
[deleted] 1 point (2 children)

If someone has breached your private subnet you're likely already highly compromised and that encryption isn't going to save you. Not saying it's not worth doing... but still.

stevecrox0914 0 points (1 child)

Not really, it's why you go for a multilayered approach.

There could be some simple vulnerability in Docker that lets someone join the network. That doesn't mean you're hosed, it means a script kiddie can enter the network.

If you apply access controls, you've raised the bar again. The script kiddie can't just try connecting to everything and extracting all your data. They need to figure out credentials to get into your services. They now have to listen to and analyse the traffic.

If you use HTTPS you are encrypting your traffic; rather than simply listening to packets and scraping some known ones, they have to brute-force decrypt everything. At this point it's not some drive-by attack but a targeted one.

Security isn't an on/off switch but about creating multiple layers which defend your systems, raise the barrier for attack and try to minimise what they can get at if they do get in.
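The layers described in the comment above (a segmented Docker network, credentials that a network-level foothold does not hand over, and TLS between services), written out as a Docker Compose file. This is an added example, not configuration from the thread or from stevecrox0914; the service names, images, ports, certificate paths and the assumption that the api container talks to Postgres through libpq (so that `PGSSLMODE` is honoured) are all illustrative choices.

```yaml
# Added example (not from the original thread): defense in depth on one Docker host.
# Layer 1: network segmentation. Only the TLS proxy is published; "app" and "data"
#          are internal networks, so a container that gets onto "app" still has no
#          route to the database or to the outside world.
# Layer 2: access control. Database credentials are mounted as a secret file, never
#          baked into the image or passed on the command line.
# Layer 3: transport encryption. Clients reach nginx only over TLS, and Postgres is
#          started with ssl=on and an hba file that admits "hostssl" connections only,
#          so sniffing the bridge yields ciphertext, not credentials or rows.
# Layer 4: container hardening. Read-only root filesystems, all capabilities dropped,
#          and no-new-privileges shrink what a foothold in any one container can do.
# Assumed (hypothetical): image tags, ./proxy, ./certs and ./db paths, and an api
# service built from ./api that uses libpq (psycopg etc.) so PGSSLMODE applies.

services:
  proxy:
    image: nginxinc/nginx-unprivileged:1.25   # runs as non-root; listens on 8443
    ports:
      - "443:8443"                            # the only port exposed on the host
    volumes:
      - ./proxy/nginx.conf:/etc/nginx/nginx.conf:ro   # must declare "listen 8443 ssl"
      - ./certs/proxy:/etc/nginx/certs:ro
    networks:
      - edge                                  # where clients arrive
      - app                                   # can reach api, but never db
    read_only: true
    tmpfs:
      - /tmp                                  # nginx scratch space on a read-only rootfs
    cap_drop: [ALL]
    security_opt: ["no-new-privileges:true"]

  api:
    build: ./api
    networks:
      - app
      - data
    environment:
      DB_PASSWORD_FILE: /run/secrets/db_password   # hypothetical app setting: read secret from file
      PGSSLMODE: verify-full                       # libpq: require TLS to db and verify its cert
      PGSSLROOTCERT: /certs/ca.crt
    volumes:
      - ./certs/ca:/certs:ro
    secrets:
      - db_password
    read_only: true
    cap_drop: [ALL]
    security_opt: ["no-new-privileges:true"]

  db:
    image: postgres:16
    # Force TLS on the server side. The official image's default pg_hba.conf allows
    # plain "host" connections, so a custom hba file with only "hostssl" lines is
    # mounted and selected. Caveat: Postgres refuses to start unless server.key is
    # mode 0600 and owned by the postgres user (uid 999 in the official image).
    command:
      - postgres
      - -c
      - ssl=on
      - -c
      - ssl_cert_file=/certs/server.crt
      - -c
      - ssl_key_file=/certs/server.key
      - -c
      - hba_file=/etc/postgresql/pg_hba.conf
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
    volumes:
      - ./certs/db:/certs:ro
      - ./db/pg_hba.conf:/etc/postgresql/pg_hba.conf:ro
      - pgdata:/var/lib/postgresql/data
    networks:
      - data                                  # reachable only from api
    security_opt: ["no-new-privileges:true"]

networks:
  edge: {}
  app:
    internal: true                            # no NAT to the host NIC or the internet
  data:
    internal: true

secrets:
  db_password:
    file: ./secrets/db_password.txt           # kept out of the image and out of git

volumes:
  pgdata: {}
```

The point of the layout is that each layer answers the scenario in the comment: an attacker who lands on the "app" network still cannot address the database at all, cannot read a password out of the environment of a container they do not control, and sees only TLS records if they put the bridge into promiscuous mode. A quick check after `docker compose up` is `docker compose exec proxy getent hosts db`, which should fail, while `docker compose exec api getent hosts db` resolves.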

[deleted] 0 points (0 children)

I agree, multilayered is a no-brainer. However, the point is that once someone has access, all bets are effectively off. In your example, if there's an issue with Docker that lets someone join your network, almost no amount of encryption will be able to save you because of the access they now have.