Prophaze WAF Blog

Docker Containers - Cloud WAF

Written by Maneesha Mariam | Apr 21, 2021 10:52:36 AM

Nowadays enterprises are looking to transform software development practices to be agile to deliver more software faster. Container technology is emerging as the preferred means of packaging and deploying applications. To granularly customize policies down to the exact syscall allowed on a host, docker brings a whole set of isolation capabilities to containerized applications with strong defaults out of the box to the ability for IT admins.

Docker allows you to:
• Isolate applications from one other
• Isolate applications from the host
• Enhance the security of your application by limiting its capabilities
• Stimulate adoption of the principle of least privilege

Without considering the kind of application you intend to deploy in your infrastructure (off the shelf, legacy monolith or micro-services), containers can provide greater isolation at runtime and application integrity as it travels throughout the software development life-cycle. Dockers can run on the physical, cloud, or virtual infrastructure permitting applications to be secured by container technology regardless of deployment.

Containers give an extra layer of security by isolating applications from their host and each other while reducing the use of resources of the underlying infrastructure and reducing the surface area of the host itself.

• Containers and Virtual Machines (VMs) can be implemented together to provide extra layers of isolation and protection for selected services.
• Docker gives the most complete set of security capabilities and ships with strong defaults in container technology.
• Applications packaged in containers are more secure by default.

By adopting Docker, enterprises can improve agility, portability, and control for each application with a modern application platform. To enhance the overall resilience of a system, best practices for application security have long recommended a strategy that creates layers of protection. Limiting vulnerable surface area with a common OS is one such important layer.

Docker Overview

Docker - a platform used to build, ship, and run any applications anywhere.

Organizations are looking into Docker to simplify and accelerate their application development and deployment process. Dockers can provide an easily composable and lightweight container that can change dynamically without interfering with the application as a whole. Docker containers are frictionlessly portable across any environments (development, test, and production) that runs either locally on physical or VMs, in various cloud service providers or data centers.

Docker Engine (lightweight runtime application)
It has built-in features for orchestration, scheduling, networking, and security features to develop and deploy single or multi-container applications. This can be installed either on a physical or virtual host running a Linux OS in a cloud or private datacenter.

Docker containers
Docker containers are deployed to run across the cluster of Docker Engines. Containers permit the developers to package small or large amounts of code and their dependencies together into an isolated package. This model permits different isolated containers to run on the same host. This results in better usage of hardware resources and reducing the impact of misbehaving applications on each other and their host system. Docker containers are made from container images with layered file systems. This ensures that the container itself contains only the elements needed to run the application. Images are controlled and allocated from registries like Docker Cloud and Docker Trusted Registry with teams building and deploying applications. At runtime, the application containers are arranged, scheduled, and controlled from Docker Universal Control Plane. These technologies are accessible as an integrated platform. Docker Datacenter to power a modern application environment based on container technology.

Docker Engine Architecture

 

It uses a client-server architecture. Docker client communicates to the Engine’s daemon, which does the heavy lifting of building, shipping, and running the Docker containers for a specific application service. The Docker client can be run locally using Docker for Windows or Mac desktop app. Both the client and daemon can run on the same host but clients can also access Docker Engines remotely. All communications between the daemon and client occur through a RESTful API and can be secured with TLS. Docker is coded in Go, and the daemon uses various libraries and kernel features to deliver its functionality.