Protect Docker containers

The benefits of a Docker deployment are real, but so is the concern about the significant attack surface of the Docker host operating system (OS) itself. As with any well-designed software deployment, OS hardening and the use of best practices for your deployment, such as the Center for Internet Security (CIS) Docker Benchmark, provide a solid foundation as a starting point. Once you have a secure foundation in place, adding Deep Security to your deployment gives you access to Trend Micro's extensive experience protecting physical, virtual, and cloud workloads, as well as to real-time threat information from the Trend Micro Smart Protection Network. Deep Security is supported for use in a wide range of container deployments, including but not restricted to Amazon ECS, Docker Datacenter, Kubernetes, Docker Swarm, and Rancher. Deep Security both protects your deployment and helps you meet and maintain continuous compliance requirements. Deep Security manages and protects both traditional and Docker workloads across physical, virtual, and cloud environments.

Deep Security protects your Docker hosts and the containers running on them on Linux distributions.

Deep Security Docker protection controls work at the host system level, which means that the Deep Security Agent must be installed on the Docker host system, not in the containers.

Beginning with Deep Security 10.1, Deep Security supports Docker in swarm mode while using an overlay network.

Deep Security protection for the Docker host

  • Virtual patching / intrusion prevention service (IPS)
  • Anti-malware
  • Integrity monitoring
  • Log inspection
  • Application control
  • Firewall protection
  • Web reputation

Deep Security protection for Docker containers

  • Virtual patching via the intrusion prevention module
  • Anti-malware

Limitation on intrusion prevention recommendation scans

Although Deep Security intrusion prevention controls work at the host level, they also protect container traffic on the exposed container port numbers. Because Docker allows multiple applications to run on the same Docker host, a single intrusion prevention policy is applied to all Docker applications on that host. This means that recommendation scans should not be relied upon for Docker deployments.
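Because one host-level intrusion prevention policy covers the traffic of every container that publishes a port on the host, the first thing an administrator needs when writing that policy by hand is an inventory of which host ports are exposed and which container service sits behind each. The following script is an added example, not code from the Deep Security documentation or from Trend Micro: it parses the output of `docker ps --format '{{.Names}}\t{{.Image}}\t{{.Ports}}'` (the real Docker CLI format; the embedded sample output is constructed so the script runs without Docker) and separates externally bound ports from loopback-only bindings, which carry no exposure to the network the IPS is protecting.

```python
"""Inventory the host ports published by running Docker containers.

Added example, not part of the Deep Security documentation. Assumes the
`docker ps --format '{{.Names}}\t{{.Image}}\t{{.Ports}}'` output layout:
one container per line, tab-separated name, image and port list.
"""
import re
import subprocess
import sys
from collections import defaultdict

# Constructed sample of `docker ps` output (tab-separated name, image, ports).
# "db" publishes nothing; "cache" is bound to loopback only.
SAMPLE_PS_OUTPUT = """\
web\tnginx:1.25\t0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp
api\tmyorg/api:2.3\t0.0.0.0:8080->8080/tcp
db\tpostgres:15\t5432/tcp
cache\tredis:7\t127.0.0.1:6379->6379/tcp
"""

# One published mapping, e.g. "0.0.0.0:8080->80/tcp" or ":::80->80/tcp" (IPv6 any).
_PUBLISHED = re.compile(
    r"^(?P<host_ip>.+):(?P<host_port>\d+)->(?P<cport>\d+)/(?P<proto>tcp|udp)$"
)


def parse_ports(ports_field):
    """Return (host_ip, host_port, container_port, proto) tuples for published
    ports only. Entries such as "5432/tcp" are container-internal and are skipped."""
    result = []
    for entry in (p.strip() for p in ports_field.split(",") if p.strip()):
        m = _PUBLISHED.match(entry)
        if m:
            result.append((m["host_ip"], int(m["host_port"]), int(m["cport"]), m["proto"]))
    return result


def exposed_ports(ps_output):
    """Group containers by the (host_port, proto) they publish.

    Returns {"external": {...}, "loopback": {...}}; loopback-only bindings
    (127.0.0.1 / ::1) are reported separately so they are not mistaken for
    ports reachable from the network."""
    external = defaultdict(set)
    loopback = defaultdict(set)
    for line in ps_output.splitlines():
        if not line.strip():
            continue
        name, image, ports = line.split("\t", 2)
        for host_ip, host_port, _cport, proto in parse_ports(ports):
            bucket = loopback if host_ip in ("127.0.0.1", "::1") else external
            bucket[(host_port, proto)].add(f"{name}({image})")
    return {
        "external": {k: sorted(v) for k, v in external.items()},
        "loopback": {k: sorted(v) for k, v in loopback.items()},
    }


def live_ps_output():
    """Collect the same three fields from the local Docker daemon (requires Docker)."""
    return subprocess.check_output(
        ["docker", "ps", "--format", "{{.Names}}\t{{.Image}}\t{{.Ports}}"], text=True
    )


if __name__ == "__main__":
    output = live_ps_output() if "--live" in sys.argv else SAMPLE_PS_OUTPUT
    report = exposed_ports(output)
    for scope in ("external", "loopback"):
        for (port, proto), owners in sorted(report[scope].items()):
            print(f"{scope:8} {port}/{proto}: {', '.join(owners)}")
```

Run it without arguments to see the constructed sample inventoried, or with `--live` on a Docker host to inventory the real containers. The external list is the set of services the single host policy must cover; if the mix of images changes often, re-running the inventory is the practical substitute for the recommendation scan the text advises against.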