Recently, an article titled "SUSE Releases NeuVector: The Industry's First Open Source Container Security Platform" was reprinted on the major IT news sites. For a newcomer to the SUSE family, delivering on the open source commitment within 3 months is impressive. So what advantages of NeuVector won it SUSE's favor? And how does it break new ground compared with the open source security products of the various security vendors? Below, I briefly analyze NeuVector from a SecDevOps perspective.

The State of Open Source Cloud-Native Security Products

What NeuVector open sourced this time is not a single component or security tool but a complete container security platform. This is very different from the open source strategies of the other major cloud-native security vendors. At present, the active open source vendors in the cloud-native field include Aqua Security, Falco (Sysdig), Anchore, Fairwinds and Portshift, as well as StackRox (acquired by Red Hat), in addition to tools from large vendors such as Clair. Although traditional security vendors also have cloud-native security products, few of them are open source. Cloud-native security has become an important track on which innovative security vendors try to break the dominance of the traditional vendors, and open source is more of a touchstone on which they test their products.

Project | Vendor | Link | Stars | Type | Open source date
--- | --- | --- | --- | --- | ---
clair | Quay | https://github.com/quay/clair | 8.4k | Image scan | 2015-11-13
trivy | Aqua | https://github.com/aquasecurity/trivy | 10.1k | Image scan | 2019-04-11
kube-hunter | Aqua | https://github.com/aquasecurity/kube-hunter/ | 3.4k | Vulnerability scan | 2018-07-18
kube-bench | Aqua | https://github.com/aquasecurity/kube-bench | 4.5k | CIS security baseline | 2017-06-19
starboard | Aqua | https://github.com/aquasecurity/starboard | 968 | Dashboard | 2020-03-17
tracee | Aqua | https://github.com/aquasecurity/tracee | 1.5k | System event tracking based on eBPF | 2019-09-18
anchore-engine | Anchore | https://github.com/anchore/anchore-engine | 1.4k | Vulnerability scan | 2017-09-06
kyverno | kyverno.io | https://github.com/kyverno/kyverno | 1.8k | Kubernetes policy and auditing | 2019-02-04
GateKeeper | OPA (Sysdig) | https://github.com/open-policy-agent/gatekeeper | 1.3k | Kubernetes policy and auditing | 2018-10-26
falco | falcosecurity (Sysdig) | https://github.com/falcosecurity/falco | 4.4k | System event tracking and alerting based on a kernel module | 2016-01-19
terrascan | accurics.com | https://github.com/accurics/terrascan | 2.7k | Generic IaC configuration scan | 2017-09-11
Kubei | Portshift | https://github.com/cisco-open/kubei | 489 | Image scan (with UI) | 2020-03-22
Polaris | Fairwinds | https://github.com/FairwindsOps/polaris | 2.4k | Configuration scan and policies | 2018-11-15
kubesec | controlplaneio | https://github.com/controlplaneio/kubesec | 667 | Kubernetes configuration scan | 2017-10-10
KubeEye | KubeSphere | https://github.com/kubesphere/kubeeye | 424 | Policy-based Kubernetes cluster configuration scan | 2020-11-07
kube-linter | StackRox (Red Hat) | https://github.com/stackrox/kube-linter | 1.8k | Kubernetes configuration scan | 2020-08-13

The table above lists the main open source projects from the various security vendors. It shows that open source security software is currently concentrated in four categories:

  1. Image vulnerability scanning
  2. Compliance and baseline scanning
  3. Kubernetes security policy and configuration management
  4. Threat detection

In addition to these four types of tools, network security is also an important part of cloud-native security, but it is currently provided mainly by CNI network plug-ins, and no related products were found among the other security vendors. These tools are in a fairly fragmented state. Except for the starboard project, which is a simple security platform integrating Aqua's open source product line, no other vendor has open sourced a platform-level project like NeuVector, and starboard can only automate basic functions such as vulnerability scanning, configuration auditing and CIS baseline checks. With only the tools above, it is difficult for operations and development teams to integrate them into a complete security solution. The star counts show that scanning tools such as Trivy and Terrascan are more popular with community users than the runtime security tool Falco. This is probably closely related to the fact that scanning tools are easier to deploy and can be quickly integrated into CI/CD pipelines, whereas runtime security tools must be integrated with, or extended for, other IT systems before they provide protection; the greater difficulty of learning, using and deploying them has held back their adoption. Open-sourcing NeuVector is likely to change this status quo, letting community users easily deploy a complete security platform and use functions that were previously only available on paid commercial platforms.

Cloud-native container security platform

Next, let's take a look at the unique open source capabilities of NeuVector as a cloud-native container security platform.

Unified platform

First of all, as a platform it should offer unified installation and deployment, without requiring users to work out how to integrate the various security components to meet their security requirements. Currently, NeuVector can be easily deployed on an existing Kubernetes cluster through the official Helm chart or YAML manifests. NeuVector consists of 5 main services:

(Figure: NeuVector architecture)

  • Manager: NeuVector's web console, which provides a unified management UI for viewing security events and managing security solutions, rules and more.
  • Controller: the backend server and controller, which manages the other components such as the Enforcer and Scanner, distributes security policies and schedules scanning tasks.
  • Scanner: performs tasks such as vulnerability scans and baseline scans.
  • Enforcer: a lightweight container that intercepts system events, enforces security policies and so on; it usually runs as a DaemonSet on every node of the cluster.
  • Updater: updates the CVE database.

Second, a unified management plane: the ability to manage the various assets in the Kubernetes platform (containers, images, hosts, processes, etc.), to configure rules and policies for the various components, and to run scheduled tasks such as compliance scans and image scans. At present NeuVector's functions are relatively complete and comparable to the main functions of commercial platforms such as Sysdig and Aqua. After NeuVector is installed, users can open its console in a browser. The navigation bar of the console covers five core functions, including asset management, policy management, security risk, notifications, platform settings and federated clustering. Expanding each of them in turn gives a glimpse of its capabilities.

Assets | Policy | Security Risks | Notifications | Settings
--- | --- | --- | --- | ---
Platforms | Admission Control | Vulnerabilities | Security Events | Users & Roles
Nodes | Groups | Vulnerabilities Profile | Risk Reports | Configuration
Containers | Network Rules | Compliance | Events | LDAP/AD Settings
Registries | Response Rules | Compliance Profile | - | SAML Setting
System Components | DLP Sensors | - | - | OIDC Settings
- | WAF Sensors | - | - | -

Third, the linkage between components. NeuVector automatically discovers the behavior of applications, containers and services, and switching between learning mode, monitoring mode and protection mode makes this efficient. Once the known container behavior has been modeled, any violation of the rules triggers a security event. These security events are aggregated in the Security Events module, and the event response rules configured under Response Rules carry out response actions such as alarm notifications and automatic blocking.

Visual Security Threat Analysis Panel

NeuVector's visualization panel helps administrators analyze the risks present in the current system. The summary shows the security events in the system, host/container vulnerabilities, ingress/egress traffic and so on. It also supports PDF and CSV export, which makes it convenient to generate reports for analysis.

Asset Management

Asset management displays information about nodes, containers, image registries and NeuVector's own components. It lets you view the security risks of these assets from different perspectives and run scanning tasks against them.

Event Notification

NeuVector's notification module includes security events, risk (compliance and vulnerability) events and system events.

Whitelist violations and blacklist matches are logged as security events. For example, a whitelist can be configured in the network rules; every network connection not permitted by the whitelist is blocked and a security event is logged. Security events also include network, process and file events, and the event rules can be modified to mark false positives as trusted events.
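As an added illustration of the mode switching and whitelist semantics described above (model code written for this page, not NeuVector's own implementation), the following Go sketch learns connections in Discover mode, alerts on unknown ones in Monitor mode, blocks them in Protect mode, and lets an operator trust a false positive. The Conn tuple, the Engine type and the action names are assumptions of the model.

```go
package main

// Mode is one of the three NeuVector policy modes described in the text.
type Mode int

const (
	Discover Mode = iota // learning: unknown connections are added to the whitelist
	Monitor              // unknown connections raise a security event but are allowed
	Protect              // unknown connections raise a security event and are blocked
)

// Conn summarises one observed connection between two workload groups (constructed model).
type Conn struct {
	Src, Dst string
	Port     int
	App      string
}

// Verdict is the engine's decision for one connection.
type Verdict struct {
	Action string // "allow", "learn", "alert" or "deny"
	Event  bool   // true when a security event is recorded
}

// Engine holds the whitelist built in Discover mode and the current mode.
type Engine struct {
	Mode      Mode
	Whitelist map[Conn]bool
}

func NewEngine(mode Mode) *Engine { return &Engine{Mode: mode, Whitelist: map[Conn]bool{}} }

// Observe applies the whitelist semantics: a whitelisted connection is always
// allowed silently; anything else depends on the current mode.
func (e *Engine) Observe(c Conn) Verdict {
	if e.Whitelist[c] {
		return Verdict{Action: "allow"}
	}
	switch e.Mode {
	case Discover:
		e.Whitelist[c] = true
		return Verdict{Action: "learn"}
	case Monitor:
		return Verdict{Action: "alert", Event: true}
	default:
		return Verdict{Action: "deny", Event: true}
	}
}

// Trust whitelists a connection after an operator marks its event as a false positive.
func (e *Engine) Trust(c Conn) { e.Whitelist[c] = true }
```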

User rights management and authentication system integration

The NeuVector console has a user management function for limiting user permissions. It can also be integrated with third-party user management systems such as LDAP, SAML and OIDC, and can simplify authorization by mapping to the user group permissions of those systems, so that users can reuse their existing authorization infrastructure.

Federated Cluster Management

NeuVector supports multi-cluster management. After a primary cluster is created, federation rules can be configured on it, and these rules are automatically distributed to the other clusters. Through the federated cluster, the security policies and rules of every cluster can be deployed and managed uniformly, simplifying management. A managed cluster has no right to change the federation rules, which ensures that it cannot violate the security rules and improves its security.

Feature comparison

Next, let's take a look at the comparison of NeuVector's built-in security toolbox with the current mainstream open source security tools.

Image Vulnerability Scan

Among the image vulnerability scanning tools, Clair, Trivy and Anchore Engine hold most of the open source market, and there are also commercial products such as Snyk. Trivy, the rising star among these projects, has overtaken Clair to become the most popular tool in just 3 years, which owes much to its powerful functionality. Trivy not only supports vulnerability scanning of system packages for Alpine, RHEL, CentOS, Ubuntu and so on, but also of language-level dependency packages for Go, Python, PHP, Node.js, Java, .NET and others. A GitHub Actions automation task pulls the latest vulnerability information from the official CVE databases of the major distributions and updates the Trivy vulnerability database promptly.

From NeuVector's code base it can be seen that its vulnerability scanning currently supports detection of apk, dpkg and rpm distribution packages, and the core code is very concise. However, since no vulnerability database has been released, it is difficult to judge the accuracy and comprehensiveness of its scanning, and NeuVector's next open source plan will have to be released before its development roadmap can be fully understood. I believe NeuVector's vulnerability scanning will find it hard to shake Trivy's position in the short term.
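To show what package-based scanning of the kind described above involves, here is an added Go example that is not NeuVector's or Trivy's code: it parses the dpkg status database format (one of the three package formats mentioned), applies a deliberately simplified version ordering, and matches installed packages against a constructed advisory map. The status text and the fixed-version map supplied by a caller are constructed inputs, not real vulnerability data.

```go
package main

import (
	"bufio"
	"strconv"
	"strings"
)

type Package struct{ Name, Version string } // one installed package from the dpkg database
// ParseDpkgStatus reads /var/lib/dpkg/status stanzas (blank-line separated "Key: value"
// records) and keeps only packages whose Status field ends in "installed".
func ParseDpkgStatus(status string) (pkgs []Package) {
	cur, installed := Package{}, false
	sc := bufio.NewScanner(strings.NewReader(status + "\n\n")) // trailing blank line flushes the last stanza
	for sc.Scan() {
		key, val, _ := strings.Cut(sc.Text(), ": ")
		switch key {
		case "Package":
			cur.Name = val
		case "Version":
			cur.Version = val
		case "Status": // "install ok installed" vs e.g. "deinstall ok config-files" or "purge ok not-installed"
			installed = strings.HasSuffix(val, " installed")
		case "": // blank line ends the stanza
			if installed && cur.Name != "" {
				pkgs = append(pkgs, cur)
			}
			cur, installed = Package{}, false
		}
	}
	return pkgs
}
// versionLess splits versions on ":.-+~" and compares the parts as integers (non-numeric
// parts count as 0): a deliberately simplified stand-in for dpkg's full ordering rules.
func versionLess(a, b string) bool {
	sep := func(r rune) bool { return strings.ContainsRune(":.-+~", r) }
	pa, pb := strings.FieldsFunc(a, sep), strings.FieldsFunc(b, sep)
	for i := 0; i < len(pa) && i < len(pb); i++ {
		na, _ := strconv.Atoi(pa[i])
		if nb, _ := strconv.Atoi(pb[i]); na != nb {
			return na < nb
		}
	}
	return len(pa) < len(pb)
}
// Scan reports installed packages older than the fixed version in the advisory map
// (package name -> first fixed version; the map is constructed data, not a real feed).
func Scan(pkgs []Package, fixed map[string]string) (findings []string) {
	for _, p := range pkgs {
		if f, ok := fixed[p.Name]; ok && versionLess(p.Version, f) {
			findings = append(findings, p.Name+" "+p.Version+" < "+f)
		}
	}
	return findings
}
```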

Compliance Check

NeuVector's built-in compliance checks include the CIS Kubernetes/Docker Benchmarks as well as templates for industry standards such as PCI, NIST, GDPR and HIPAA. For the CIS Kubernetes Benchmarks, OpenShift and GKE can be detected automatically, but because the CIS Kubernetes Benchmarks check scripts do not yet support custom rules, they are of limited use for private clouds or clusters deployed with third-party installation tools. In addition, since NeuVector's check code is written as bash scripts, its extensibility and configurability are not as flexible as kube-bench.

At present, the other compliance tools each target a single standard and find it hard to cover the others, whereas NeuVector is more comprehensive and general. Users can write custom compliance check scripts for hosts, containers or third-party components, and are not limited to CIS or other standard rules. On the other hand, the official documentation recommends using custom compliance scripts with caution, because such scripts run with root permissions on the host and in the container and have no command restrictions, which carries potential security risk.

Network Topology

The network topology map visualizes the network communication relationships between containers and between containers and hosts, which helps us analyze potential security risks and improves the observability of the network. Weave Scope and Cilium Hubble both support network topology. Weave Scope is more widely used and is not limited to Kubernetes; it can also be deployed on platforms such as Docker and Mesosphere. Although Hubble depends on Cilium, Cilium not only performs well but also treats observability and security as primary features, so Hubble is widely used as one of its core components. And Cilium, the hottest network plug-in in the community, has the potential to overtake Calico in the future.

Functionally, Weave Scope focuses more on network performance analysis and debugging and supports plug-ins for customizing the UI. Hubble leans more towards microservice governance: it can display the dependencies between microservices and has better support for application-layer protocols. Through Hubble you can also observe which services initiate external network access or domain name resolution, as well as the network connections blocked by network policies.

NeuVector's Network Activity feature focuses on network security: it helps administrators identify abnormal traffic, manage network security policies, issue quarantine commands and more. Although the views are similar and the underlying principles are the same, the different functional focus of each tool limits the value of a side-by-side comparison.

Kernel Event Audit

Analyzing system and application behavior through kernel events is an important part of runtime security detection. Events in a Linux system occur at a very high rate, so the collection module must be extremely efficient. The current mainstream solution therefore uses eBPF; for example, Tracee uses a combination of eBPF and Go as its event collection engine. Kernel modules are another option: Falco currently supports both eBPF and a kernel module, which gives it high flexibility and better support for older kernels. NeuVector lacks design documentation for its event collection, and for lack of time I did not gain an in-depth understanding of NeuVector's event collection model from the code. Judging from the code structure alone, the code is fairly complex, lacks comments, and the relationships between components are hard to determine from the names alone. I hope the project improves the relevant documentation soon to facilitate further understanding and analysis.

Installation Trial

Next, we install and try NeuVector through KubeSphere.

Open the kubectl terminal

First log in to the KubeSphere Console, enter "Platform Management", and select "Cluster Management".

Go to "Application Workloads", select "Workloads", set the project to "kubesphere-system", and select "ks-installer".

Go to the pod terminal of ks-installer.

Install NeuVector using Helm

  • Create the namespace
kubectl create namespace neuvector
  • Create the service account
kubectl create serviceaccount neuvector -n neuvector
  • Add NeuVector's Helm repository
helm repo add neuvector https://neuvector.github.io/neuvector-helm/
  • Install NeuVector
helm install my-neuvector --namespace neuvector neuvector/core
  • Switch the deployed workloads to the open source preview images

kubectl set image deployment.apps/neuvector-controller-pod *=neuvector/controller.preview:5.0.0-preview.1 -n neuvector
kubectl set image deployment.apps/neuvector-manager-pod *=neuvector/manager.preview:5.0.0-preview.1 -n neuvector
kubectl set image deployment.apps/neuvector-scanner-pod *=neuvector/scanner.preview:latest -n neuvector
kubectl set image daemonset.apps/neuvector-enforcer-pod *=neuvector/enforcer.preview:5.0.0-preview.1 -n neuvector
kubectl get cronjob/neuvector-updater-pod -n neuvector -o yaml | sed 's#image: registry.neuvector.com/updater:latest#image: neuvector/updater.preview:latest#' | kubectl replace -f -

  • Check the status of the NeuVector services

Access the NeuVector UI

  • Use a Kubernetes node IP and node port to access the NeuVector UI, e.g. http://1.2.3.4:34567
  • Default user/password: admin/admin
  • Terms of Use: click "I accept"
  • Change the default password
    Click the user menu, select "My profile", then click "EDIT PROFILE"
  • View the Dashboard

Open Source Community

Judging from the GitHub repository, NeuVector's open source effort is still in its infancy. Only the code has been released; there is no clear roadmap or release plan, and the community governance model is not yet clear. These problems need to be solved urgently. Considering the maturity of the Rancher community, this should only be a matter of time, and I believe NeuVector will soon be on the right track.

Summary

NeuVector fills a gap among open source security products. Although none of its functional modules is the strongest in the industry, its security governance across the whole life cycle is beyond the reach of the other open source tools. If NeuVector can be built into an open platform in the future that integrates the best tools in the industry so that they complement one another, it will surely play a greater role and secure a place in the open source security market.

Author: KubeSphere