BASTION: A Security Enforcement Network Stack for Container Networks


Jaehyun Nam, Seungsoo Lee, and Hyunmin Seo, KAIST; Phil Porras and Vinod Yegneswaran, SRI International; Seungwon Shin, KAIST


In this work, we conduct a security analysis of container networks, identifying a number of concerns that arise from the exposure of unnecessary network operations by containerized applications, and discuss their implications. We then present a new high-performance security enforcement network stack, called BASTION, which extends the container hosting platform with an intelligent container-aware communication sandbox. BASTION introduces (i) a network visibility service that provides fine-grained control over the visible network topology per container application, and (ii) a traffic visibility service, which securely isolates and forwards inter-container traffic in a point-to-point manner, preventing the exposure of this traffic to other peer containers. Our evaluation demonstrates how BASTION can effectively mitigate several adversarial attacks in container networks while improving overall performance by up to 25.4% within single-host containers, and 17.7% for cross-host container communications.


@inproceedings {254412,
author = {Jaehyun Nam and Seungsoo Lee and Hyunmin Seo and Phil Porras and Vinod Yegneswaran and Seungwon Shin},
title = {{BASTION}: A Security Enforcement Network Stack for Container Networks},
booktitle = {2020 USENIX Annual Technical Conference (USENIX ATC 20)},
year = {2020},
isbn = {978-1-939133-14-4},
pages = {81--95},
url = {},
publisher = {USENIX Association},
month = jul
}
