Least Privilege Container Orchestration

The Docker platform and the container has become the standard for packaging, deploying, and managing applications. In order to coordinate running containers across multiple nodes in a cluster, a key capability is required: a container orchestrator.

container orchestrator

Orchestrators are responsible for critical clustering and scheduling tasks, such as:

  • Managing container scheduling and resource allocation.
  • Support service discovery and hitless application deploys.
  • Distribute the necessary resources that applications need to run.

Unfortunately, the distributed nature of orchestrators and the ephemeral nature of resources in this environment makes securing orchestrators a challenging task. In this post, we will describe in detail the less-considered—yet vital—aspect of the security model of container orchestrators, and how Docker Enterprise Edition with its built-in orchestration capability, Swarm mode, overcomes these difficulties.

Motivation and threat model

One of the primary objectives of Docker EE with swarm mode is to provide an orchestrator with security built-in. To achieve this goal, we developed the first container orchestrator designed with the principle of least privilege in mind.

In computer science,the principle of least privilege in a distributed system requires that each participant of the system must only have access to  the information and resources that are necessary for its legitimate purpose. No Continue reading

What is a firewall?

Network-based firewalls have become almost ubiquitous across US enterprises for their proven defense against an ever-increasing array of threats.A recent study by network testing firm NSS Labs found that up to 80% of US large businesses run a next-generation firewall. Research firm IDC estimates the firewall and related unified threat management market was a $7.6 billion industry in 2015 and expected to reach $12.7 billion by 2020.What is a firewall? Firewalls act as a perimeter defense tool that monitor traffic and either allow it or block it. Over the years functionality of firewalls has increased, and now most firewalls can not only block a set of known threats and enforce advanced access control list policies, but they can also deeply inspect individual packets of traffic and test packets to determine if they’re safe. Most firewalls are deployed as network hardware that processes traffic and software that allow end users to configure and manage the system. Increasingly, software-only versions of firewalls are being deployed in highly virtualized environments to enforce policies on segmented networks or in the IaaS public cloud.To read this article in full or to leave a comment, please click here

What is a firewall?

Network-based firewalls have become almost ubiquitous across US enterprises for their proven defense against an ever-increasing array of threats.A recent study by network testing firm NSS Labs found that up to 80% of US large businesses run a next-generation firewall. Research firm IDC estimates the firewall and related unified threat management market was a $7.6 billion industry in 2015 and expected to reach $12.7 billion by 2020.What is a firewall? Firewalls act as a perimeter defense tool that monitor traffic and either allow it or block it. Over the years functionality of firewalls has increased, and now most firewalls can not only block a set of known threats and enforce advanced access control list policies, but they can also deeply inspect individual packets of traffic and test packets to determine if they’re safe. Most firewalls are deployed as network hardware that processes traffic and software that allow end users to configure and manage the system. Increasingly, software-only versions of firewalls are being deployed in highly virtualized environments to enforce policies on segmented networks or in the IaaS public cloud.To read this article in full or to leave a comment, please click here

What is a firewall?

Network-based firewalls have become almost ubiquitous across US enterprises for their proven defense against an ever-increasing array of threats.A recent study by network testing firm NSS Labs found that up to 80% of US large businesses run a next-generation firewall. Research firm IDC estimates the firewall and related unified threat management market was a $7.6 billion industry in 2015 and expected to reach $12.7 billion by 2020.What is a firewall? Firewalls act as a perimeter defense tool that monitor traffic and either allow it or block it. Over the years functionality of firewalls has increased, and now most firewalls can not only block a set of known threats and enforce advanced access control list policies, but they can also deeply inspect individual packets of traffic and test packets to determine if they’re safe. Most firewalls are deployed as network hardware that processes traffic and software that allow end users to configure and manage the system. Increasingly, software-only versions of firewalls are being deployed in highly virtualized environments to enforce policies on segmented networks or in the IaaS public cloud.To read this article in full or to leave a comment, please click here

New Paper on Online Privacy in the Wake of Pervasive Surveillance Revelations

In 2015, I was lucky enough to give an invited keynote at the 20th anniversary of the Ethicomp conference. I found that many of the issues up for discussion were ones in which the Internet Society also has a keen interest: for example — responsible innovation, the ethics of autonomous systems, and what do in the wake of Edward Snowden’s revelations about pervasive state monitoring of the Internet. The conference has now produced a special edition of the Journal of Information, Communication and Ethics in Society (JICES), specifically to report on a global set of surveys on the responses to Snowden. I was invited to write a paper for this special edition, to accompany the more traditional academic analyses of the surveys. My full article, “After Snowden – the evolving landscape of privacy and technology” is now available.

Writing the paper gave me a chance to step back and look at how the privacy advocacy community’s work has changed since Snowden – one of those rare moments in which the frog gets to hop out of the rapidly warming water and contemplate the saucepan. Here are a few of the trends I noted.

First, there has been Continue reading

Zodiac WX – Northbound Networks

A WiFi Base station using OpenFlow for $250. The Zodiac WX is the world’s first fully integrated OpenFlow® Wireless Access Point. It is a high powered ceiling / wall mountable Dual-Band AC1200 AP that includes 2 Gigabit Ethernet ports and support for PoE. We have integrated our Zodiac OpenFlow® engine directly into the wireless drivers so […]

“Responsible encryption” fallacies

Deputy Attorney General Rod Rosenstein gave a speech recently calling for "Responsible Encryption" (aka. "Crypto Backdoors"). It's full of dangerous ideas that need to be debunked.

The importance of law enforcement

The first third of the speech talks about the importance of law enforcement, as if it's the only thing standing between us and chaos. It cites the 2016 Mirai attacks as an example of the chaos that will only get worse without stricter law enforcement.

But the Mira case demonstrated the opposite, how law enforcement is not needed. They made no arrests in the case. A year later, they still haven't a clue who did it.

Conversely, we technologists have fixed the major infrastructure issues. Specifically, those affected by the DNS outage have moved to multiple DNS providers, including a high-capacity DNS provider like Google and Amazon who can handle such large attacks easily.

In other words, we the people fixed the major Mirai problem, and law-enforcement didn't.

Moreover, instead being a solution to cyber threats, law enforcement has become a threat itself. The DNC didn't have the FBI investigate the attacks from Russia likely because they didn't want the FBI reading all their files, finding wrongdoing by the Continue reading

Baidu Sheds Precision Without Paying Deep Learning Accuracy Cost

One of the reasons we have written so much about Chinese search and social web giant, Baidu, in the last few years is because they have openly described both the hardware and software steps to making deep learning efficient and high performance at scale.

In addition to providing several benchmarking efforts and GPU use cases, researchers at the company’s Silicon Valley AI Lab (SVAIL) have been at the forefront of eking power efficiency and performance out of new hardware by lowering precision. This is a trend that has kickstarted similar thinking in hardware usage in other areas, including supercomputing

Baidu Sheds Precision Without Paying Deep Learning Accuracy Cost was written by Nicole Hemsoth at The Next Platform.

Intel Takes First Steps To Universal Quantum Computing

Someone is going to commercialize a general purpose, universal quantum computer first, and Intel wants to be the first. So does Google. So does IBM. And D-Wave is pretty sure it already has done this, even if many academics and a slew of upstart competitors don’t agree. What we can all agree on is that there is a very long road ahead in the development of quantum computing, and it will be a costly endeavor that could nonetheless help solve some intractable problems.

This week, Intel showed off the handiwork its engineers and those of partner QuTech, a

Intel Takes First Steps To Universal Quantum Computing was written by Timothy Prickett Morgan at The Next Platform.

iTerm2 Tip: Repeating Commands Using a Coprocess

iTerm2 is a great terminal for MacOS; far better than Apple’s built-in Terminal app, and it’s my #1 recommendation for Mac-based network engineers. One of the many reasons I like it is that it has a feature that solves a really annoying problem.

Iterm Repeat Title

It’s tedious having to issue a command repeatedly so that you can see when and if the output changes. I’ve had to do this in the past, repeating commands like show ip arp so that I can spot when an entry times out and when it it refreshes. The repeated sequence of up arrow, Enter, up arrow, Enter, up arrow, Enter drives me mad.

Some vendors offer assistance; A10 Networks for example has a repeat command in the CLI specifically to help with show commands:

a10-vMaster[2/2]#repeat 5 show arp
Total arp entries: 25       Age time: 300 secs
IP Address         MAC Address          Type         Age   Interface    Vlan
---------------------------------------------------------------------------
10.1.1.65      0000.5e00.01a1       Dynamic      17    Management   1
10.1.1.67      ac4b.c821.57d1       Dynamic      255   Management   1
10.1.1.97      001f.a0f8.d901       Dynamic      22    Management   1
Refreshing command every 5 seconds. (press ^C to quit) Elapsed Time: 00:00:00
Total arp entries: 25       Age time:  Continue reading

Worth Reading: The Importance of Setting Goals

As Tom Garriga, president of Tang Wei Martial Arts Institute, tells us, “A goal is an enemy to be conquered with a battle strategy and the commitment of a warrior. The leadership process is founded on resolve and commitment.” With this in mind, there are several components to the proper setting of goals that every leader should embody. —Chris Brady

The post Worth Reading: The Importance of Setting Goals appeared first on rule 11 reader.

Register for DockerCon Europe 2017 Livestream

For those of you who can’t make it to DockerCon Europe 2017 in Copenhagen, we are thrilled to announce that the General Sessions on both Day 1 and Day 2 of DockerCon will be livestreamed!

Find out about the latest Docker announcements live from Steve Singh (CEO) and Solomon Hykes (Founder and CTO) and enjoy the highly technical demos the Docker team has prepared for you!

Livestream schedule:

  • General Session Day 1 on 10/17 from 9am UTC +2
  • General Session Day 2 on 10/18 from 9am UTC+2

DockerCon Livestream

The livestream player will be embedded on the DockerCon site a few hours prior to the event. Be sure to sign up here to receive an email with the link to the livestream before the general session starts!

Sign up for the DockerCon EU Livestream

 

We invite you to follow the official Twitter account: @DockerCon and hashtag #DockerCon in order to get the latest updates.

Learn More about DockerCon

Watch the live stream of keynotes at #DockerCon Europe | Oct 17 – 18, 9-11am UTC +2
Click To Tweet

The post Register for DockerCon Europe 2017 Livestream appeared first on Docker Blog.

1 1,861 1,862 1,863 1,864 1,865 3,833