Enhancing OpenStack FWaaS for real world application
Slide 1
Copyright © 2014 Juniper Networks, Inc.
Enhancing OpenStack FWaaS for real world applications: Performance, Logging & Scheduling
Sarath Chandra Mekala, Chandan Dutta Chowdhury
Slide 2
Sarath Chandra Mekala
• Tech Lead @ Juniper Networks
• Works on Neutron Plugins
• More than a decade of experience with J2EE/NMS
• Contributed to Juniper’s FWaaS plugin
• Blogs @ sarathblogs.blogspot.in
• Likes Gadgets & Photography
Slide 3
Chandan Dutta Chowdhury
• Tech Lead @ Juniper Networks
• Works on Neutron Plugins
• DevOps & open source hacker
• Contributed to Juniper’s L2, L3 & NSX plugins
• Blogs @ chandanduttachowdhury.wordpress.com
Slide 4
Agenda
• Improve FWaaS Performance
• Scheduling Firewall Policies
• Logging Firewall Policies
Ideas to enable FWaaS to cater to real world application needs
Slide 5
FWaaS Overview
Diagram: a firewall policy made of Rule1, Rule2 and Rule3 is applied to Router 1, Router 2 and Router 3.
Slide 6
FWaaS Performance
Slide 7
Reference Network Topology
Slide 8
Problem 1: Invalid Rules
Slide 9
Problem 2: Unnecessary Rule Deployment
Diagram: a firewall policy containing rules R1, R2 and R3 is deployed in full (R1 R2 R3) on each of Router 1, Router 2 and Router 3, whether or not the router serves the networks those rules refer to.
Slide 10
Overview of FWaaS Performance Issues
• No rule validation
• Allows invalid rules to be present
• All rules are pushed onto all routers
• Unnecessary processing of rules on each router
• Affects performance
• Potential security holes
Slide 11
Solution 1: Rule Validation
Slide 12
Slide 13
Solution 2: Rule Split & Distribution
Slide 14
Solution 2: Rule Split & Distribution
Diagram: the firewall policy holds the rules TCP-10-20-allow, TCP-30-40-allow and Any-Any; after the split, the router serving the 10 -> 20 networks receives TCP-10-20-allow plus Any-Any, and the router serving the 30 -> 40 networks receives TCP-30-40-allow plus Any-Any.
Slide 15
Proposed Improvements
Validation (Invalid Rule Check)
• Rule’s Source IP and/or Destination IP do not belong to any of the tenant networks (or)
• Rule’s Source/Destination IP belong to an existing tenant’s network but the network is yet to be assigned to any router.
Performance
• All rules are segregated and grouped based on the networks they belong to and allocated to their corresponding routers only.
Slide 16
Challenges
• Rule Ordering
• Deletion of router
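The validation and split-and-distribution logic proposed on the two slides above, written out as an added Python example; it is not code from the talk or from Juniper's FWaaS plugin. The tenant topology (networks net-a, net-b, net-c; routers router-1 and router-2) and the policy are constructed, the slide's "and/or" is read as "a rule is invalid when neither endpoint lies in a tenant network", and a rule is placed on every router attached to any of its tenant-network endpoints. The example also covers the two challenges listed: policy order is preserved within each router's subset, and deleting a router re-validates the policy so rules that now point at an unattached network are rejected instead of silently deployed.

```python
import ipaddress

# Constructed sample tenant topology (not from the talk). Each tenant network
# is a CIDR and each router is the set of networks attached to it; net-c has
# been created but is not yet attached to any router.
TENANT_NETWORKS = {
    "net-a": ipaddress.ip_network("10.0.1.0/24"),
    "net-b": ipaddress.ip_network("10.0.2.0/24"),
    "net-c": ipaddress.ip_network("10.0.3.0/24"),
}
ROUTERS = {
    "router-1": {"net-a"},
    "router-2": {"net-b"},
}

# Constructed firewall policy in the order the tenant wrote it. "any" means
# the endpoint is unconstrained.
POLICY = [
    {"name": "web-a-to-b", "source_ip": "10.0.1.0/24", "destination_ip": "10.0.2.10"},
    {"name": "ssh-from-outside", "source_ip": "203.0.113.5", "destination_ip": "10.0.1.20"},
    {"name": "outside-only", "source_ip": "203.0.113.5", "destination_ip": "198.51.100.7"},
    {"name": "to-unattached", "source_ip": "10.0.1.0/24", "destination_ip": "10.0.3.0/24"},
    {"name": "default-deny", "source_ip": "any", "destination_ip": "any"},
]


def network_of(endpoint, networks):
    """Map a rule endpoint to the tenant network containing it.

    Returns "any" for an unconstrained endpoint, the network name when the
    address or CIDR lies inside a tenant network, and None otherwise.
    """
    if endpoint in (None, "", "any"):
        return "any"
    target = ipaddress.ip_network(endpoint, strict=False)
    for name, net in networks.items():
        if target.version == net.version and target.subnet_of(net):
            return name
    return None


def attached_routers(network, routers):
    """Routers that have the given network attached, in a stable order."""
    return sorted(r for r, nets in routers.items() if network in nets)


def validate_rule(rule, networks, routers):
    """Return (True, "") for a deployable rule, else (False, reason)."""
    nets = [network_of(rule["source_ip"], networks),
            network_of(rule["destination_ip"], networks)]
    concrete = [n for n in nets if n != "any"]
    if concrete and all(n is None for n in concrete):
        return False, "neither endpoint belongs to a tenant network"
    for n in concrete:
        if n is not None and not attached_routers(n, routers):
            return False, "network %s is not attached to any router" % n
    return True, ""


def distribute(policy, networks, routers):
    """Split a policy into per-router rule-name lists, preserving order.

    A rule goes to every router attached to at least one of its tenant
    networks (so it is never missing from a router that may forward that
    traffic); rules with no tenant-network endpoint go to every router.
    Invalid rules are returned separately instead of being installed.
    """
    per_router = {r: [] for r in routers}
    rejected = []
    for rule in policy:
        ok, reason = validate_rule(rule, networks, routers)
        if not ok:
            rejected.append((rule["name"], reason))
            continue
        nets = {network_of(rule["source_ip"], networks),
                network_of(rule["destination_ip"], networks)} - {"any", None}
        targets = set(routers) if not nets else set()
        for n in nets:
            targets.update(attached_routers(n, routers))
        for r in sorted(targets):          # policy order is kept per router
            per_router[r].append(rule["name"])
    return per_router, rejected


def without_router(routers, name):
    """Model router deletion: its networks become unattached again."""
    return {r: nets for r, nets in routers.items() if r != name}


if __name__ == "__main__":
    installed, rejected = distribute(POLICY, TENANT_NETWORKS, ROUTERS)
    print("installed:", installed)
    print("rejected:", rejected)
    # Deleting router-2 orphans net-b, so web-a-to-b is rejected as well.
    print(distribute(POLICY, TENANT_NETWORKS, without_router(ROUTERS, "router-2")))
```

The "at least one attached network" placement is the conservative choice: narrowing it to routers that serve both endpoints would leave a router that can still forward part of that traffic without the rule, which is exactly the kind of gap the "potential security holes" slide warns about.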
Slide 17
Scheduling
Slide 18
Scheduling Rules
• Restrict access to:
  • Web Sites
  • Web Servers/FTP servers/SSH/RDP etc.
• Improves productivity
• Conserves Bandwidth
• Increases ROI
Slide 19
Scheduling – IPTables Spec
• IPTables on Ubuntu & CentOS supports rule scheduling
• Uses UTC for time zone by default
• iptables -A <chain> -m time --timestart 09:00 --timestop 17:00 --weekdays Mon,Tue,Wed,Thu,Fri -j <Action>
• -m time : match time
• --timestart : Start time
• --timestop : End time
• --weekdays : Days of the week
Slide 20
Scheduling – IPTables Spec
• Periodicity:
  • --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
  • --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
  • --timestart hh:mm[:ss]
  • --timestop hh:mm[:ss]
  • --monthdays day[,day...]
  • --weekdays day[,day...]
  • --contiguous
  • --kerneltz
Slide 21
Scheduling – IPTables Examples
• To match on weekends, use: -m time --weekdays Sat,Sun
• To match between a set of days with a specific time interval (the stop date must not precede the start date): -m time --datestart 2007-01-01T15:00 --datestop 2015-08-23T09:00
• To match on a time interval: -m time --timestart 09:00 --timestop 17:00
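A helper that builds and checks the -m time arguments listed on the previous slides, added here as an example and not code from the talk. The schedule keys, sample dates and the validation rules are constructed; `matches` models the documented xt_time behaviour (times are UTC unless --kerneltz is used; an overnight window is two intervals on each listed weekday unless --contiguous is given, in which case it is one period that starts on a listed weekday and runs into the next day). That model is an assumption about the kernel module, not a test of it, but it shows why a scheduling feature has to validate tenant input before it becomes an iptables command.

```python
from datetime import datetime, timedelta

# Weekday names accepted by "-m time --weekdays", in iptables' 1..7 order
# (Python's datetime.weekday() uses the same Monday-first numbering).
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
DATE_FORMAT = "%Y-%m-%dT%H:%M"   # full form of the datestart/datestop spec


def _hhmm(value):
    """Parse hh:mm[:ss] into seconds since midnight, rejecting bad input."""
    parts = value.split(":")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError("bad time %r" % value)
    h, m, s = [int(p) for p in parts] + [0] * (3 - len(parts))
    if h > 23 or m > 59 or s > 59:
        raise ValueError("bad time %r" % value)
    return h * 3600 + m * 60 + s


def time_match_args(schedule):
    """Render a validated "-m time ..." argument list from a schedule dict.

    Keys (all optional): timestart/timestop (hh:mm[:ss]), weekdays (list of
    WEEKDAYS names), datestart/datestop (YYYY-MM-DDThh:mm), contiguous
    (bool). Each value is checked here, so a bad tenant schedule is refused
    before any iptables command is built from it.
    """
    args = ["-m", "time"]
    dates, times = {}, {}
    for key in ("datestart", "datestop"):
        if schedule.get(key):
            dates[key] = datetime.strptime(schedule[key], DATE_FORMAT)
            args += ["--" + key, schedule[key]]
    if len(dates) == 2 and dates["datestop"] < dates["datestart"]:
        raise ValueError("--datestop precedes --datestart")
    for key in ("timestart", "timestop"):
        if schedule.get(key):
            times[key] = _hhmm(schedule[key])
            args += ["--" + key, schedule[key]]
    if schedule.get("weekdays"):
        bad = [d for d in schedule["weekdays"] if d not in WEEKDAYS]
        if bad:
            raise ValueError("unknown weekdays %r" % bad)
        args += ["--weekdays", ",".join(schedule["weekdays"])]
    if schedule.get("contiguous"):
        # --contiguous only has a meaning for an overnight window
        if len(times) != 2 or times["timestop"] >= times["timestart"]:
            raise ValueError("--contiguous needs timestop earlier than timestart")
        args.append("--contiguous")
    return args


def matches(schedule, when):
    """Decide whether a UTC timestamp (YYYY-MM-DDThh:mm) falls in the schedule.

    Models the documented xt_time behaviour (an assumption, not a kernel
    test): when timestop is earlier than timestart the window is two
    intervals on each listed weekday, or, with --contiguous, one period
    that starts on a listed weekday and runs into the following day.
    """
    at = datetime.strptime(when, DATE_FORMAT)
    for key, outside in (("datestart", lambda d: at < d), ("datestop", lambda d: at > d)):
        if schedule.get(key) and outside(datetime.strptime(schedule[key], DATE_FORMAT)):
            return False
    start = _hhmm(schedule.get("timestart", "00:00"))
    stop = _hhmm(schedule.get("timestop", "23:59:59"))
    days = set(schedule.get("weekdays") or WEEKDAYS)
    secs = at.hour * 3600 + at.minute * 60
    today = WEEKDAYS[at.weekday()]
    if start <= stop:
        return today in days and start <= secs <= stop
    if not schedule.get("contiguous"):
        return today in days and (secs >= start or secs <= stop)
    if secs >= start:                      # evening part: today's weekday
        return today in days
    if secs <= stop:                       # morning part: yesterday's weekday
        return WEEKDAYS[(at - timedelta(days=1)).weekday()] in days
    return False


if __name__ == "__main__":
    office = {"timestart": "09:00", "timestop": "17:00",
              "weekdays": ["Mon", "Tue", "Wed", "Thu", "Fri"]}
    print(" ".join(time_match_args(office)))
    night = {"timestart": "22:00", "timestop": "06:00", "weekdays": ["Fri"]}
    print(matches(night, "2014-11-08T02:00"), matches(dict(night, contiguous=True), "2014-11-08T02:00"))
```

The overnight case is the one tenants get wrong most often: "22:00 to 06:00 on Friday" without --contiguous opens Friday 00:00 to 06:00 and Friday 22:00 to midnight, not Friday night through Saturday morning, so a scheduling UI should either add --contiguous for such windows or show the tenant the two intervals it actually produces.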
Slide 22
Proposed Horizon Enhancement
Slide 23
Firewall Logs
Slide 24
Current Firewall implementation in OpenStack
• Doesn't provide packet logging
• Tenant does not have any knowledge of dropped packets
• While deploying new rules in the firewall, there is no way to debug the rule
• No way to determine the effectiveness of the firewall rules
Slide 25
Benefits of Enabling Firewall Logs
• Monitoring
• Threat Alerting
• Threat correlation
• Report generation
• Troubleshooting packet drops
• Fine tuning Rules
• Detecting false positives
• Detecting false negatives
Slide 26
Firewall Logging for OpenStack
Diagram: the OpenStack tenant defines firewall rules and enables logging through Neutron; on the compute/network node the firewall agent installs the firewall rules and a logging rule in the router namespace; the firewall logs are shipped to a log server and a log analyser, which produces alerts and reports.
Slide 27
Enable Firewall Logs with IPTables rules
iptables -A <chain> -m limit --limit <limit> -j LOG --log-prefix <prefix-string> --log-level <log-level>
• -j LOG : processed by the LOG target, which logs matching packets via syslog
• --log-prefix : a string to identify the log message
• --log-level : log level to use for the syslog message
iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "IPTABLES LOG:" --log-level 4
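A parser and summariser for the kernel log lines the LOG target above produces, the job of the "log analyser" box in the diagram; this is an added example, not code from the talk. The sample log lines, host and interface names are constructed, while the prefix "IPTABLES LOG:" is the one from the slide's command.

```python
from collections import Counter

# Constructed sample syslog lines (not captured from a real system) in the
# form the LOG target writes, using the prefix from the slide's command.
LOG_LINES = """\
Nov  8 10:15:02 router-ns kernel: IPTABLES LOG: IN=qr-3f2a OUT=qg-91bc SRC=10.0.1.25 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10001 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  8 10:15:04 router-ns kernel: IPTABLES LOG: IN=qr-3f2a OUT=qg-91bc SRC=10.0.1.25 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10002 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  8 10:15:09 router-ns kernel: IPTABLES LOG: IN=qg-91bc OUT=qr-3f2a SRC=198.51.100.7 DST=10.0.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=20001 DF PROTO=TCP SPT=44001 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  8 10:15:11 router-ns kernel: IPTABLES LOG: IN=qg-91bc OUT=qr-3f2a SRC=198.51.100.7 DST=10.0.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=20002 PROTO=ICMP TYPE=8 CODE=0 SEQ=1
Nov  8 10:15:12 router-ns kernel: some unrelated kernel message
"""

KERNEL_MARK = "kernel: "


def parse_log_line(line):
    """Turn one syslog line from the LOG target into a dict, or None.

    KEY=VALUE tokens become entries; bare tokens such as DF or SYN are
    collected under FLAGS; the text between "kernel: " and "IN=" is the
    --log-prefix string, which is how an analyser tells firewall log lines
    (and, if the prefix encodes it, the originating firewall or rule)
    apart from other kernel messages.
    """
    head, mark, body = line.partition("IN=")
    if not mark or KERNEL_MARK not in head:
        return None
    entry = {"TIMESTAMP": " ".join(line.split()[:3]),
             "PREFIX": head.split(KERNEL_MARK, 1)[1].strip(),
             "FLAGS": []}
    for token in ("IN=" + body).split():
        key, eq, value = token.partition("=")
        if eq:
            entry[key] = value
        else:
            entry["FLAGS"].append(key)
    return entry


def flows(text, prefix="IPTABLES LOG:"):
    """Count logged packets per (src, dst, proto, service) for one prefix.

    Returns (flow, count) pairs, most frequent first; for ICMP the
    "service" is the ICMP type, since there is no destination port.
    """
    counts = Counter()
    for line in text.splitlines():
        entry = parse_log_line(line)
        if entry is None or entry["PREFIX"] != prefix:
            continue
        service = entry.get("DPT") or "type %s" % entry.get("TYPE", "?")
        counts[(entry["SRC"], entry["DST"], entry["PROTO"], service)] += 1
    return counts.most_common()


if __name__ == "__main__":
    for flow, count in flows(LOG_LINES):
        print(count, "x", " -> ".join(flow[:2]), flow[2], flow[3])
```

Two points for an analyser built on this output: the slide's rule rate-limits logging with -m limit --limit 10/min, so counts derived from the log are lower bounds rather than exact drop counts, and putting a firewall or rule identifier into --log-prefix is what lets a shared log server attribute each line to the right tenant and rule when it renders the per-tenant view the Horizon slides propose.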
Slide 28
Example:
Slide 29
Proposed Horizon Enhancement for Firewall Logging
Slide 30
Horizon UI Enhancement - 2
Slide 31
Summary of logging feature
• Firewall Logs can help with debugging, threat analysis and rule fine tuning
• Firewall logging can be integrated with FWaaS on OpenStack
• IPTables provides options to enable packet logging
• A centralized server can be introduced to collect and analyze firewall logs
• Horizon UI extension can make logs accessible to the tenant
Slide 32
Q & A
Slide 33
Thank You