Time to read: 6 minutes.
Time to implement: 15 minutes.
This is the second in a series of blogs explaining how to use BlastShield™ for securing and connecting remote access to endpoints in the Cloud and on-premises. In this blog, I will describe how to set up secure remote access to Docker workloads using a BlastShield Agent. I'll be using Docker running on a Raspberry Pi for this example.
Docker is now widely used by software engineers and DevOps teams because it speeds up software development and simplifies the packaging and distribution of applications. It's rapidly becoming the standard for organizations to deploy services in their environment. Still, it is up to you to take the appropriate steps to secure access to the docker server. I will run Docker on a Raspberry Pi for this blog and secure it with a BlastShield™ Agent. The Raspberry Pi is a low-cost, credit card-sized, single-board computer that runs Linux and uses an ARM processor. Docker is available to run on the Pi, making it a low-cost platform for development work.
To securely share access to containers running on the Pi with other remote users, you can install a BlastShield™ Agent. Once installed on the Raspberry Pi, the Agent will encrypt connections between the Raspberry Pi and authorized remote users. It acts like a micro-firewall to block unauthorized access. Access authorization is done by zero-trust with a default drop policy. Authorized connections are then whitelisted by creating access policies. To connect, a user must first authenticate via the BlastShield™ mobile authenticator app, which uses passwordless multi-factor authentication. This will reduce the time it takes to set up remote access, reduce the risk of credential theft, and make it easy to share access with a defined group of remote users. I'm going to show you how to set this up.
Setting up with BlastShield is very quick, and you should be able to get connectivity working in about 5 minutes. Before you start, your connection to the container should look like the figure below.
To create and set up the BlastShield™ Agent, use the following steps:
This will allow on-demand encrypted connections between the Agent on the Raspberry Pi and the Client on your computer as shown here. This can be used either across a LAN or across the WAN or internet.
Step 1: Add a new Agent in the Orchestrator
You can watch a 2 minute video on how to add a new Agent here:
Step 2: Install the Agent on the Raspberry Pi.
Open a terminal session on the Raspberry Pi and paste the command you just copied to the terminal and hit enter. This will start the software download.
Step 3: The Agent will auto-start and register with the Orchestrator
The software will automatically install and run. The Agent will then automatically register with the Orchestrator. When the process has completed you will see the following message in the terminal window:
Installation successful, the agent IP address is <Agent IP address>.
You can also verify the Agent status using systemctl.
On the Orchestrator, the Agent status will show as online.
Step 4: Configure policy to allow access to the Agent
BlastShield™ is a zero-trust access solution, so you must provision a policy to authorise access to the Agent on the Raspberry Pi before you can connect to it. You can do this from the Orchestrator. The process is as follows:
Here's a video showing how to do this:
Step 5: Remotely connect to Docker on the Raspberry Pi and start a container
Now you can reconnect to the Agent using the BlastShield™ secure access, using the BlastShield™ Mobile Authenticator app to authenticate. Here's a video showing how authentication works:
Once authenticated, you can connect to the Raspberry Pi using your preferred connection method. Use the Agent IP address or Agent hostname you assigned in Step 1 when you connect to the Pi.
Also, you can use the BlastShield Agent to access the container directly. For this example, I ran a simple Nginx container on the Raspberry Pi and published it on port 8080.
docker run -it --rm -d -p 8080:80 --name web -v ~/site-content:/usr/share/nginx/html nginx
You can then use either the Agent IP address or the Agent hostname to access the container, where “raspberry” is the hostname and “blastshield.io” is the DNS suffix provisioned on the Orchestrator.
You could also create a service in the Orchestrator to define the port on which you publish a container and then add that service to your access policy. This has the effect of filtering the access policy to allow only packets going to that port number. This means that you can assign policies to containers based on the published port number, allowing remote access only to the port on that container.
For example, the following shows a policy in the Orchestrator, which allows only port 8080, the published port on my Nginx container in the previous example.
The ‘port 8080’ service is configured by configuring the protocol and port(s) in the Orchestrator, as shown below.
Step 6: Secure the host firewall to block lateral movement on the LAN (optional)
You can optionally lock down the network interface of the Raspberry Pi so that only the BlastShield interface is used to receive inbound connections. This means that only authenticated and authorized connections are allowed on the Pi, and lateral movement within the LAN is blocked. An example of how to do this using iptables to modify the input and forward chains is shown here. Make sure these rules appear above any Docker rules, and always have a means to locally access your Raspberry Pi when making changes to iptables in case you make a mistake and lock yourself out. The input chain default policy is set to drop with input chain rules to allow connections on the BlastShield™ interface and to allow the related and established connection state. The forward chain has a rule to drop any new connections, not on the BlastShield™ interface.
$ sudo iptables -A INPUT -i blastshield -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -I FORWARD 1 ! -i blastshield -m conntrack --ctstate NEW -j DROP
$ sudo iptables --policy INPUT DROP
With these steps, you can now securely access your Docker containers. You can add more agents and users as suits your needs and then create policies to authorize access. You can even create policies to allow access between different Docker servers. This method works equally well on cloud server infrastructure to combine cloud instances on the same network as the Raspberry Pi.
We will talk about securely connecting IoT devices and connecting to workloads on the Cloud in future posts.