[vbrownbag presentation] network_traffic_logging
Copyright 2016 FUJITSU LIMITED
Network traffic logging (logging for security groups & firewalls)
Nguyen Phuong An (E-mail: [email protected], IRC: annp)
Cao Xuan Hoang (E-mail: [email protected], IRC: hoangcx)
PODC, Fujitsu Vietnam Limited
OpenStack Summit Austin, vBrownBag TechTalk, April 25, 2016
Why do we need network traffic logging? (1/2)
[Diagram: a compute node with tenant VMs (web srv, app srv, db) for Tenant A and Tenant B behind security groups (SG) on br-int/br-eth, with ALLOW (ingress/egress) rules enforced by iptables; a network node with DHCP and a firewall (FW) applying ALLOW/DROP rules between br-int and br-ex toward the Internet; both nodes connected over the data LAN.]
o A traffic flow reflects the relationship between a service and its end users, so understanding what happened to a flow is really necessary.
o It is necessary for troubleshooting when the system has a network-related issue, such as "My web/app can't reach the internet, or can't be reached from it."
Why do we need network traffic logging? (2/2)
o Network traffic logging helps operators in the auditing process when the system has a network communication issue.
o It helps detect security issues early, through threat analysis of the logged traffic.
o When deploying security groups & firewalls, tenants want a way to make sure their security rules work as expected.
o Neutron has no way to perform the above tasks.
o We'd like to bring logging for security groups & firewalls to Neutron.
Propose logging API model (1/2)
Proposed change:
o The logging API captures all events related to security group rules or firewall rules.
o Introduce a layout for the logging API model that can be extended to other resources more easily.

Name                  End point
Logging-resources     /v2.0/logging/logging-resources
Security-group-logs   /v2.0/logging/security-group-logs
Firewall-logs         /v2.0/logging/firewall-logs
Propose logging API model (2/2)
Logging-resources
o Collect & process log-data for each tenant and save it to a file on the compute node or network node: /var/log/neutron/sg-tenant-<xxx>.log, /var/log/neutron/fw-tenant-<xxx>.log
o Forward log-data to the console log or to a central logging server.
Security-group-logs & Firewall-logs
o Specify which events related to security groups or firewalls to log.
o security-group-logs example: specify which kind of security-group-rules (ingress/egress or security-group-rule-uuid) applied to a specific neutron-port. …
Overview Architecture
[Architecture diagram. Neutron server: an operator or tenant sends "enable log" requests through the REST API/CLI to the Logging API extension and the Logging API service plugin, whose logging_resource, security_group_log and firewall_log objects are stored in the Neutron database; a Notification Driver delivers them to the agent over an RPC callback. Agent: a LoggingAgentExtension hosting SecurityGroupLogExt (IptablesSGLogDriver) and FirewallLogExt (IptablesFWLogDriver), whose drivers emit records through syslog; a CollectorExt writes them to /var/log/neutron/sg-tenant-uuid and forwards them to a Central Logging Server (ELK to analyze & visualize, alerts and reports; python-logstash is a candidate forwarder).]
Deep dive into security group logging
[Sequence diagram, steps 1-10, spanning the Neutron server and the agent: User CLI/REST API -> Logging API extension -> Logging API plugin (security_group_log stored in the Neutron DB) -> notification_driver -> RPC callback -> SGLogAgentExt (security_group_logging, update_port_logging) -> IptablesSGLogDriver; the agent fetches security_group_log info for its ports through sg_log_info_for_devices / sg_log_info_for_ports.]
Callback hooks shown on the diagram:
  Neutron server:
    registry.subscribe(security_group_update, resources.SECURITY_GROUP, events.AFTER_UPDATE)
    notification_api.push(context, sg_log, events.UPDATED)
  Agent:
    registry.subscribe(security_group_logging, resources.SG_LOG)
Support logging API for tenant (1/3)
At the Tokyo summit, we introduced the logging API for operators:
https://goo.gl/6qKS8L
https://www.youtube.com/watch?v=yBnyD0CPJIE
Bring the logging API to tenants:
o Support RBAC for the logging API
o Support console log (same as the nova console log)
Support logging API for tenant (2/3): Support RBAC for logging API
o Admin creates logging_resources:
    neutron logging-create <logging_resource_name>
o Admin allows the target tenant:
    neutron rbac-create <logging_resource_uuid|name> --type logging_resources --target-tenant <tenant-uuid> --action access_as_shared
o Tenant can attach security_group_logs & firewall_logs to the logging_resources:
    neutron logging-security-group-create --logging-resource-id <logging-resource-id> …
    neutron logging-firewall-create --logging-resource-id <logging-resource-id> …
Support logging API for tenant (3/3): Support console log
o Change ownership of the log file to the "process user id" (tenant uuid) with chown (the file mode must also deny other users; chown alone does not isolate tenants if the file stays world-readable)
o Read log-data from the files /var/log/neutron/sg-tenant-xxx.log & /var/log/neutron/fw-tenant-xxx.log
o Show log-data on the horizon log tab or in the console output of the neutron client. The API looks like:
    neutron get-security-group-logs --log-resource-id <logging-resource-uuid>
    neutron get-firewall-logs --log-resource-id <logging-resource-uuid>
How to consume log-data
Operator:
o Access the files directly on the compute & network nodes: /var/log/neutron/sg-tenant-<uuid>.log... /var/log/neutron/fw-tenant-<uuid>.log...
o Via console log: neutron get-security-group-logs --log-resource-id <logging-resource-uuid>
Tenant:
o Via console log: neutron get-security-group-logs --log-resource-id <logging-resource-uuid>
Log-data can be forwarded to a central logging server to analyze or visualize (depends on the collector driver implementation).
Example of an ICMP packet log record on security groups:
Oct 21 13:10:51 8d4c70a21fed4aeba121a1a429ba0d04 security_groups e30abd17-fef9 IN f316e55d-51 SRC=10.164.176.134 DST=10.164.176.230 LEN=84 PROTO=ICMP
Example of a TCP packet log record on firewalls:
Mar 14 11:35:53 8d4c70a21fed4aeba121a1a429ba0d04 firewalls ebf52237-336b-4c58-a5a4-5992ab54b90e ALLOW v4313b867d SRC=10.0.0.3 DST=22.22.22.3 LEN=60 PROTO=TCP SPT=55919 DPT=12865
Logging data format (fields in order):
o timestamp
o tenant_uuid
o resource (security_groups or firewalls)
o logging rule: sg-rule-uuid[:13] or fw-rule-uuid
o action: DROP & ALLOW (ingress/egress); the security-group example above carries the direction, IN, in this position
o neutron-port-id[:11] or router-port-id[:10]
o src_ip, dst_ip, src_port, dst_port, protocol type & length of packet
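The record layout above, the per-tenant files from the "Propose logging API model (2/2)" and console-log slides, and the hit counting mentioned under future work, worked through as an added example. This is not code from the Neutron proposal or from the speakers; it assumes the field order on this slide, treats the two records copied from the slide as ground truth, and constructs the remaining sample lines, the second tenant uuid and the firewall rule uuid for illustration.

```python
"""Added example for this talk (not code from the Neutron logging proposal).

Parses records in the "Logging data format" layout, demultiplexes them into the
sg-tenant-<uuid>.log / fw-tenant-<uuid>.log files the proposal describes, and
counts hits per rule. Records marked "from the slide" are copied from the slide;
every other line, tenant uuid and rule uuid below is constructed here.
"""
import os
import re
import tempfile
from collections import Counter
from typing import Dict, List, Optional

# timestamp tenant_uuid resource rule_id action port_id KEY=VALUE ...
_RECORD_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<tenant_id>[0-9a-f]{32}) "
    r"(?P<resource>security_groups|firewalls) "
    r"(?P<rule_id>\S+) (?P<action>\S+) (?P<port_id>\S+)"
    r"(?P<fields>(?: [A-Z]+=\S*)+)$"
)
_INT_FIELDS = {"LEN", "SPT", "DPT"}
_FILE_PREFIX = {"security_groups": "sg", "firewalls": "fw"}

TENANT_A = "8d4c70a21fed4aeba121a1a429ba0d04"  # tenant uuid used on the slide
TENANT_B = "1b7e9c3d4f5a4e6b8c9d0e1f2a3b4c5d"  # constructed second tenant
FW_DROP_RULE = "0f2a6c1e-7d3b-4a9e-9c4f-1e2d3c4b5a6f"  # constructed fw rule uuid

SAMPLE_RECORDS = [
    # from the slide: ICMP on security groups (sg-rule-uuid[:13], port-id[:11])
    f"Oct 21 13:10:51 {TENANT_A} security_groups e30abd17-fef9 IN f316e55d-51 "
    "SRC=10.164.176.134 DST=10.164.176.230 LEN=84 PROTO=ICMP",
    # from the slide: TCP on firewalls (full fw-rule-uuid, router-port-id[:10])
    f"Mar 14 11:35:53 {TENANT_A} firewalls ebf52237-336b-4c58-a5a4-5992ab54b90e "
    "ALLOW v4313b867d SRC=10.0.0.3 DST=22.22.22.3 LEN=60 PROTO=TCP SPT=55919 DPT=12865",
    # constructed: three SSH probes from one source dropped by a firewall rule
    f"Mar 14 11:36:01 {TENANT_A} firewalls {FW_DROP_RULE} DROP v4313b867d "
    "SRC=203.0.113.9 DST=22.22.22.3 LEN=60 PROTO=TCP SPT=40001 DPT=22",
    f"Mar 14 11:36:02 {TENANT_A} firewalls {FW_DROP_RULE} DROP v4313b867d "
    "SRC=203.0.113.9 DST=22.22.22.3 LEN=60 PROTO=TCP SPT=40002 DPT=22",
    f"Mar 14 11:36:03 {TENANT_A} firewalls {FW_DROP_RULE} DROP v4313b867d "
    "SRC=203.0.113.9 DST=22.22.22.3 LEN=60 PROTO=TCP SPT=40003 DPT=22",
    # constructed: an egress record that belongs to a different tenant
    f"Mar 14 11:36:05 {TENANT_B} security_groups 5a6b7c8d-9e0f OUT a1b2c3d4-e5 "
    "SRC=10.0.0.7 DST=198.51.100.4 LEN=52 PROTO=TCP SPT=51000 DPT=443",
]


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Return the record as a dict, or None for a line that does not match,
    so a collector can count malformed lines instead of dying on them."""
    m = _RECORD_RE.match(line.strip())
    if m is None:
        return None
    rec: Dict[str, object] = {k: v for k, v in m.groupdict().items() if k != "fields"}
    fields: Dict[str, object] = {}
    for kv in m.group("fields").split():
        key, _, value = kv.partition("=")
        # packet length and L4 ports become ints; SRC/DST/PROTO stay strings
        fields[key] = int(value) if key in _INT_FIELDS and value.isdigit() else value
    rec["fields"] = fields
    return rec


def records_for_tenant(lines: List[str], tenant_id: str) -> List[Dict[str, object]]:
    """Tenant-facing read path: only records stamped with this tenant's uuid.
    Without this check one tenant could read another tenant's traffic."""
    recs = (parse_record(line) for line in lines)
    return [r for r in recs if r is not None and r["tenant_id"] == tenant_id]


def hit_counts(records: List[Dict[str, object]]) -> Counter:
    """Hits per (resource, rule_id, action): the raw material for a hit-count feature."""
    return Counter((r["resource"], r["rule_id"], r["action"]) for r in records)


def write_per_tenant_files(lines: List[str], log_dir: str) -> Dict[str, int]:
    """Append each record to <log_dir>/sg-tenant-<uuid>.log or fw-tenant-<uuid>.log.
    The slides chown the file to the tenant's process user; mode 0600 is added
    here because chown alone leaves a 0644 file readable by every local user."""
    written: Counter = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # a real collector would count this as a parse error
        name = f"{_FILE_PREFIX[rec['resource']]}-tenant-{rec['tenant_id']}.log"
        path = os.path.join(log_dir, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        os.fchmod(fd, 0o600)  # enforce the mode even if umask or an old file differ
        with os.fdopen(fd, "a") as fh:
            fh.write(line.rstrip("\n") + "\n")
        written[path] += 1
    return dict(written)


def run_demo() -> Dict[str, tuple]:
    """Write the samples into a fresh temp dir; return basename -> (count, mode)."""
    log_dir = tempfile.mkdtemp(prefix="neutron-logs-")
    written = write_per_tenant_files(SAMPLE_RECORDS, log_dir)
    return {os.path.basename(p): (n, oct(os.stat(p).st_mode & 0o777))
            for p, n in written.items()}
```

Running `run_demo()` produces one sg-tenant file and one fw-tenant file for the slide's tenant and a separate sg-tenant file for the constructed second tenant, each mode 0600; `hit_counts(records_for_tenant(SAMPLE_RECORDS, TENANT_A))` shows the three DROP hits on the constructed firewall rule, which is the kind of per-rule count the hit-count item under future work would alert on.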
Goal in Newton
Newton: operator only
o RFE bug: https://bugs.launchpad.net/neutron/+bug/1468366
o Specification: https://review.openstack.org/#/c/203509
o Layout logging API model
o Security group logs
Future work
o Support firewall logging
o Support RBAC & console log
o Support a hit count feature to avoid DDoS attacks
o Introduce a central server to analyze and visualize