Enhancing OpenStack FWaaS for real world applications
TRANSCRIPT
Copyright © 2014 Juniper Networks, Inc. 1
Enhancing OpenStack FWaaS for real world applications
Performance, Logging & Scheduling
Sarath Chandra Mekala
Chandan Dutta Chowdhury
Sarath Chandra Mekala
• Tech Lead @ Juniper Networks
• Works on Neutron Plugins
• Over a decade of experience with J2EE/NMS
• Contributed to Juniper’s FWaaS plugin
• Blogs @ sarathblogs.blogspot.in
• Likes Gadgets & Photography.
Chandan Dutta Chowdhury
• Tech Lead @ Juniper Networks
• Works on Neutron Plugins
• DevOps & open-source hacker
• Contributed to Juniper’s L2, L3 & NSX plugins
• Blogs @ chandanduttachowdhury.wordpress.com
Agenda
• Improve FWaaS Performance
• Scheduling Firewall Policies
• Logging Firewall Policies
Ideas to enable FWaaS to cater to real-world application needs
FWaaS Overview
[Diagram: one firewall policy holding Rule1, Rule2 and Rule3 is applied to Router 1, Router 2 and Router 3]
FWaaS Performance
Reference Network Topology
Problem 1: Invalid Rules
Problem 2: Unnecessary Rule Deployment
[Diagram: the firewall policy (rules R1, R2, R3) is pushed in full to Router 1, Router 2 and Router 3, so every router carries every rule]
Overview of FWaaS Performance Issues
• No rule validation
• Allows invalid rules to be present
• All rules are pushed onto all routers
• Unnecessary processing of rules on each router
• Affects performance
• Potential security holes
Solution 1: Rule Validation
Solution 2: Rule Split & Distribution
[Diagram: the firewall policy is split per network: TCP-10-20-allow is placed only on the router carrying the 10 -> 20 traffic, TCP-30-40-allow only on the router carrying the 30 -> 40 traffic, and the Any-Any rules are placed on every router]
Proposed Improvements
Validation (Invalid Rule Check) – a rule is rejected when:
• the rule’s source IP and/or destination IP do not belong to any of the tenant’s networks, or
• the rule’s source/destination IP belongs to an existing tenant network, but that network is yet to be assigned to any router.
Performance
• All rules are segregated and grouped based on the networks they belong to, and allocated only to the routers that serve those networks.
Challenges
• Rule ordering
• Deletion of a router
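The validation and distribution procedure from the previous slides, written out as an added example; this is not code from the Juniper FWaaS plugin or from Neutron. Networks, router interfaces and the policy are plain dicts, and the field names, the sample topology and the sample rules are constructed. The slide's two checks are read as: a rule is invalid when neither of its addresses falls inside a tenant network, or when any tenant network it references has no router interface; an Any-Any rule belongs on every router. The two challenges are covered too: each router's list is built in one pass over the policy, so rule order is preserved, and deleting a router is handled by re-running the distribution, which turns the rules that referenced its networks into invalid rules.

```python
import ipaddress

# Constructed tenant topology: three networks, two of them attached to routers.
NETWORKS = {
    "net-a": "10.0.1.0/24",
    "net-b": "10.0.2.0/24",
    "net-c": "10.0.3.0/24",  # created, but not yet assigned to any router
}
ROUTER_INTERFACES = {
    "router-1": ["net-a"],
    "router-2": ["net-b"],
}

# Constructed firewall policy, in the order the tenant defined the rules.
POLICY = [
    {"name": "allow-web-to-a", "source_ip_address": "203.0.113.0/24",
     "destination_ip_address": "10.0.1.10", "action": "allow"},
    {"name": "allow-ssh-a-to-b", "source_ip_address": "10.0.1.0/24",
     "destination_ip_address": "10.0.2.20", "action": "allow"},
    {"name": "bogus-net", "source_ip_address": "192.168.9.0/24",
     "destination_ip_address": "198.51.100.5", "action": "deny"},
    {"name": "unrouted-net", "source_ip_address": "10.0.3.0/24",
     "destination_ip_address": None, "action": "deny"},
    {"name": "deny-all", "source_ip_address": None,
     "destination_ip_address": None, "action": "deny"},
]


def networks_for(addr, networks):
    """Ids of tenant networks whose CIDR overlaps addr (a host or a CIDR)."""
    target = ipaddress.ip_network(addr, strict=False)
    return {nid for nid, cidr in networks.items()
            if ipaddress.ip_network(cidr).overlaps(target)}


def attached_networks(router_interfaces):
    """Ids of networks that currently have an interface on some router."""
    return {nid for nets in router_interfaces.values() for nid in nets}


def validate_rule(rule, networks, router_interfaces):
    """Return (touched_network_ids, reason); reason is None for a valid rule."""
    src = rule.get("source_ip_address")
    dst = rule.get("destination_ip_address")
    if src is None and dst is None:
        return set(), None  # Any-Any rule: belongs on every router
    touched = set()
    for addr in (src, dst):
        if addr:
            touched |= networks_for(addr, networks)
    if not touched:
        return touched, "neither address belongs to a tenant network"
    unattached = touched - attached_networks(router_interfaces)
    if unattached:
        return touched, "network not attached to any router: " + ",".join(sorted(unattached))
    return touched, None


def distribute(policy, networks, router_interfaces):
    """Split a policy into per-router rule lists, keeping the policy order.

    Returns (per_router, invalid): per_router maps a router id to the ordered
    rule names it should carry; invalid lists (rule name, reason) pairs.
    """
    per_router = {rid: [] for rid in router_interfaces}
    invalid = []
    for rule in policy:
        touched, reason = validate_rule(rule, networks, router_interfaces)
        if reason:
            invalid.append((rule["name"], reason))
            continue
        for rid, nets in router_interfaces.items():
            # Any-Any (touched is empty) goes everywhere; otherwise only to
            # routers with an interface on one of the rule's networks.
            if not touched or touched & set(nets):
                per_router[rid].append(rule["name"])
    return per_router, invalid


def delete_router(router_id, router_interfaces):
    """Topology after a router is deleted; its networks become unattached."""
    return {rid: nets for rid, nets in router_interfaces.items() if rid != router_id}


if __name__ == "__main__":
    per_router, invalid = distribute(POLICY, NETWORKS, ROUTER_INTERFACES)
    for rid, names in per_router.items():
        print(rid, names)
    for name, reason in invalid:
        print("invalid:", name, "-", reason)
    # Rules that referenced router-1's network must be re-validated once it is gone.
    after = delete_router("router-1", ROUTER_INTERFACES)
    print("after deleting router-1:", distribute(POLICY, NETWORKS, after))
```

With the constructed topology, router-1 receives allow-web-to-a, allow-ssh-a-to-b and deny-all while router-2 receives only allow-ssh-a-to-b and deny-all; the rule pointing at 192.168.9.0/24 and the one pointing at the unattached net-c are reported instead of being pushed anywhere. Because every router's list comes from the same ordered pass, the tenant's final deny-all stays last on each router, which is what keeps the split from opening holes.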
Scheduling
Scheduling Rules
• Restrict access to:
• Web sites
• Web servers / FTP servers / SSH / RDP etc.
• Improves productivity
• Conserves bandwidth
• Increases ROI
Scheduling – IPTables Spec
• IPTables on Ubuntu & CentOS supports rule scheduling through the time match module (xt_time)
• Uses UTC for the time zone by default (pass --kerneltz to use the kernel’s time zone instead)
• iptables -A <chain> -m time --timestart 09:00 --timestop 17:00 --weekdays Mon,Tue,Wed,Thu,Fri -j <Action>
• -m time : match on time
• --timestart : start time
• --timestop : end time
• --weekdays : days of the week
Scheduling – IPTables Spec
• Periodicity options of the time match:
• --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
• --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
• --timestart hh:mm[:ss]
• --timestop hh:mm[:ss]
• --monthdays day[,day...]
• --weekdays day[,day...]
• --contiguous
• --kerneltz
Scheduling – IPTables Examples
• To match on weekends, use: -m time --weekdays Sat,Sun
• To match one absolute window between two points in time: -m time --datestart 2015-08-23T09:00 --datestop 2015-08-23T15:00 (datestop must be later than datestart; to match a daily interval only within a date range, combine --datestart/--datestop with --timestart/--timestop)
• To match on a daily time interval: -m time --timestart 09:00 --timestop 17:00
• All of these are evaluated in UTC unless --kerneltz is given
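An added example (not the plugin’s or Neutron’s code) of how a schedule attached to an FWaaS rule could be turned into the time match shown above and validated before the rule reaches an agent. The chain name, the schedule dict keys (weekdays, timestart, timestop, datestart, datestop, kerneltz) and the sample rules are assumptions; times are UTC unless the schedule sets kerneltz. It rejects the mistakes the man page does not catch for you in a UI (a datestop before the datestart, a timestart without a timestop, an unknown weekday name) and leaves a timestop earlier than the timestart alone, because xt_time treats that as a window that wraps past midnight.

```python
import re
import shlex
from datetime import datetime

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
TIME_RE = re.compile(r"^([01]\d|2[0-3]):[0-5]\d(?::[0-5]\d)?$")
# --datestart/--datestop accept YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M", "%Y-%m-%dT%H",
                "%Y-%m-%d", "%Y-%m", "%Y")
ACTIONS = {"allow": "ACCEPT", "deny": "DROP"}

# Constructed inputs: block RDP during office hours, Monday to Friday (UTC).
OFFICE_HOURS = {"weekdays": ["Mon", "Tue", "Wed", "Thu", "Fri"],
                "timestart": "09:00", "timestop": "17:00"}
BLOCK_RDP = {"protocol": "tcp", "destination_port": 3389, "action": "deny"}


def _check_time(value):
    if not TIME_RE.match(value):
        raise ValueError("bad hh:mm[:ss] value: %r" % value)
    return value


def _parse_date(value):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError("bad ISO 8601 date: %r" % value)


def time_match(schedule):
    """Argument list for '-m time ...' built from a schedule dict."""
    args = ["-m", "time"]
    ts, te = schedule.get("timestart"), schedule.get("timestop")
    if (ts is None) != (te is None):
        raise ValueError("timestart and timestop must be given together")
    if ts is not None:
        # timestop earlier than timestart is legal: the window wraps past midnight
        args += ["--timestart", _check_time(ts), "--timestop", _check_time(te)]
    days = schedule.get("weekdays") or []
    unknown = [d for d in days if d not in WEEKDAYS]
    if unknown:
        raise ValueError("unknown weekday(s): " + ",".join(unknown))
    if days:
        args += ["--weekdays", ",".join(days)]
    dates = {}
    for opt, value in (("--datestart", schedule.get("datestart")),
                       ("--datestop", schedule.get("datestop"))):
        if value is not None:
            dates[opt] = _parse_date(value)
            args += [opt, value]
    if len(dates) == 2 and dates["--datestart"] >= dates["--datestop"]:
        raise ValueError("datestop must be later than datestart")
    if schedule.get("kerneltz"):
        args.append("--kerneltz")  # otherwise xt_time interprets all times as UTC
    return args


def iptables_rule(chain, rule, schedule=None):
    """Shell-quoted iptables command for one FWaaS rule plus an optional schedule."""
    args = ["iptables", "-A", chain]
    proto = rule.get("protocol")
    if proto and proto != "any":
        args += ["-p", proto]
    if rule.get("source_ip_address"):
        args += ["-s", rule["source_ip_address"]]
    if rule.get("destination_ip_address"):
        args += ["-d", rule["destination_ip_address"]]
    if rule.get("destination_port") is not None:
        if proto not in ("tcp", "udp"):
            raise ValueError("--dport requires -p tcp or -p udp")
        args += ["--dport", str(rule["destination_port"])]
    if schedule:
        args += time_match(schedule)
    args += ["-j", ACTIONS[rule["action"]]]
    return " ".join(shlex.quote(a) for a in args)


def schedule_error(schedule):
    """None when the schedule is valid, otherwise the validation message."""
    try:
        time_match(schedule)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(iptables_rule("fwaas-sched", BLOCK_RDP, OFFICE_HOURS))
    print(schedule_error({"datestart": "2015-08-23T09:00", "datestop": "2007-01-01T15:00"}))
```

Validating in the plugin rather than letting iptables fail on the agent matters because a rejected rule on one router otherwise leaves the policy partially deployed; the chain name fwaas-sched is a placeholder, not the name any FWaaS driver uses.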
Proposed Horizon Enhancement
Firewall Logs
Current Firewall implementation in OpenStack
• Doesn’t provide packet logging
• Tenant does not have any knowledge of dropped packets
• While deploying new rules in the firewall, there is no way to debug the rule
• No way to determine the effectiveness of the firewall rules
Benefits of Enabling Firewall Logs
• Monitoring
• Threat alerting
• Threat correlation
• Report generation
• Troubleshooting packet drops
• Fine-tuning rules
• Detecting false positives
• Detecting false negatives
Firewall Logging for OpenStack
[Diagram: the OpenStack tenant defines firewall rules and enables logging through Neutron; the Firewall Agent on the compute/network node installs the firewall rules plus a logging rule in the router namespace; the resulting firewall logs are shipped to a log server and a log analyser, which produce alerts and reports]
Enable Firewall Logs with IPTables rules
iptables -A <chain> -m limit --limit <limit> -j LOG --log-prefix <prefix-string> --log-level <log-level>
-j LOG : processed by the LOG target, which writes the packet headers to the kernel log (picked up by syslog); LOG is non-terminating, so the packet continues to the next rule and the DROP rule must follow it
--log-prefix : a string to identify the log message (at most 29 characters; end it with a space so it does not run into the IN= field)
--log-level : syslog level to use for the message
-m limit --limit : rate-limits the log entries so that a flood of matching packets cannot fill the log
iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "IPTABLES LOG: " --log-level 4
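Added example, not code from the plugin, Neutron or any log analyser: it emits the LOG/DROP rule pair for one firewall rule with a prefix that carries the rule id, then parses constructed syslog lines of the kind the LOG target produces and counts logged packets per rule, protocol and destination port, which is the attribution the log analyser in the architecture above needs to show a tenant which of its rules dropped what. The chain names, the FW:<rule-id> prefix convention, the interface names, the addresses and the log lines are all constructed.

```python
import re
from collections import Counter

MAX_PREFIX = 29  # xt_LOG rejects --log-prefix values longer than this

# The LOG target writes "<prefix>IN=<dev> OUT=<dev> SRC=... DST=... PROTO=... [SPT= DPT=] ..."
LOG_RE = re.compile(r"kernel: (?:\[\s*\d+\.\d+\] )?(?P<prefix>.*?)IN=(?P<rest>.*)$")

# Constructed syslog lines: host, interface names and addresses are invented.
SAMPLE_LINES = [
    "Mar  3 10:14:22 net-node-1 kernel: [12345.678901] FW:r1-deny IN=qr-1a2b3c4d-5e "
    "OUT=qg-9f8e7d6c-5b SRC=10.0.1.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=54321 DF PROTO=TCP SPT=44512 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Mar  3 10:14:25 net-node-1 kernel: [12348.101112] FW:r1-deny IN=qr-1a2b3c4d-5e "
    "OUT=qg-9f8e7d6c-5b SRC=10.0.1.11 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=54322 DF PROTO=TCP SPT=44513 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Mar  3 10:15:01 net-node-1 kernel: [12384.000001] FW:r2-deny IN=qr-1a2b3c4d-5e "
    "OUT=qg-9f8e7d6c-5b SRC=10.0.1.12 DST=198.51.100.53 LEN=71 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=0 DF PROTO=UDP SPT=5353 DPT=53 LEN=51",
    "Mar  3 10:15:02 net-node-1 sshd[2211]: Accepted publickey for ubuntu from 192.0.2.9 port 50122 ssh2",
]


def log_and_drop(chain, rule_id, match_args, limit="10/min"):
    """iptables command pair: a rate-limited LOG rule followed by the DROP rule.

    LOG is non-terminating, so the DROP has to follow it. The prefix carries the
    firewall rule id and ends in a space so it stays separate from 'IN='.
    """
    prefix = "FW:%s " % rule_id
    if len(prefix) > MAX_PREFIX:
        raise ValueError("--log-prefix longer than %d characters" % MAX_PREFIX)
    base = "iptables -A %s %s" % (chain, match_args)
    return [
        base + ' -m limit --limit %s -j LOG --log-prefix "%s" --log-level 4' % (limit, prefix),
        base + " -j DROP",
    ]


def parse_log_line(line):
    """Dict of LOG fields (plus 'prefix' and bare 'flags'), or None for a non-LOG line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {"prefix": m.group("prefix").strip(), "flags": set()}
    for token in ("IN=" + m.group("rest")).split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
        else:
            fields["flags"].add(token)  # DF, SYN, ACK ... carry no value
    return fields


def summarize(lines):
    """Logged packets per (rule prefix, protocol, destination port)."""
    counts = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f is not None:
            counts[(f["prefix"], f.get("PROTO"), f.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for cmd in log_and_drop("fw-tenant-a", "r1-deny", "-p tcp --dport 22"):
        print(cmd)
    for (prefix, proto, dport), n in summarize(SAMPLE_LINES).most_common():
        print("%-12s %-4s dport=%-5s %d packets" % (prefix, proto, dport, n))
```

Two checks before relying on this in a deployment: the rate limit belongs on the LOG rule only, never on the DROP rule that follows it, otherwise packets beyond the limit fall through the DROP and are accepted; and on kernels that have the net.netfilter.nf_log_all_netns sysctl, LOG emits nothing from a non-init network namespace such as a Neutron router namespace until that sysctl is set to 1 (the NFLOG target with a userspace collector is the alternative).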
Example:
Proposed Horizon Enhancement for Firewall Logging
Horizon UI Enhancement - 2
Summary of logging feature
• Firewall logs can help with debugging, threat analysis and rule fine-tuning
• Firewall logging can be integrated with FWaaS on OpenStack
• IPTables provides options to enable packet logging
• A centralized server can be introduced to collect and analyze firewall logs
• A Horizon UI extension can make the logs accessible to the tenant
Q & A
Thank You