Enhancing OpenStack FWaaS for real world application
1. Enhancing OpenStack FWaaS for real world applications
Performance, Logging & Scheduling
Sarath Chandra Mekala
Chandan Dutta Chowdhury
2. Sarath Chandra Mekala
• Tech Lead @ Juniper Networks
• Works on Neutron Plugins
• Over a decade of experience with J2EE/NMS
• Contributed to Juniper’s FWaaS plugin
• Blogs @ sarathblogs.blogspot.in
• Likes Gadgets & Photography.
3. Chandan Dutta Chowdhury
• Tech Lead @ Juniper Networks
• Works on Neutron Plugins
• DevOps & open source hacker
• Contributed to Juniper’s L2, L3 & NSX plugins
• Blogs @ chandanduttachowdhury.wordpress.com
4. Agenda
• Improve FWaaS Performance
• Scheduling Firewall Policies
• Logging Firewall Policies
Ideas to enable FWaaS to cater to real-world application needs
10. Overview of FWaaS Performance Issues
• No rule validation
• Allows invalid rules to be present
• All rules are pushed onto all routers
• Unnecessary processing of rules on each router
• Affects performance
• Potential Security holes
15. Proposed Improvements
Validation (Invalid Rule Check)
• A rule is invalid when its source IP and/or destination IP does not belong to any of the tenant's networks
(or)
• when its source/destination IP belongs to an existing tenant network that is not yet assigned to any router.
Performance
• Rules are segregated and grouped by the networks they belong to, and each group is pushed only to the routers that serve those networks.
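The two checks and the per-router grouping above, as an added example in Python (not code from the talk or from the Juniper plugin); the tenant networks, router names and rule format are constructed for illustration:

```python
import ipaddress

# Constructed sample data, not from the talk: tenant networks and the router
# each one is attached to; None means "created but not yet on any router".
TENANT_NETWORKS = {
    "web-net":     ("10.0.1.0/24", "router-1"),
    "db-net":      ("10.0.2.0/24", "router-1"),
    "lab-net":     ("10.0.3.0/24", "router-2"),
    "staging-net": ("10.0.4.0/24", None),
}


def classify_rules(rules, networks=TENANT_NETWORKS):
    """Apply the two proposed checks and group the surviving rules per router.

    Each rule is a dict with 'name', 'source_ip' and 'destination_ip'
    (CIDR, single address, or None for "any"). Returns
    {"routers": {router: [names]}, "invalid": [names], "pending": [names]}:
    'invalid' = a specified side matches no tenant network at all,
    'pending' = it only matches networks not yet attached to a router,
    otherwise the rule is pushed only to the routers it concerns
    (an any-to-any rule is needed on every attached router).
    """
    all_routers = sorted({r for _, r in networks.values() if r})
    out = {"routers": {r: [] for r in all_routers}, "invalid": [], "pending": []}
    for rule in rules:
        sides = [rule.get("source_ip"), rule.get("destination_ip")]
        targets = set(all_routers) if sides == [None, None] else set()
        invalid = unrouted = False
        for addr in filter(None, sides):
            net = ipaddress.ip_network(addr, strict=False)
            side_ok = False
            for cidr, router in networks.values():
                if net.subnet_of(ipaddress.ip_network(cidr)):
                    side_ok = True
                    if router is None:
                        unrouted = True
                    else:
                        targets.add(router)
            invalid |= not side_ok
        if invalid:
            out["invalid"].append(rule["name"])
        elif not targets and unrouted:
            out["pending"].append(rule["name"])
        else:
            for router in sorted(targets):
                out["routers"][router].append(rule["name"])
    return out
```

A rule rejected as invalid never reaches any router, and a pending rule is held back until its network gets a router, which is exactly the unnecessary processing the slide calls out.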
18. Scheduling Rules
• Restrict access to:
• Web Sites
• Web servers/FTP servers/SSH/RDP etc.
• Improves productivity
• Conserves Bandwidth
• Increases ROI
19. Scheduling – IPTables Spec
• IPTables on Ubuntu & CentOS supports rule scheduling
• Uses UTC for time zone by default
• iptables -A <chain> -m time --timestart 09:00 --timestop 17:00 --weekdays Mon,Tue,Wed,Thu,Fri -j <Action>
• -m time : match time
• --timestart : Start time
• --timestop : End time
• --weekdays : Days of the week
21. Scheduling – IPTables Examples
• To match on weekends, use:
-m time --weekdays Sat,Sun
• To match between a set of dates with a specific time interval (the stop date must be later than the start date, and the ISO timestamp is written without a space before the T):
-m time --datestart 2015-08-23T09:00 --datestop 2015-09-01T15:00
• To match on a time interval:
-m time --timestart 09:00 --timestop 17:00
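Because the time match works in UTC by default, a tenant's local 09:00 to 17:00 window has to be shifted before it is installed, and a window that crosses UTC midnight spans two UTC weekdays. The helper below is an added example (not from the talk): it renders a local schedule as one or more `-m time` fragments in UTC; the fixed-offset input is an assumption, so the rules must be regenerated when DST changes the offset. Newer iptables also offers `--kerneltz` to match on the kernel's local time instead.

```python
from collections import defaultdict

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def _hhmm(minutes):
    return "%02d:%02d" % divmod(minutes, 60)


def time_match_utc(start, stop, weekdays, utc_offset_min):
    """Render a tenant's local-time schedule as '-m time' fragments in UTC.

    start/stop are 'HH:MM' in the tenant's local time (start < stop, same
    local day), weekdays a list of names from DAYS, utc_offset_min the local
    offset from UTC in minutes (e.g. IST = +330, US Pacific standard time =
    -480; assumed constant, so regenerate when DST changes it). A window
    that straddles UTC midnight is split into two fragments, because
    --weekdays is checked against the packet's UTC weekday.
    """
    to_min = lambda t: int(t[:2]) * 60 + int(t[3:5])
    segments = defaultdict(list)  # (start_utc, stop_utc) -> weekday names
    for day in weekdays:
        d = DAYS.index(day)
        shift_s, s = divmod(to_min(start) - utc_offset_min, 1440)
        shift_e, e = divmod(to_min(stop) - utc_offset_min, 1440)
        if e == 0:  # ends exactly at UTC midnight: keep it within one UTC day
            shift_e, stop_utc = shift_e - 1, "23:59:59"
        else:
            stop_utc = _hhmm(e)
        if shift_s == shift_e:
            segments[(_hhmm(s), stop_utc)].append(DAYS[(d + shift_s) % 7])
        else:  # straddles UTC midnight: tail of one UTC day, head of the next
            segments[(_hhmm(s), "23:59:59")].append(DAYS[(d + shift_s) % 7])
            segments[("00:00", stop_utc)].append(DAYS[(d + shift_e) % 7])
    return ["-m time --timestart %s --timestop %s --weekdays %s"
            % (s, e, ",".join(days)) for (s, e), days in segments.items()]
```

Each returned fragment goes into its own iptables rule with the same `-j <Action>`; a 09:00 to 17:00 Pacific schedule becomes 17:00 to 23:59:59 UTC on Mon-Fri plus 00:00 to 01:00 UTC on Tue-Sat.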
24. Current Firewall implementation in OpenStack
• Doesn't provide packet logging
• Tenant does not have any knowledge of dropped packets
• While deploying new rules in the firewall, there is no way to debug the rule
• No way to determine the effectiveness of the firewall rules
31. Summary of logging feature
• Firewall logs
• can help with debugging, threat analysis and rule fine-tuning
• Firewall logging can be integrated with FWaaS on OpenStack
• iptables provides options to enable packet logging
• A centralized server can be introduced to collect and analyze firewall logs
• A Horizon UI extension can make the logs accessible to the tenant
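One way to wire the pieces above together, as an added example that is not part of the talk: a rate-limited iptables `LOG` rule whose prefix names the tenant and firewall rule, and a parser that turns the resulting kernel log lines into a per-tenant, per-rule hit count a Horizon extension or central collector could display. The `FWaaS-<tenant>-<rule>: ` prefix convention, the chain name and the sample log lines are all constructed for the example.

```python
import re
from collections import Counter

# Assumed prefix convention (not from the talk): "FWaaS-<tenant>-<rule>: "
PREFIX_RE = re.compile(r"FWaaS-(?P<tenant>\w+)-(?P<rule>[\w-]+): (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")          # IN=..., SRC=..., PROTO=..., DPT=...
MAX_PREFIX = 29                              # xt_LOG --log-prefix limit


def log_rule(chain, tenant, rule, rate="5/min", burst=10):
    """iptables rule to insert just before a tenant's DROP/REJECT rule.

    The limit match keeps a flood of denied packets from filling the router's
    log, and the prefix makes every kernel line attributable to one rule.
    """
    prefix = "FWaaS-%s-%s: " % (tenant, rule)
    if len(prefix) > MAX_PREFIX:
        raise ValueError("log prefix longer than %d chars: %r" % (MAX_PREFIX, prefix))
    return ("iptables -A %s -m limit --limit %s --limit-burst %d "
            '-j LOG --log-level 4 --log-prefix "%s"' % (chain, rate, burst, prefix))


def parse_line(line):
    """Return (tenant, rule, {field: value}) for a FWaaS log line, else None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    return m.group("tenant"), m.group("rule"), dict(KV_RE.findall(m.group("fields")))


def summarize(lines):
    """Count hits per (tenant, rule, PROTO, DPT): what each tenant's rules dropped."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            tenant, rule, f = parsed
            counts[(tenant, rule, f.get("PROTO"), f.get("DPT"))] += 1
    return counts


# Constructed sample syslog lines in the kernel LOG format (not real traffic).
SAMPLE_LOG = [
    "Aug 23 09:15:02 router-1 kernel: FWaaS-t1-deny-ssh: IN=qg-2b OUT=qr-1a SRC=203.0.113.7 DST=10.0.1.5 LEN=60 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 SYN URGP=0",
    "Aug 23 09:15:03 router-1 kernel: FWaaS-t1-deny-ssh: IN=qg-2b OUT=qr-1a SRC=203.0.113.7 DST=10.0.1.5 LEN=60 TTL=54 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 SYN URGP=0",
    "Aug 23 09:16:10 router-1 kernel: FWaaS-t1-deny-rdp: IN=qg-2b OUT=qr-1a SRC=198.51.100.9 DST=10.0.1.8 LEN=52 TTL=120 ID=3 PROTO=TCP SPT=40000 DPT=3389 SYN URGP=0",
    "Aug 23 09:16:11 router-1 kernel: unrelated message",
]
```

Running `summarize(SAMPLE_LOG)` yields two SSH hits and one RDP hit for tenant t1, which is the kind of evidence a tenant needs to confirm a new deny rule is actually firing.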
We live in a connected world and the foundation for these connections is the network.
Broadband Internet traffic is doubling each and every year (according to IDC) [or] Internet traffic worldwide will grow three-fold by the year 2017 (Internet Trends, Mary Meeker, KPCB).
Today we have 2.5 billion Internet users in the world – roughly one-third of the Earth’s population. In the next decade, the number of Internet users will double to 5 billion (Mary Meeker, KPCB)
That means that two-thirds of the world will be connected by 2023.
When you add in the big trends of cloud, mobility, video and security, the combined rate of acceleration is placing unprecedented demands on the network.
[Optional stats/factoids]
100 hours of video uploaded every single minute to YouTube (YouTube)
Mobile video traffic exceeded 50 percent for the first time in 2012. (Cisco VNI)
Mobile network connection speeds more than doubled in 2012. (Cisco VNI)
In 2012, a fourth-generation (4G) connection generated 19 times more traffic on average than a non-4G connection. Although 4G connections represent only 0.9 percent of mobile connections today, they already account for 14 percent of mobile data traffic. (Cisco VNI)
[NOTE: Consider finding an alternate source for the above stats to avoid citing Cisco]
As you just described (refer to pain points from previous slide), you are living in this world and feeling the pressure every day.
Pradeep Sindhu founded Juniper 17 years ago on the belief that we should solve technology problems that matter most to our customers and that make a difference in the world. He recognized the importance of the network and the impact it would have on our world.
Our mission is simple, but powerful; to connect everything and empower everyone.
In today’s connected world, this mission is more relevant than ever.
Here at Juniper we are focused on helping alleviate those pain points through our portfolio of high performance networking products.
[T] And we do this by listening to our customers and helping them address their challenges and capitalize on their opportunities.