Deep Security Manager 10 has reached end of support.
How do I use Deep Security to protect my Docker containers?
This is new in Deep Security 10.
The benefits of a Docker deployment are real, but so is the concern about the significant attack surface of the Docker host operating system (OS) itself. As with any well-designed software deployment, OS hardening and adherence to deployment best practices, such as the Center for Internet Security (CIS) Docker Benchmark, provide a solid foundation as a starting point. Once you have a secure foundation in place, adding Deep Security to your deployment gives you access to Trend Micro's extensive experience protecting physical, virtual, and cloud workloads, as well as to real-time threat information from the Trend Micro Smart Protection Network. Deep Security both protects your deployment and helps you meet and maintain continuous compliance requirements. In this way, Deep Security manages and protects both traditional and Docker workloads across physical, virtual, and cloud environments.
Deep Security protects your Docker hosts and containers running on Linux distributions:
- Identify, find, and protect Docker hosts within your deployment through the use of badges and smart folders
- Shield Docker hosts and containers from known and zero-day exploits by virtually patching newly found vulnerabilities
- Provide real-time anti-malware detection for the file systems used on Docker hosts and within the containers
- Assert the integrity of the Docker host for continuous compliance and to protect your deployment using the following techniques:
  - Prevent the unauthorized execution of applications on Docker hosts by helping you control which applications are allowed to run in addition to the Docker daemon
  - Monitor Docker hosts for unexpected changes to system files
  - Notify you of suspicious events in your OS logs
Deep Security protection for the Docker host
- Virtual patching / intrusion prevention (IPS)
- Anti-malware
- Integrity monitoring
- Log inspection
- Application control
- Firewall protection
- Web reputation
Deep Security protection for Docker containers
- Virtual patching / intrusion prevention (IPS)
- Anti-malware
Deployment considerations and limitations
- Docker manages iptables rules as part of its normal operation. When the intrusion prevention or firewall module is enabled, Deep Security normally removes iptables rules, which would break Docker container networking. To avoid this conflict, before you install the Deep Security Agent on your Docker host, prevent the agent installer from disabling iptables by creating an empty file at the following path on the Docker host: /etc/use_dsa_with_iptables
- Although Deep Security intrusion prevention controls work at the host level, they also protect container traffic on the exposed container ports. Because Docker allows multiple applications to run on the same Docker host, a single intrusion prevention policy is applied to all Docker applications on that host. This means that recommendation scans should not be relied upon for Docker deployments. This will be addressed in a future release, when the ability to scan images in registries prior to runtime is introduced.
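The following script is an added example, not part of the Deep Security documentation or product. It wraps the iptables consideration above into a repeatable host-preparation step: create the marker file before installing the agent, then, after the agent is installed and IPS or firewall is enabled, confirm that Docker's own iptables chain is still present. The marker path /etc/use_dsa_with_iptables is the one the page documents; the function names, the DSA_IPTABLES_MARKER override for testing, and the check for the DOCKER chain in `iptables -S` output are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Trend Micro's tooling): prepare a Docker host for the
# Deep Security Agent so the installer leaves Docker's iptables rules alone,
# then verify after installation that Docker's chain survived.
# /etc/use_dsa_with_iptables is the documented marker path; everything else
# here (function names, DSA_IPTABLES_MARKER, the DOCKER chain check) is an
# assumption of this example.
set -eu

MARKER="${DSA_IPTABLES_MARKER:-/etc/use_dsa_with_iptables}"

# Create the empty marker file if it is missing. Only the file's existence
# matters to the agent installer; its content is irrelevant. Idempotent, so
# it is safe to run from configuration management on every apply.
ensure_dsa_iptables_marker() {
    marker="$1"
    if [ -e "$marker" ]; then
        echo "marker already present: $marker"
    else
        : > "$marker"
        echo "created marker: $marker"
    fi
    [ -f "$marker" ]
}

# Docker creates its own chains (DOCKER, DOCKER-USER, ...) and routes
# container traffic through them. Read `iptables -S` output from stdin and
# succeed only if the DOCKER chain is defined; a flushed ruleset fails.
docker_chain_present() {
    grep -q '^-N DOCKER$'
}

# Post-install check (run as root after enabling IPS/firewall): the marker
# is still in place and Docker's chain was not removed by the agent install.
verify_docker_networking() {
    [ -f "$MARKER" ] || { echo "missing marker $MARKER"; return 1; }
    if iptables -S | docker_chain_present; then
        echo "DOCKER chain present: container networking intact"
    else
        echo "DOCKER chain missing: iptables rules were removed on this host"
        return 1
    fi
}

case "${1:-}" in
    --prepare) ensure_dsa_iptables_marker "$MARKER" ;;   # before agent install
    --verify)  verify_docker_networking ;;               # after agent install
    *)         echo "usage: $0 --prepare | --verify" ;;
esac
```

Run `sh prepare_host.sh --prepare` as root before installing the agent, and `sh prepare_host.sh --verify` once the agent is installed and a container is running; the verify step is the one to put in your post-deployment checks, since it catches the failure mode the page warns about (Docker networking silently broken by a missing marker) before it reaches production.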