Is your feature request related to a problem? Please describe.
At the moment, the VMs spawned by the CrownLabs service are characterized by no limitations in the connections that can be established towards the Internet (besides those introduced by the campus firewalls), possibly allowing malicious/inappropriate traffic (either on purpose or due to misbehaving software).
This feature request proposes to tackle the problem from two orthogonal points of view:
Prevention: set up and configure a firewall on the physical nodes (VMs are considered completely untrusted as users may have root access) to limit the connections that can be established. For instance, limit connections only to certain well-known ports, as well as leverage publicly available blacklists to exclude malicious/inappropriate websites/IPs.
Auditing/Reaction: implement a solution to track the user-level connections that are established from/to the VMs. Hence, in case a security-relevant event is raised by the IT department, it would be possible to identify the originator of that traffic. In addition, this solution would also be useful for monitoring, e.g. analyzing when the VMs are actually used.
Describe the solution you'd like
It is proposed to leverage eBPF as a technology to perform low-overhead in-kernel traffic analysis. Specifically:
Prevention: the usage of polycube [1] and in particular the firewall service [2] to block undesired traffic.
Auditing/Reaction: the monitoring of the TCP sessions should be performed using eBPF, logging the identifiers of the sessions established at each instant. A user-space component (probably a kubernetes operator), should then be used to save the mappings between IPs and the actual service/owner.
Additional context
As kubernetes network providers/load balancers may perform NAT, it is necessary to first analyze which IP addresses are visible and which are masked, in order to identify the best "hook" points to implement these solutions.
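Added example (not code from the CrownLabs project) of the user-space correlation step described above: it assumes the eBPF probe logs sessions on the VM side, i.e. before any NAT, so the logged source address is the VM's own, while the IT report only carries the NATted node address, destination and an approximate time; IP leases written by the operator are time-bounded because addresses are reused. All names and addresses are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Session:
    """One TCP session as the eBPF probe would log it, hooked on the VM side
    (pre-NAT), so src_ip is the VM's own address (assumption)."""
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Lease:
    """Operator record: VM address -> owner, valid on [start, end)."""
    ip: str
    owner: str
    start: datetime
    end: Optional[datetime] = None  # None: still assigned

def owner_at(leases, ip, ts):
    """Time-aware lookup: the same address is handed to different VMs over time."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts and (lease.end is None or ts < lease.end):
            return lease.owner
    return None

def find_originators(sessions, leases, dst_ip, dst_port, reported_ts,
                     window=timedelta(seconds=30)):
    """Owners whose VM talked to dst_ip:dst_port around reported_ts.
    The report only shows the NATted node address, so matching is done on the
    destination tuple plus time; the pre-NAT src_ip is then mapped to an owner.
    More than one owner means the event cannot be attributed unambiguously."""
    owners = set()
    for s in sessions:
        if s.dst_ip == dst_ip and s.dst_port == dst_port and abs(s.ts - reported_ts) <= window:
            owners.add(owner_at(leases, s.src_ip, s.ts) or f"unmapped:{s.src_ip}")
    return owners

def T(s):  # helper: ISO timestamp -> aware UTC datetime
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample data: one VM address reused by two users on the same day.
LEASES = [
    Lease("10.244.1.7", "alice", T("2021-03-01T08:00:00"), T("2021-03-01T10:00:00")),
    Lease("10.244.1.7", "bob", T("2021-03-01T10:05:00")),
]
SESSIONS = [
    Session(T("2021-03-01T09:30:00"), "10.244.1.7", 51000, "203.0.113.9", 443),
    Session(T("2021-03-01T10:30:00"), "10.244.1.7", 52000, "203.0.113.9", 443),
    Session(T("2021-03-01T10:02:00"), "10.244.1.7", 52500, "203.0.113.9", 443),
]
```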