Network Security and Isolation
LEVEL 0
The Problem
You have multiple containers running:
- A public-facing web server
- An application server
- A database
- An admin panel
By default, they can all talk to each other. The web server can directly access the database. An attacker who compromises the web server can pivot to attack the database.
Network segmentation is critical.
LEVEL 1
The Concept — The Castle with Multiple Walls
Imagine a medieval castle.
Poor design: Single wall
- Everything inside one wall
- If attackers breach the wall, they access everything
- Treasury, armory, living quarters all exposed
Good design: Concentric walls
- Outer wall protects the perimeter
- Middle wall protects important buildings
- Inner wall protects the keep (treasury, royalty)
- Each wall is a checkpoint
- Attackers must breach multiple walls
Network isolation is concentric walls for your containers.
LEVEL 2
The Mechanics — Network Segmentation
Create separate networks:
version: '3.9'
services:
  web:
    image: nginx
    networks:
      - public
      - backend
    ports:
      - "80:80"
  app:
    image: myapp
    networks:
      - backend
      - database
  db:
    image: postgres
    networks:
      - database
  admin:
    image: admin-panel
    networks:
      - backend
networks:
  public:
  backend:
  # nothing on this network publishes ports; add `internal: true` here to also
  # cut its members off from the outside world entirely
  database:
Who can talk to whom:
- ✅ web ↔ app (shared backend network)
- ✅ app ↔ db (shared database network)
- ✅ app ↔ admin (shared backend network)
- ❌ web ↔ db (no shared network)
- ❌ web ↔ admin (no shared network)
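The reachability table is only as good as the network membership that produces it, so it is worth computing rather than reading off the file by hand. The script below is an added example, not part of the original page: it takes the service-to-network mapping transcribed from the compose file above (a constructed Python dict, not parsed YAML) and reports which pairs share a network, what is fully isolated from a given service, and how far an attacker could pivot hop by hop. Run over the mapping above it also reports web and admin as sharing `backend`, which the table marks as isolated; if the admin panel must not be reachable from the web tier, it needs a network that web does not join.

```python
from itertools import combinations

# Service -> networks, transcribed from the compose file above
# (constructed input for this example, not parsed from YAML)
SERVICES = {
    "web":   {"public", "backend"},
    "app":   {"backend", "database"},
    "db":    {"database"},
    "admin": {"backend"},
}


def reachable_pairs(services):
    """Map each pair of services that shares at least one network to the
    sorted list of networks they share. On a user-defined Docker network
    every member can reach every other member on any port, so a shared
    network means the two can talk unless a host firewall or another
    control intervenes."""
    pairs = {}
    for a, b in combinations(sorted(services), 2):
        shared = services[a] & services[b]
        if shared:
            pairs[(a, b)] = sorted(shared)
    return pairs


def isolated_from(services, name):
    """Services that share no network with `name` (direct reachability only)."""
    return sorted(s for s in services
                  if s != name and not services[s] & services[name])


def blast_radius(services, compromised):
    """Everything reachable from `compromised` through chains of shared
    networks, i.e. what could be pivoted to hop by hop if that service fell."""
    seen = {compromised}
    frontier = [compromised]
    while frontier:
        current = frontier.pop()
        for other in services:
            if other not in seen and services[current] & services[other]:
                seen.add(other)
                frontier.append(other)
    return sorted(seen - {compromised})


if __name__ == "__main__":
    for (a, b), nets in reachable_pairs(SERVICES).items():
        print(f"{a} <-> {b} via {', '.join(nets)}")
    print("isolated from web:", isolated_from(SERVICES, "web"))
    print("pivot reach from web:", blast_radius(SERVICES, "web"))
```

The `blast_radius` result is the point of the whole section: web cannot reach db directly, but through app it still can, which is why the application tier itself needs hardening and not just the network layout.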
LEVEL 3
Firewalling with iptables
Host-level firewall:
# Accept loopback and replies to the host's own connections first, then
# allow only the published web ports and drop everything else
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -j DROP
# Allow traffic forwarded from the Docker bridge (Docker manages its own
# FORWARD rules; custom forwarding rules belong in the DOCKER-USER chain)
iptables -A FORWARD -i docker0 -j ACCEPT
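An iptables chain is evaluated top to bottom and the first matching rule decides, so a chain that only accepts two ports and then drops everything also drops the host's own reply traffic and loopback. The simulator below is an added example, not from the page: it models that first-match walk over constructed packets (conntrack state is a field on the packet) and compares a ports-only chain with one that admits loopback and ESTABLISHED,RELATED traffic before the catch-all DROP.

```python
# A tiny first-match simulator for an iptables INPUT chain.
# Each rule is (match_predicate, target); the first rule whose predicate
# matches a packet decides its fate, exactly as the kernel walks a chain.
# Packets are constructed dicts; conntrack state is modelled as a field.

def tcp_dport(port):
    return lambda pkt: pkt["proto"] == "tcp" and pkt.get("dport") == port


def in_iface(name):
    return lambda pkt: pkt.get("iface") == name


def ctstate(*states):
    return lambda pkt: pkt.get("state") in states


def match_all(pkt):
    return True


def verdict(chain, pkt, policy="ACCEPT"):
    """Walk the chain in order; the first matching rule's target wins,
    otherwise the chain's default policy applies."""
    for matches, target in chain:
        if matches(pkt):
            return target
    return policy


# The page's host-level rules: only 80/443 in, everything else dropped.
PORTS_ONLY = [
    (tcp_dport(80), "ACCEPT"),
    (tcp_dport(443), "ACCEPT"),
    (match_all, "DROP"),
]

# Same intent, with loopback and reply traffic admitted before the DROP.
WITH_STATE = [
    (in_iface("lo"), "ACCEPT"),
    (ctstate("ESTABLISHED", "RELATED"), "ACCEPT"),
] + PORTS_ONLY

# Constructed sample packets arriving on the host
PACKETS = {
    "web_request": {"proto": "tcp", "dport": 80, "iface": "eth0", "state": "NEW"},
    "ssh_attempt": {"proto": "tcp", "dport": 22, "iface": "eth0", "state": "NEW"},
    # reply to a DNS query the host itself sent out
    "dns_reply":   {"proto": "udp", "sport": 53, "dport": 41234,
                    "iface": "eth0", "state": "ESTABLISHED"},
    # local process talking to a local service
    "loopback":    {"proto": "tcp", "dport": 5432, "iface": "lo", "state": "NEW"},
}


def audit(chain, packets):
    """Verdict for every named packet under the given chain."""
    return {name: verdict(chain, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    print("ports only :", audit(PORTS_ONLY, PACKETS))
    print("with state :", audit(WITH_STATE, PACKETS))
```

Both chains reject the unsolicited SSH attempt; only the second one lets the host's own DNS reply and loopback traffic through, which is the difference between a locked-down host and a broken one.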
Container-level (not recommended, use network isolation instead):
services:
  app:
    cap_add:
      - NET_ADMIN   # needed to run iptables inside the container; a broad privilege
    # the image must ship an iptables binary for this to work
    command: >
      sh -c "
        iptables -A INPUT -p tcp --dport 8000 -j ACCEPT;
        iptables -A INPUT -j DROP;
        /app/start.sh
      "
LEVEL 4
Encrypted Communication
TLS between services:
services:
  app:
    image: myapp
    environment:
      # how the app consumes these is application-specific; to verify the
      # server it must trust the CA that issued server.crt (verify-full in
      # libpq terms), not merely present a client certificate
      DB_SSL: "true"
      DB_SSL_CERT: /run/secrets/db-client-cert
    secrets:
      - db-client-cert
  db:
    image: postgres
    # the official postgres image takes TLS settings as server options rather
    # than environment variables; the key file must be readable only by the
    # server (0600 owned by postgres, or 0640 owned by root) or it refuses to start
    command: >
      postgres -c ssl=on
      -c ssl_cert_file=/run/secrets/db-server-cert
      -c ssl_key_file=/run/secrets/db-server-key
    secrets:
      - db-server-cert
      - db-server-key
secrets:
  db-client-cert:
    file: ./certs/client.crt
  db-server-cert:
    file: ./certs/server.crt
  db-server-key:
    file: ./certs/server.key
Service mesh (advanced):
Service meshes such as Istio and Linkerd automatically encrypt service-to-service traffic with mTLS, so each workload gets its own identity and you avoid managing certificates per service by hand.
LEVEL 5
Network Policies (Kubernetes)
In Kubernetes, Network Policies provide fine-grained control:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: backend
      ports:
        - protocol: TCP
          port: 5432
This allows only pods with label app: backend to connect to the database on port 5432.
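Two things about NetworkPolicy semantics trip people up: a pod that no policy selects is wide open, and once any policy selects it, only traffic matching some rule of some selecting policy gets in (policies are additive). The evaluator below is an added example, not from the page or from Kubernetes itself: it implements that logic for label-based `podSelector`s within a single namespace over constructed pods, using the policy above plus a default-deny policy. It ignores `namespaceSelector`, `ipBlock` and egress, and real enforcement also depends on the cluster's CNI plugin implementing NetworkPolicy at all.

```python
# Minimal evaluator of Kubernetes NetworkPolicy ingress semantics for
# label-based podSelectors in one namespace (simplified: no namespaceSelector,
# ipBlock or egress handling). Policies and pods are constructed samples.

# The db-policy from the page, expressed as a dict
POLICY = {
    "podSelector": {"matchLabels": {"app": "database"}},
    "policyTypes": ["Ingress"],
    "ingress": [
        {"from": [{"podSelector": {"matchLabels": {"app": "backend"}}}],
         "ports": [{"protocol": "TCP", "port": 5432}]},
    ],
}

# An empty podSelector selects every pod; with no ingress rules it denies all
DEFAULT_DENY = {"podSelector": {}, "policyTypes": ["Ingress"]}

# Constructed sample pods: name -> labels
PODS = {
    "db-0":  {"app": "database"},
    "api-0": {"app": "backend"},
    "web-0": {"app": "frontend"},
}


def selects(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present
    on the pod; an empty selector matches everything."""
    want = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())


def ingress_allowed(policies, pods, src, dst, port, proto="TCP"):
    """True if traffic src -> dst:port is permitted.
    A pod not selected by any Ingress policy is non-isolated: all traffic is
    allowed. Once selected, traffic must match some rule of some selecting
    policy; an absent `from` matches any peer, an absent `ports` any port."""
    selecting = [p for p in policies
                 if "Ingress" in p.get("policyTypes", ["Ingress"])
                 and selects(p["podSelector"], pods[dst])]
    if not selecting:
        return True
    for pol in selecting:
        for rule in pol.get("ingress", []):
            peers = rule.get("from")
            ports = rule.get("ports")
            peer_ok = peers is None or any(
                "podSelector" in peer and selects(peer["podSelector"], pods[src])
                for peer in peers)
            port_ok = ports is None or any(
                p.get("protocol", "TCP") == proto and p.get("port") == port
                for p in ports)
            if peer_ok and port_ok:
                return True
    return False


if __name__ == "__main__":
    for policies, label in (([POLICY], "db-policy only"),
                            ([DEFAULT_DENY, POLICY], "default-deny + db-policy")):
        print(label)
        print("  api-0 -> db-0:5432 ", ingress_allowed(policies, PODS, "api-0", "db-0", 5432))
        print("  web-0 -> db-0:5432 ", ingress_allowed(policies, PODS, "web-0", "db-0", 5432))
        print("  web-0 -> api-0:8080", ingress_allowed(policies, PODS, "web-0", "api-0", 8080))
```

With only db-policy applied, `web-0 -> api-0` is still allowed because nothing selects the backend pod; adding the default-deny policy closes that while the db rule keeps working, which is the usual pattern: deny by default per namespace, then allow specific flows.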