Agile Network Access Control in the Container Age
Cornelius Diekmann, Johannes Naab, Andreas Korsten, and Georg Carle

TL;DR
This paper addresses the lack of fine-grained, application-specific network access control in containerized environments, proposing a tool-supported, formally verified solution to improve security management for DevOps workflows.
Contribution
It introduces a formal, tool-supported approach for fine-grained network access control in Docker containers, bridging the gap between high-level policies and low-level enforcement.
Findings
Identifies shortcomings in current network access control for containers
Proposes a formally verified toolset for better policy enforcement
Provides open-source tools to enhance container security
Abstract
Linux Containers, such as those managed by Docker, are an increasingly popular way to package and deploy complex applications. However, the fundamental security primitive of network access control for a distributed microservice deployment is often ignored or left to the network operations team. High-level application-specific security requirements are not appropriately enforced by low-level network access control lists. Apart from coarse-grained separation of virtual networks, Docker supports neither the application developer in specifying nor the network operators in enforcing fine-grained network access control between containers. In a fictional story, we follow DevOp engineer Alice through the lifecycle of a web application. From the initial design and software engineering through network operations and automation, we show the tasks expected of Alice and propose tool-support to help. As…
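The gap the abstract describes, between an application-level statement of which service may talk to which and the per-packet rules that enforce it, is easiest to see with a concrete policy. The following is an added illustration, not the paper's own tool chain or code: it compiles a small "client may reach server on port" policy for four containers into iptables rules for Docker's DOCKER-USER chain, evaluates those rules with first-match semantics, and checks every ordered container pair against the policy. The container names, the 172.18.0.0/16 addresses, the ports and the policy itself are constructed for the example; the assumption that traffic matching no rule is passed on to Docker's own (permissive) rules is stated in the code.

```python
import ipaddress

# Constructed example: service names -> container IPs on one Docker bridge network
# (hypothetical values; on a real host they come from `docker network inspect`).
NETWORK = "172.18.0.0/16"
CONTAINERS = {
    "web": "172.18.0.2",
    "app": "172.18.0.3",
    "db": "172.18.0.4",
    "log": "172.18.0.5",
}

# High-level, application-specific policy: (client, server, tcp port).
# Anything not listed is meant to be denied, including web -> db.
POLICY = [
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("web", "log", 514),
    ("app", "log", 514),
]


def _rule(src=None, dst=None, dport=None, state=None, target="ACCEPT"):
    """One iptables rule as structured data; None means 'match anything'."""
    return {"src": src, "dst": dst, "dport": dport, "state": state, "target": target}


def compile_policy(policy, containers, network):
    """Translate the policy into an ordered rule list: replies first, then one
    rule per allowed flow, then a default deny for everything on the network."""
    rules = [_rule(state="ESTABLISHED,RELATED")]
    for client, server, port in policy:
        rules.append(_rule(src=containers[client] + "/32",
                           dst=containers[server] + "/32",
                           dport=port, state="NEW"))
    rules.append(_rule(src=network, dst=network, target="DROP"))
    return rules


def render(rules, chain="DOCKER-USER"):
    """Render rules as iptables command lines for the DOCKER-USER chain."""
    lines = []
    for r in rules:
        parts = [f"-A {chain}"]
        if r["src"]:
            parts.append(f"-s {r['src']}")
        if r["dst"]:
            parts.append(f"-d {r['dst']}")
        if r["dport"] is not None:
            parts.append(f"-p tcp --dport {r['dport']}")
        if r["state"]:
            parts.append(f"-m conntrack --ctstate {r['state']}")
        parts.append(f"-j {r['target']}")
        lines.append(" ".join(parts))
    return lines


def evaluate(rules, src, dst, dport, state="NEW"):
    """First matching rule decides, as in iptables. Assumption: a packet that
    matches no rule returns to Docker's own FORWARD rules, which accept
    inter-container traffic on a bridge network by default."""
    for r in rules:
        if r["src"] and ipaddress.ip_address(src) not in ipaddress.ip_network(r["src"]):
            continue
        if r["dst"] and ipaddress.ip_address(dst) not in ipaddress.ip_network(r["dst"]):
            continue
        if r["dport"] is not None and dport != r["dport"]:
            continue
        if r["state"] and state not in r["state"].split(","):
            continue
        return r["target"]
    return "ACCEPT"


def check_policy(policy, containers, rules):
    """Compare the ruleset against the policy for every ordered pair of
    containers and every port the policy mentions. Returns the list of
    (client, server, port, verdict) where enforcement disagrees with intent;
    an empty list means the low-level rules implement the high-level policy."""
    ports = sorted({p for _, _, p in policy})
    wanted = set(policy)
    mismatches = []
    for client in containers:
        for server in containers:
            if client == server:
                continue
            for port in ports:
                verdict = evaluate(rules, containers[client], containers[server], port)
                allowed = (client, server, port) in wanted
                if allowed != (verdict == "ACCEPT"):
                    mismatches.append((client, server, port, verdict))
    return mismatches


if __name__ == "__main__":
    # Coarse-grained separation only (no rules of our own): every pair can talk.
    print("unenforced flows without fine-grained rules:",
          len(check_policy(POLICY, CONTAINERS, [])))
    compiled = compile_policy(POLICY, CONTAINERS, NETWORK)
    print("\n".join(render(compiled)))
    print("mismatches after compilation:", check_policy(POLICY, CONTAINERS, compiled))
```

The first check, run against an empty ruleset, is the situation the abstract criticises: with only network-level separation, web can open a connection to db on 5432 although the application design never intended it. The second check is the kind of consistency argument a practitioner wants before loading rules with iptables-restore; the paper's own approach to that step is described in the abstract and not reproduced here.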
