Over the past several years, we’ve seen growing momentum around enterprises leveraging Windows containers as part of their application modernization strategy. While containers are most commonly looked at from a Linux perspective, support and implementations continue to increase for Windows.
Windows containers were introduced in mid-2016 at Microsoft Ignite, focused on Windows Server 2016. With more than 100 combined years of Microsoft tenure on the Twistlock team, we knew Windows support would be part of our roadmap.
A key part of our roadmap
Twistlock officially began supporting Windows containers with Twistlock 1.7 in January 2017, providing vulnerability management for Windows images. This support also meant that users could protect Windows and Linux workloads seamlessly within the same environment.
We expanded capabilities in each subsequent release, all the way through Twistlock 2.4. In 2.4, we added support for running our VM Defender on Windows Server (‘classic’ VMs not running containers) and extended our autonomous layer 3 Cloud Native Network Firewall (CNNF) to Windows containers (including heterogeneous microservices with mixed Windows and Linux containers). With all of these features added to the Twistlock platform, now seemed like a good time to highlight some of these capabilities in action. The demo environment featured in this post runs Windows containers on Microsoft Azure.
Security for the lifecycle of your images
Twistlock scans images for vulnerabilities and compliance settings throughout their lifecycle. Twistlock identifies and scans images that are local to the Docker host and within registries.
Integrate Twistlock scanning within your build process
Twistlock ships with a native Jenkins plugin and with a standalone Windows executable image scanner, twistcli.exe. You can incorporate twistcli.exe into your DevOps workflow tools to identify vulnerability and compliance issues before they make their way into your images.
The scan results shown above are also displayed within the Twistlock Console.
Deploying Twistlock within your Windows environment
Twistlock uses Windows PowerShell for the deployment and maintenance of the Twistlock Defender as a Windows Service. Twistlock scales up with the growth of your Windows microservices to ensure your environment is always secure.
Continuously monitor your environment for vulnerabilities
Twistlock Vulnerability Explorer offers a single view of your environment to provide vulnerability data on any images and underlying hosts that are part of your environment.
Powered by Microsoft-specific CVE data as part of the Twistlock Intelligence Stream, Vulnerability Explorer stack ranks all the vulnerabilities in your environment with a proprietary Risk Score based on the impact to your specific environment (e.g. is the container(s) connected to the internet, are there known exploits, is there a fix, etc.). You can search to see if your environment is vulnerable to a specific CVE or view detailed information about the top CVEs in the environment.
In the above example of a high risk CVE, Twistlock isolates the specific host and container where the vulnerability is present, identifies that there is a vendor fix available, and includes related risk factors and vulnerability data.
A single view into your compliance state
Just like Vulnerability Explorer, Twistlock Compliance Explorer provides a single dashboard that shows the current compliance state of your environment across containers, hosts and images.
You have the ability to leverage pre-built compliance templates for HIPAA, GDPR, PCI and NIST SP 800-190 along with built-in checks for the Docker and Kubernetes CIS Benchmarks. In the screenshot above, Twistlock highlights all non-compliant images, containers and hosts that you can investigate further.
Powerful runtime protection
Once you begin to run your Windows containers and Windows servers, Twistlock automatically builds a runtime model across several dimensions and whitelists the application’s behavior. This whitelist model serves as a powerful layer of defense. If any anomalous activity occurs outside of the model, Twistlock will alert or block on the activity based on the user’s criteria. For example, you can block the execution of powershell.exe:
The Twistlock Runtime Radar will highlight the containers involved in an incident in a red circle, as shown in the screenshot below.
Twistlock Incident Explorer analyzes audit events and assembles them into chains so that you can more quickly identify and address unfolding attacks.
CNNF for Windows
Twistlock 2.4 offers beta Windows support for an often-requested feature: our Cloud Native Network Firewall. CNNF is a layer 3 firewall that compartmentalizes containers and applies a least privilege networking model to inter-container traffic. For example, if your front end microservice is compromised, it shouldn’t be able to port scan the environment nor connect directly to the container running your data persistence microservice; it should only be able to talk specifically to the other front end microservices it normally communicates with. CNNF ensures that only these specific ports and destinations are allowed, limiting lateral traversal.
CNNF provides the same level of network protection for your Windows containers as the Twistlock Cloud Native Network Firewall provides for Linux-based containers. Twistlock automatically learns the container-to-container network traffic, and you can apply explicit whitelist rules when needed.
CNNF supports heterogeneous environments, and it models and enforces traffic between Linux and Windows containers automatically. In the following example, the WindowsServerCore:ltsc2016 container is allowed to communicate with the Linux-based private:console_2_4_61 container on TCP ports 8081-8083. All other traffic will raise an alert.
Any network traffic (e.g. TCP 8084) that occurs outside of the explicit whitelist rules (TCP 8081-8083) will be flagged and acted upon according to the rules you define. The events will appear within the logs and the Firewall Radar.
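To make the whitelist semantics concrete, here is a small added model (not Twistlock code) of how a directional, explicit layer 3 rule set classifies container-to-container flows; it reuses the two image names and the TCP 8081-8083 rule from the example above, while the flow records, the `flag_scanners` port-scan heuristic and its threshold are constructed for illustration.

```python
# Added example (not Twistlock code): a toy model of how a CNNF-style layer 3
# whitelist classifies container-to-container traffic. The image names and the
# TCP 8081-8083 rule come from the post; the flows, the port-scan heuristic
# and its threshold are constructed here.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_image: str
    dst_image: str
    proto: str
    ports: range  # allowed destination ports (inclusive range)

@dataclass(frozen=True)
class Flow:
    src_image: str
    dst_image: str
    proto: str
    dst_port: int

def parse_ports(spec):
    """'8081-8083' -> range(8081, 8084); a single port '80' -> range(80, 81)."""
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 < lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port spec: {spec}")
    return range(lo_i, hi_i + 1)

def evaluate(flow, rules, default="alert"):
    """Rules are explicit and directional; unmatched traffic gets the default
    action (alert or block, whichever the operator configures)."""
    for r in rules:
        if ((r.src_image, r.dst_image, r.proto)
                == (flow.src_image, flow.dst_image, flow.proto)
                and flow.dst_port in r.ports):
            return "allow"
    return default

def flag_scanners(flows, rules, threshold=5):
    """Sources hitting at least `threshold` distinct non-whitelisted
    (destination, port) pairs: a constructed stand-in for port-scan detection."""
    denied = defaultdict(set)
    for f in flows:
        if evaluate(f, rules) != "allow":
            denied[f.src_image].add((f.dst_image, f.dst_port))
    return {src for src, hits in denied.items() if len(hits) >= threshold}

RULES = [Rule("WindowsServerCore:ltsc2016", "private:console_2_4_61", "tcp",
              parse_ports("8081-8083"))]
```

Note that the reverse direction (console to WindowsServerCore) is not covered by the rule and is therefore treated like TCP 8084: flagged, with the action set by policy.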
Visibility and protection across hybrid environments
As enterprises leverage both Linux and Windows containers and servers, Twistlock provides unmatched visibility and protection across the application lifecycle. We hope this post serves as a framework for better understanding our Windows container support.
To learn more about how Twistlock can help you secure your Windows environments, check out Securing Containers on Microsoft Azure with Twistlock.