Comment by crimsonnoodle58
17 hours ago
If you're running on Kubernetes, a simple network policy and blocking the container from using DNS will stop any compromised image from performing a data exfil.
I do this for most containers.
If the container must have web access in some form, set up a Squid proxy and only whitelist safe and trusted domains that can't be exfiltrated to.
> a simple network policy and blocking the container from using DNS
Can you please point to some resources that can help with how to do this?
Not sure about the DNS part, but NetworkPolicies should be familiar to anyone who takes Kubernetes seriously.
https://kubernetes.io/docs/concepts/services-networking/netw...
Edit: Did some research and found that Calico has a feature for some kind of DNS filtering
https://www.tigera.io/blog/how-to-secure-kubernetes-workload...
Why do you think that DNS is required? Anything malicious could (and likely should) hard-code an IP.
You ensure DNS is disabled to stop DNS exfil. You can google it, but basically they exfil data by looking up encoded subdomains.
Hardcoding an IP won't help if the network policy disallows all network access.
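The setup described in this thread (default-deny egress so the pod can reach neither DNS nor a hard-coded IP, plus a narrow exception for an allow-listing Squid proxy), written out as an added example that is not from any commenter. Namespace names (`apps`, `egress-proxy`), labels (`app: untrusted-web`, `app: squid`) and the proxy port 3128 are assumptions; the `kubernetes.io/metadata.name` namespace label is set automatically on Kubernetes 1.21+.

```yaml
# Added example, not code from the thread. All names and labels are hypothetical.
# NetworkPolicy is only enforced if the cluster's CNI supports it (Calico,
# Cilium, etc.); on a CNI without policy support these objects are silently ignored.
---
# 1. Default-deny egress for the untrusted workload. With policyTypes: [Egress]
#    and no egress rules, every outbound packet is dropped, including UDP/TCP 53
#    to kube-dns, so DNS-tunnelling exfil and connections to hard-coded IPs both fail.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: apps
spec:
  podSelector:
    matchLabels:
      app: untrusted-web
  policyTypes:
    - Egress
  egress: []
---
# 2. Optional, only for workloads that genuinely need web access: allow TCP 3128
#    to the Squid pods in the egress-proxy namespace and nothing else. Policies are
#    additive, so this opens exactly one path on top of the deny-all above. DNS stays
#    blocked, so the pod must be given the proxy's address as an IP (e.g. a Service
#    with a fixed spec.clusterIP passed via HTTP_PROXY/HTTPS_PROXY), not a hostname.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-squid-only
  namespace: apps
spec:
  podSelector:
    matchLabels:
      app: untrusted-web
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: egress-proxy
          podSelector:
            matchLabels:
              app: squid
      ports:
        - protocol: TCP
          port: 3128
```

Two checks worth doing after applying this: from a pod matching the selector, `nslookup kubernetes.default` and a `curl` to any public IP should both time out, while a request through the proxy to an allow-listed domain should succeed. The domain allow-list itself lives in Squid's ACLs, and the proxy should only permit CONNECT to the listed hosts; the NetworkPolicy just guarantees the pod has no other way out.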
The web frontend could still send secrets to third parties.
For extra security, an intermediary can set Content Security Policy (CSP) headers that instruct browsers to only connect to certain domains. CSP headers aren't a total solution, but they're a good tool in the toolkit for redundancy against exfiltration.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...
It could be a system without a web UI, like a database or database proxy. Or it could have multiple web and native UIs (that are open source), e.g. a Matrix service.
I use Docker (in Unraid).