Identity Aware Threat Detection and Network Monitoring by using eBPF
Natalia Reka Ivanko, Isovalent October 28, 2020
0 credits | 7 pages | 1.35 MB | 1 year ago
Cilium v1.10 Documentation
instructions for installing, configuring, and troubleshooting Cilium in different deployment modes. Network Policy : Detailed walkthrough of the policy language structure and the supported formats. Monitoring Installation Observability Network Policy Security Tutorials Advanced Networking Cluster Mesh Operations Istio Concepts Component Overview Terminology Networking Network Security eBPF Datapath Observability pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples
0 credits | 1307 pages | 19.26 MB | 1 year ago
Cilium v1.11 Documentation
instructions for installing, configuring, and troubleshooting Cilium in different deployment modes. Network Policy : Detailed walkthrough of the policy language structure and the supported formats. Monitoring Installation Observability Network Policy Security Tutorials Advanced Networking Cluster Mesh Operations Istio Concepts Component Overview Terminology Networking Network Security eBPF Datapath Observability pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples
0 credits | 1373 pages | 19.37 MB | 1 year ago
Cilium v1.8 Documentation
instructions for installing, configuring, and troubleshooting Cilium in different deployment modes. Network Policy : Detailed walkthrough of the policy language structure and the supported formats. Monitoring Started Guides Installation Network Policy Security Tutorials Advanced Networking Operations Istio Other Orchestrators Concepts Component Overview Terminology Networking Network Security eBPF Datapath Kubernetes pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Host
0 credits | 1124 pages | 21.33 MB | 1 year ago
Cilium v1.9 Documentation
instructions for installing, configuring, and troubleshooting Cilium in different deployment modes. Network Policy : Detailed walkthrough of the policy language structure and the supported formats. Monitoring Started Guides Installation Network Policy Security Tutorials Advanced Networking Operations Istio Other Orchestrators Concepts Component Overview Terminology Networking Network Security eBPF Datapath Observability pre-flight check (Required) Upgrading Cilium Version Specific Notes Advanced Configuration Core Agent Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples
0 credits | 1263 pages | 18.62 MB | 1 year ago
Cilium v1.7 Documentation
Cilium What is Cilium? Why Cilium? Functionality Overview Getting Started Guides Installation Network Policy Security Tutorials Advanced Networking Operations Istio Other Orchestrators Concepts Component GitHub Security Bugs Integrations Kubernetes Introduction Concepts Requirements Configuration Network Policy Endpoint CRD Kubernetes Compatibility Cilium CRD schema validation Troubleshooting Istio (Required) Upgrading Cilium Step 3: Rolling Back Version Specific Notes Advanced Configuration Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Kubernetes
0 credits | 885 pages | 12.41 MB | 1 year ago
Cilium v1.6 Documentation
GitHub Security Bugs Integrations Kubernetes Introduction Concepts Requirements Configuration Network Policy Endpoint CRD Kubernetes Compatibility Troubleshooting Istio Getting Started Using Istio Versions Upgrading Minor Versions Step 3: Rolling Back Version Specific Notes Advanced Configuration Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Kubernetes Introduction to Cilium What is Cilium? Cilium is open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like
0 credits | 734 pages | 11.45 MB | 1 year ago
Cilium v1.5 Documentation
Slack GitHub Security Bugs Integrations Kubernetes Introduction Concepts Requirements Configuration Network Policy Endpoint CRD Kubernetes Compatibility Troubleshooting Istio Getting Started Using Istio Docker Cilium Micro Versions Upgrading Minor Versions Rolling Back Version Specific Notes Advanced Configuration Network Policy Policy Enforcement Modes Rule Basics Layer 3 Examples Layer 4 Examples Layer 7 Examples Kubernetes Introduction to Cilium What is Cilium? Cilium is open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker
0 credits | 740 pages | 12.52 MB | 1 year ago
Steering connections to sockets with BPF socket lookup hook
0:* users:(("nc",pid=1289,fd=3)) $ nc -4 127.0.0.1 7777 hello⏎ hello ^D Netcat + /bin/cat Test it! Check open ports on VM external IP vm $ ip -4 addr show eth0 2: eth0:Network Driver XDP TC ingress alloc_skb Ring Buffer forward Wikipedia - Packet flow in Netfilter and pointer to socket FD dup’ed socket FD socket cookie from ss output (sk:1) Attach echo_dispatch to network namespace # ./sk-lookup-attach Usage: ./sk-lookup-attach # ./sk-lookup-attach
0 credits | 23 pages | 441.22 KB | 1 year ago
Containers and BPF: twagent story
connector (netns is in-use) ○ transparent proxy (mostly for TLS) ○ container firewall ○ network faults injection ○ network counters (rack, datacenter, region) ● but not only: ○ sysctl access control Let’s (bpftool cgroup tree ): cgroup-bpf 3 Task IP assignment (aka IP-per-task) ● Facebook DC network is IPv6 only ● Every server has /64 IPv6 prefix ● Convenient to have a unique IPv6 per twagent Container firewall (twfw) Network faults injection: ● Same per-packet firewall is used ● Attached to a task on-demand by API call ● Action can be applied with probability ● Used to test disaster recovery readiness
0 credits | 9 pages | 427.42 KB | 1 year ago
22 results in total