Systems and methods for secure containerization
Abstract
A method for provisioning a secure container for running an application includes routing traffic between the application and a secure container service over a virtual private network, and restricting the flow of traffic to or from the application other than traffic to or from the secure container service. The method further includes providing limited name resolution for the secure container with a customized domain name system server, establishing network proxy services to filter and route approved inbound traffic to the application, and establishing outbound network proxy services to filter and route approved outbound traffic from the application.
15 Claims
1. A method for provisioning a secure container for running an application, comprising:
routing traffic between the application and a secure container service over a virtual private network;
using network filter rules to restrict network traffic to or from the application other than traffic to or from the secure container service;
using a customized domain name system service to provide name resolution to domain name system requests from the application within the secure container, the name resolution limited to server names allowed by a security policy;
examining the secure container for known vulnerabilities and preventing the secure container from launching when a known vulnerability is detected, the examining including at least one of checking configuration settings to identify combinations of settings that create known vulnerabilities, checking versions of libraries or applications within the secure container to identify unpatched known vulnerabilities, performing a port scan to identify known vulnerabilities, and any combination thereof;
establishing an inbound network proxy to filter and route approved inbound traffic to the application; and
establishing an outbound network proxy to filter and route approved outbound traffic from the application.
Dependent claims: 2, 3, 4, 5, 6
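The "examining" step of claim 1 names three checks (setting combinations, unpatched library versions, a port scan) and a single outcome: the container is not launched if any of them finds a known vulnerability. The following is an added illustration of that pre-launch gate, not code from the patent or any product implementing it. The advisory table, the bad setting combinations, the manifest layout and every version and port value are constructed for the example; the port-scan step is modelled here as comparing observed listeners against the ports the manifest declares, which is one reasonable reading of the claim rather than its stated method.

```python
from typing import Dict, List, Tuple

# Constructed advisory table (hypothetical): library name -> first version without the known issue.
FIXED_IN: Dict[str, Tuple[int, ...]] = {
    "libexample-tls": (1, 4, 2),
    "libexample-image": (3, 0, 0),
}

# Constructed setting combinations treated as known-vulnerable (hypothetical policy).
BAD_COMBINATIONS = [
    ({"privileged": True, "host_network": True}, "privileged container sharing the host network"),
    ({"run_as_root": True, "read_only_rootfs": False}, "root user with a writable root filesystem"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    # "1.4.1" -> (1, 4, 1); tuple comparison is element-wise, which "below the fixed version" needs.
    return tuple(int(part) for part in text.split("."))


def check_settings(settings: dict) -> List[str]:
    """Flag combinations of settings that only together create a known weakness."""
    return [
        f"config: {reason}"
        for combo, reason in BAD_COMBINATIONS
        if all(settings.get(key) == value for key, value in combo.items())
    ]


def check_libraries(libraries: Dict[str, str]) -> List[str]:
    """Flag libraries whose version is older than the version carrying the fix."""
    findings = []
    for name, version in libraries.items():
        fixed = FIXED_IN.get(name)
        if fixed is not None and parse_version(version) < fixed:
            fixed_text = ".".join(str(n) for n in fixed)
            findings.append(f"library: {name} {version} is older than fixed version {fixed_text}")
    return findings


def check_ports(observed: List[int], declared: List[int]) -> List[str]:
    """Port-scan step (assumption): any listener not declared in the manifest is a finding."""
    return [f"port: undeclared listener on {port}" for port in sorted(set(observed) - set(declared))]


def preflight(manifest: dict) -> List[str]:
    """Run all three checks; an empty list means nothing blocks the launch."""
    return (
        check_settings(manifest["settings"])
        + check_libraries(manifest["libraries"])
        + check_ports(manifest["observed_ports"], manifest["declared_ports"])
    )


def may_launch(manifest: dict) -> bool:
    """The gate from the claim: a single finding prevents the container from launching."""
    return not preflight(manifest)


# Constructed sample manifests (hypothetical values).
RISKY_MANIFEST = {
    "settings": {"privileged": True, "host_network": True, "run_as_root": False, "read_only_rootfs": True},
    "libraries": {"libexample-tls": "1.4.1", "libexample-image": "3.2.0"},
    "observed_ports": [8080, 2222],
    "declared_ports": [8080],
}
CLEAN_MANIFEST = {
    "settings": {"privileged": False, "host_network": False, "run_as_root": False, "read_only_rootfs": True},
    "libraries": {"libexample-tls": "1.4.2", "libexample-image": "3.2.0"},
    "observed_ports": [8080],
    "declared_ports": [8080],
}

if __name__ == "__main__":
    for finding in preflight(RISKY_MANIFEST):
        print(finding)
    print("launch allowed:", may_launch(CLEAN_MANIFEST))
```

The risky manifest produces one finding per check (the privileged/host-network pair, the outdated TLS library, the undeclared listener on 2222) and is refused; the clean one passes. Two points a practitioner would watch in a real gate: the combination check deliberately matches on all keys of a pattern, since each setting alone may be acceptable, and the version parser accepts only dotted integers, so a scheme with suffixes such as "1.4.2-rc1" needs a proper version parser before it is compared.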
7. A method for providing name resolution for an application within a secure container, the method comprising:
receiving a request for name resolution from the application;
forwarding the request for name resolution to an upstream domain name server if a requested name is allowed by a security policy;
receiving a response from the upstream domain name server, the response including a network address and a time-to-live;
modifying a network filter to allow traffic to the network address;
forwarding the response to the application; and
modifying the network filter to disallow traffic to the network address after the time-to-live has expired.
Dependent claims: 8, 9, 10
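Claim 7 ties the egress filter to DNS: a name is forwarded upstream only if policy allows it, the answered address is opened in the filter, and the opening is closed again when the record's time-to-live runs out. The following added example walks through that sequence with an in-memory filter and an injected clock; it is illustrative code, not the patent's or any vendor's implementation. The upstream records, the allowed-name policy and the addresses are constructed, and the dictionary lookup stands in for a real forward to an upstream DNS server.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed upstream resolver data (hypothetical): name -> (address, ttl_seconds).
UPSTREAM_RECORDS: Dict[str, Tuple[str, int]] = {
    "svc.container-service.example": ("10.0.0.5", 30),
    "updates.vendor.example": ("198.51.100.7", 5),
    "tracker.unwanted.example": ("203.0.113.9", 3600),
}

# Security policy (constructed): the only names the application may resolve.
ALLOWED_NAMES: Set[str] = {"svc.container-service.example", "updates.vendor.example"}


@dataclass
class NetworkFilter:
    """Stand-in for the container's egress filter: allowed address -> expiry timestamp."""
    rules: Dict[str, float] = field(default_factory=dict)

    def allow(self, addr: str, ttl: int, now: float) -> None:
        # Open the address, but only until the DNS record's TTL elapses.
        # A later answer for the same address extends, never shortens, the window.
        self.rules[addr] = max(self.rules.get(addr, 0.0), now + ttl)

    def expire(self, now: float) -> None:
        # Disallow traffic to every address whose TTL has run out.
        for addr in [a for a, expiry in self.rules.items() if expiry <= now]:
            del self.rules[addr]

    def permits(self, addr: str, now: float) -> bool:
        self.expire(now)
        return addr in self.rules


class PolicyResolver:
    """Customised DNS service: answers only policy-allowed names and opens the filter per answer."""

    def __init__(self, allowed: Set[str], upstream: Dict[str, Tuple[str, int]], net_filter: NetworkFilter):
        self.allowed = allowed
        self.upstream = upstream
        self.filter = net_filter

    def resolve(self, name: str, now: float) -> Optional[Tuple[str, int]]:
        # Name not allowed by policy: refuse without ever contacting upstream.
        if name not in self.allowed:
            return None
        record = self.upstream.get(name)  # stands in for forwarding to the upstream server
        if record is None:
            return None
        addr, ttl = record
        # Open the filter for the answered address before handing the answer back.
        self.filter.allow(addr, ttl, now)
        return addr, ttl


def scenario() -> dict:
    """Drive the resolver with a fixed clock so expiry is deterministic."""
    net_filter = NetworkFilter()
    resolver = PolicyResolver(ALLOWED_NAMES, UPSTREAM_RECORDS, net_filter)
    t0 = 1000.0
    allowed_answer = resolver.resolve("updates.vendor.example", t0)   # ("198.51.100.7", 5)
    denied_answer = resolver.resolve("tracker.unwanted.example", t0)  # None: blocked by policy
    return {
        "allowed_answer": allowed_answer,
        "denied_answer": denied_answer,
        "permitted_during_ttl": net_filter.permits("198.51.100.7", t0 + 4),
        "permitted_after_ttl": net_filter.permits("198.51.100.7", t0 + 5),
        "denied_addr_permitted": net_filter.permits("203.0.113.9", t0),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The allowed name is answered and its address is reachable for exactly the five seconds the record is valid; the disallowed name gets no answer and its address is never opened. Because the filter is keyed by address rather than by name, an address shared between an allowed and a disallowed name is reachable while the allowed record is live, and very short TTLs cause the rule to churn, so a deployment would typically clamp the TTL to a floor and log each open/close for later review.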
11. An information handling system comprising:
a processor configured to:
route traffic between an application and a secure container service over a virtual private network;
use network filter rules to restrict network traffic to or from the application other than traffic to or from the secure container service;
provide name resolution to domain name system requests from the application within the secure container using a customized domain name system server, the name resolution limited to server names allowed by a security policy;
examine the secure container for known vulnerabilities, including at least one of check configuration settings to identify combinations of settings that create known vulnerabilities, check versions of libraries or applications within the secure container to identify unpatched known vulnerabilities, perform a port scan to identify known vulnerabilities, and any combination thereof, and prevent the secure container from launching when a known vulnerability is detected;
establish an inbound network proxy to filter and route approved inbound traffic to the application; and
establish an outbound network proxy to filter and route approved outbound traffic from the application.
Dependent claims: 12, 13, 14, 15