Quantum Firewall as a Service - OpenStack Havana Design Summit, Portland 2013
Quantum - Firewall As A Service
Havana Design Summit, Portland, April 2013
Big Switch Networks (Sumit Naiksatam, Kanzhe Jiang, KC Wang, Mike Cohen)
PayPal (Vinay Bannai, Anand Palanisamy)
VMware (Serge Maskalik, Kai-Wei, Aaron Rosen, Sachin Thakkar, Salvatore Orlando)
Palo Alto Networks (Marc Benoit)
Checkpoint (Tamir Zegman, Bob Hinden)
Dell (Rajesh Mohan)
Red Hat (Gary Kotton)
NTT (Nachi Ueno)
Cisco (Sridar Kandaswamy, Dan Florea)
Design doc: https://docs.google.com/document/d/1PJaKvsX2MzMRlLGfR0fBkrMraHYF0flvl0sqyZ704tA/edit
Session Etherpad: https://etherpad.openstack.org/Quantum_Firewall_As_A_Service
Goal and Guiding Principles
● Offer rich security features of Firewalls to Quantum users
● Tenant facing abstractions - users consume services through a logical Firewall instance
● Will hide implementation and device management details from the users
● No assumptions about virtual or physical Firewalls
● Adhere to established audit workflows, avoid reinventing accepted definitions/conventions
● Model for a reasonable common denominator, allow for extensions
Use Case
(Diagram: Web-Tier, Mid-Tier and Data-Tier, each fronted by a Firewall and Load Balancer, plus Storage; North-South traffic enters from the perimeter, East-West traffic flows between tiers.)
Use Cases
- Multi-tier
- Firewalls fronting load balancers
- Perimeter Firewall
- Security Groups
- Need a unified way to define security
- Auditing
- Logging
- Firewall state enforcement
Resource Model
Firewalls - A logical instance of a firewall embodying a Firewall Policy
Firewall Policies - An ordered collection of Firewall Rules
Firewall Rules - N-tuple that generically models firewall rules
Entity Relationship
One Firewall -> One Firewall Policy
One Firewall Policy -> Many Firewall Rules
One Firewall Policy -> Many Firewalls (policies can be reused)
One Firewall Rule -> Many Firewall Policies (rules can be reused)
Workflow
1. Firewall Rules are defined and a Firewall Policy is composed
2. Firewall Policy is audited (the audit process is not modeled here)
3. Tenant creates a Firewall instance using the Firewall Policy
Existing Firewalls
Resource Model
Firewall Rules - Attributes
Core attributes: id, name, description, source, destination, action, service
Extension candidates: user, firewall service profile, logging, zones
Source and destination can point to raw IP addresses or to grouping/dynamic/placeholder objects
Firewall Policies - Attributes
Core attributes: id, name, description, firewall rules, audited, shared
Firewall rules: an ordered list of firewall rules
Firewall Instances - Attributes
Core attributes: id, name, description, firewall policy id, service type
Extension candidates: firewall rules blob
Dynamic and Grouping Objects
● Allow placeholders to be inserted into firewall rules
● Avoids having to audit firewall policies for dynamic tenant attributes
● Potentially avoids rule sprawl
● Commonly used for source and destination fields
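The resource model, the entity relationships, the three-step workflow and the grouping objects described above fit together in a small amount of code. The following is an added example written for this page, not code from the Quantum FWaaS implementation or the design doc: the class and attribute names follow the slides, but the first-match evaluation order, the "tcp/80" service notation, the rule that editing a policy clears its `audited` flag, and the refusal to instantiate an unaudited policy are assumptions of this example. The tier addresses and group memberships are constructed sample data.

```python
import ipaddress
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Packet abstraction used for evaluation: (src_ip, dst_ip, protocol, dst_port)
Packet = Tuple[str, str, str, int]

# Grouping/dynamic objects: a name that resolves to its current member networks
# at evaluation time, so membership changes do not require re-auditing rules.
GroupTable = Dict[str, List[str]]


@dataclass
class FirewallRule:
    """N-tuple modelled after the 'Firewall Rules - Attributes' slide."""
    name: str
    source: str          # CIDR/IP literal, or a group object name such as "web-tier"
    destination: str
    service: str         # "tcp/80", "udp/53" or "any" (notation assumed by this example)
    action: str          # "allow" or "deny"
    description: str = ""
    id: str = field(default_factory=lambda: str(uuid.uuid4()))

    def _endpoint_matches(self, endpoint: str, ip: str, groups: GroupTable) -> bool:
        # A placeholder resolves to its members; anything else is a literal network.
        networks = groups[endpoint] if endpoint in groups else [endpoint]
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

    def matches(self, pkt: Packet, groups: GroupTable) -> bool:
        src, dst, proto, port = pkt
        if self.service != "any":
            svc_proto, svc_port = self.service.split("/")
            if svc_proto != proto or int(svc_port) != port:
                return False
        return (self._endpoint_matches(self.source, src, groups)
                and self._endpoint_matches(self.destination, dst, groups))


@dataclass
class FirewallPolicy:
    """Ordered collection of rules; 'audited' and 'shared' follow the slide."""
    name: str
    firewall_rules: List[FirewallRule] = field(default_factory=list)
    audited: bool = False
    shared: bool = False
    description: str = ""
    id: str = field(default_factory=lambda: str(uuid.uuid4()))

    def insert_rule(self, rule: FirewallRule, position: Optional[int] = None) -> None:
        # Any change to the ordered list invalidates a prior audit (assumption of
        # this example; the slides leave the audit process unmodelled).
        if position is None:
            self.firewall_rules.append(rule)
        else:
            self.firewall_rules.insert(position, rule)
        self.audited = False

    def evaluate(self, pkt: Packet, groups: GroupTable, default: str = "deny") -> str:
        # First matching rule wins: the ordering is the policy's security contract.
        for rule in self.firewall_rules:
            if rule.matches(pkt, groups):
                return rule.action
        return default


@dataclass
class Firewall:
    """Logical firewall instance embodying exactly one Firewall Policy."""
    name: str
    firewall_policy: FirewallPolicy
    service_type: str = "FW"
    id: str = field(default_factory=lambda: str(uuid.uuid4()))

    @classmethod
    def create(cls, name: str, policy: FirewallPolicy) -> "Firewall":
        # Workflow step 3: only an audited policy may be instantiated (this
        # example's enforcement choice).
        if not policy.audited:
            raise ValueError(f"policy {policy.name!r} has not been audited")
        return cls(name=name, firewall_policy=policy)

    def check(self, pkt: Packet, groups: GroupTable) -> str:
        return self.firewall_policy.evaluate(pkt, groups)


def build_web_tier_firewall() -> Tuple[Firewall, GroupTable]:
    """Walks the slide workflow: define rules, compose policy, audit, create."""
    # Constructed grouping objects; membership can change without editing rules.
    groups: GroupTable = {"web-tier": ["10.0.1.0/24"], "mid-tier": ["10.0.2.0/24"]}
    allow_http = FirewallRule("allow-http", "0.0.0.0/0", "web-tier", "tcp/80", "allow")
    allow_app = FirewallRule("web-to-app", "web-tier", "mid-tier", "tcp/8080", "allow")
    deny_all = FirewallRule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", "deny")
    policy = FirewallPolicy("web-tier-policy")
    for rule in (allow_http, allow_app, deny_all):
        policy.insert_rule(rule)
    policy.audited = True          # the (unmodelled) audit step signs off here
    return Firewall.create("web-fw", policy), groups
```

Because the policy is an ordered list, the same `deny-all` rule object can be reused as the tail of many policies, and a group such as `mid-tier` can grow a new subnet without any rule or audit changing, which is the sprawl-avoidance point of the grouping objects.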
Firewall Insertion Types
(Diagram: three insertion types, each placing a Q-Firewall between Quantum Networks: L3 insertion (Q-Router + Q-Firewall), bump-in-the-wire insertion, and L2 insertion.)
Legend: Q-Router - Quantum Logical Router Instance; Q-Firewall - Quantum Logical Firewall Instance
Firewall Service attachment
● Service has one or more interfaces (the number of interfaces depends on the service type)
● Each interface plugs into a Quantum port
● The plugging operation is performed by an interface driver (the interface driver is specific to the Firewall technology)
Firewall Service Instances
Base Service Definition:
- service type
- ingress/egress ports
Firewall Service - Service Type:
- one of [LB, FW, ...]
- service insertion type [L2, L3, BITW, Tap]
- vendor
Firewall Instances (diagram: one Firewall Service -> many Firewall Instances)
Havana Roadmap
● API, Resource and DB model implementation: https://blueprints.launchpad.net/quantum/+spec/quantum-fwaas
● Plugin integration
● Base firewall implementation/libraries
● CLI Support
● Horizon Support