What is this?
This docker image contains the Barricade agent which monitors your traffic and relays it to the Barricade Platform for analysis and real-time discovery of intrusion attempts, data breach attempts and clear visibility into your traffic's behaviour.
Barricade is an early warning system against hackers. It is a SaaS product that performs intrusion detection, data breach detection, real-time behavioural analysis and provides you with security recommendations (mitigation). The whole point is that you don't need to be a security expert to use it... we're de-expertising security.
The Docker security ecosystem is very healthy thanks specifically to Diogo Mónica and Jessica Frazelle for their continued quality work! Barricade complements the existing products and solutions to give you complete visibility into the behaviour of your incoming and outgoing traffic.
This is currently in beta, as we are constantly adapting to the state of Docker.
- Make sure you have an account on Barricade
- Copy your automation key from Barricade's team page
- Run the container like such:
docker run --net=host --cap-add net_raw -v /var/run/docker.sock:/var/run/docker.sock -e BARRICADE_LICENSE_KEY=XXX barricadeio/agent
This will create a container alongside your other containers and start listening for traffic on the host's network interface (which is why the command needs --net=host and the NET_RAW capability). Note that mounting /var/run/docker.sock gives the container full access to the Docker daemon on the host, so treat the agent container as a privileged one.
How does the agent work?
The main job of the agent is listening for network traffic. We will never affect or shape your traffic. It is important to us to never affect your business.
The agent uses libpcap to inspect the network, queues the captured packets locally on a ZeroMQ queue and relays them to Barricade's platform for real-time analysis and detection. The data is encrypted in transit using industry-standard encryption so that it doesn't leak information, and at all times you are in control of your data.
In the case of docker, we attach to the host's network interface and sit alongside all your other containers, not in your containers.
What can the agent see?
To get nerdy about it, the agent sees everything from the data link layer of the OSI model all the way up to the application layer.
On our side we run different analyses depending on the layer. For instance, a web application's information is carried in the application layer, so we can analyse HTTP headers there, whereas a DNS request looks quite different and is analysed by its own logic.
The agent does not do packet re-sequencing; we do that on our side so that your servers do what they should be doing, which is staying up for your customers.
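To make the layered view concrete, here is an added example (not Barricade's code) that walks two constructed frames, one HTTP request over TCP and one DNS query over UDP, from the Ethernet header up to the application data, pulling out the fields each layer exposes; the addresses, ports and names in the sample frames are made up.

```python
import struct

# Constructed Ethernet header: dst MAC, src MAC, EtherType 0x0800 (IPv4)
ETH_HDR = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"

def ipv4(proto, payload, src=(10, 0, 0, 5), dst=(10, 0, 0, 9)):
    # Minimal IPv4 header (IHL=5, no options); checksum left at zero in this sample
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(src), bytes(dst)) + payload

def http_frame():
    # Constructed sample: TCP segment to port 80 carrying an HTTP request
    body = b"GET /login?user=alice HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: curl/7.0\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40512, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ETH_HDR + ipv4(6, tcp + body)

def dns_frame():
    # Constructed sample: UDP datagram to port 53 asking for one A record
    qname = b"".join(bytes([len(l)]) + l for l in (b"shop", b"example")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 50001, 53, 8 + len(dns), 0)
    return ETH_HDR + ipv4(17, udp + dns)

def dissect(frame):
    """Walk one frame from the link layer upwards, recording what each layer exposes."""
    info = {"ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != 0x0800:
        return info                                      # only IPv4 is handled here
    ip = frame[14:]
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    info.update(proto=ip[9], src=".".join(map(str, ip[12:16])), dst=".".join(map(str, ip[16:20])))
    l4 = ip[ihl:total]
    info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if info["proto"] == 6:                               # TCP: look for HTTP in the application data
        app = l4[(l4[12] >> 4) * 4:]                     # skip the TCP header (data offset in words)
        lines = app.split(b"\r\n")
        if lines[0].endswith((b"HTTP/1.0", b"HTTP/1.1")):
            method, path, _ = lines[0].split(b" ", 2)
            headers = dict(h.split(b": ", 1) for h in lines[1:] if b": " in h)
            info["http"] = {"method": method.decode(), "path": path.decode(),
                            "headers": {k.decode(): v.decode() for k, v in headers.items()}}
    elif info["proto"] == 17:                            # UDP: DNS question name, parsed on its own
        dns, labels, pos = l4[8:], [], 12                # 8-byte UDP header, 12-byte DNS header
        while dns[pos]:                                  # length-prefixed labels until the 0 byte
            labels.append(dns[pos + 1:pos + 1 + dns[pos]].decode())
            pos += 1 + dns[pos]
        info["dns_qname"] = ".".join(labels)
    return info
```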
Agent Performance Implications
The agent is designed to have the lowest memory footprint possible. On average the agent will use approximately 20 to 30 MB of memory, and its CPU usage will be negligible.
In order to encourage the single-process container philosophy, Barricade runs in its own container alongside your other containers listening for all traffic using the host's network interface.
How does the platform work?
The platform is where all the intelligence happens and is hosted by us. We use a concept called the lambda architecture, a data-processing design made to handle massive quantities of data and perform analysis both in real time (stream) and in an ad-hoc manner (batch). This technique balances latency, throughput and fault tolerance: batch processing learns about past behaviour, and stream processing uses that knowledge to make decisions in real time.
By joining stream processing and batch processing, we address the latency shortcomings of traditional Hadoop MapReduce batch jobs.
The actual technology is pretty complex but we use a mixture of the following:
Data Ingestion: Apache Kafka
Stream processing: Apache Storm, Redis, and Elasticsearch
Batch processing: Amazon EMR (Spark), Redis
Data Retention and Archival: We use Secor to write the data to Amazon S3 and encrypt it at rest using AWS KMS-Managed Keys (SSE-KMS).