# Agile Network Access Control in the Container Age

**Authors:** Cornelius Diekmann, Johannes Naab, Andreas Korsten, and Georg Carle

arXiv: 1903.00720 · 2019-03-06

## TL;DR

This paper addresses the lack of fine-grained, application-specific network access control in containerized environments, proposing a tool-supported, formally verified solution to improve security management for DevOps workflows.

## Contribution

It introduces a formal, tool-supported approach for fine-grained network access control in Docker containers, bridging the gap between high-level policies and low-level enforcement.

## Key findings

- Identifies shortcomings in current network access control for containers
- Proposes a formally verified toolset for better policy enforcement
- Provides open-source tools to enhance container security

## Abstract

Linux Containers, such as those managed by Docker, are an increasingly popular way to package and deploy complex applications. However, the fundamental security primitive of network access control for a distributed microservice deployment is often ignored or left to the network operations team. High-level application-specific security requirements are not appropriately enforced by low-level network access control lists. Apart from coarse-grained separation of virtual networks, Docker neither supports the application developer to specify nor the network operators to enforce fine-grained network access control between containers.

In a fictional story, we follow DevOp engineer Alice through the lifecycle of a web application. From the initial design and software engineering through network operations and automation, we show the tasks expected of Alice and propose tool support to help. As a full-stack DevOp, Alice is involved in high-level design decisions as well as low-level network troubleshooting. Focusing on network access control, we demonstrate shortcomings in today's policy management and sketch a tool-supported solution. We survey related academic work and show that many existing tools fail to bridge between the different levels of abstraction a full-stack engineer is operating on.

Our toolset is formally verified using Isabelle/HOL and is available as Open Source.
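The gap the abstract describes, between a developer's service-level policy ("frontend may call api on 8080") and the IP-level filter rules an operator actually installs, can be made concrete with a small policy compiler plus an exhaustive checker. The following is an added illustration written for this summary; it is not the paper's toolset and involves no Isabelle/HOL. All service names, addresses and the policy itself are constructed, and the `DOCKER-USER` chain is used only as the place where Docker lets operators add their own filter rules. The checker compares the generated rules against the policy for every (client, server, port) combination and so catches the classic mistake of forgetting a default deny, which in a Docker bridge network silently leaves everything reachable.

```python
"""Compile a service-level access policy into per-container filter rules
and verify that the rules enforce exactly that policy.
Hypothetical example: names, IPs and the policy are constructed."""
from dataclasses import dataclass
from itertools import product

# Constructed inventory: service name -> container IP on a bridge network
CONTAINERS = {
    "frontend": "172.18.0.2",
    "api": "172.18.0.3",
    "db": "172.18.0.4",
    "monitoring": "172.18.0.5",
}

# Constructed high-level policy: (client, server, tcp port) that must be
# allowed. Everything not listed must be denied; this is the developer's view.
POLICY = {
    ("frontend", "api", 8080),
    ("api", "db", 5432),
    ("monitoring", "frontend", 9100),
    ("monitoring", "api", 9100),
}

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    """One filter rule; dport 0 and src/dst ANY act as wildcards."""
    src: str
    dst: str
    dport: int
    action: str  # "ACCEPT" or "DROP"


def compile_policy(policy, containers):
    """Translate the service-level policy into IP-level rules: one ACCEPT
    per allowed edge, then a catch-all DROP so anything unlisted is denied."""
    rules = [Rule(containers[c], containers[s], p, "ACCEPT")
             for c, s, p in sorted(policy)]
    rules.append(Rule(ANY, ANY, 0, "DROP"))
    return rules


def render_iptables(rules):
    """Render rules as iptables commands for Docker's user-editable chain."""
    lines = []
    for r in rules:
        match = [] if r.src == ANY else ["-s", r.src]
        match += [] if r.dst == ANY else ["-d", r.dst]
        match += [] if r.dport == 0 else ["-p", "tcp", "--dport", str(r.dport)]
        lines.append(" ".join(["iptables", "-A", "DOCKER-USER", *match, "-j", r.action]))
    return lines


def evaluate(rules, src_ip, dst_ip, dport):
    """First-match semantics like an iptables chain. If nothing matches we
    model the chain returning to Docker's own rules, which accept inter-
    container traffic on the same bridge network."""
    for r in rules:
        if (r.src in (ANY, src_ip) and r.dst in (ANY, dst_ip)
                and r.dport in (0, dport)):
            return r.action
    return "ACCEPT"


def policy_ports(policy, extra=(22,)):
    """Ports worth testing: every port the policy mentions plus some that
    it does not, so that over-permissive rule sets are noticed."""
    return sorted({p for _, _, p in policy} | set(extra))


def verify(rules, policy, containers, ports):
    """Exhaustively compare low-level rules against the high-level policy.
    Returns a list of (client, server, port, expected, actual) mismatches;
    an empty list means the rules enforce exactly the policy."""
    mismatches = []
    for c, s, p in product(containers, containers, ports):
        if c == s:
            continue
        expected = "ACCEPT" if (c, s, p) in policy else "DROP"
        actual = evaluate(rules, containers[c], containers[s], p)
        if expected != actual:
            mismatches.append((c, s, p, expected, actual))
    return mismatches


if __name__ == "__main__":
    rules = compile_policy(POLICY, CONTAINERS)
    print("\n".join(render_iptables(rules)))
    ports = policy_ports(POLICY)
    print("compiled rules vs policy:", verify(rules, POLICY, CONTAINERS, ports))
    # Same rules without the final DROP: the check reports every unlisted
    # flow as reachable, e.g. frontend -> db on 5432.
    print("missing default deny:", verify(rules[:-1], POLICY, CONTAINERS, ports)[:3])
```

The verifier here is a brute-force check over a finite inventory, which is enough to show why the two abstraction levels must be reconciled mechanically rather than by eye; the paper's tooling does the corresponding reasoning with machine-checked proofs.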

---
Source: https://tomesphere.com/paper/1903.00720