Introduction to NeuVector

Solution for Container Security

Btech Engineering
btech-engineering
4 min read · Feb 3, 2023


NeuVector

Intro

NeuVector is a Kubernetes container security platform comparable to Sysdig, but NeuVector is itself built as a cloud-native application.

What is NeuVector?

According to the NeuVector website:

NeuVector delivers the only cloud-native Kubernetes security platform with uncompromising end-to-end protection from DevOps vulnerability protection to automated run-time security, and featuring a true Layer 7 container firewall.

NeuVector is a company that provides a platform for full life cycle container security. This means that their platform offers a variety of security features and tools that can be used to secure containerized environments throughout the entire lifecycle of those environments, including during development, deployment, and operation. This can include features such as vulnerability scanning, runtime security, network segmentation, and incident response. The goal of NeuVector’s platform is to help organizations secure their containerized environments and reduce the risk of breaches or other security incidents.

Features

The main features of NeuVector are:

  1. CI/CD Vulnerability Management & Admission Control. Scan images with a Jenkins plug-in, scan registries and enforce admission control rules for deployments into production.
  2. Violation Protection. Discovers behavior and creates a whitelist-based policy to detect violations of normal behavior.
  3. Threat Detection. Detects common application attacks such as DDoS and DNS attacks on containers.
  4. DLP and WAF Sensors. Inspect network traffic for Data Loss Prevention of sensitive data, and detect common OWASP Top10 WAF attacks.
  5. Run-time Vulnerability Scanning. Scans registries, images, running containers, orchestration platforms and hosts for common (CVE) as well as application-specific vulnerabilities.
  6. Compliance & Auditing. Runs Docker Bench tests and Kubernetes CIS Benchmarks automatically.
  7. Endpoint/Host Security. Detects privilege escalations, monitors processes and file activity on hosts and within containers, and monitors container file systems for suspicious activity.
  8. Multi-cluster Management. Monitor and manage multiple Kubernetes clusters from a single console.

Architecture

The NeuVector run-time container security solution contains four types of security containers: Controllers, Enforcers, Managers, and Scanners. A special container called the Allinone is also provided to combine the Controller, Enforcer, and Manager functions all in one container, primarily for Docker native deployments. In Sysdig Secure (Enterprise) a single Sysdig agent is installed to play the roles that the Enforcer and Scanner play in NeuVector, but at a deeper architectural level Sysdig and NeuVector differ in several ways.

  • Controller The Controller manages the NeuVector Enforcer container cluster. It also provides REST APIs for the management console. Although typical test deployments have one Controller, multiple Controllers in a high-availability configuration are recommended. Three Controllers are the default in the Kubernetes production deployment sample YAML.
  • Enforcer The Enforcer is a lightweight container that enforces the security policies. One Enforcer should be deployed on each node (host), e.g. as a DaemonSet.

Note: For Docker native (non Kubernetes) deployments the Enforcer container and the Controller cannot be deployed on the same node (except in the All-in-One case below).

  • Manager The Manager is a stateless container that provides a web-UI (HTTPS only) console for users to manage the NeuVector security solution. More than one Manager container can be deployed as necessary.
  • All-in-One The All-in-One container includes a Controller, an Enforcer and a Manager in one package. It’s useful for easy installation in single-node or small-scale deployments.
  • Scanner The Scanner is a container that performs vulnerability and compliance scanning for images, containers and nodes. It is typically deployed as a ReplicaSet and can be scaled up to as many parallel scanners as desired in order to increase the scanning performance. The Controller assigns scanning jobs to each available scanner in a round-robin fashion until all scans are completed. The scanner also contains the latest CVE database and is updated regularly by NeuVector.
NeuVector.com

Installation

There are several installation methods and types; in this research I install the Controller, Manager and Enforcer containers using Helm on native Kubernetes. If you want a simpler installation you can use RKE1 and install via the apps store, but in RKE2 you must follow the steps using Helm or native Kubernetes manifests.

Environment

  • Kubernetes Cluster v1.22
  • Helm 3

Steps

  • Add the Helm repo
helm repo add neuvectorcharts https://neuvector.github.io/neuvector-helm/
  • Pull values.yaml
helm pull neuvectorcharts/core --version 2.2.5 --untar
  • Edit values.yaml to disable CRDs and disable SSL
manager:
  enabled: true
  image:
    repository: neuvector/manager
    hash:
  priorityClassName:
  env:
    ssl: false

....
crdwebhook:
  enabled: true
  type: ClusterIP
  • Deploy the CRD chart
kubectl create ns neuvector
helm install neu-crd neuvectorcharts/crd --version 2.2.5 --namespace neuvector
  • Deploy NeuVector
helm install -f values.yaml neuvector neuvectorcharts/core --version 2.2.5 --namespace neuvector
  • Get the NodePort IP and port, then log in using the default password
NODE_PORT=$(kubectl get --namespace neuvector -o jsonpath="{.spec.ports[0].nodePort}" services neuvector-service-webui) && \
NODE_IP=$(kubectl get nodes --namespace neuvector -o jsonpath="{.items[0].status.addresses[0].address}") && \
echo https://$NODE_IP:$NODE_PORT
.......
u: admin
p: admin
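After the Helm release is up, it is worth confirming that every component described in the Architecture section is actually ready before logging in. The script below is an added example, not code from the article or from NeuVector; it assumes the workload names the neuvectorcharts/core chart creates (neuvector-controller-pod, neuvector-manager-pod and neuvector-scanner-pod as Deployments, neuvector-enforcer-pod as a DaemonSet) and that kubectl on PATH can reach the cluster; adjust the names if your chart version differs.

```python
"""Post-install readiness check for a NeuVector Helm deployment.

Added example; it queries the live cluster with kubectl and reports components
that are not ready, using the expectations from the Architecture section:
three Controllers for HA and one Enforcer ready on every scheduled node.
"""
import json
import subprocess

NAMESPACE = "neuvector"
# (kind, name, minimum ready count); names assumed from the core Helm chart.
# None for the DaemonSet means "every node it is scheduled on must be ready".
EXPECTED = [
    ("deployment", "neuvector-controller-pod", 3),
    ("deployment", "neuvector-manager-pod", 1),
    ("deployment", "neuvector-scanner-pod", 1),
    ("daemonset", "neuvector-enforcer-pod", None),
]

def ready_count(status, kind):
    """Return (ready, wanted) from a Deployment or DaemonSet .status block."""
    if kind == "daemonset":
        return status.get("numberReady", 0), status.get("desiredNumberScheduled", 0)
    return status.get("readyReplicas", 0), status.get("replicas", 0)

def evaluate(kind, name, minimum, obj):
    """Return a list of findings for one workload; an empty list means healthy."""
    ready, wanted = ready_count(obj.get("status", {}), kind)
    findings = []
    if ready < wanted:
        findings.append(f"{kind}/{name}: only {ready}/{wanted} ready")
    if minimum is not None and ready < minimum:
        findings.append(f"{kind}/{name}: {ready} ready, HA expects at least {minimum}")
    if kind == "daemonset" and wanted == 0:
        findings.append(f"{kind}/{name}: scheduled on no node, so nothing is enforced")
    return findings

def check_cluster():
    """Fetch each expected workload with kubectl and collect all findings."""
    findings = []
    for kind, name, minimum in EXPECTED:
        raw = subprocess.check_output(
            ["kubectl", "get", kind, name, "-n", NAMESPACE, "-o", "json"])
        findings += evaluate(kind, name, minimum, json.loads(raw))
    return findings

if __name__ == "__main__":
    problems = check_cluster()
    print("\n".join(problems) if problems else "all NeuVector components are ready")
```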

Access

URL : http://172.16.10.101:31837
Username : admin
Password : MyP4SsW0rd1S4v3
NeuVector Dashboard

Summary

The article is an introduction to NeuVector, a company that provides a platform for full life cycle container security. The platform offers a variety of security features and tools that can be used to secure containerized environments throughout the entire lifecycle of those environments, including during development, deployment, and operation. This includes features such as vulnerability scanning, runtime security, network segmentation, and incident response. Next we will explain actions in NeuVector such as inspecting network activity inside a Kubernetes cluster.

By Fauzan Rafi, Research Team Btech

Our Tagline

#ContinuousLearning
