Deep packet inspection
Configure Deep Packet Inspection (DPI) in clusters to get alerts on compromised resources.
Security teams need to run DPI quickly in response to unusual network traffic in clusters so they can identify potential threats. Also, it is critical to run DPI on select workloads (not all) to efficiently make use of cluster resources and minimize the impact of false positives. Calico Enterprise provides an easy way to perform DPI using Snort community rules. You can disable DPI at any time, selectively configure for namespaces and endpoints, and alerts are generated in the Alerts dashboard in Manager UI.
This how-to guide uses the following Calico Enterprise features:
- DeepPacketInspection resource
- IntrusionDetection to set resource requirements
For each deep packet inspection resource (DeepPacketInspection), Calico Enterprise creates a live network monitor that inspects the header and payload information of packets that match the Snort community rules. Whenever malicious activities are suspected, an alert is automatically added to the Alerts page in the Calico Enterprise Manager.
Calico Enterprise DPI uses AF_PACKET, a Linux socket that allows an application to receive and send raw packets. It is commonly used for troubleshooting (like tcpdump and Wireshark), but also for network intrusion detection. For details, see AF_Packet.
Before you begin
- Multi-nic setup
- Calico Enterprise nodes running Windows hosts
- Configure deep packet inspection
- Configure resource requirements
- Access alerts
- Verify deep packet inspection is running
Configure deep packet inspection
Create a YAML file containing one or more DeepPacketInspection resources and apply it to your cluster.
kubectl apply -f <your_deep_packet_inspection_filename>
To stop deep packet inspection, delete the DeepPacketInspection resource from your cluster.
kubectl delete -f <your_deep_packet_inspection_filename>
Examples of selecting workloads
Following is a basic example that selects a single workload that has the label
k8s-app with the value
selector: k8s-app == "nginx"
In the following example, we select all workload endpoints in the
Configure resource requirements
Adjust the CPU and RAM used for performing deep packet inspection by updating the component resource in IntrusionDetection.
For a data transfer rate of 1GB/sec on workload endpoints being monitored, we recommend a minimum of 1 CPU and 1GB RAM.
The following example configures deep packet inspection to use a maximum of 1 CPU and 1GB RAM.
- componentName: DeepPacketInspection
The alerts generated by deep packet inspection are available in the Manager UI in the Alerts page.
Verify deep packet inspection is running
Get the status of DeepPacketInspection resource to verify if live traffic is being monitored on selected workload endpoints.
kubectl get <deep_packet_inspection_resource_name> -n <deep_packet_inspection_namespace>