Do VPNs Have a Place in Container Security?
Containers give people the ability to change between development, testing and production environments rapidly. They also help people load any software stack on almost any system in a flash. But, when someone is deploying containers, security should be top-of-mind.
People often forget about container security. Instead, we often fall back on overarching security in the hopes that it captures container security in its scope. But, that’s not always the best idea. In fact, baking container security directly into application pipelines should be on everyone’s to-do list.
And, believe it or not, a VPN can play a crucial role in container security—whether that’s a Linux VPN for LXC/Kubernetes or a multi-operating system VPN for Docker.
To illustrate, let’s say John owns a record label. Every time an order comes in, he has to ship out a record via a package that fits that record well and protects it. That’s great! But, what if he had to ship the record, a record player, speakers, an amp and a phono preamp to every single customer? That would be a massive pain for both him and his customers, right? It would be especially bad for John if he only made money off of the record itself.
Well, that’s what makes containers great. Instead of shipping an operating system loaded with software, containers allow people to simply ship out containers, which houses code and all of that code’s dependencies in one small package.
Containers are small, don’t require a spin-up like a virtual machine and are a core component of the modern IT infrastructure. From JVM and Redis to PostgreSQL and Apache, we’re all running a ton of apps in containers.
Understanding Container Security
Security is obviously a crucial component of maintaining containers. No one wants malicious code penetrating the container itself, and no one wants to use a malicious container accidentally and subject their systems to potential threat activity.
And, when the industry talks about container security, it’s almost always infrastructure-based. Red Hat has a post detailing the role of security with containers. And, most of it is about account-based access, infrastructure security and all of the other common elements (e.g., firewall, server security, etc.) that go into a maintaining a robust security posture.
That’s all great! And those are all important elements of an overall security architecture. But, what about IP addresses? What if someone wanted to deploy a container, but were worried about their IP address? This could be because of country-specific restrictions (i.e., censorship, region-locks, etc.) Or, they may not want threat actors having any visibility into their network.
If someone wants to keep their IP address masked and give their container the freedom to communicate with their servers privately, they need a virtual private server (VPN).
Here’s why everyone should think about a VPN for securing containers.
The Role of Virtual Private Networks
VPNs create secure connections between computers and servers. Here’s a simple example: Let’s say that John wants to visit google.com, but he doesn’t want Google to know his IP address or where he is located. A VPN would encrypt and route his traffic to one of its servers. And, next time he went to google.com, Google would see that his computer was coming from that VPN’s server, not his computer.
VPNs have a lot of versatility. They can help people disable region-locks by jumping to a server in another country; they can anonymize someone’s entire online existence; and they can help people bypass censorship blocks and firewalls.
They also play a big role in keeping containers anonymized. For example, if someone wanted to deploy a Docker image securely, they could run the entire image through a VPN to anonymize the conversation the container was having with the server itself.
Here’s what that would look like:
- Set up a client container with OpenVPN. This is relatively simple to do, and this container will be used to secure the connection of all of the other containers being utilized.
- Find a suitable Docker image that supports the VPN that’s being used.
- Run all Docker containers through that client container to anonymize them.
Of course, all of that involves running containers through a VPN. It’s important to note that it’s equally important to run the standard network through a VPN as well.
Ideally, the entire setup (e.g., home network, containers, server networks, etc.) should run through a VPN to secure and anonymize the communication between all of them, reducing potential security gaps and masking all activity.
So, do virtual private networks have a place in container security? Absolutely. But, it’s about so much more than simply securing containers. VPNs help secure communication, and there’s tangible security value in that. Containers can operate outside of government censorship, and every container deployment is completely private with traffic that’s being encrypted and routed through the VPN’s servers.