    Cilium 1.0 Advances Container Networking With Improved Security

    By
    Sean Michael Kerner
    -
    April 24, 2018

For the last two decades, the IPtables technology has been the cornerstone of Linux networking implementations, including the newer container models. On April 24, the open-source Cilium 1.0 release was launched, providing a new alternative to IPtables based on BPF (Berkeley Packet Filter), which improves both networking and security.

The Cilium project’s GitHub code repository defines the effort as Linux Native, HTTP Aware Network Security for Containers. Cilium development has been driven to date by stealth startup Covalent, which is led by CEO Dan Wendlandt, who is well-known in the networking community for his work at VMware on software-defined networking, and CTO Thomas Graf, who is a core Linux kernel networking developer.

      “I actually helped to develop a lot of the legacy networking tooling like IPtables and routing, and at some point I realized that all of that doesn’t really fit into this new world of microservices,” Graf said. “At the same time, the new technology that is BPF has been coming up, and I connected the dots and that’s where Cilium started two years ago.”

      BPF provides a low-level interface to enable data packet transmission and control and is already used in Linux to enable security with the SECCOMP policy controls. For container deployments, there are already two core networking elements that have been used by organizations. For Docker environments, Docker includes the libnetwork stack, while Kubernetes has the Container Networking Interface (CNI), which provides an abstraction for networking protocols. Graf said that Cilium can plug into either libnetwork or CNI.

      “All the other libnetwork plugins are built on relatively old Linux components like Linux-bridge and IPtables, while Cilium is using BPF which is next-generation networking technology,” Graf said.

Graf added that among the advantages BPF provides are greater scalability, better performance and layer 7 application security. Security policies in Cilium can be defined in a Kubernetes YAML (Yet Another Markup Language) file.

      “So instead of defining what IPs and ports can talk to each other, the user would specify which pods can talk to each other based on labels,” he said. “Then on top of that, the user can specify which ports the pods can talk to and even what API calls are allowed.”

      Sockmap

      Among the capabilities that Cilium 1.0 includes is a feature known as sockmap. Graf explained that there has long been an assumption that networking has to be done at the data packet level.

      “At some point we realized that as long as you’re staying on one node or server, there’s not really a point to any TCP/IP or anything like that because everything is in the same node,” he said. “So basically what sockmap does is it brings networking all the way up to the socket level.”

      By doing networking at the socket level, rather than at the data packet level, Graf said that sockmap enables a short data path and improved performance.

      Security by Default

Graf explained that the default mode for Cilium is for everything to be locked down. He added that each individual connection needs to be expressly whitelisted. Cilium is also compatible with the IPsec VPN technology to help organizations create a secure mesh of container nodes. As part of a technology preview in Cilium 1.0, Graf said that there is also support for mutually authenticated Transport Layer Security (TLS), to further improve authentication security.
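As an added illustration of the label-based, deny-by-default policy model Graf describes (this example is not from the article or the Cilium project itself), the following CiliumNetworkPolicy whitelists one flow between two workloads by label rather than by IP, restricts it to a port, and then to a single API call; the pod labels, namespace and path are constructed for the example.

```yaml
# Added example: a Cilium network policy in the style the article describes.
# Pod labels, the namespace and the API path are constructed for illustration.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: frontend-to-backend-api
  namespace: shop            # constructed
spec:
  # The policy applies to every pod carrying this label (the "backend" workload).
  endpointSelector:
    matchLabels:
      app: backend
  # Once an endpoint is selected by an ingress policy, Cilium denies all other
  # ingress to it, so only the flow whitelisted below is allowed through.
  ingress:
    - fromEndpoints:
        # Only pods labelled app=frontend may connect, whatever IP they hold.
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              # Layer 7 rule: only GET requests on this path are permitted;
              # any other method or path on port 8080 is dropped.
              - method: "GET"
                path: "/api/v1/products"
```

Applying the policy with `kubectl apply -f` is enough for Cilium to enforce it; traffic from any pod not labelled app=frontend, or any non-GET request on the port, is rejected.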

      There is also a growing movement within the broader container and cloud-native computing industry to help define identity for workloads. Among the open-source efforts is the Secure Production Identity Framework for Everyone (SPIFFE) project, which officially became a Cloud Native Computing Foundation (CNCF) project on March 29.

“Cilium doesn’t care where the identity comes from right now, but we are aware of the efforts at the CNCF and working to make sure we are compatible,” Graf said.

      Cilium Microscope

      Another core element of the Cilium 1.0 release is a feature called Microscope, which provides visibility. Standard approaches to networking visibility tend to rely on IP addresses, which Graf noted isn’t useful in a microservices world, where many workloads are stateless.

“What we have done with Microscope is bring visibility up to the level where it makes sense for a user that is running containers,” Graf said. “So instead of showing packets, with source and destination IPs, we’re showing container labels, we’re showing service names, and we’re showing layer seven connectivity.”

      Covalent 

      Cilium development has been led by Covalent, which is a venture-backed startup. Covalent CEO Dan Wendlandt told eWEEK that currently there isn’t a publicly available enterprise edition of Cilium, but the company is already working with enterprises.

      “What we’re committed to is that core functionality is fully open-source,” Wendlandt said. “Looking to the future there are organizational challenges around securing microservices environments, and that’s where we’ll look for our commercial offering to help companies manage security policies over time.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
