Source URL: https://www.docker.com/blog/docker-engine-28-hardening-container-networking-by-default/
Source: Docker
Title: Docker Engine v28: Hardening Container Networking by Default
Summary: The text discusses significant security enhancements in Docker Engine v28, focusing on container access and default security behaviors. It addresses vulnerabilities related to unpublished container ports and presents best practices for upgrading and managing firewall settings effectively.
Detailed Description: This text details an important security update in Docker Engine v28 that addresses vulnerabilities associated with container accessibility, particularly in local network environments. Key takeaways include:
– **Security Hardening**: The update prevents containers from being unintentionally reachable from the local network by applying stricter defaults for published and unpublished ports.
– **NAT and Firewall Rules**: Previously, a container's unpublished ports could be reached from the local network if the host's firewall settings were permissive. Docker now drops that traffic by default; only explicitly published ports are reachable.
– **Affected Users**:
  – **Linux Users**: Primarily those running Docker versions earlier than 28.0.0 with iptables-based networking.
  – **Specific Conditions**: Users who deliberately set permissive firewall rules may find that containers once reachable directly via their IP address are now blocked.
– **Potential Risks**:
  – Malicious actors on the same local network could reach unpublished container ports if they knew the container's IP address, a risk especially in multi-tenant environments.
– **Recommended Actions**:
  1. **Upgrade**: Immediately update to Docker Engine 28.0 to benefit from the new security defaults.
  2. **Assess Your Configuration**: Check whether your existing setup relies on the previous permissive behavior and decide whether to opt out of the new default.
  3. **Advanced Management**: Experienced users can manage iptables rules manually for customized traffic control.
– **Mitigation Strategies in v28**:
  – Unsolicited inbound traffic to container IPs is dropped unless the destination port is published.
  – Users can opt out of the stricter policy when their networking requirements call for it.
– **Conclusion**: Docker Engine v28 minimizes local network exposure of containers through stronger defaults, supporting a secure environment for container-based applications. The change aligns with security practice that discourages unnecessary exposure of resources.
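The "Assess Your Configuration" step above is easiest to do from the engine's own metadata. The following script is an added example, not code from Docker or from the blog post: it reads the JSON list that `docker inspect` prints (the `Config.ExposedPorts`, `HostConfig.PortBindings` and `NetworkSettings.Networks` fields are real inspect output; the sample embedded here is constructed so the script runs offline) and lists, per container, the exposed ports that were never published. Under the pre-28 default those ports were reachable from the local network via the container IP whenever the host firewall allowed it; under the v28 default they are dropped, so this list is exactly what an upgrade can break. It also flags ports published on every host interface, and checks the real `iptables` key of `daemon.json`, since a daemon that does not manage iptables is outside the scope of this change.

```python
"""Audit docker-inspect output for ports that relied on direct container-IP reachability.

Added example (not Docker's code). Input is the JSON list printed by
`docker inspect`; SAMPLE_INSPECT is a constructed sample for offline use.
"""
import json
import sys
from dataclasses import dataclass

# Constructed sample in the shape of `docker inspect` output (three containers).
SAMPLE_INSPECT = json.dumps([
    {   # web: 80/tcp published on all host interfaces, 9100/tcp exposed but unpublished
        "Name": "/web",
        "Config": {"ExposedPorts": {"80/tcp": {}, "9100/tcp": {}}},
        "HostConfig": {"NetworkMode": "bridge",
                       "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]}},
        "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}},
    },
    {   # db: nothing published; before v28 reachable from the LAN via 172.17.0.3:5432
        "Name": "/db",
        "Config": {"ExposedPorts": {"5432/tcp": {}}},
        "HostConfig": {"NetworkMode": "bridge", "PortBindings": {}},
        "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.3"}}},
    },
    {   # hostnet: host networking has no NAT, so the v28 change does not apply
        "Name": "/hostnet",
        "Config": {"ExposedPorts": {"22/tcp": {}}},
        "HostConfig": {"NetworkMode": "host", "PortBindings": {}},
        "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}},
    },
])

# Host addresses that mean "bind on every interface" in a PortBinding.
ALL_INTERFACES = {"", "0.0.0.0", "::"}


@dataclass(frozen=True)
class Finding:
    container: str
    port: str            # e.g. "5432/tcp"
    container_ip: str
    kind: str            # "unpublished" or "published-all-interfaces"


def audit(inspect_json: str) -> list[Finding]:
    """Return one Finding per exposed-but-unpublished port and per all-interface publication."""
    findings: list[Finding] = []
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        host_cfg = c.get("HostConfig") or {}
        if host_cfg.get("NetworkMode") == "host":
            continue  # no bridge/NAT involved; nothing for this audit to say
        exposed = set((c.get("Config") or {}).get("ExposedPorts") or {})
        bindings = host_cfg.get("PortBindings") or {}
        networks = (c.get("NetworkSettings") or {}).get("Networks") or {}
        ip = ", ".join(n["IPAddress"] for n in networks.values() if n.get("IPAddress")) or "-"
        for port in sorted(exposed | set(bindings)):
            if not bindings.get(port):
                # Only reachable by container IP: blocked from outside the host on v28.
                findings.append(Finding(name, port, ip, "unpublished"))
            elif any(b.get("HostIp", "") in ALL_INTERFACES for b in bindings[port]):
                findings.append(Finding(name, port, ip, "published-all-interfaces"))
    return findings


def docker_manages_iptables(daemon_json: str) -> bool:
    """True unless daemon.json sets "iptables": false (then Docker adds no firewall rules)."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    return bool(cfg.get("iptables", True))


def report(findings: list[Finding]) -> list[str]:
    """Human-readable lines, one per finding."""
    lines = []
    for f in findings:
        if f.kind == "unpublished":
            lines.append(f"{f.container}: {f.port} exposed but NOT published "
                         f"(container IP {f.container_ip}); reachable only within the "
                         f"host after the v28 upgrade")
        else:
            lines.append(f"{f.container}: {f.port} published on all host interfaces")
    return lines or ["no exposed-but-unpublished or all-interface ports found"]


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python3 audit_ports.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for line in report(audit(data)):
        print(line)
```

Run it against the sample (no stdin) to see the three findings; in a real assessment, pipe `docker inspect $(docker ps -q)` into it and treat every "exposed but NOT published" line as a port that either needs an explicit `-p` publication after the upgrade or was never meant to be reachable from the network in the first place.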
This information is crucial for security compliance professionals, DevSecOps teams, and any organization using Docker, as it ensures that they are aware of the new defaults and how to maintain container security in shared networking environments.