The benefits of a Docker deployment are real, but so is the concern about the significant attack surface of the Docker host's operating system (OS) itself. Like any well-designed software deployment, OS hardening and the use of best practices for your deployment, such as the Center for Internet Security (CIS) Docker Benchmark, provide a solid foundation as a starting point. Once you have a secure foundation in place, adding Deep Security to your deployment gives you access to Trend Micro's extensive experience protecting physical, virtual, and cloud workloads, as well as to real-time threat information from the Trend Micro Smart Protection Network. Deep Security both protects your deployment and helps you meet and maintain continuous compliance requirements.
See Docker support for information on supported Docker editions and releases.
Deep Security protects your Docker hosts and containers running on Linux distributions.
Deep Security can do the following:
- Identify, find, and protect Docker hosts within your deployment through the use of badges and smart folders.
- Protect Docker hosts and containers from vulnerabilities to guard them against known and zero-day exploits by virtually patching newly found vulnerabilities.
- Provide anti-malware detection in real time, as well as via manual and scheduled scans, for the file systems used on Docker hosts.
- Provide real-time anti-malware detection for the file systems used within the containers.
- Assert the integrity of the Docker host for continuous compliance and to protect your deployment using the following techniques:
  - Prevent the unauthorized execution of applications on Docker hosts by helping you control which applications are allowed to run in addition to the Docker daemon.
  - Monitor Docker hosts for unexpected changes to system files.
Deep Security Docker protection works at the OS level. This means that Deep Security Agent must be installed on the Docker host's OS, not inside a container.
Note: Communication between containers in the pod is not supported.
Beginning with Deep Security 10.1, Deep Security supports Docker in swarm mode while using an overlay network.
Deep Security protection for Docker hosts
The following Deep Security modules can be used to protect the Docker host:
- Intrusion Prevention (IPS)
- Anti-Malware
- Integrity Monitoring
- Log Inspection
- Application Control
- Firewall
- Web Reputation
Deep Security protection for Docker containers
The following Deep Security modules can be used to protect Docker containers:
- Intrusion Prevention
- Anti-Malware (real-time scans only; scheduled and manual scans are not supported)
Limitation on Intrusion Prevention recommendation scans
Although Deep Security Intrusion Prevention controls work at the host level, they also protect container traffic on the exposed container port numbers. Because Docker allows multiple applications to run on the same Docker host, a single Intrusion Prevention policy is applied to all Docker applications. This means that recommendation scans should not be relied upon for Docker deployments.
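Because one host-level Intrusion Prevention policy covers every container's published ports and recommendation scans cannot fill that gap, an operator needs a consolidated list of the ports that actually reach the host. The following script is an added example, not code from the Deep Security documentation or from Trend Micro: it reads `docker inspect` output and maps each host-reachable port to the containers behind it. The JSON sample is constructed and the function name `host_reachable_ports` is my own.

```python
import json
from collections import defaultdict

# Constructed sample of `docker inspect` output (not captured from a real host),
# reduced to the fields this script reads. Three cases are covered: a normally
# published port, an exposed-but-unpublished port (null binding), and a
# container in host network mode.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "Config": {"Image": "nginx:1.25", "ExposedPorts": {"80/tcp": {}}},
     "HostConfig": {"NetworkMode": "bridge"},
     "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]}}},
    {"Name": "/api",
     "Config": {"Image": "example/api:2.3", "ExposedPorts": {"9000/tcp": {}, "9001/tcp": {}}},
     "HostConfig": {"NetworkMode": "bridge"},
     "NetworkSettings": {"Ports": {"9000/tcp": [{"HostIp": "0.0.0.0", "HostPort": "9000"}],
                                   "9001/tcp": None}}},
    {"Name": "/metrics",
     "Config": {"Image": "example/exporter:1.7", "ExposedPorts": {"9100/tcp": {}}},
     "HostConfig": {"NetworkMode": "host"},
     "NetworkSettings": {"Ports": {}}},
])


def host_reachable_ports(inspect_json: str) -> dict:
    """Map each host-reachable port ("8080/tcp") to (container, image, container port).

    Published ports come from NetworkSettings.Ports. A container in host network
    mode has no port mapping, so its Config.ExposedPorts sit on the host directly.
    Exposed-but-unpublished ports (null binding) are skipped: they are reachable
    only on the Docker network, so the host-level policy never sees that traffic.
    """
    ports = defaultdict(list)
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        image = c["Config"]["Image"]
        if c["HostConfig"].get("NetworkMode") == "host":
            for cport in c["Config"].get("ExposedPorts") or {}:
                ports[cport].append((name, image, "host network"))
            continue
        for cport, bindings in (c["NetworkSettings"].get("Ports") or {}).items():
            proto = cport.split("/")[1]
            for b in bindings or []:
                ports[f"{b['HostPort']}/{proto}"].append((name, image, cport))
    return dict(ports)


if __name__ == "__main__":
    for port, served_by in sorted(host_reachable_ports(SAMPLE_INSPECT).items()):
        print(port, "<-", ", ".join(f"{n} ({img}, {cp})" for n, img, cp in served_by))
```

On a live host, feed it the output of `docker inspect $(docker ps -q)` instead of the sample and compare the resulting port list against the rules assigned in the host's Intrusion Prevention policy.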