[vbrownbag presentation] network_traffic_logging


Transcript of [vbrownbag presentation] network_traffic_logging

Page 1: [vbrownbag presentation] network_traffic_logging

Copyright 2016 FUJITSU LIMITED

Network traffic logging (logging for security groups & firewalls)

Nguyen Phuong An (E-mail: [email protected], IRC: annp)

Cao Xuan Hoang (E-mail: [email protected], IRC: hoangcx)

PODC, Fujitsu Vietnam Limited

OpenStack Summit Austin, vBrownBag TechTalk, April 25, 2016

Page 2: [vbrownbag presentation] network_traffic_logging

Why do we need network traffic logging? (1/2)

[Diagram: two tenants run as VMs on a compute node (Tenant A: web srv and app srv; Tenant B: db). Every VM port is protected by a security group (SG) implemented with iptables on br-int; compute node and network node are connected through br-eth over the data LAN. On the network node a firewall (FW), also iptables, sits between br-int and br-ex and applies ALLOW/DROP rules to traffic between the tenant networks and the Internet; the network node also hosts DHCP. Security groups log ALLOW (ingress/egress); firewalls log the ALLOW/DROP rule that matched.]

o A traffic flow is the relationship between the system and its end users, so operators need to know what actually happened to a flow: which security group or firewall rule matched it and whether the packet was allowed or dropped.

o That record is what the troubleshooting process needs when the system has a network issue such as "My web/app can't be reached from, or can't reach, the Internet."

Page 3: [vbrownbag presentation] network_traffic_logging

Why do we need network traffic logging? (2/2)

o Network traffic logging helps operators in the auditing process when the system has an issue with network communication, and lets them detect security issues early through threat analysis.

o When deploying security groups and firewalls, tenants want a way to make sure their security rules work as expected.

o Neutron has no way to perform either task today.

o We'd like to bring logging for security groups and firewalls to Neutron.

Page 4: [vbrownbag presentation] network_traffic_logging

Propose logging API model (1/2)

Proposed change:

o The logging API captures all events related to security group rules or firewall rules.

o The API model is laid out so that logging can be extended to other resources more easily.

Name                 End point
Logging-resources    /v2.0/logging/logging-resources
Security-group-logs  /v2.0/logging/security-group-logs
Firewall-logs        /v2.0/logging/firewall-logs

Page 5: [vbrownbag presentation] network_traffic_logging

Propose logging API model (2/2)

Logging-resources

o Collect and process log data for each tenant and save it to a file on the compute node or network node:
  /var/log/neutron/sg-tenant-<xxx>.log, /var/log/neutron/fw-tenant-<xxx>.log

o Forward log data to the console log or to a central logging server.

Security-group-logs & Firewall-logs

o Specify which events related to security groups or firewalls should be logged.

o security-group-logs example: specify which security-group rules (ingress/egress, or a specific security-group-rule UUID) applied to a specific Neutron port are logged. …

Page 6: [vbrownbag presentation] network_traffic_logging

Overview Architecture

[Diagram, read from the user to the central logging server:]

Neutron server
  o Logging API extension, reached over the REST API/CLI; (1) the operator or tenant sends the "enable log" request here
  o Logging API service plugin with the logging_resource, security_group_log and firewall_log resources, stored in the Neutron database
  o Notification driver; (2) it pushes the change to the agent over RPC (rpc_callback)

Agent (compute node / network node)
  o LoggingAgentExtension
      SecurityGroupLogExt -> IptablesSGLogDriver -> syslog
      FirewallLogExt -> IptablesFWLogDriver -> syslog
  o CollectorExt collects the syslog records into /var/log/neutron/sg-tenant-<uuid> and forwards them

Central logging server
  o Receives the forwarded log data (python-logstash?), analyzes and visualizes it with ELK, and produces alerts and reports

Page 7: [vbrownbag presentation] network_traffic_logging

Deep dive into security group logging

[Sequence diagram, steps numbered 1-10, between the user CLI/REST API, the Neutron server (Logging API extension, Logging API plugin, security_group_log, notification_driver, Neutron DB) and the agent (SGLogAgentExt, IptablesSGLogDriver):]

Neutron server side

o The user enables logging through the CLI/REST API; the Logging API extension hands the request to the Logging API plugin, which stores the security_group_log in the Neutron DB.

o The plugin also subscribes to security group changes so that existing logs follow rule updates:

    registry.subscribe(security_group_update, resources.SECURITY_GROUP, events.AFTER_UPDATE)

o The notification_driver pushes the security_group_log to the agent:

    notification_api.push(context, sg_log, events.UPDATED)

Agent side

o The RPC callback receives the push; the agent extension is subscribed to the SG_LOG resource:

    registry.subscribe(security_group_logging, resources.SG_LOG)

o security_group_logging calls SGLogAgentExt.update_port_logging, which uses the sg_log_info_for_devices / sg_log_info_for_ports RPC calls to get the security_group_log info and the affected ports from the Neutron DB.

o IptablesSGLogDriver applies the logging configuration for those ports.

Page 8: [vbrownbag presentation] network_traffic_logging

Support logging API for tenant (1/3)

At the Tokyo summit we introduced the logging API for operators:
  https://goo.gl/6qKS8L
  https://www.youtube.com/watch?v=yBnyD0CPJIE

o Bring the logging API to tenants

o Support RBAC for the logging API

o Support console log (same as nova console log)

Page 9: [vbrownbag presentation] network_traffic_logging

Support logging API for tenant (2/3)

Support RBAC for logging API

o First the admin creates a logging_resource:
    neutron logging-create <logging_resource_name>

o Then the admin allows the target tenant to use it:
    neutron rbac-create <logging_resource_uuid|name> --type logging_resources --target-tenant <tenant-uuid> --action access_as_shared

o The tenant can now attach security_group_logs and firewall_logs to that logging_resource:
    neutron logging-security-group-create --logging-resource-id <logging-resource-id> …
    neutron logging-firewall-create --logging-resource-id <logging-resource-id> …

Page 10: [vbrownbag presentation] network_traffic_logging

Support logging API for tenant (3/3)

Support console log

o Change the ownership of the log file to the "process user id" (tenant uuid) with chown.

o Read the log data from the files /var/log/neutron/sg-tenant-xxx.log and /var/log/neutron/fw-tenant-xxx.log.

o Show the log data on a Horizon log tab or as console output of the neutron client. The API looks like:
    neutron get-security-group-logs --log-resource-id <logging-resource-uuid>
    neutron get-firewall-logs --log-resource-id <logging-resource-uuid>

Page 11: [vbrownbag presentation] network_traffic_logging

How to consume log-data

Operator
  o Directly from the files on the compute and network nodes:
      /var/log/neutron/sg-tenant-<uuid>.log...
      /var/log/neutron/fw-tenant-<uuid>.log...
  o Via the console log:
      neutron get-security-group-logs --log-resource-id <logging-resource-uuid>

Tenant
  o Via the console log only (tenants never read the node's file system directly):
      neutron get-security-group-logs --log-resource-id <logging-resource-uuid>

Log data can be forwarded to a central logging server for analysis or visualization (depends on the collector driver implementation).

Page 12: [vbrownbag presentation] network_traffic_logging

Example of an ICMP packet log record on security groups:

  Oct 21 13:10:51 8d4c70a21fed4aeba121a1a429ba0d04 security_groups e30abd17-fef9 IN f316e55d-51 SRC=10.164.176.134 DST=10.164.176.230 LEN=84 PROTO=ICMP

Example of a TCP packet log record on firewalls:

  Mar 14 11:35:53 8d4c70a21fed4aeba121a1a429ba0d04 firewalls ebf52237-336b-4c58-a5a4-5992ab54b90e ALLOW v4313b867d SRC=10.0.0.3 DST=22.22.22.3 LEN=60 PROTO=TCP SPT=55919 DPT=12865

Logging data format (fields in order):

  timestamp
  tenant_uuid
  resource (security_groups or firewalls)
  logging rule: sg-rule-uuid[:13] or fw-rule-uuid
  action: DROP and ALLOW (ingress/egress); the security group example above shows an allowed ingress packet as IN
  neutron-port-id[:11] or router-port-id[:10]
  src_ip, dst_ip, src_port, dst_port (SRC=, DST=, SPT=, DPT=)
  protocol type and length of packet (PROTO=, LEN=)
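Added example, not the Fujitsu/Neutron code: a small Python collector that parses records in the format above, routes each one to the per-tenant sg-/fw- file named on the logging-resources slide, and counts hits per rule (the per-rule counter a hit-count feature would build on). It assumes only the field order shown here; the function names, the base_dir parameter and every sample line after the slide's two own examples are constructed for this example.

```python
"""Parse Neutron security-group / firewall log records and route them to
per-tenant files, the way the logging-resources slide describes.

Added example, not the Fujitsu/Neutron code. The field order follows the
format slide; function names, the base_dir parameter and every sample
line after the slide's own two examples are constructed for this example.
"""
import re
from collections import Counter
from pathlib import Path

HEX32 = re.compile(r"^[0-9a-f]{32}$")          # tenant_uuid without dashes
RESOURCES = {"security_groups", "firewalls"}
# Slide 2 shows security groups logging ALLOW (ingress/egress) and
# firewalls logging ALLOW/DROP, so IN/OUT are read as allowed ingress/egress.
ACTIONS = {"IN", "OUT", "ALLOW", "DROP"}
INT_FIELDS = ("LEN", "SPT", "DPT")

# First two lines are the slide's examples; the rest are constructed here.
SAMPLE_RECORDS = """\
Oct 21 13:10:51 8d4c70a21fed4aeba121a1a429ba0d04 security_groups e30abd17-fef9 IN f316e55d-51 SRC=10.164.176.134 DST=10.164.176.230 LEN=84 PROTO=ICMP
Mar 14 11:35:53 8d4c70a21fed4aeba121a1a429ba0d04 firewalls ebf52237-336b-4c58-a5a4-5992ab54b90e ALLOW v4313b867d SRC=10.0.0.3 DST=22.22.22.3 LEN=60 PROTO=TCP SPT=55919 DPT=12865
Mar 14 11:35:54 8d4c70a21fed4aeba121a1a429ba0d04 firewalls ebf52237-336b-4c58-a5a4-5992ab54b90e DROP v4313b867d SRC=10.0.0.9 DST=22.22.22.3 LEN=60 PROTO=TCP SPT=40001 DPT=23
Mar 14 11:35:55 5f2e0d9b3c1a4e8f9a7b6c5d4e3f2a1b security_groups 0a1b2c3d-4e5f OUT 9f8e7d6c-5b SRC=10.0.1.4 DST=8.8.8.8 LEN=76 PROTO=UDP SPT=51234 DPT=53
garbage line that should be rejected
"""


def parse_record(line):
    """Return a dict for one record, or None if the line is not a record.

    Layout: <Mon DD HH:MM:SS> <tenant_uuid> <resource> <rule id> <action>
            <port id> KEY=VALUE ... (SRC, DST, LEN, PROTO, optional SPT/DPT)
    """
    tokens = line.split()
    if len(tokens) < 9:
        return None
    tenant, resource, rule_id, action, port_id = tokens[3:8]
    if not (HEX32.match(tenant) and resource in RESOURCES and action in ACTIONS):
        return None
    rec = {
        "timestamp": " ".join(tokens[:3]),
        "tenant_uuid": tenant,
        "resource": resource,
        "rule_id": rule_id,     # sg-rule-uuid[:13] or full fw-rule-uuid
        "action": action,
        "port_id": port_id,     # neutron-port-id[:11] or router-port-id[:10]
    }
    for kv in tokens[8:]:
        key, sep, value = kv.partition("=")
        if not sep or not key.isupper():
            return None
        try:
            rec[key] = int(value) if key in INT_FIELDS else value
        except ValueError:
            return None
    if not all(k in rec for k in ("SRC", "DST", "PROTO")):
        return None
    return rec


def tenant_log_name(rec):
    """File name from the logging-resources slide:
    sg-tenant-<uuid>.log or fw-tenant-<uuid>.log."""
    prefix = "sg" if rec["resource"] == "security_groups" else "fw"
    return f"{prefix}-tenant-{rec['tenant_uuid']}.log"


def collect(lines, base_dir=None):
    """Route raw records to per-tenant files (the CollectorExt role).

    Returns (routed, rejected): routed maps file name -> raw lines, rejected
    holds lines that did not parse and so never land in any tenant's file.
    With base_dir (e.g. /var/log/neutron) the lines are also appended on
    disk. Keying on tenant_uuid is what keeps tenant A's records out of
    tenant B's file once tenants can read their file via the console log.
    """
    routed, rejected = {}, []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        rec = parse_record(line)
        if rec is None:
            rejected.append(line)
            continue
        routed.setdefault(tenant_log_name(rec), []).append(line)
    if base_dir is not None:
        base = Path(base_dir)
        base.mkdir(parents=True, exist_ok=True)
        for name, recs in routed.items():
            with (base / name).open("a", encoding="utf-8") as fh:
                fh.write("\n".join(recs) + "\n")
    return routed, rejected


def hit_count(lines):
    """Hits per (resource, rule id, action): the per-rule counter a
    hit-count feature (future-work slide) would build on."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            counts[(rec["resource"], rec["rule_id"], rec["action"])] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_RECORDS.splitlines()
    routed, rejected = collect(lines)
    for name in sorted(routed):
        print(f"{name}: {len(routed[name])} record(s)")
    print(f"rejected: {len(rejected)}")
    for key, n in sorted(hit_count(lines).items()):
        print(key, n)
```

Run it as a script to see the four records land in three tenant files and the malformed line rejected; pass base_dir=Path("/tmp/neutron-logs") to collect() to have it append the files on disk. Rejecting anything that does not parse, rather than appending it to some default file, is deliberate: a half-parsed line must never be attributed to the wrong tenant.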

Page 13: [vbrownbag presentation] network_traffic_logging

Goal in Newton

Newton: operator only

o RFE bug: https://bugs.launchpad.net/neutron/+bug/1468366

o Specification: https://review.openstack.org/#/c/203509

o Layout of the logging API model

o Security group logs

Page 14: [vbrownbag presentation] network_traffic_logging

Future work

o Support firewall logging

o Support RBAC and console log

o Support a hit-count feature to help against DDoS attacks

o Introduce a central server to analyze and visualize the log data