Skip to main content

Deep packet inspection

Big picture

Configure Deep Packet Inspection (DPI) in clusters to get alerts on compromised resources.

Value

Security teams need to run DPI quickly in response to unusual network traffic in clusters so they can identify potential threats. Also, it is critical to run DPI on select workloads (not all) to efficiently make use of cluster resources and minimize the impact of false positives. Calico Cloud provides an easy way to perform DPI using Snort community rules. You can disable DPI at any time, selectively configure for namespaces and endpoints, and alerts are generated in the Alerts dashboard in Manager UI.

Features

This how-to guide uses the following Calico Cloud features:

  • DeepPacketInspection resource
  • IntrusionDetection to set resource requirements

Concepts

For each deep packet inspection resource (DeepPacketInspection), Calico Cloud creates a live network monitor that inspects the header and payload information of packets that match the Snort community rules. Whenever malicious activities are suspected, an alert is automatically added to the Alerts page in the Calico Cloud Manager.

Calico Cloud DPI uses AF_PACKET, a Linux socket that allows an application to receive and send raw packets. It is commonly used for troubleshooting (like tcpdump and Wireshark), but also for network intrusion detection. For details, see AF_Packet.

Before you begin

Not supported:

  • Multi-nic setup
  • Calico Cloud nodes running Windows hosts

How To

Configure deep packet inspection

Create a YAML file containing one or more DeepPacketInspection resources and apply it to your cluster.

kubectl apply -f <your_deep_packet_inspection_filename>

In order to stop deep packet inspection, delete the DeepPacketInspection resource from your cluster.

kubectl delete -f <your_deep_packet_inspection_filename>

Examples of selecting workloads

Following is a basic example that selects a single workload that has the label k8s-app with the value nginx.

apiVersion: projectcalico.org/v3
kind: DeepPacketInspection
metadata:
name: sample-dpi-nginx
namespace: sample
spec:
selector: k8s-app == "nginx"

In the following example, we select all workload endpoints in the sample namespace.

apiVersion: projectcalico.org/v3
kind: DeepPacketInspection
metadata:
name: sample-dpi-all
namespace: sample
spec:
selector: all()

Configure resource requirements

Adjust the CPU and RAM used for performing deep packet inspection by updating the component resource in IntrusionDetection.

For a data transfer rate of 1GB/sec on workload endpoints being monitored, we recommend a minimum of 1 CPU and 1GB RAM.

The following example configures deep packet inspection to use a maximum of 1 CPU and 1GB RAM.

apiVersion: operator.tigera.io/v1
kind: IntrusionDetection
metadata:
name: tigera-secure
spec:
componentResources:
- componentName: DeepPacketInspection
resourceRequirements:
limits:
cpu: '1'
memory: 1Gi
requests:
cpu: 100m
memory: 100Mi

Access alerts

The alerts generated by deep packet inspection are available in the Manager UI in the Alerts page.

Verify deep packet inspection is running

Get the status of DeepPacketInspection resource to verify if live traffic is being monitored on selected workload endpoints.

kubectl get <deep_packet_inspection_resource_name> -n <deep_packet_inspection_namespace>

Additional resources