
Cloud Monitors Cloud
byRaymond Burkholder
 
PDF
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
byContainerDay Security 2023
 
PDF
Introduction to eBPF and XDP
bylcplcp1
 
PPTX
Dataplane programming with eBPF: architecture and tools
byStefano Salsano
 
PDF
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
byRaphaël PINSON
 
PPTX
Wo defensive trickery_13mar2017
byDan Kaminsky
 
PDF
story_of_bpf-1.pdf
byhegikip775
 
PDF
XDP in Practice: DDoS Mitigation @Cloudflare
byC4Media
 
PDF
CNTUG x SDN Meetup #33 Talk 1: 從 Cilium 認識 cgroup ebpf - Ruian
byHanLing Shen
 
PDF
SDN/OpenFlow #lspe
byChris Westin
 
PDF
SRE NL MeetUp - eBPF.pdf
bySiteReliabilityEngin
 
PDF
eBPF — Divulging The Hidden Super Power.pdf
bySGBSeo
 
PDF
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
byDefconRussia
 
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...
byDocker, Inc.
 
Cilium:: Application-Aware Microservices via BPF
byCynthia Thomas
 
Cfgmgmtcamp 2023 — eBPF Superpowers
byRaphaël PINSON
 
Cilium: Kernel Native Security & DDOS Mitigation for Microservices with BPF
byDocker, Inc.
 
Cilium: Seattle Kubernetes MeetUp Dec 2017
byCynthia Thomas
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
byDevSecCon
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
byoholiab
 
Cloud Monitors Cloud
byRaymond Burkholder
 
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
byContainerDay Security 2023
 
Introduction to eBPF and XDP
bylcplcp1
 
Dataplane programming with eBPF: architecture and tools
byStefano Salsano
 
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
byRaphaël PINSON
 
Wo defensive trickery_13mar2017
byDan Kaminsky
 
story_of_bpf-1.pdf
byhegikip775
 
XDP in Practice: DDoS Mitigation @Cloudflare
byC4Media
 
CNTUG x SDN Meetup #33 Talk 1: 從 Cilium 認識 cgroup ebpf - Ruian
byHanLing Shen
 
SDN/OpenFlow #lspe
byChris Westin
 
SRE NL MeetUp - eBPF.pdf
bySiteReliabilityEngin
 
eBPF — Divulging The Hidden Super Power.pdf
bySGBSeo
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
byDefconRussia
 

Recently uploaded

PDF
The 50+ First-Timer: My OpenTelemetry Contribution and How Your CNCF Journey...
byImma Valls Bernaus
 
PPT
Lexical and Syntax Analysis top down parsers
bymjmansoori54
 
PPT
preliminaries, concepts of programming languages
bymjmansoori54
 
PPTX
Standardization of open-source software ISO/IEC 5230:2020 and ISO/IEC 18974:2...
byShane Coughlan
 
PDF
Dreamforce 2025: Welcome to the Agentic Enterprise
byDele Amefo
 
PDF
How QuickHR Helps SMEs Control Expense Claims
byParker adam
 
DOCX
Best Tableau Alternatives for Data Analytics and Reporting.docx
byVarsha Nayak
 
PPTX
Systems Programming Lecture Compute.pptx
byAdekunle25
 
PPTX
Validation testing in software engineering
bytanzeelamohsin01
 
DOCX
Comprehensive Guide to SharePoint Consulting Services – Benefits, Process, an...
bySharepoint Designs
 
PDF
The 50+ First-Timer: It’s never too late for Open Source!
byImma Valls Bernaus
 
PPT
SAP ERP Training For Senior Managers.ppt
byBalanathanVirupasan
 
PDF
VADY Data Analytics Solutions – Effortless AI-Powered Decision-Making for Eve...
byNewFangledVision
 
PDF
Ensuring Regulatory Excellence with Insurance Compliance Software
byInsurance Tech Services
 
PDF
Shift Left for Inclusion: Scalable Accessibility Testing with Cypress - Cypre...
byLudovico Besana
 
PPTX
Java Modern Puzzlers, a guide to new programming features
bySimon Ritter
 
PDF
Zoho Vani AI-Powered Collaboration Platform to Rival Google Workspace & Micro...
byEvoluz Global Solutions
 
PDF
SAP & CTRM Testing Like Never Before
byZoe Gilbert
 
PPTX
Safe Confined Space Entry Monitoring_ Singapore Experts.pptx
byprasadexiga0
 
PPTX
Oracle_AWS_Azure_GCP_Comparison_ModernTech.pptx
byVITS184D1
 
The 50+ First-Timer: My OpenTelemetry Contribution and How Your CNCF Journey...
byImma Valls Bernaus
 
Lexical and Syntax Analysis top down parsers
bymjmansoori54
 
preliminaries, concepts of programming languages
bymjmansoori54
 
Standardization of open-source software ISO/IEC 5230:2020 and ISO/IEC 18974:2...
byShane Coughlan
 
Dreamforce 2025: Welcome to the Agentic Enterprise
byDele Amefo
 
How QuickHR Helps SMEs Control Expense Claims
byParker adam
 
Best Tableau Alternatives for Data Analytics and Reporting.docx
byVarsha Nayak
 
Systems Programming Lecture Compute.pptx
byAdekunle25
 
Validation testing in software engineering
bytanzeelamohsin01
 
Comprehensive Guide to SharePoint Consulting Services – Benefits, Process, an...
bySharepoint Designs
 
The 50+ First-Timer: It’s never too late for Open Source!
byImma Valls Bernaus
 
SAP ERP Training For Senior Managers.ppt
byBalanathanVirupasan
 
VADY Data Analytics Solutions – Effortless AI-Powered Decision-Making for Eve...
byNewFangledVision
 
Ensuring Regulatory Excellence with Insurance Compliance Software
byInsurance Tech Services
 
Shift Left for Inclusion: Scalable Accessibility Testing with Cypress - Cypre...
byLudovico Besana
 
Java Modern Puzzlers, a guide to new programming features
bySimon Ritter
 
Zoho Vani AI-Powered Collaboration Platform to Rival Google Workspace & Micro...
byEvoluz Global Solutions
 
SAP & CTRM Testing Like Never Before
byZoe Gilbert
 
Safe Confined Space Entry Monitoring_ Singapore Experts.pptx
byprasadexiga0
 
Oracle_AWS_Azure_GCP_Comparison_ModernTech.pptx
byVITS184D1
 
In this document
Powered by AI

Presentation titled by Thomas Graf, focusing on Linux-native and HTTP-aware network security.

Describes different application architectures: Single Server App, 3-Tier App, and Distributed Microservices App. Highlights frequency and operational complexity.

Discusses traditional network security using iptables which matches IPs and ports, indicating stagnation in network security evolution.

Illustrates L3/L4 network security for microservices architecture. Highlights API interactions and access control rules.

Claims that L4 security has become meaningless in the context of evolving microservices.

Explains BPF (Berkeley Packet Filter) functionality and its structure, including source code, bytecode, verification process, and sandboxing.

Explores how BPF can be applied to HTTP processes and the implications of using proxy rules in data management.

Details the architecture of Cilium using BPF for efficient container networking and policy enforcement with performance metrics.

Presents performance statistics of BPF redirect function on Intel Xeon hardware, illustrating throughput capabilities.

Thanks the audience, provides links for more information about Cilium, and mentions KubeCon presence.

Linux Native, HTTP Aware Network Security