Author Archives: Joseph Yostos
Tigera provides the industry’s only active Cloud-Native Application Security Platform (CNAPP) for containers and Kubernetes. Available as a fully managed SaaS (Calico Cloud) or a self-managed service (Calico Enterprise), the platform prevents, detects, troubleshoots, and automatically mitigates exposure risks of security issues in build, deploy, and runtime stages across multi-cluster, multi-cloud, and hybrid deployments.
We are very excited to unveil Calico Enterprise 3.15 and its new capabilities that will further reduce your applications’ attack surface and improve threat detection capabilities. Read this blog to learn about some of the biggest highlights of this latest release.
US federal agencies require that any software they use be compliant with the Federal Information Processing Standard (140-2), also known as FIPS 140-2. FIPS 140-2 specifies security requirements that are satisfied by a cryptographic module of applications and environments. With the release of Calico Enterprise 3.15, you can now configure Calico Enterprise to run in a FIPS 140-2 level 1 compliant mode to pass compliance requirements when serving US federal regulatory agencies.
When installing Calico Enterprise, you now have the option to install the platform in FIPS-compliant mode. This will ensure that the Calico components that are Continue reading
Summer is almost over but we are bringing the heat back with the official release of Tigera’s new container security features. With this official launch, Calico leads the industry by offering a complete line of solutions across every stage of a cloud-native application CI/CD pipeline. From a new and improved approach to scanning container images for vulnerabilities to strengthening runtime security with improved performance, we’ve significantly improved and enhanced our Image Assurance and Runtime Threat Defense features for this exciting new phase of our Calico Cloud offering. Let’s take a look at the new container security features of this release.
Scanning container images for vulnerabilities is a critical first step in stopping malicious software from being deployed. As business demands grow, development teams are pushed to churn out updates and new features faster. As a result, DevOps teams require assistance to help them quickly identify vulnerabilities in the registries where the container images are pulled from. Calico Cloud is now offering a CLI-based scanner for on-demand scanning, where customers can locally scan for vulnerabilities in their build stage. A lightweight downloadable binary is all it takes to perform these scans and integrate the process into Continue reading
Container-based web applications built on microservices architecture, whether public-facing or internal, are critical to businesses. This new class of applications is commonly referred to as cloud-native applications. Read on to find out why traditional WAFs are no longer enough to protect cloud-native applications and how Calico’s new workload-centric WAF solves this problem.
HTTP is the lingua franca for modern, RESTful APIs and microservices communication. Traditionally, organizations have deployed WAF at the perimeter level to protect web applications against external attacks. A WAF provides visibility and enforces security controls on external traffic that passes through it. However, for cloud-native applications, where the concept of a perimeter does not exist, the same visibility and control need to be provided at the workload level inside the cluster.
In a survey conducted by information security research center Ponemon Institute to probe the state of the WAF market, more than 600 respondents noted the following:
Source: Ponemon Institute – “The State of Web Application Continue reading
At Tigera, we strive to innovate at every opportunity thrown at us and deliver what you need! We have listened to what users ask and today we are excited to announce the early preview of Calico Enterprise 3.14. From new capabilities to product supportability and extending partnerships with our trusted partners, let’s take a look at some of the new features in this release.
Web applications are a critical aspect of any business, whether they are public facing or internal. There has been a fundamental shift in the way these applications are developed—as they have become more container-based and API-based, we refer to these as cloud-native applications.
To keep these modern web applications secure, we need to analyze all HTTP communication and block any malicious traffic traversing the web application. However, in a cloud-native environment, we can’t achieve this using simple network policies or by using perimeter network firewalls. Instead, a cloud-native web application firewall (WAF) would be necessary.
Fig. 1: Service annotation for workload-based WAF using Calico
This is why we have introduced a cloud-native WAF into Calico Enterprise that’s different from the traditional WAFs you may know. While most traditional WAFs are deployed Continue reading
When deploying cloud-native applications to a hybrid and multi-cloud environment that is protected by traditional perimeter-based firewalls, such as Palo Alto Networks (PAN) Panorama, you need to work within the confines of your existing IT security architecture. For applications that communicate with external resources outside the Kubernetes cluster, a traditional firewall is typically going to be part of that communication.
A good practice is to enable enterprise security teams to leverage existing firewall platforms, processes, and architectures to protect access to Kubernetes workloads.
Calico Enterprise already extends Panorama’s firewall manager to Kubernetes. The firewall manager creates a zone-based architecture for your Kubernetes cluster, and Calico reads those firewall rules and translates them into Kubernetes security policies that control traffic between your applications.
With its 3.11 release, Calico Enterprise extends its integration with PAN firewalls to include Panorama address groups in sync with Calico NetworkSets. The new release provides granular application security for your cloud-native application and eliminates workflow complexity.
This integration helps users to:
Cloud-native workloads require Continue reading
Troubleshooting container connectivity issues and performance hotspots in Kubernetes clusters can be a frustrating exercise in a dynamic environment where hundreds, possibly thousands of pods are continually being created and destroyed. If you are a DevOps or platform engineer and need to troubleshoot microservices and application connectivity issues, or figure out why a service or application is performing slowly, you might use traditional packet capture methods like executing tcpdump against a container in a pod. This might allow you to achieve your task in a siloed single-developer environment, but enterprise-level troubleshooting comes with its own set of mandatory requirements and scale. You don’t want to be slowed down by these requirements, but rather address them in order to shorten the time to resolution.
Dynamic Packet Capture is a Kubernetes-native way that helps you to troubleshoot your microservices and applications quickly and efficiently without granting extra permissions. Let’s look at a specific use case to see some challenges and best practices for live troubleshooting with packet capture in a Kubernetes environment.
Let’s talk about this use case in the context of a hypothetical situation.
Your organization’s DevOps and platform teams are trying to figure out Continue reading
With the Calico 3.10 release, Dynamic Packet Capture is available in Dynamic Service Graph.
This means users who require self-service, live troubleshooting for microservices and Kubernetes workloads can capture and evaluate traffic packets on endpoints without writing a single line of code or using any 3rd-party troubleshooting tools. Users don’t need to learn about or have knowledge of kubectl or YAML to troubleshoot their microservices and Kubernetes cluster. Calico helps enforce organizational security policies by only allowing users to access their assigned namespaces and endpoints for troubleshooting.
In most situations when you need to do a packet capture, the problem doesn’t last long and usually happens randomly. But once you narrow down the issue to a particular time or activity, you will need to set the right action plan to tackle the problem. Packet capture is now much easier, simpler, and faster than before.
Dynamic Packet Capture facilitates fast troubleshooting and easy debugging of microservice connectivity issues and performance hotspots in Kubernetes clusters. It is a Kubernetes-native custom resource that runs as part of user code against specific workloads in the cluster, without the need to execute any programs inside the cluster. Dynamic Packet Capture Continue reading