SlideShare a Scribd company logo

Quantum firewall as a service open stack havana design summit, portland 2013

S
Sumit Naiksatam

This document discusses the goal of offering firewall services within the Quantum project. It proposes a resource model that includes firewall policies consisting of ordered firewall rules, and firewall instances that embody a firewall policy. It outlines use cases like multi-tier firewalls and security groups. The workflow involves defining firewall rules and policies, auditing policies, and tenants creating firewall instances. Integration with existing Quantum routers and networks is described through different insertion types. The roadmap includes implementing the API, models, plugins, and interfaces along with CLI and dashboard support.

1 of 18
Downloaded 74 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Quantum - Firewall As A Service Havana Design Summit, Portland, April 2013 Big Switch Networks (Sumit Naiksatam, Kanzhe Jiang, KC Wang, Mike Cohen) Pay Pal (Vinay Bannai, Anand Palanisamy) VMware (Serge Maskalik, Kai-Wei, Aaron Rosen, Sachin Thakkar, Salvatore Orlando) Palo Alto Networks (Marc Benoit) Checkpoint (Tamir Zegman, Bob Hinden) Dell (Rajesh Mohan) Red Hat (Gary Kotton) NTT (Nachi Ueno) Cisco (Sirdar Kandaswamy, Dan Florea) Design doc: https://docs.google.com/document/d/1PJaKvsX2MzMRlLGfR0fBkrMraHYF0flvl0sqyZ704tA/edit Session Etherpad: https://etherpad.openstack.org/Quantum_Firewall_As_A_Service
Goal and Guiding Principles ● Offer rich security features of Firewalls to Quantum users ● Tenant facing abstractions - users consume services through a logical Firewall instance ● Will hide implementation and device management details from the users ● No assumptions about virtual or physical Firewalls ● Adhere to established audit workflows, avoid reinventing accepted definitions/conventions ● Model for a reasonable common denominator, allow for extensions
Use Case
Web-Tier Firewall and Load Balancer Mid-Tier Firewall and Load Balancer Data-Tier Firewall and Load Balancer Storage North-South Traffic East – West Traffic
Use Cases - Multi-tier - Firewalls fronting load balancers - Perimeter Firewall - Security Groups - Need a unified way to define security - Auditing - Logging - Firewall state enforcement
Resource Model Firewalls - A logical instance of a firewall embodying a Firewall Policy Firewall Policies - An ordered collection of Firewall Rules Firewall Rules - N-tuple that generically models firewall rules
Entity Relationship One Firewall -> One Firewall Policy One Firewall Policy -> Many Firewall Rules One Firewall Policy -> Many Firewalls (policies can be reused) One Firewall Rule -> Many Firewall Policies (rules can be reused) 1
Workflow Firewall Rules are defined and Firewall Policy is composed Firewall Policy is audited (audit process in not modeled here) Tenant creates Firewall instance using Firewall Policy
Existing Firewalls
Resource Model
Firewall Rules - Attributes Core attributes: id, name, description, source, destination, action, service, action Extension candidates: user, firewall service profile, logging, zones Source and destination can point to raw IP addresses or grouping/dynamic/placeholder objects
Firewall Policies - Attributes Core attributes: id, name, description, firewall rules, audited, shared Firewall rules: an ordered list of firewall rules
Firewall Instances - Attributes Core attributes: id, name, description, firewall policy id, service type Extension candidates: firewall rules blob
Dynamic and Grouping Objects ● Allow placeholders to be inserted into firewall rules ● Avoids having to audit firewall policies for dynamic tenant attributes ● Potentially avoids rules sprawl ● Commonly used for source and destination fields
Firewall Insertion Types Q-Router + Q- Firewall Quantum Network Quantum Network Q-Router - Quantum Logical Router Instance Q-Firewall - Quantum Logical Firewall Instance Bump-in-the-wire insertion Quantum Network Quantum Network Q-Firewall L2 insertion L3 insertion Quantum Network Quantum Network Q-Firewall Quantum Network
Firewall Service attachment ● Service has one or more interfaces (number of interfaces depend on the service type) ● Each interface plugs into a Quantum port ● Plugging operations is performed by an interface driver (interface driver is specific to the Firewall technology)
Firewall Service Instances Base Service Definition: - service type - ingress/egress ports Firewall Service Service Type: - one of [LB, FW, ...] - service insertion type [L2, L3, BITW, Tap] - vendor Firewall Instances 1 *
Havana Roadmap ● API, Resource and DB model implementation: https://blueprints.launchpad. net/quantum/+spec/quantum-fwaas ● Plugin integration ● Base firewall implementation/libraries ● CLI Support ● Horizon Support

More Related Content

PPTX
Cisco Multi-Service FAN Solution
Cisco DevNet
 
PPTX
DEVNET-1163 Data in Motion APIs
Cisco DevNet
 
PDF
Time Sensitive Networks: How changes to standard Ethernet enable convergence ...
Erik van Hilten
 
PPTX
Advanced Cryptography for Cloud Security
Neel Chakraborty
 
PDF
SDDC Strategy 1.3
Woo Hyung Choi
 
PPTX
New Threats, New Approaches in Modern Data Centers
Iben Rodriguez
 
PPTX
6° Sessione VMware NSX: la piattaforma di virtualizzazione della rete per il ...
Jürgen Ambrosi
 
PDF
IoT Seminar (Oct. 2016) Jong Young Lee - MDS Technology
Open Mobile Alliance
 
Cisco Multi-Service FAN Solution
Cisco DevNet
 
DEVNET-1163 Data in Motion APIs
Cisco DevNet
 
Time Sensitive Networks: How changes to standard Ethernet enable convergence ...
Erik van Hilten
 
Advanced Cryptography for Cloud Security
Neel Chakraborty
 
SDDC Strategy 1.3
Woo Hyung Choi
 
New Threats, New Approaches in Modern Data Centers
Iben Rodriguez
 
6° Sessione VMware NSX: la piattaforma di virtualizzazione della rete per il ...
Jürgen Ambrosi
 
IoT Seminar (Oct. 2016) Jong Young Lee - MDS Technology
Open Mobile Alliance
 

What's hot (11)

PPTX
Lightweight M2M 1.1 - LwM2M 1.1 Protocol Overview & New Features
AVSystem
 
PPTX
Modeling self-adaptative IoT architectures
Iván Alfonso
 
PPT
OMA Lightweight M2M Tutorial
zdshelby
 
PPTX
Architecting Azure IoT Solutions
GlobalLogic Ukraine
 
PPTX
Zoura Subscribed 2013 LinkBermuda Metered Cloud Services
Winston Morton
 
PPTX
Cloud, SDN, NFV
Igor D.C.
 
PPTX
Gluing the IoT world with Java and LoRaWAN (Jfokus 2018)
Pance Cavkovski
 
PPTX
Optimising nfv service chains on open stack using docker
Ananth Padmanabhan
 
PDF
Artificial Intelligence in the Network
Michelle Holley
 
PPTX
Machine learning in optical
Vishal Waghmare
 
PDF
Network Function Virtualization - Security Best Practices AtlSecCon 2015
Winston Morton
 
Lightweight M2M 1.1 - LwM2M 1.1 Protocol Overview & New Features
AVSystem
 
Modeling self-adaptative IoT architectures
Iván Alfonso
 
OMA Lightweight M2M Tutorial
zdshelby
 
Architecting Azure IoT Solutions
GlobalLogic Ukraine
 
Zoura Subscribed 2013 LinkBermuda Metered Cloud Services
Winston Morton
 
Cloud, SDN, NFV
Igor D.C.
 
Gluing the IoT world with Java and LoRaWAN (Jfokus 2018)
Pance Cavkovski
 
Optimising nfv service chains on open stack using docker
Ananth Padmanabhan
 
Artificial Intelligence in the Network
Michelle Holley
 
Machine learning in optical
Vishal Waghmare
 
Network Function Virtualization - Security Best Practices AtlSecCon 2015
Winston Morton
 
Ad

Similar to Quantum firewall as a service open stack havana design summit, portland 2013 (20)

PDF
Firewall fundamentals
Thang Man
 
ODP
Firewalld : A New Interface to Your Netfilter Stack
Mahmoud Shiri Varamini
 
PPTX
Lecture-13-Firewall_information_Security.pptx
homecooking511
 
PDF
BAIT1103 Chapter 8
limsh
 
PPTX
Firewalls
Shashwat Shriparv
 
PPTX
firrewall and intrusion prevention system.pptx
fatimagull32
 
PDF
Cr32585591
IJERA Editor
 
PPTX
firewall filtering and communication domain
MohammedAli580048
 
PPTX
Stupid iptables tricks
Jim MacLeod
 
PPTX
Firewall basics - types,architecture ,defination
Sucheta70
 
PPTX
Firewalls and packet filters
MOHIT AGARWAL
 
PDF
Firewalld
Sagar Gor
 
PPT
Firewalls (1056778990099000000000000).ppt
TamilArasan564275
 
PPTX
Firewall.pptx
SourabhPanigrahi2
 
PPT
Firewalls (6)
Bhargu Bhargavi
 
PPT
Day4
Jai4uk
 
PPT
Presentation, Firewalls
kkkseld
 
PDF
25 years of firewalls and network filtering - From antiquity to the cloud
shira koper
 
PPTX
Firewall
Ydel Capales
 
PPT
Lecture 4 firewalls
rajakhurram
 
Firewall fundamentals
Thang Man
 
Firewalld : A New Interface to Your Netfilter Stack
Mahmoud Shiri Varamini
 
Lecture-13-Firewall_information_Security.pptx
homecooking511
 
BAIT1103 Chapter 8
limsh
 
Firewalls
Shashwat Shriparv
 
firrewall and intrusion prevention system.pptx
fatimagull32
 
Cr32585591
IJERA Editor
 
firewall filtering and communication domain
MohammedAli580048
 
Stupid iptables tricks
Jim MacLeod
 
Firewall basics - types,architecture ,defination
Sucheta70
 
Firewalls and packet filters
MOHIT AGARWAL
 
Firewalld
Sagar Gor
 
Firewalls (1056778990099000000000000).ppt
TamilArasan564275
 
Firewall.pptx
SourabhPanigrahi2
 
Firewalls (6)
Bhargu Bhargavi
 
Day4
Jai4uk
 
Presentation, Firewalls
kkkseld
 
25 years of firewalls and network filtering - From antiquity to the cloud
shira koper
 
Firewall
Ydel Capales
 
Lecture 4 firewalls
rajakhurram
 
Ad

More from Sumit Naiksatam (8)

PPTX
Open stack gbp final sn-4-slideshare
Sumit Naiksatam
 
PPTX
Group-based Policy for Networking
Sumit Naiksatam
 
PPTX
Group-based Policy For OpenStack Networking
Sumit Naiksatam
 
PPTX
Network Policy Abstractions in OpenStack Neutron
Sumit Naiksatam
 
PPTX
OpenStack Neutron Service Chaining and Insertion
Sumit Naiksatam
 
PDF
Quantum services' chaining open stack havana design summit, portland 2013
Sumit Naiksatam
 
PPTX
Quantum L3 (forwarding) model - OpenStack Folsom Design Summit
Sumit Naiksatam
 
PPTX
OpenStack Quantum
Sumit Naiksatam
 
Open stack gbp final sn-4-slideshare
Sumit Naiksatam
 
Group-based Policy for Networking
Sumit Naiksatam
 
Group-based Policy For OpenStack Networking
Sumit Naiksatam
 
Network Policy Abstractions in OpenStack Neutron
Sumit Naiksatam
 
OpenStack Neutron Service Chaining and Insertion
Sumit Naiksatam
 
Quantum services' chaining open stack havana design summit, portland 2013
Sumit Naiksatam
 
Quantum L3 (forwarding) model - OpenStack Folsom Design Summit
Sumit Naiksatam
 
OpenStack Quantum
Sumit Naiksatam
 

Quantum firewall as a service open stack havana design summit, portland 2013

  • 1. Quantum - Firewall As A Service Havana Design Summit, Portland, April 2013 Big Switch Networks (Sumit Naiksatam, Kanzhe Jiang, KC Wang, Mike Cohen) Pay Pal (Vinay Bannai, Anand Palanisamy) VMware (Serge Maskalik, Kai-Wei, Aaron Rosen, Sachin Thakkar, Salvatore Orlando) Palo Alto Networks (Marc Benoit) Checkpoint (Tamir Zegman, Bob Hinden) Dell (Rajesh Mohan) Red Hat (Gary Kotton) NTT (Nachi Ueno) Cisco (Sirdar Kandaswamy, Dan Florea) Design doc: https://docs.google.com/document/d/1PJaKvsX2MzMRlLGfR0fBkrMraHYF0flvl0sqyZ704tA/edit Session Etherpad: https://etherpad.openstack.org/Quantum_Firewall_As_A_Service
  • 2. Goal and Guiding Principles ● Offer rich security features of Firewalls to Quantum users ● Tenant facing abstractions - users consume services through a logical Firewall instance ● Will hide implementation and device management details from the users ● No assumptions about virtual or physical Firewalls ● Adhere to established audit workflows, avoid reinventing accepted definitions/conventions ● Model for a reasonable common denominator, allow for extensions
  • 4. Web-Tier Firewall and Load Balancer Mid-Tier Firewall and Load Balancer Data-Tier Firewall and Load Balancer Storage North-South Traffic East – West Traffic
  • 5. Use Cases - Multi-tier - Firewalls fronting load balancers - Perimeter Firewall - Security Groups - Need a unified way to define security - Auditing - Logging - Firewall state enforcement
  • 6. Resource Model Firewalls - A logical instance of a firewall embodying a Firewall Policy Firewall Policies - An ordered collection of Firewall Rules Firewall Rules - N-tuple that generically models firewall rules
  • 7. Entity Relationship One Firewall -> One Firewall Policy One Firewall Policy -> Many Firewall Rules One Firewall Policy -> Many Firewalls (policies can be reused) One Firewall Rule -> Many Firewall Policies (rules can be reused) 1
  • 8. Workflow Firewall Rules are defined and Firewall Policy is composed Firewall Policy is audited (audit process in not modeled here) Tenant creates Firewall instance using Firewall Policy
  • 11. Firewall Rules - Attributes Core attributes: id, name, description, source, destination, action, service, action Extension candidates: user, firewall service profile, logging, zones Source and destination can point to raw IP addresses or grouping/dynamic/placeholder objects
  • 12. Firewall Policies - Attributes Core attributes: id, name, description, firewall rules, audited, shared Firewall rules: an ordered list of firewall rules
  • 13. Firewall Instances - Attributes Core attributes: id, name, description, firewall policy id, service type Extension candidates: firewall rules blob
  • 14. Dynamic and Grouping Objects ● Allow placeholders to be inserted into firewall rules ● Avoids having to audit firewall policies for dynamic tenant attributes ● Potentially avoids rules sprawl ● Commonly used for source and destination fields
  • 15. Firewall Insertion Types Q-Router + Q- Firewall Quantum Network Quantum Network Q-Router - Quantum Logical Router Instance Q-Firewall - Quantum Logical Firewall Instance Bump-in-the-wire insertion Quantum Network Quantum Network Q-Firewall L2 insertion L3 insertion Quantum Network Quantum Network Q-Firewall Quantum Network
  • 16. Firewall Service attachment ● Service has one or more interfaces (number of interfaces depend on the service type) ● Each interface plugs into a Quantum port ● Plugging operations is performed by an interface driver (interface driver is specific to the Firewall technology)
  • 17. Firewall Service Instances Base Service Definition: - service type - ingress/egress ports Firewall Service Service Type: - one of [LB, FW, ...] - service insertion type [L2, L3, BITW, Tap] - vendor Firewall Instances 1 *
  • 18. Havana Roadmap ● API, Resource and DB model implementation: https://blueprints.launchpad. net/quantum/+spec/quantum-fwaas ● Plugin integration ● Base firewall implementation/libraries ● CLI Support ● Horizon Support