The module lifecycle stage: Experimental

Available with limitations in: CSE Pro (1.67)

Available without limitations in: EE

The neuvector module provides comprehensive container security throughout the DevOps lifecycle.

Read more about the security platform on the official NeuVector website.

The neuvector module creates a web interface accessible at the address generated based on the publicDomainTemplate parameter in the Deckhouse Kubernetes Platform global configuration.

To get the interface address, replace the %s key in publicDomainTemplate with neuvector. For example, if publicDomainTemplate is set as %s.mycompany.my, the web interface will be available at neuvector.mycompany.my.

Features

The neuvector module solves critical security challenges for containerized applications:

  • Runtime Protection:

    • Real-time threat detection and prevention during container execution.
    • Behavioral learning to establish baseline security profiles.
    • Zero-trust network segmentation between services.
    • Process and file integrity monitoring.
    • Detection of suspicious activities and anomalies.
  • Vulnerability Management:

    • Continuous scanning of container images for known vulnerabilities.
    • Registry scanning integration with popular container registries.
    • CVE database updates and vulnerability prioritization.
    • Compliance reporting and risk assessment.
  • Network Security:

    • Automatic discovery and visualization of application connectivity.
    • Microsegmentation with automated network policy generation.
    • East-west traffic inspection and monitoring.
    • DLP (Data Loss Prevention) for sensitive data protection.
  • Compliance and Governance:

    • CIS benchmark compliance checking.
    • PCI DSS, HIPAA, and other regulatory compliance reporting.
    • Security event audit trails and forensics.
    • Risk scoring and security posture assessment.
  • DevSecOps Integration:

    • CI/CD pipeline integration for security scanning.
    • Admission control to prevent vulnerable containers from running.
    • Security policy as code with version control.
    • Automated response and remediation capabilities.

Security Policy Modes

NeuVector supports three security policy management modes: Discover, Monitor and Protect. These modes define the system behavior regarding network connections, processes and files in containers. Each mode is applied at the group level (e.g. nv.web-app.production), and can be set separately for network, file and process rules.

The mode is set in the console, in the Groups, Network Activity or Dashboard sections.

Mode comparison

Mode      | Purpose                              | Rule creation | Block violations | Logging
----------|--------------------------------------|---------------|------------------|--------
Discover  | Study application behavior           | Automatic     | No               | Yes
Monitor   | Monitor violations without blocking  | Manual only   | No               | Yes
Protect   | Full policy enforcement              | Manual only   | Yes              | Yes

Discover — learning mode

Used by default. NeuVector studies the infrastructure and application behavior to automatically generate lists of acceptable network and process rules:

  • Analyzes network connections between containers.
  • Identifies applications and services.
  • Creates policies that reflect normal behavior.
  • Generates process profiles for each service.

To capture the full range of application behavior, it is recommended to run test traffic for several hours. If necessary, switch to Monitor mode, check for violations and add the missing rules.

Monitor — observation mode

Used to analyze security policies:

  • Does not create new rules automatically.
  • Logs all deviations from the specified policies.

The user can manually add the necessary rules. To simplify the analysis, filter by group and drill down into individual connections in the network map.

Protect — protection mode

Applies security policies:

  • Blocks any violations of network policies and the launch of unauthorized processes.
  • Terminates unwanted network connections.
  • Blocks access to prohibited files.
  • Blocks network traffic when DLP sensors are triggered.

Violations are displayed in the interface on the network map and recorded in the security event logs.

Exporting a security policy in CRD format

NeuVector provides the ability to export automatically generated security policies in CRD (Custom Resource Definition) format after the learning phase in Discover mode. For more information, see the official NeuVector documentation.
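As an added illustration (not an export taken from this page or from NeuVector's own documentation), the following shows the shape of an NvSecurityRule object for the group nv.web-app.production used as an example above: the target group's policy mode, one allowed ingress from a frontend group, one allowed egress to a database group, and the process and file rules that Discover mode would have learned. All group, namespace, port and path values are constructed; the field names follow the NvSecurityRule CRD schema, but the file exported from the console is the authoritative source for the current schema.

```yaml
apiVersion: neuvector.com/v1
kind: NvSecurityRule
metadata:
  # Namespaced rule; by convention the name matches the NeuVector group name.
  name: nv.web-app.production
  namespace: production
spec:
  target:
    # Per-group mode: Discover, Monitor or Protect.
    policymode: Protect
    selector:
      name: nv.web-app.production
      criteria:
        - key: service
          op: =
          value: web-app.production
        - key: domain
          op: =
          value: production
  ingress:
    # Only the frontend group may reach web-app, and only over HTTP on 8080.
    - name: nv.web-app.production-ingress-0
      selector:
        name: nv.frontend.production
        criteria:
          - key: service
            op: =
            value: frontend.production
          - key: domain
            op: =
            value: production
      action: allow
      applications:
        - HTTP
      ports: tcp/8080
  egress:
    # web-app may only open PostgreSQL connections to the database group.
    - name: nv.web-app.production-egress-0
      selector:
        name: nv.postgres.production
        criteria:
          - key: service
            op: =
            value: postgres.production
          - key: domain
            op: =
            value: production
      action: allow
      applications:
        - PostgreSQL
      ports: tcp/5432
  process:
    # Processes learned in Discover mode; in Protect mode anything else is blocked.
    - name: node
      path: /usr/local/bin/node
      action: allow
  process_profile:
    # zero-drift: only processes present in the original image may run.
    baseline: zero-drift
  file:
    # Changes under the application directory are reported; writes under /etc are blocked.
    - filter: /app/*
      recursive: true
      behavior: monitor_change
    - filter: /etc/*
      recursive: true
      behavior: block_access
```

Because ingress and egress rules are written per group, the exported object is the unit you keep under version control: review it in Monitor mode first, switch policymode to Protect only after the violation log is clean, and apply it to a fresh cluster before the workload receives traffic.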

Architecture

NeuVector Architecture (Source: NeuVector documentation)

The NeuVector security platform consists of the following components:

  • Controller — the central management component that manages security policies and coordinates work with the cluster, processes vulnerability database updates, and provides centralized logging and event management.
  • Manager — a web console that provides a security dashboard, policy management, event and alert display, and threat investigation tools.
  • Enforcer — deployed as a DaemonSet on each node to monitor container behavior, enforce security policies in real time, perform deep packet inspection, and collect data.
  • Scanner — provides vulnerability assessment services by scanning container images and continuously monitoring running containers.

System Requirements

Component  | Instances                                  | Recommended vCPU | Minimum Memory
-----------|--------------------------------------------|------------------|---------------
Controller | min 1, for HA – 3 (odd number only)        | 1                | 1 GB
Enforcer   | 1 per node/VM                              | 1+               | 1 GB
Scanner    | min 1, for HA/performance – 2+             | 1                | 1 GB
Manager    | min 1, for HA – 2+                         | 1                | 1 GB

  • Deckhouse Kubernetes Platform version 1.70+.
  • Minimum resources: 4 CPU cores and at least 8 GB of RAM.

Data storage

NeuVector supports saving configurations and security policies in persistent storage. This allows you to:

  • automatically restore data after a cluster failure;
  • work in high availability (HA) mode;
  • perform manual backups via the interface.

Data is stored in a PersistentVolumeClaim (PVC), which is created automatically. For the PVC to be created, you must specify an appropriate storageClass that supports the ReadWriteMany (RWX) access mode. This can be done:

  • in the global Deckhouse settings (see Deckhouse configuration);
  • in the neuvector module settings via ModuleConfig;
  • via the default storage class in the cluster.

If storageClass is not specified in any of these configurations, temporary storage (emptyDir) will be used and data will not persist across restarts.
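The two configuration points above, as an added example (not a manifest from this page or from the Deckhouse project): the global ModuleConfig carrying publicDomainTemplate (which also determines the console address described at the top of the page) and the cluster-wide modules.storageClass, followed by a neuvector ModuleConfig that overrides the storage class for this module only. The storageClass key under the module's settings, the schema versions and the class name ceph-rwx are assumptions; check the module's ModuleConfig schema for the actual key.

```yaml
# Global Deckhouse settings: the %s in publicDomainTemplate becomes the module
# name, so the NeuVector console is served at neuvector.mycompany.my.
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: global
spec:
  version: 1               # assumed schema version
  settings:
    modules:
      publicDomainTemplate: "%s.mycompany.my"
      # Default storage class for all modules; must support RWX for NeuVector HA.
      storageClass: ceph-rwx   # constructed class name
---
# Module-level override: takes precedence over the global value for neuvector only.
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: neuvector
spec:
  enabled: true
  version: 1               # assumed schema version
  settings:
    storageClass: ceph-rwx   # assumed setting key; constructed class name
```

After applying, confirm that the PVC created in the module's namespace reaches the Bound state and that its access mode is ReadWriteMany; if the class only offers ReadWriteOnce, the claim stays Pending in HA mode and the Controller falls back to the behaviour described for emptyDir.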

Not all storage types support RWX mode. In high availability mode, use only RWX volumes, for example, volumes backed by the csi-nfs and csi-ceph modules of Deckhouse Kubernetes Platform.

Persistent storage is used only by the Controller component, to store configuration backup files (policies, rules, user data, integrations, etc.).

If the persistent volume is not mounted, NeuVector does not keep its configuration and policies across restarts. Before stopping the Controller, be sure to back up the configuration via Settings → Configuration.