Quantum firewall as a service open stack havana design summit, portland 2013

Post on 29-Nov-2014


Quantum - Firewall As A Service

Havana Design Summit, Portland, April 2013

Big Switch Networks (Sumit Naiksatam, Kanzhe Jiang, KC Wang, Mike Cohen)

Pay Pal (Vinay Bannai, Anand Palanisamy)

VMware (Serge Maskalik, Kai-Wei, Aaron Rosen, Sachin Thakkar, Salvatore Orlando)

Palo Alto Networks (Marc Benoit)

Checkpoint (Tamir Zegman, Bob Hinden)

Dell (Rajesh Mohan)

Red Hat (Gary Kotton)

NTT (Nachi Ueno)

Cisco (Sirdar Kandaswamy, Dan Florea)

Design doc: https://docs.google.com/document/d/1PJaKvsX2MzMRlLGfR0fBkrMraHYF0flvl0sqyZ704tA/edit

Session Etherpad: https://etherpad.openstack.org/Quantum_Firewall_As_A_Service

Goal and Guiding Principles

● Offer rich security features of Firewalls to Quantum users

● Tenant facing abstractions - users consume services through a logical Firewall instance

● Will hide implementation and device management details from the users

● No assumptions about virtual or physical Firewalls

● Adhere to established audit workflows, avoid reinventing accepted definitions/conventions

● Model for a reasonable common denominator, allow for extensions

Use Case

[Diagram: a multi-tier deployment with Web-Tier, Mid-Tier and Data-Tier, each fronted by a Firewall and Load Balancer, followed by Storage. The diagram distinguishes North-South traffic (entering the tiers from outside) from East-West traffic (between tiers).]

Use Cases

- Multi-tier
- Firewalls fronting load balancers
- Perimeter Firewall
- Security Groups
- Need a unified way to define security
- Auditing
- Logging
- Firewall state enforcement

Resource Model

Firewalls - A logical instance of a firewall embodying a Firewall Policy

Firewall Policies - An ordered collection of Firewall Rules

Firewall Rules - N-tuple that generically models firewall rules

Entity Relationship

One Firewall -> One Firewall Policy

One Firewall Policy -> Many Firewall Rules

One Firewall Policy -> Many Firewalls (policies can be reused)

One Firewall Rule -> Many Firewall Policies (rules can be reused)

Workflow

1. Firewall Rules are defined and a Firewall Policy is composed
2. The Firewall Policy is audited (the audit process is not modeled here)
3. The tenant creates a Firewall instance using the audited Firewall Policy

Existing Firewalls

Resource Model

Firewall Rules - Attributes

Core attributes: id, name, description, source, destination, action, service, action

Extension candidates: user, firewall service profile, logging, zones

Source and destination can point to raw IP addresses or to grouping/dynamic/placeholder objects

Firewall Policies - Attributes

Core attributes: id, name, description, firewall rules, audited, shared

Firewall rules: an ordered list of firewall rules

Firewall Instances - Attributes

Core attributes: id, name, description, firewall policy id, service type

Extension candidates: firewall rules blob

Dynamic and Grouping Objects

● Allow placeholders to be inserted into firewall rules

● Avoids having to audit firewall policies for dynamic tenant attributes

● Potentially avoids rules sprawl

● Commonly used for source and destination fields
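The resource model and the grouping-object idea above, as an added in-memory example (not code from the Quantum project or the slides): a rule's source or destination may be a raw CIDR or a "grp:<name>" placeholder that is resolved against a grouping table only when traffic is evaluated, so membership can change without touching the audited policy. The "grp:" prefix, first-match-wins rule order, default deny and the audited-before-instantiate check are assumptions of this example.

```python
# Added example: in-memory version of the Firewall / Policy / Rule model above.
# First-match-wins rule order and default deny are assumptions of this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class FirewallRule:
    id: str
    source: str        # raw CIDR or "grp:<name>" grouping-object placeholder
    destination: str   # raw CIDR or "grp:<name>" grouping-object placeholder
    service: str       # e.g. "tcp/3306"
    action: str        # "allow" or "deny"

@dataclass
class FirewallPolicy:
    id: str
    firewall_rules: list       # ordered; the same FirewallRule may appear in many policies
    audited: bool = False

@dataclass
class Firewall:
    id: str
    firewall_policy_id: str    # one firewall -> exactly one policy (policies are reusable)

class FwaasModel:
    def __init__(self) -> None:
        self.policies: dict = {}
        self.firewalls: dict = {}
        self.groups: dict = {}   # grouping object name -> member CIDRs, editable without re-audit

    def create_firewall(self, fw: Firewall) -> Firewall:
        # Workflow step 3: a tenant can only instantiate a policy that has been audited.
        if not self.policies[fw.firewall_policy_id].audited:
            raise ValueError("policy %s has not been audited" % fw.firewall_policy_id)
        self.firewalls[fw.id] = fw
        return fw

    def _matches(self, addr: str, ref: str) -> bool:
        # Placeholders are resolved at evaluation time, not when the policy is written.
        cidrs = self.groups[ref[4:]] if ref.startswith("grp:") else [ref]
        return any(ip_address(addr) in ip_network(c, strict=False) for c in cidrs)

    def evaluate(self, fw_id: str, src: str, dst: str, service: str) -> str:
        policy = self.policies[self.firewalls[fw_id].firewall_policy_id]
        for rule in policy.firewall_rules:
            if (rule.service == service and self._matches(src, rule.source)
                    and self._matches(dst, rule.destination)):
                return rule.action
        return "deny"
```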

Firewall Insertion Types

[Diagram showing three ways a Q-Firewall is inserted between Quantum Networks: L3 insertion (Q-Router + Q-Firewall between two Quantum Networks), Bump-in-the-wire insertion (Q-Firewall inline between two Quantum Networks) and L2 insertion (Q-Firewall attached to a Quantum Network).]

Q-Router - Quantum Logical Router Instance

Q-Firewall - Quantum Logical Firewall Instance

Firewall Service attachment

● Service has one or more interfaces (number of interfaces depends on the service type)

● Each interface plugs into a Quantum port

● Plugging operations are performed by an interface driver (interface driver is specific to the Firewall technology)

Firewall Service Instances

[Class diagram]

Base Service Definition:
- service type
- ingress/egress ports

Firewall Service - Service Type:
- one of [LB, FW, ...]
- service insertion type [L2, L3, BITW, Tap]
- vendor

Firewall Service -> Firewall Instances (association drawn with multiplicity 1 to *)

Havana Roadmap

● API, Resource and DB model implementation: https://blueprints.launchpad.net/quantum/+spec/quantum-fwaas

● Plugin integration

● Base firewall implementation/libraries

● CLI Support

● Horizon Support