Deep packet inspection
Big picture
Configure Deep Packet Inspection (DPI) in clusters to get alerts on compromised resources.
Value
Security teams need to run DPI quickly in response to unusual network traffic in clusters so they can identify potential threats. Also, it is critical to run DPI on select workloads (not all) to efficiently make use of cluster resources and minimize the impact of false positives. Calico Enterprise provides an easy way to perform DPI using Snort community rules. You can disable DPI at any time, selectively configure for namespaces and endpoints, and alerts are generated in the Alerts dashboard in Manager UI.
Concepts
For each deep packet inspection resource (DeepPacketInspection), Calico Enterprise creates a live network monitor that inspects the header and payload information of packets that match the Snort community rules. Whenever malicious activities are suspected, an alert is automatically added to the Alerts page in the Calico Enterprise Manager.
Calico Enterprise DPI uses AF_PACKET, a Linux socket that allows an application to receive and send raw packets. It is commonly used for troubleshooting (like tcpdump and Wireshark), but also for network intrusion detection. For details, see AF_Packet.
Before you begin
Not supported:
- Multi-nic setup
- Calico Enterprise nodes running Windows hosts
How To
- Configure deep packet inspection
- Configure resource requirements
- Access alerts
- Verify deep packet inspection is running
Configure deep packet inspection
Create a YAML file containing one or more DeepPacketInspection resources and apply it to your cluster.
kubectl apply -f <your_deep_packet_inspection_filename>
To stop deep packet inspection, delete the DeepPacketInspection resource from your cluster.
kubectl delete -f <your_deep_packet_inspection_filename>
Examples of selecting workloads
Following is a basic example that selects a single workload that has the label k8s-app with the value nginx.
apiVersion: projectcalico.org/v3
kind: DeepPacketInspection
metadata:
name: sample-dpi-nginx
namespace: sample
spec:
selector: k8s-app == "nginx"
In the following example, we select all workload endpoints in the sample namespace.
apiVersion: projectcalico.org/v3
kind: DeepPacketInspection
metadata:
name: sample-dpi-all
namespace: sample
spec:
selector: all()
Configure resource requirements
Adjust the CPU and RAM used for performing deep packet inspection by updating the component resource in IntrusionDetection.
For a data transfer rate of 1GB/sec on workload endpoints being monitored, we recommend a minimum of 1 CPU and 1GB RAM.
The following example configures deep packet inspection to use a maximum of 1 CPU and 1GB RAM.
apiVersion: operator.tigera.io/v1
kind: IntrusionDetection
metadata:
name: tigera-secure
spec:
componentResources:
- componentName: DeepPacketInspection
resourceRequirements:
limits:
cpu: '1'
memory: 1Gi
requests:
cpu: 100m
memory: 100Mi
Access alerts
The alerts generated by deep packet inspection are available in the Manager UI in the Alerts page.
Verify deep packet inspection is running
Get the status of DeepPacketInspection resource to verify if live traffic is being monitored on selected workload endpoints.
kubectl get <deep_packet_inspection_resource_name> -n <deep_packet_inspection_namespace>