April 1, 2018

Cilium Enterprise Edition 4.0: Repelling Attacks with Emojis, Rickrolling, and More!

The Cilium open source project provides API-aware network security for microservices running on Linux container orchestration platforms like Kubernetes, Mesos, and Docker. Learn more at www.cilium.io.

Using Cilium for HTTP-Aware Network Security


Let’s look at a simple example of a Cilium HTTP-aware security policy to secure an Easter egg hunt service which exposes a REST API to both kids and their parents.

Let's focus on just two of the API calls on the service:

  • GET /hints : called by kids who need help.
  • POST /counts : called by parents to tally results.

Critically, kids should not be able to call "POST /counts", otherwise they could cheat and undermine the results of the egg hunt.

Cilium can enforce a least privilege HTTP-aware security policy to limit the API calls kids can make to the service. The following policy ensures that any Kubernetes pod with label "role=kid" can only call "GET /hints" on the easter-egg-hunt service:

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: egg-hunt-kid-access
spec:
  endpointSelector:
    matchLabels:
      service: egg-hunt
  ingress:
  - fromEndpoints:
    - matchLabels:
        role: kid
    toPorts:
    - ports:
      - port: '80'
        protocol: TCP
      rules:
        HTTP:
        - method: GET
          path: "/hints$"

With the above policy loaded, any kid in the family attempting to cheat and call "POST /counts" will be blocked:

$ curl -XPOST http://egg-hunt/counts -d "{'count' : 1000 }"
Access Denied

The full policy can be viewed here and further details can be found in the Cilium Network Policy Documentation.
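To make the allow/deny decision concrete, here is an added example (not Cilium's own code, which enforces L7 rules in an Envoy proxy) that mirrors the policy above as a Python dict and evaluates sample requests against it. It assumes the `POLICY`, `Request` and `evaluate` names, a single policy being in force, and that Cilium's regex `method` and `path` matchers are anchored at the start of the string, so the trailing `$` on `/hints$` is what prevents `/hints/extra` from matching. It also distinguishes a request dropped at L3/L4 (no matching source or port) from one that reaches the HTTP proxy and is rejected with the 403 shown in the post.

```python
import re
from dataclasses import dataclass

# Mirror of the CiliumNetworkPolicy from the post, as a plain dict so the
# example runs without a YAML library (constructed for this example).
POLICY = {
    "apiVersion": "cilium.io/v2",
    "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "egg-hunt-kid-access"},
    "spec": {
        "endpointSelector": {"matchLabels": {"service": "egg-hunt"}},
        "ingress": [
            {
                "fromEndpoints": [{"matchLabels": {"role": "kid"}}],
                "toPorts": [
                    {
                        "ports": [{"port": "80", "protocol": "TCP"}],
                        "rules": {"HTTP": [{"method": "GET", "path": "/hints$"}]},
                    }
                ],
            }
        ],
    },
}


@dataclass
class Request:
    src_labels: dict  # labels of the pod sending the request
    dst_labels: dict  # labels of the pod receiving it
    port: int
    protocol: str
    method: str
    path: str


def labels_match(selector, labels):
    """True when every key/value in selector['matchLabels'] is present in labels."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def http_rule_matches(rule, req):
    """Assumption of this example: method and path are regexes anchored at the start."""
    m_ok = re.match(rule["method"], req.method) if "method" in rule else True
    p_ok = re.match(rule["path"], req.path) if "path" in rule else True
    return bool(m_ok) and bool(p_ok)


def evaluate(policy, req):
    """Return 'allow', 'deny-403' (reached L7 proxy, no HTTP rule matched),
    'deny-drop' (no L3/L4 rule admitted the flow) or 'not-selected'."""
    spec = policy["spec"]
    if not labels_match(spec["endpointSelector"], req.dst_labels):
        return "not-selected"  # policy does not apply to this destination pod
    reached_l7 = False
    for ing in spec.get("ingress", []):
        if not any(labels_match(s, req.src_labels) for s in ing.get("fromEndpoints", [])):
            continue
        for tp in ing.get("toPorts", []):
            port_ok = any(
                int(p["port"]) == req.port and p.get("protocol", "ANY") in ("ANY", req.protocol)
                for p in tp["ports"]
            )
            if not port_ok:
                continue
            http_rules = tp.get("rules", {}).get("HTTP")
            if not http_rules:
                return "allow"  # L4-only rule: port admitted, no L7 restriction
            reached_l7 = True
            if any(http_rule_matches(r, req) for r in http_rules):
                return "allow"
    return "deny-403" if reached_l7 else "deny-drop"


# Constructed sample traffic: the hint request, the cheat attempt from the post,
# a path that only a start-anchored regex would let through, and a parent with
# no rule in this policy.
EGG_HUNT = {"service": "egg-hunt"}
KID_GET_HINTS = Request({"role": "kid"}, EGG_HUNT, 80, "TCP", "GET", "/hints")
KID_POST_COUNTS = Request({"role": "kid"}, EGG_HUNT, 80, "TCP", "POST", "/counts")
KID_GET_HINTS_EXTRA = Request({"role": "kid"}, EGG_HUNT, 80, "TCP", "GET", "/hints/extra")
KID_WRONG_PORT = Request({"role": "kid"}, EGG_HUNT, 8080, "TCP", "GET", "/hints")
PARENT_POST_COUNTS = Request({"role": "parent"}, EGG_HUNT, 80, "TCP", "POST", "/counts")
OTHER_SERVICE = Request({"role": "kid"}, {"service": "basket"}, 80, "TCP", "GET", "/hints")

if __name__ == "__main__":
    for name in ("KID_GET_HINTS", "KID_POST_COUNTS", "KID_GET_HINTS_EXTRA",
                 "KID_WRONG_PORT", "PARENT_POST_COUNTS", "OTHER_SERVICE"):
        print(f"{name:20s} -> {evaluate(POLICY, globals()[name])}")
```

The parent request is dropped rather than rejected with 403 because this single policy names no rule for `role=parent`; in a real cluster the parents would get their own CiliumNetworkPolicy allowing `POST /counts`, and without one the pod would have no path to the service at all once this policy selects it.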

Cilium Enterprise Edition (CEE) 4.0

Standard TCP/UDP port-aware security policies, as well as HTTP, gRPC, and Kafka-aware security policies are supported in open source Cilium. Today, with the announcement of CEE 4.0, we are innovating beyond the standard HTTP 403 "Access Denied" message to provide enterprises with a wide variety of ways to inform malicious parties that their attacks have been blocked.

Localized 403 Error Messages

With the CEE Gold Edition, all HTTP access denied messages will be localized into one of more than 120 languages, ensuring that the attacker immediately understands that they are blocked by API-aware security from Cilium. For example, a Finnish attacker might see:

$ curl -XPOST http://egg-hunt/counts -d "{'count' : 1000 }"
Pääsy kielletty!

Emojis in Access Denied Messages

Nothing connects better with the millennial generation than the use of emojis. Using the CEE Platinum Edition, you are able to tell your millennial attackers that you are rolling on the floor laughing (ROFL) at their futile attempts to compromise your microservices.

$ curl -XPOST http://egg-hunt/counts -d "{'count' : 1000 }"
✋✋✋👮🤣🤣🤪

Rickrolling Capability

For attackers truly deserving the most severe punishment, we’re introducing a Rickrolling capability. The attacker receives an HTTP 302 redirect to the infamous music video:

$ curl -XPOST http://egg-hunt/counts -d "{'count' : 1000 }"
HTTP/1.1 302 Found
Location: https://goo.gl/5w9Aef

Such a massive embarrassment is guaranteed to send the attacker packing and is available in CEE Diamond Edition only.

Cilium Enterprise Edition (CEE) Feature Details

The following table provides an overview of the different Cilium Enterprise Edition (CEE) levels:

[Table: CEE feature comparison by edition (image not reproduced)]

Cilium Enterprise Customized Edition

Is your agile microservices development team regularly going beyond expectations? The Cilium Enterprise Customized Editions may be what you are looking for. We offer customized HTTP error messages tailored specifically for your team! A representative will visit your team, explore the team's customs, and create a boutique HTTP Access Denied message tailored to your needs.

For example, unauthorized access to the Millennium Falcon's computer system yields:

$ curl http://milenium-falcon/hyper-drive-secrets

                           /~\   Access Denied
                          (O O) _/
                          _\=/_
          ___            /  _  \
         / ()\          //|/.\|\\
       _|_____|_       ||  \_/  ||
      | | === | |      || |\ /| ||
      |_|  O  |_|       # \_ _/ #
       ||  O  ||          | | |
       ||__*__||          | | |
      |~ \___/ ~|         []|[]
      /=\ /=\ /=\         | | |
______[_]_[_]_[_]________/_]_[_\_____

ASCII Art Credit

Praise for Cilium Enterprise Edition

People cannot say enough positive things about CEE:

“Don't worry about the cost of Cilium Enterprise Edition, as the ability to Rickroll people attacking my microservices is priceless”
-- R. Astley - Platform Security Architect at a Fortune 100 bank.

“I believe that the use of emojis in my deny messages will really help me connect with attackers from the millennial generation in a way text-only deny messages just can’t achieve 👏👏💯💯”
-- T. S. - Security Architect at 1989 Enterprises, Inc.

“Using Linux BPF to localize the HTTP Access Denied messages to my native Swiss German makes me realize that CEE 4.0 is truly amazing technology”
-- Thomas Graf - Founder, Cilium Project

Get Started Today!

We hope you are as excited about Cilium and Cilium Enterprise Edition as we are. Check out these links to learn more about Cilium, and we'd love to hear about your ideas for other customized Access Denied messages on Slack!

Update: We have been informed that our developers have open sourced the customizable access denied messages feature by accident in the following GitHub PR.