Networking Concepts and Tools for the Cloud

GCG Regional Technical Exchange 2012Networking Concepts and Tools for the CloudThis presentation describes some important conceptsof networking in the cloud, including Virtual LocalArea Networks, Virtual Private Networks, and thedifferent protocol layers. Following that, we willexplain how to use tools including OpenSSH,OpenVPN, and proxy servers to set up differentnetwork topologies and solve connectivity problems,giving examples important to common cloudsituations. We will discuss the relative advantages ofeach in different business scenarios.The fundamental difference with cloud computing isthat network resources can be provisioned verydynamically and responsibility for managing themoften falls down to the individual project level. 2 2 © 2012 IBM Corporation

GCG Regional Technical Exchange 2012IntroductionNetworking is one of the fundamental enabling elements of cloud computing and also one of the hazards to users of cloud computing. OSI Layer Example IaaS PaaS SaaS Protocols 7 Application HTTP, FTP, Consumer Consumer Provider NFS, SMTP, SSH 6 Presentation SSL, TLS Consumer Provider Provider 5 Session TCP Consumer Provider Provider 4 Transport TCP Consumer Provider Provider 3 Network IP, IPSec Consumer Provider Provider 2 Data Link Ethernet, Fibre Provider Provider Provider channel 1 Physical Copper, optic Provider Provider Provider fibre © 2012 IBM Corporation

GCG Regional Technical Exchange 2012Advantages of Network Tools for Different Business ScenariosThe diagram below depicts typical network topology for a composite web application. It contains Firewallconfigurations, VLAN set up, public/private ip configuration for load balancer, and access to businesspartners intranet © 2012 IBM Corporation

GCG Regional Technical Exchange 2012Scenarios1)Production (firewall)  A proxy may also be used but usually for load balancing, rather than security purposes  An administrator may access back end servers via SSH tunnel or a SOCKS proxy  Firewall rules are needed to allow servers inside firewall to access Internet for security updates, license activation, etc without making them visible to the Internet2)Development (VPN) scenarios  Reverse access into enterprise may be needed  A light weight setup is required because a network expert may not be available to help  VPN server on a laptop with DHCP may be used to allow access from the cloud3)Enterprise level  Site to site VPN for general access to the Enterprise  Covered by articles in references section, including CohesiveFT © 2012 IBM Corporation

GCG Regional Technical Exchange 2012FirewallsAn individual fire wall is a fire wall that is installed on the same server as the resource it is protecting. This is an essential tool in cloud computing. Most modern operating systems, including all the images on the IBM SmartCloud Enterprise, are packaged with an individual firewall. On Linux virtual machines this is iptables and on Windows it is a Microsoft solution. On the IBM SmartCloud Enterprise, there is also a firewall between the hypervisor and the virtual machines that it manages.A firewall rule specifies a set of criteria for a network packet and a target. When a network packet arrives each rule is checked. If the packet does not meet the criteria for the rule then the next rule is checked. © 2012 IBM Corporation

GCG Regional Technical Exchange 2012Custom Firewall Rule in YASTNavigate to Custom Rules and click Enter. Navigate to Add and click Enter. Enter 0/0 for the SourceNetwork, which indicates any source computer, and 50030 for the port, which is the port we are interestedin. © 2012 IBM Corporation

GCG Regional Technical Exchange 2012Managing Firewalls on Red Hat Enterprise LinuxOn Red Hat images you can use the iptables command to manage firewall rules. The basic form of an iptables command is# iptables [-t table] -[AD] chain rule-specification [options]The actions associated with a firewall rule include ACCEPT, DROP, QUEUE, and RETURN. If you you dont want to accept a network packet then you should specify a DROP action. In the iptables command A appends a rule and D deletes one.There are three firewal tables. The default table is named filter. This table contains three chains: input, forward, and output. The input chain is for packets coming in to the local sockets, the forward chain is for packets that are routed, and the output chain is for locally generated packets.As an example, to allow network packets from any source on port 80, the default HTTP port, use the command.# /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT © 2012 IBM Corporation

GCG Regional Technical Exchange 2012iptables for Red Hat Enterprise LinuxThis adds a rule to the INPUT chain of the filter table for TCP packets on port 80 with an ACCEPT action. The -p parameter specifies the protocol, tcp in this case. The --dport 80 option is the destination port, 80 in this case. The -j (jump) option is the target, ACCEPT in this case. It can be a good practice to only leave firewall rules in place for as long as you need them. The command form is ideal for doing this. However, often, you will want to keep the rules permanently, including after the next time you restart the instance. To do this, edit the file /etc/sysconfig/iptables. A typical iptables file looks like this*filter:INPUT DROP [67:14849]:FORWARD DROP [0:0]:OUTPUT ACCEPT [346:34696]-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT-A INPUT -p tcp -m tcp --dport 22 -j ACCEPTCOMMITThis specifies the rules for the filter table. All incoming packets from ports 67 to 14849 are dropped. No forwarding is allowed, all outgoing packets on ports 346 to 34696 are allowed, and incoming packets on port 22 (SSH) are allowed. © 2012 IBM Corporation

GCG Regional Technical Exchange 2012iptables commands on RHELAfter you have made the edits and saved the file, start or restart the iptables service with the command.# /sbin/service iptables restartIf you have made changes with the iptables command, you can save them with the command# /sbin/service iptables saveCheck the status of the firewall with the command# /sbin/service iptables status © 2012 IBM Corporation

GCG Regional Technical Exchange 2012Stand-alone FirewallsLinux firewalls can also be used to protect servers other than the server that the firewall resides on.Actually, this is a preferred configuration because it provides an additional level of isolation. © 2012 IBM Corporation

GCG Regional Technical Exchange 2012Secure Shell (SSH)As seen in the sections above, SSH is a fundamental tool in cloud computing. It can be worth learning as a power user to solve numerous practical problems in cloud computing. SSH was designed as a secure replacement for telnet but now is also commonly used programmatically for many applications.SmartCloud Enterprise and other clouds will help you generate and manage SSH keys but you can also create them yourself with openSSH.To generate a new SSH key use the ssh-keygen command. For example,> ssh-keygen -t rsa -P My Passphrase -f ~/.ssh/mykeyThis will generate an RSA type (-t flag) with the passphrase My Passphrase (-P flag), place the private key in the file ~/.ssh/mykey (-f flag) and place the public key in the file ~/.ssh/mykey.pub. If you do not use a -f option then the private key will be written to ~/.ssh/identity. © 2012 IBM Corporation

GCG Regional Technical Exchange 2012OpenSSH CommandsThe configuration file for SSH on the Linux systems on the IBM SmartCloud Enterprise is at /etc/ssh/ssh_config and /etc/ssh/sshd_config. The AllowedUsers setting in is one setting that you might change. The value of this parameter is space separated list of user name patterns. For example,AllowUsers idcuser webadminTo start the SSH server (sshd) use the command# /etc/init.d/sshd startto restart use the command# /etc/init.d/sshd restartYou may want to include the user name in the SSH command in some cases, especially from scripts. To do that use the form$ ssh -i .ssh/key-file idcuser@hostThe @ symbol delineates the user name from the host name or IP address. © 2012 IBM Corporation

GCG Regional Technical Exchange 2012Port ForwardingPort forwarding with SSH is a process where1.the address and port of a packet is translated to a new destination2.the packet is carried over an SSH connection where the destination is accessedIt allows a user to tunnel another protocol over an SSH connection. With openSSH this is done with sshd. This can be useful if the protocol being tunneled is not secure or the destination address and port combination is not visible from the origin. The client that uses the tunneled protocol must be able to specify a non-standard port for this to work. The concept is that you establish a SSH session to your server and then specify which port on the client machine to forward connections from. © 2012 IBM Corporation

GCG Regional Technical Exchange 2012Port forwarding with OpenSSHYou may use OpenSSH on Linux or Windows via a Cygwin command line. With Cygwin, install the cygwin openssh package first, if your system does not already have it. Start a tunnel from your SSH client to the virtual machine on port 5901 with the command shown below.$ ssh -i ~/.ssh/key_name -L 5901:localhost:5901 idcuser@${SCE_VM}where the -i option specifies the key to use and the -L option specifies the tunnel. The port used (5901) must match the port used by the VNC server running on the virtual machine. © 2012 IBM Corporation

GCG Regional Technical Exchange 2012Virtual Private NetworksVirtual Private Networks (VPNs) rely on encryption to create an extension of a private network over the Internet. VPNs enable several network scenarios that are valuable to enterprises.A traditional use of VPNs is to connect the local area networks of different offices of an enterprise into a wide area network. These types of connections are site-to-site. When VPNs were introduced for this purpose they replaced the use of leased lines, greatly reducing cost for the enterprises.Another traditional use of a VPN is to allow employees to access an enterprises private network remotely, for example, to work from home. In this scenario, the enterprise provides a VPN gateway that is accessible from the Internet and the employee installs a VPN client that she installs on her laptop to access applications, such as email. This is termed a mobile virtual private network because one of the end points (where the employee is located) does not have a fixed IP address. © 2012 IBM Corporation

GCG Regional Technical Exchange 2012Encryption with VPNsWhen a client sends a packet through a VPN gateway an authentication header is added, the data is encrypted, and the data is placed in an Encapsulating Security Payload. The receiving VPN server decrypts the data and routes the packet to the destination according to information in the header.The encryption provided by VPNs is at a low level so that all communication to the enterprise is encrypted . This can be at either OSI Layer 2 (Data Link layer) or Layer 3 (Network layer) and can include any of the methods below IPSec SSL / TLS Datagram Transport Layer Security (Cisco) Microsoft Point-to-Point encryption SSH tunneling © 2012 IBM Corporation

GCG Regional Technical Exchange 2012Use of a VPN to Extend an Enterprise NetworkMany enterprises may want to use cloud computing to extend the capacity of their IT infrastructure. Tosupport this scenario the VPN is configured via a gateway in the enterprise network to a private VLAN inthe cloud. © 2012 IBM Corporation

GCG Regional Technical Exchange 2012OpenVPNOpenVPN is an open source VPN client and server solution that can manage point-to-point and site-to-site connections. It uses the openSSL encryption library.The OpenVPN install image can be downloaded from the OpenVPN web site. It includes both client and server software and must be installed on both client and server machines. You can install using the RPM package on RHEL machines and using the apt-get command on SUSE or other Debian based systems. It is possible to install on other Linux systems from the tarball using make. There is a self-extracting installer for Windows and also client only install images that you can direct end-users to. © 2012 IBM Corporation

GCG Regional Technical Exchange 2012References Alex Amies, Harm Sluiman, Qiang Guo Tong, and Guo Ning Liu 2012. Developing and Hosting Applications on the Cloud. IBM Press, ISBN-10: 0-13-306684-3, ISBN-13: 978-0-13-306684-5. http://www.ibmpressbooks.com/bookstore/product.asp?isbn=9780133066845 CohesiveFT, 2011. VPN-Cubed 2.0 product page, at www.cohesiveft.com/vpncubed/.3)Frields, P., 2007. SSH Port Forwarding. Red Hat Magazine at magazine.redhat.com/2007/11/06/ssh- port-forwarding/. Hatch, B., 2011. SSH Port Forwarding, Symatec at http://www.symantec.com/connect/articles/ssh-port-forwarding. IBM 2011. IBM SmartCloud Enterprise: User Guide, Version 1.4.1, http://ibm.com/cloud/enterprise. Koop, R. 2010. Deliver cloud network control to the user, IBM developerWorks at www.ibm.com/developerworks/cloud/library/cl-cloudvirtualnetwork/. OpenSSH Project Team, OpenSSH Documentation, at www.openssh.com/manual.html.8)OpenVPN. Documentation page at openvpn.net/index.php/open-source/documentation.html. Red Hat, 2011. Red Hat Product Documentation, at http://docs.redhat.com. Rokosz, V., 2011. Extend your corporate network with the IBM Cloud, IBM developerWorks at www.ibm.com/developerworks/cloud/library/cl-extendnetworkcloud/index.html. Shewbert, J., 2006. Tunneling with SSH. IBM developerWorks at www.ibm.com/developerworks/aix/library/au-tunnelingssh/index.html. Vernier D. and Jones, A., 2011. IBM SmartCloud Enterprise tip: Span virtual local area networks, IBM developerWorks at www.ibm.com/developerworks/cloud/library/cl-spanvlan/. © 2012 IBM Corporation

GCG Regional Technical Exchange 2012Copyright and Trademarks© Copyright IBM Corp. 2012IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both © 2012 IBM Corporation

Networking Concepts and Tools for the Cloud

by Alex Amies on Jun 20, 2012

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Networking Concepts and Tools for the Cloud Presentation Transcript