Summary

Security policies in Weave Net allow fine-grained firewalling of containers and services, protecting services from each other and protecting the orchestrator itself.

What it Does

  • Turns high level security policy definitions into a set of firewall rules for each container.
  • Automatically applies, verifies, and maintains the firewall rules for each container.
  • Automatically manages and coordinates all firewall rule changes as containers start, stop, and security policies are updated.
  • Provides link-by-link (host-to-host) encryption.

Why should I care?

When building microservices, it is essential to implement fine-grained firewall policies at the container and service level. Typically, this is because:

  • There are untrusted tenants. In a multi-tenant environment, the containers may be operated by untrusted parties (such as customers) and it is a requirement to protect tenants from each other as well as the service provider itself.
  • Production environments require it.
    • To reduce security risk, services should have only the permissions they need to function. This limits what an attacker, whether internal or external, can do once a single service is compromised (it is part of a “defense in depth” approach).
    • Typically, production-based microservices and apps must comply with a security controls directive that is derived from an external legal requirement (e.g., GLBA), industry policy (e.g., PCI), or internal security policy (defined by your organization’s security team).
  • Because the security team said so. Security threats are a key concern for IT professionals. Without this capability, the security team can veto a production deployment.

Firewall policies need to be adjusted every time containers are started, every time a service (a single container or a coordinated group of containers) is re-configured, and every time security policies are changed. Adjusting policies per container and per service is impractical to do by hand, and complex and time-consuming with traditional configuration management tools.

In addition, you need to be able to protect the orchestrator itself (e.g. Kubernetes) from untrusted services and containers.

Weave Net provides the required firewalling and traffic isolation easily without the need for complex configuration. When combined with Weave Scope, you have a full view of your microservice environment and associated segmentation.
