Explore a conference talk from USENIX ATC '20 that introduces BASTION, a high-performance security enforcement network stack for container networks. Delve into the security analysis of container networks, identifying concerns arising from unnecessary network operations exposure by containerized applications. Learn about BASTION's intelligent container-aware communication sandbox, which extends the container hosting platform with a network visibility service for fine-grained control over visible network topology and a traffic visibility service for secure isolation and forwarding of inter-container traffic. Discover how BASTION effectively mitigates adversarial attacks while improving overall performance in single-host and cross-host container communications. Examine the talk's comprehensive syllabus, covering topics such as the state of container security, current container networks, security challenges, BASTION's architecture, security evaluation, and performance analysis.
BASTION - A Security Enforcement Network Stack for Container Networks
Overview
Syllabus
Intro
The state of Container Security
Current Container Networks (1/2) . Conceptual microservice architecture
Security Challenges in Container Networks 1
Bastion: Security Enforcement Network Stad
Manager - Container Collection
Security Stack - Network Visibility Service 121
Security Stack - Traffic Visibility Service (1/2)
Security Evaluation
Security: Attack Scenario Verification
Security: Passive Packet Monitoring
Security: Active Packet Injection
Performance: Inter-container Throughputs
Performance: Bastion on Various Networks
Summary
Taught by
USENIX
