NeuVector Full Lifecycle Container Security

By NeuVector by SUSE

Certified enterprise ready

Offers the only cloud-native Kubernetes security platform delivering uncompromising end-to-end protection from DevOps vulnerability protection to automated run-time security, and featuring a true Layer 7 container firewall.

Software version

5

Delivery method

Operator

Products purchased on Red Hat Marketplace are supported by the provider. Beyond documentation and developer communities, specialists and product maintainers may be available to address your concerns.

FAQs

  • NeuVector is itself a container, deployed with your existing tools such as Kubernetes. It runs one per host, "next to" other containers/pods. Once deployed, NeuVector is able to inspect all network traffic between pods/containers and also the host/container processes. NeuVector is not an agent and does not require any changes to applications or host operating systems.

    • Performance impact is not an issue except for services which are running in the Protect (inline network firewall) mode and have high transaction processing requirements.
    • Throughput & Latency: Monitor Mode (Tap/Mirror): Line speed (no degradation). Protect Mode (Inline): Minimum 1.3 gb/s per host throughput with shared CPU. If additional performance is required, dedicated CPU resources (e.g. 1 core) and memory can be assigned to the Enforcer container. Latency has been benchmarked at 2 - 10% using the open source Redis benchmark tool at https://redis.io/topics/benchmarks
    • Memory: We recommend allocating 1GB but the minimum is 512MB
    • Disk space: The Enforcer takes less than 100MB
    • Image scanning performance: NeuVector is the fastest registry scanner available today, with customers scanning hundreds of thousands of images in hours where other solutions failed

    • Scanning images and implementing host security is good basic security, but does not protect against most run-time exploits. You have seen how new zero-day attacks exploit unknown vulnerabilities, and how attackers can spread once in a network.
    • NeuVector provides the most complete run-time security which includes the only Layer 7 container firewall available for protecting pod and containers from known attacks and unauthorized connections. NeuVector adds advanced network security, endpoint (host and container process inspection) security, and compliance auditing to your run-time environment.

    • NeuVector is the first and only true Layer 7 container firewall which provides cloud-native inspection of all network traffic between containers and for ingress/egress control.
    • Customers turn to NeuVector when they realize that all the scanning and host security precautions still leave them vulnerable to zero-day attacks while in production.

    • Enforcer: the Enforcer container is minimized (removing all unnecessary packages and libraries) to reduce the attack surface. Enforcer status and availability are monitored by the Controller. We recommend using orchestration tools to require an Enforcer on every host and restart the container if it stops.
    • Controller: The Controller is a highly available distributed cluster controller. Multiple controllers are supported for HA and scalability.
    • Manager: the Manager uses the REST API like a client. Communication to the Controller is SSL encrypted and authentication is by username/password. Use of strong passwords is recommended.

    • No, we inspect network packets in real-time to determine normal and abnormal traffic. IP Tables inspection is not a reliable, scalable way to enforce behavior at an application protocol layer.
    • NeuVector has developed its own core technology to provide real-time packet filtering with deep packet inspection.

    • The Enforcer container is slightly less than 80MB
    • The Allinone container is about 300MB
    • The Controller container is less than 100 MB

    • The Controller is a distributed system where multiple Controllers can run on separate hosts. If one Controller is not available, another one automatically takes over, similar to how a Docker Swarm master node functions (based on etcd). We recommend running multiple controllers in odd numbers such as 3, 5, 7 etc. We recommend that you periodically back up the controller using the Export function in Settings > Configuration or using the CLI. The CLI supports both export and import of the configuration file. In the case of Kubernetes, it will automatically bring up another controller to form the cluster again if a controller fails.
    • For all NeuVector containers we have a health monitoring process. If the working process goes down, the health monitor brings it back up. If the container itself is stopped, then your orchestration tools such as Kubernetes and Swarm are designed to restart the container or launch a new one. If the Enforcer should fail and not be able to be brought back up, it will ‘fail open,’ so the connections are not inadvertently blocked. Please contact support@neuvector.com if you wish the Enforcer to ‘fail closed,’ where all connections are blocked during failure.

  • Yes. You set apps in different modes. In NeuVector, these apps are called Services. Each service is one or more containers of the same type (image).

  • Even custom application behavior can be learned by NeuVector and automatically protected. Whitelist rules will be created based on learned behavior, taking into account the application protocol (e.g. http), container image meta-data, and connection details. Whitelist and Blacklist rules can be added and customized for additional protection, but are not required.

    • Typically, new application behavior or new apps are tested in a staging (or blue-green) environment, where NeuVector can learn the new behavior and update its policy automatically. The policy can then be imported into a production environment.
    • Alternatively, the policy can be manually updated by creating new whitelist or blacklist rules, or using the CLI or REST API.

    • We charge annual subscriptions which include support. Subscriptions are based on the number of hosts (e.g. worker nodes) which NeuVector protects in production.
    • Requests for a trial license and quote can be generated through the NeuVector console in Settings.

    • NeuVector scans the libraries and packages on the container as well as on the host.
    • On the host, all packages and libraries of the OS and applications are scanned for vulnerabilities.
    • For container images in registries, we perform a multi-layer scan for in depth vulnerability analysis.

  • NeuVector inspects the application protocol (L7) plus container/image meta-data and other behavioral identifiers to determine if the connection should be allowed.

  • NeuVector has tested 100s of Enforcers but has not reached a maximum number. We support distributed, multiple controllers to achieve greater scalability for Enforcers.

  • NeuVector has tested up to 2,000 containers, but we have not reached a maximum number. It is more limited by the network traffic between containers on a host.

  • NeuVector supports event/log output through a SYSLOG server, and has a demo video showing how to set this up for Splunk. We also support webhook notifications through custom Response Rules.

    • Yes, we work fine on Red Hat OpenShift, AWS ECS/EKS, Azure AKS, IBM cloud and Kubernetes, and can work with their overlay networking plug-ins and even customize the visual display for them.
    • NeuVector is the first/only security solution certified by Red Hat and Docker and listed in the container catalogs.

  • Yes, we support all major Linux distributions.

  • We’re currently investigating Windows Server 2016 and Hyper-V. If you are running a Linux VM on Azure then we can secure Docker containers on Azure.

    • Yes, NeuVector supports scanning of all popular registries such as Docker, Red Hat / OpenShift, JFrog Artifactory, AWS ECR, Azure ACR, GCR, Nexus etc.
    • NeuVector also provides a Jenkins plug-in for scanning during your build process.

  • NeuVector accesses all the common CVE databases as well as application-specific vulnerability databases, for example nodejs, nginx, cassandra, mongodb and others. We also scan popular languages such as java, python, and ruby.

    • NeuVector detects root privilege escalations on hosts and containers.
    • NeuVector can run the Docker CIS benchmark on every host.
    • We can scan the host OS for vulnerabilities such as the recently discovered Dirty Cow and alert you.
    • We can provide a guide for securing the host OS and system for containers, such as recommended SELinux, AppArmor and Seccomp profiles.

    • NeuVector can detect privilege escalations in containers.
    • We are not a tool for building hardened containers by helping to reduce libraries. We believe that during run-time, a security product should not be able to alter the image, but should monitor and protect it without affecting it.

    • First, contact support@neuvector.com to have us add your Docker Hub ID to our private Docker registry.
    • Review the getting started at http://neuvector.com/getting-started.
    • Pull the NeuVector containers for Docs, Allinone, and Enforcer.
    • Run the Docs container and download the Test plan from the Docs.
    • Deploy the containers using docker native, compose, swarm, or an orchestration tool like Kubernetes, OpenShift, or Rancher.