Deep packet inspection
Big picture​
Configure Deep Packet Inspection (DPI) in clusters to get alerts on compromised resources.
Value​
Security teams need to run DPI quickly in response to unusual network traffic in clusters so they can identify potential threats. Also, it is critical to run DPI on select workloads (not all) to efficiently make use of cluster resources and minimize the impact of false positives. Calico Cloud provides an easy way to perform DPI using Snort community rules. You can disable DPI at any time, selectively configure for namespaces and endpoints, and alerts are generated in the Security Events dashboard in Manager UI.
Concepts​
For each deep packet inspection resource (DeepPacketInspection), Calico Cloud creates a live network monitor that inspects the header and payload information of packets that match the Snort community rules. Whenever malicious activities are suspected, an alert is automatically added to the Security Events page in the Calico Cloud Manager.
Calico Cloud DPI uses AF_PACKET, a Linux socket that allows an application to receive and send raw packets. It is commonly used for troubleshooting (like tcpdump and Wireshark), but also for network intrusion detection. For details, see AF_Packet.
Before you begin​
Not supported:
- Multi-nic setup
- Calico Cloud nodes running Windows hosts
How To​
- Configure deep packet inspection
- Configure resource requirements
- Access alerts
- Verify deep packet inspection is running
Configure deep packet inspection​
Create a YAML file containing one or more DeepPacketInspection resources and apply it to your cluster.
kubectl apply -f <your_deep_packet_inspection_filename>
To stop deep packet inspection, delete the DeepPacketInspection resource from your cluster.
kubectl delete -f <your_deep_packet_inspection_filename>
Examples of selecting workloads
Following is a basic example that selects a single workload that has the label k8s-app with the value nginx.
apiVersion: projectcalico.org/v3
kind: DeepPacketInspection
metadata:
name: sample-dpi-nginx
namespace: sample
spec:
selector: k8s-app == "nginx"
In the following example, we select all workload endpoints in the sample namespace.
apiVersion: projectcalico.org/v3
kind: DeepPacketInspection
metadata:
name: sample-dpi-all
namespace: sample
spec:
selector: all()
Configure resource requirements​
Adjust the CPU and RAM used for performing deep packet inspection by updating the component resource in IntrusionDetection.
For a data transfer rate of 1GB/sec on workload endpoints being monitored, we recommend a minimum of 1 CPU and 1GB RAM.
The following example configures deep packet inspection to use a maximum of 1 CPU and 1GB RAM.
apiVersion: operator.tigera.io/v1
kind: IntrusionDetection
metadata:
name: tigera-secure
spec:
componentResources:
- componentName: DeepPacketInspection
resourceRequirements:
limits:
cpu: '1'
memory: 1Gi
requests:
cpu: 100m
memory: 100Mi
Access alerts​
The alerts generated by deep packet inspection are available in the Manager UI in the Security Events page.
Verify deep packet inspection is running​
Get the status of DeepPacketInspection resource to verify if live traffic is being monitored on selected workload endpoints.
kubectl get <deep_packet_inspection_resource_name> -n <deep_packet_inspection_namespace>