Architecture
en

Architecture

Immutable Service Containers

Immutable Service Containers are an architectural deployment pattern used to describe a platform for highly secure service delivery. Building upon concepts and functionality enabled by operating systems, hypervisors, virtualization, and networking, ISCs provide a security-reinforced container into which a service or set of services is deployed.  By expressing core design principles, such as those embodied in the Sun Systemic Security strategy, along with functional and non-functional requirements, ISCs are not constrained to a particular product or technology, but rather can be implemented using a variety of ways.  As part of a more holistic view, it is expected that Immutable Service Containers will form the most basic architectural building block for more complex, highly adaptive and autonomic security architectures. The goal of this project is is to more fully describe the architecture and attributes of ISCs, their inherent benefits, their construction as well as to document practical examples using various web-scale software applications. 

Design Goals

  • Limit Exposure
    • Only required network services are active and exposed.
    • Service is executed in a resource controlled context.
  • Limit Change
    • Service (binaries, libraries, configuration, etc.) is read-only [1]
    • Critical operating environment configuration is read-only [1]
  • Limit Rights
    • Service is executed with unique credentials, least privilege
    • Operating environment is run with reduced privileges
  • Improve Integrity
    • Service is isolated from security monitoring and enforcement.

[1] Where supported by the underlying product or function.

Operating Principles

Immutable Service Containers strive to implement the following key security principles: 

  • Self-Preservation
  • Defense in Depth
  • Compartmentalization
  • Least Privilege
  • Proportionality

For a discussion of these principles, see the Sun BluePrints article titled Toward Systemically Secure IT Architectures.  In addition, Immutable Service Containers design borrows from Cloud Computing principles including:

  • Abstraction
  • (Micro-)Virtualization
  • Automation
  • Fail in Place

Architectural Patterns

Secure Execution Container

Name (Title) Secure Execution Container
Description A container that is able to provide a safe environment where applications, jobs, or services can be run.  Specifically, a Secure Execution Container should be capable of providing security enforcement and monitoring functions such that it can protect a running services from unauthorized external influence (originating outside of the container).  Further it must also be capable of protecting the IT environment from the service in the event of an accidental or malicious change that causes the service to behave badly.  The degree to which protection is afforded will vary based upon the actual implementation choices made, but as a rule, it is expected that the security configuration of the Secure Execution Container will be tuned based upon the services it supports.  It will likely involve the integration of one or more technologies or products in support of its security objectives. 
Alias SEC 
Intent The intent is to construct a safe environment for the execution of services capable of:
  • Protecting itself from unauthorized access or use by the services running within it.
  • Protecting any service running within the container from unauthorized external influence.
  • Protecting the IT environment and other services outside of the container (should a running service be mis-configured or compromised).
  • Providing an audit trail of events occurring within the container for monitoring and analysis.
Motivation Services running in an unsecured container are often susceptible to attacks from the outside that can damage the service or container.  Likewise the environment beyond the container could be adversely affected by malicious code from within the container.  It is thus imperative for a container that runs applications or services to protect itself from compromised or malicious external services and similarly to protect the outside environment should anything unexpected happen to services it is hosting.  This pattern includes three logical boundary elements:
  • Outside - This is beyond the boundary of the container and is where all requests to interact with the container's service originate.
  • Inside - This is inside of the boundary where the container's service and all of its constituent parts are located.
  • Boundary - This is a correct, verifiable, boundary "container" that cannot be bypassed and only exposes permitted interfaces to the _outside_ while enforcing allowed policy on components running on the _inside_.
Applicability The Secure Execution Container pattern can be used in most IT environments and with virtually any service. It is especially important for those environments seeking stronger security protections for the purposes of risk reduction and attack mitigation. By providing a controlled boundary through which services can be accessed, the Secure Execution Container is able to provide enhanced security protections for the service and the environment in which the service is hosted.  This pattern is most useful when there are clear, well-defined interfaces for interacting with the service or when there is no direct need for service interaction (such as in the case of batch processing). 
Structure sec-general-v0.2.png
Participants 
  • Service.  A Service is the object that is installed and executed within the Secure Execution Container.  It could be a composite application, a single service or a batch job.  There are no restrictions on the type of service that can be used within an ISC although those with well-defined communication and processing interfaces are more suited to this type of environment.  The actual service used will determine what security protections are needed in terms of the service itself.
  • Secure Execution Container.  The Secure Execution Container provides a security boundary around the Service.  External clients can interact with the Service through published interfaces and the Service can also initiate messages to outside services through this interface.  All communications and access methods are arbitrated by the Secure Execution Container's security boundary.
  • Security Hardened Service Container. This is a operational quality of the Secure Execution Container.  This element is used to depict the need to properly implement security hardening and configuration tuning of the container in which the Service is delivered.  The actual steps taken to secure this container will vary based upon the implementation chosen.
  • Service Container Security Functions.  This is a functional element of the Secure Execution Container.  This element is used to depict the need for security enforcement and monitoring functions that exist in the Secure Execution Container and are used to implement the protections described in the Intent section above.  The actual security controls available and used will vary based upon the implementation chosen.
Collaboration See the Participants section above to understand the relationships between the various elements of this pattern. 
Consequences The primary benefits of the Secure Execution Container pattern are related to the isolation of a service running inside a security boundary that helps to protect both the service and the environment within which it runs from unauthorized access and influence.  Certainly, it is expected that all products used in the implementation of this pattern will be configured to use recommended security practices and as such it is expected that the overall attack surface of the SEC and its Service will be minimized.  As the actual techniques used to implement the security configuration will vary by implementation, it is expected that specific products will be chosen based upon operational and security policy and requirements.  While the notion of Secure Execution Containers is a general one that can accommodate most services, it must be noted that services with variable or ill-defined access methods or interfaces may not be suited for this particular pattern. 
Implementation Immutable Service Container Node
Known uses OpenSolaris and Solaris 10 Zones, J2EE Containers, Java Sandbox
Related patterns Immutable Service Container Node, Immutable Service Container Dock
Author Rafat Alvi, Glenn Brunette, Joel Weise 
Reviewer Ed Clay, Joel Weise 

Immutable Service Container Dock

Name (Title) Immutable Service Container Dock
Description An Immutable Service Container Dock (ISC Dock) is a specialized type of a Secure Execution Container (SEC) that has been constructed to house one or more Immutable Service Container Nodes (ISC Nodes).  In this way, the ISC Dock functions as a hypervisor controlling access to (virtual or physical) resources that are granted to individual ISC Nodes.  Examples of resources include compute, memory, and storage capacity as well as network bandwidth.  ISC Nodes are fully dependent upon an ISC Dock, and the ISC Dock has sufficient privilege to provision, enable, disable, and destroy ISC Nodes under its control.  ISC Docks will often also provide additional security enforcement and monitoring capabilities beyond that provided by the ISC Nodes themselves.  This is done to help ensure that misconfigured or rogue ISC Nodes do not negatively impact the IT environment or other ISC Nodes under the ISC Dock's control.  Additional security controls may include resource constraints, packet filtering, network address translation, auditing, integrity checking and other capabilities as supported by the actual implementation. 
Alias ISC Dock 
Intent The intent is to provide a well-defined enclosure capable of securely hosting and managing one or more Immutable Service Containers.  The ISC Dock is the primary gateway through which ISC Nodes have access to virtual or physical resources as well as external connectivity.  The ISC Dock also is responsible for performing actions that operate on ISC Nodes themselves such as provisioning, quarantine, snapshot, destruction, and similar functions. 
Motivation The ISC Dock provide a flexible and extensible way to aggregate ISC Nodes in a way that supports strong security containment, enforcement and monitoring requirements.  Serving both as a hypervisor and gateway, the ISC Dock has a unique position relative to the ISC Nodes it manages.  The ISC Dock will ensure that ISC Nodes have the only resources they need and that they interact with external systems and services as well as one another only as appropriate (defined by a pre-defined policy).  Lastly, the ISC Dock provides an essential abstraction allowing ISC Node-level operations to be completed without knowledge of or access to the internals of individual ISC Nodes. 
Applicability The Immutable Service Container Dock is tethered to the use of one or more ISC Nodes.  An ISC Dock must exist before an ISC Node can be provisioned into it, and it must remain in place until all of the ISC Nodes have been destroyed.  That said, this pattern can be used in any environment and with any ISC Node (assuming implementation compatibility).
Structure 
  • Single Immutable Service Container Node
    isc-arch-single-v1.3.png
  • Multiple Immutable Service Container Nodes
    isc-arch-multi-shared-v1.3.png
Participants 
  • Immutable Service Container Node.  The Immutable Service Container Node is an execution environment installed within an ISC Dock used to execute a given Service.
  • Immutable Service Container Dock.  The Immutable Service Container Node is managed by an ISC Dock.  An ISC Dock offers a way of aggregating one or more ISC Nodes (on a single logical system).  The ISC Dock also provides additional security protections such as centralized log and audit collection, resource control (e.g., compute, storage, and memory capacity, network bandwidth, etc.), and also network-level protections to ensure that ISC Nodes only communicate in accordance with a defined policy.
  • External Networking Boundary.  This is actually a component of the ISC Dock.  Only for the sake of clarity was it shown to be a separate entity in the above diagrams.  It should be considered to be a functional element of the ISC Dock.
  • Security Controls.  There are a variety of security controls that can be implemented by the ISC Node and ISC Dock.  The nature of these controls will vary based upon the implementation model chosen.  In the representative diagram above, several representative examples have been shown.  Additional security controls should be selected as appropriate.
Collaboration As noted above. 
Consequences This use of this pattern is required when using Immutable Service Container Nodes.  It provides the necessary architectural container into which Immutable Service Container Nodes are deployed, security policy is enforced, and resource access is controlled.  While the ISC Dock is intended to be platform and vendor agnostic, depending upon the implementation chosen, the type of ISC Nodes that can be deployed may be limited to a particular vendor or platform. 
Implementation OpenSolaris Immutable Service Containers
Known uses OpenSolaris and Solaris 10 Global Zone, VirtualBox
Related patterns Secure Execution Container, Immutable Service Container Node
Author Rafat Alvi, Glenn Brunette, Joel Weise 
Reviewer Joel Weise 

Immutable Service Container Node

Name (Title) Immutable Service Container Node
Description An Immutable Service Container (ISC) Node is a specialized type of Secure Execution Container (SEC) that provides a security-reinforced environment within which a single application, job, or service can be run.  Immutable Service Container Nodes extend upon the core principles of the Secure Execution Container pattern in the following ways.  The operating environment used to construct the ISC Dock and Node and the service running within the ISC Node must:
  • implement the principles of a Secure Component.
  • ensure that only a single logical application or service is implemented per ISC Node.
  • activate and expose only those network services required for operation.
  • restrict the initiation of outbound communication to those required for operation.
  • use immutable files and directories for critical (read-only) items (where supported).
  • use encrypted storage for critical (sensitive) items (where supported).
  • operate with unique credentials (where appropriate) and least privilege for all of its operations
  • monitor and audit all security relevant operations.
  • operate within a resource-controlled environment (where supported).
Alias ISC Node
Intent The intent is to develop a set of well-defined and verifyable security metrics that can be used in the creation and validation of security-reinforced service containers.  By providing a set of core guiding principles, implementors will be more easily able to develop security-reinforced containers within which a single application, job, or service can be run. 
Motivation It is desirable in a distributed system to compartmentalize services because of the propensity for threats to manifest and spread themselves across different services.  Further, it is important to ensure that the environment into which services are deployed is sufficiently protected using industry accepted, recommended security practices.  By customizing an SEC to a single service, an ISC Node provides a more focused security configuration environment that reduces the attack surface and exposure to external threats. 
Applicability The Immutable Service Container Node pattern can be used in any environment and with any service.  It is especially important for those environments seeking stronger security protections for the purposes of risk reduction and attack mitigation.  By compartmentalizing service delivery, ISC Nodes can also be used in environments seeking to automate the (repeated) provisioning of their services (perhaps for horizontal scale), improve operational efficiciencies (through change control and other IT service management techiniques), and employ dynamic and/or autonomic computing architectural models. 
Structure 
  • Single Immutable Service Container Node
    isc-arch-single-v1.3.png
  • Multiple Immutable Service Container Nodes
    isc-arch-multi-shared-v1.3.png
Participants 
  • Service.  A Service is the object that is installed and executed within the Immutable Service Container Node.  It could be a composite application, a single service or a scheduled job.  There are no restrictions on the type of service that can be used within an ISC Node.  The actual service used will determine what security protections are needed in terms of the service itself, the ISC Node and the ISC Dock which all work on concert to provide a strong security boundary.
  • Immutable Service Container Node.  The Immutable Service Container Node is an execution environment installed within an ISC Dock used to execute a given Service.
  • Immutable Service Container Dock.  The Immutable Service Container is managed by an ISC Dock.  An ISC Dock offers a way of aggregating one or more ISC Nodes (on a single logical system).  The ISC Dock also provides additional security protections such as centralized log and audit collection, resource control (e.g., compute, storage, and memory capacity, network bandwidth, etc.), and also network-level protections to ensure that ISC Nodes only communicate in accordance with a defined policy.
  • External Networking Boundary.  This is actually a component of the ISC Dock.  Only for the sake of clarity was it shown to be a separate entity in the above diagrams.  It should be considered to be a functional element of the ISC Dock.
  • Security Controls.  There are a variety of security controls that can be implemented by the ISC Node and ISC Dock.  The nature of these controls will vary based upon the implementation model chosen.  In the representative diagram above, several representative examples have been shown.  Additional security controls should be selected as appropriate.
Collaboration As noted above. 
Consequences The primary benefits of the ISC Node pattern is the reduction of ones attack surface through service isolation, privilege management and underlying resource constraints.  Essentially, the use of this pattern will provide a secure foundation upon which the Service can be deployed.  Unfortunately, while a generic ISC Node template can easily be created and used, the actual ISC Node implementation will by its very nature be specific to the service that it is running.  New services may not be easily added to an existing ISC configuration without additional installation and configuration of the Service, ISC Nodes and perhaps the ISC Dock.  Also, creating an IT ecosystem with a large number of (service-specific) ISC Nodes requires a level of operational maturity due to the need for strong configuration and change management, automated construction and provisioning, etc.  That said, those organizations possessing this level of operational maturity may also be able to use ISCs as an architecture building block for more advanced autonomic security operations. 
Implementation OpenSolaris Immutable Service Containers
Known uses  OpenSolaris and Solaris 10 Zones, VirtualBox VMIs 
Related patterns Secure Execution Container, Immutable Service Container Dock
Author Rafat Alvi, Glenn Brunette, Joel Weise 
Reviewer  Joel Weise 

Architectural Diagrams

Single Service Container

isc-arch-single-v1.3.png

Elastic Service Containers

isc-arch-multi-shared-v1.3.png

Additional designs that leverage alternative private virtual networking models are discussed on the Networking page.

Use Cases

Created by Glenn Brunette on 2010/02/03 14:11
Last modified by Glenn Brunette on 2010/02/03 20:08

Collectives

Project isc Pages

XWiki Enterprise 2.7.1.34853 - Documentation