SlideShare a Scribd company logo

Enhancing OpenStack FWaaS for real world application

Download as PPTX, PDF
openstackindia
openstackindia

q

Technology
1 of 33
Enhancing OpenStack FWaaS for real world applications Performance, Logging & Scheduling Sarath Chandra Mekala Chandan Dutta Chowdhury
Sarath Chandra Mekala • Tech Lead @ Juniper Networks • Works on Neutron Plugins • Over a decade+ of experience with J2EE/NMS • Contributed to Juniper’s FWaaS plugin • Blogs @ sarathblogs.blogspot.in • Likes Gadgets & Photography.
Chandan Dutta Chowdhury • Tech Lead @ Juniper Networks • Works on Neutron Plugins • DevOPS & Opensource hacker • Contributed to Juniper’s L2, L3 & NSX plugins • Blogs @ chandanduttachowdhury.wordpress.com
Agenda • Improve FWaaS Performance • Scheduling Firewall Policies • Logging Firewall Policies Ideas to enable FWaaS cater to real world application needs
FWaaS Overview Rule1 Rule2 Rule3 Router 1 Router 2 Router 3
FWaaS Performance
Reference Network Topology
Problem 1: Invalid Rules
Problem 2: Unnecessary Rule Deployment Router 1 Router 2 Router 3 R1 R2 R3R1 R2 R3R1 R2 R3Firewall Policy Firewall
Overview of FWaaS Performance Issues • No rule validation • Allows invalid rules to be present • All rules are pushed onto all routers • Unnecessary processing of rules on each router • Affects performance • Potential Security holes
Solution 1: Rule Validation
Solution 2: Rule Split & Distribution
Solution 2: Rule Split & Distribution 10 -> 20 30 -> 40 TCP-10-20- allow Firewall Policy Firewall TCP-30-40- allow Any-AnyAny-Any
Proposed Improvements Validation (Invalid Rule Check) • Rule’s Source IP and/or Destination IP do not belong to any of tenant networks (or) • Rule’s Source/Destination IP belong to an existing tenant’s network but the network is yet to be assigned to any router. Performance • All rules are segregated and grouped based on the networks they belong to and allocated to their corresponding routers only.
Challenges • Rule Ordering • Deletion of router
Scheduling
Scheduling Rules • Restrict access to: • Web Sites • Web Servers/FTP servers/SSH/RDP e.t.c • Improves productivity • Conserves Bandwidth • Increases ROI
Scheduling – IPTables Spec • IPTables on Ubuntu & CentOS supports rule scheduling • Uses UTC for time zone by default • iptables –A <chain> -m time --timestart 09:00 -- timestop 17:00 -weekdays Mon,Tue,Wed,Thu,Fri -j <Action> • -m time : match time • --timestart : Start time • --timestop : End time • --weekdays : Days of the week
Scheduling – IPTables Spec • Periodicity: • datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]] • datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]] • timestart hh:mm[:ss] • timestop hh:mm[:ss] • monthdays day[,day...] • weekdays day[,day...] • contiguous • Kerneltz
Scheduling – IPTables Examples • To match on weekends, use: -m time --weekdays SAT,SUN • To match between a set of days with a specific time interval: -m time --datestart 2015-08-23 T09:00 --datestop 2007-01-01T15:00 • To match on a time interval: -m time --timestart 09:00 --timestop 17:00
Proposed Horizon Enhancement
Firewall Logs
Current Firewall implementation in OpenStack • Doesn't provide packet logging • Tenant does not have any knowledge of dropped packets • While deploying new rules in the firewall, there is no way to debug the rule • No way to determine the effectiveness of the firewall rules
Benefits of Enabling Firewall Logs • Monitoring • Threat Alerting • Threat correlation • Report generation • Troubleshooting packet drops • Fine tuning Rules • Detecting false positives • Detecting false negatives
Firewall Logging for OpenStack COMPUTE/NETW ORK NODE ROUTER NAMESPACE LOGGING RULE LOG SERVER LOG ANALYSER Firewall Agent ENABLE LOGGING NEUTRON FIREWALL LOGS LOGS ALERTS! REPORTS OPENSTACK TENANT FIREWALL RULES FIREWALL RULES
Enable Firewall Logs with IPTables rules iptables –A <chain> -m limit –limit <limit> -j LOG --log-prefix <prefix-string> - -log-level <log-level> -J LOG : processed by target LOG that logs packets with syslog --log-prefix : a string to identify the log message --log-level : log level to use with syslog message iptables -A INPUT -j LOG --log-prefix "IPTABES LOG:" -m limit --limit 10/min --log-level 4
Example:
Proposed Horizon Enhancement for Firewall Logging
Horizon UI Enhancement -2
Summary of logging feature • Firewall Logs • can help with debugging, threat analysis , Rule fine tuning • Firewall Logging Can be integrated with FWaaS on OpenStack • IPTables provides options to enable packet logging • A centralized server can be introduced to collect and analyze firewall logs • Horizon UI extension can make logs accessible to the tenant
Q & A
Thank You

Recommended

OpenStack Tempest and REST API testing
OpenStack Tempest and REST API testingOpenStack Tempest and REST API testing
OpenStack Tempest and REST API testingopenstackindia
 
OPNFV & OpenStack
OPNFV & OpenStackOPNFV & OpenStack
OPNFV & OpenStackopenstackindia
 
OpenStack Summit Vancouver: Lessons learned on upgrades
OpenStack Summit Vancouver: Lessons learned on upgradesOpenStack Summit Vancouver: Lessons learned on upgrades
OpenStack Summit Vancouver: Lessons learned on upgradesFrédéric Lepied
 
OpenStack QA Tooling & How to use it for Production Cloud Testing | Ghanshyam...
OpenStack QA Tooling & How to use it for Production Cloud Testing | Ghanshyam...OpenStack QA Tooling & How to use it for Production Cloud Testing | Ghanshyam...
OpenStack QA Tooling & How to use it for Production Cloud Testing | Ghanshyam...Vietnam Open Infrastructure User Group
 
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...Daniel Krook
 
Hostvn ceph in production v1.1 dungtq
Hostvn ceph in production v1.1 dungtqHostvn ceph in production v1.1 dungtq
Hostvn ceph in production v1.1 dungtqViet Stack
 
OpenStack Neutron behind the Scenes
OpenStack Neutron behind the ScenesOpenStack Neutron behind the Scenes
OpenStack Neutron behind the ScenesAnil Bidari ( CEO , Cloud Enabled)
 
OpenStack Watcher
OpenStack WatcherOpenStack Watcher
OpenStack Watcheropenstackindia
 

Recommended

OpenStack Tempest and REST API testing
OpenStack Tempest and REST API testingOpenStack Tempest and REST API testing
OpenStack Tempest and REST API testingopenstackindia
 
OPNFV & OpenStack
OPNFV & OpenStackOPNFV & OpenStack
OPNFV & OpenStackopenstackindia
 
OpenStack Summit Vancouver: Lessons learned on upgrades
OpenStack Summit Vancouver: Lessons learned on upgradesOpenStack Summit Vancouver: Lessons learned on upgrades
OpenStack Summit Vancouver: Lessons learned on upgradesFrédéric Lepied
 
OpenStack QA Tooling & How to use it for Production Cloud Testing | Ghanshyam...
OpenStack QA Tooling & How to use it for Production Cloud Testing | Ghanshyam...OpenStack QA Tooling & How to use it for Production Cloud Testing | Ghanshyam...
OpenStack QA Tooling & How to use it for Production Cloud Testing | Ghanshyam...Vietnam Open Infrastructure User Group
 
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...Daniel Krook
 
Hostvn ceph in production v1.1 dungtq
Hostvn ceph in production v1.1 dungtqHostvn ceph in production v1.1 dungtq
Hostvn ceph in production v1.1 dungtqViet Stack
 
OpenStack Neutron behind the Scenes
OpenStack Neutron behind the ScenesOpenStack Neutron behind the Scenes
OpenStack Neutron behind the ScenesAnil Bidari ( CEO , Cloud Enabled)
 
OpenStack Watcher
OpenStack WatcherOpenStack Watcher
OpenStack Watcheropenstackindia
 
Build cloud like Rackspace with OpenStack Ansible
Build cloud like Rackspace with OpenStack AnsibleBuild cloud like Rackspace with OpenStack Ansible
Build cloud like Rackspace with OpenStack AnsibleJirayut Nimsaeng
 
Autoscaling OpenStack Natively with Heat, Ceilometer and LBaaS
Autoscaling OpenStack Natively with Heat, Ceilometer and LBaaSAutoscaling OpenStack Natively with Heat, Ceilometer and LBaaS
Autoscaling OpenStack Natively with Heat, Ceilometer and LBaaSShixiong Shang
 
Orchestration Tool Roundup - Arthur Berezin & Trammell Scruggs
Orchestration Tool Roundup - Arthur Berezin & Trammell ScruggsOrchestration Tool Roundup - Arthur Berezin & Trammell Scruggs
Orchestration Tool Roundup - Arthur Berezin & Trammell ScruggsCloud Native Day Tel Aviv
 
Openstack devops challenges
Openstack devops challenges Openstack devops challenges
Openstack devops challenges openstackindia
 
OpenStack Data Processing ("Sahara") project update - December 2014
OpenStack Data Processing ("Sahara") project update - December 2014OpenStack Data Processing ("Sahara") project update - December 2014
OpenStack Data Processing ("Sahara") project update - December 2014Sergey Lukjanov
 
HA in OpenStack service - meetup #9
HA in OpenStack service - meetup #9HA in OpenStack service - meetup #9
HA in OpenStack service - meetup #9Vietnam Open Infrastructure User Group
 
OpenStack and private cloud
OpenStack and private cloudOpenStack and private cloud
OpenStack and private cloudSK Telecom
 
Copr HD OpenStack Day India
Copr HD OpenStack Day IndiaCopr HD OpenStack Day India
Copr HD OpenStack Day Indiaopenstackindia
 
Devstack On Demand
Devstack On DemandDevstack On Demand
Devstack On DemandBarak Merimovich
 
Openstack in 10 mins
Openstack in 10 minsOpenstack in 10 mins
Openstack in 10 minsDawood M.S
 
OpenStack High Availability
OpenStack High AvailabilityOpenStack High Availability
OpenStack High AvailabilityJakub Pavlik
 
Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G core
Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G coreTối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G core
Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G coreVietnam Open Infrastructure User Group
 
OpenStack KOREA 정기 세미나_OpenStack meet iNaaS SDN Controller
OpenStack KOREA 정기 세미나_OpenStack meet iNaaS SDN ControllerOpenStack KOREA 정기 세미나_OpenStack meet iNaaS SDN Controller
OpenStack KOREA 정기 세미나_OpenStack meet iNaaS SDN ControllerYongyoon Shin
 
TripleO
TripleO TripleO
TripleOKiran Murari
 
Meetup 23 - 01 - The things I wish I would have known before doing OpenStack ...
Meetup 23 - 01 - The things I wish I would have known before doing OpenStack ...Meetup 23 - 01 - The things I wish I would have known before doing OpenStack ...
Meetup 23 - 01 - The things I wish I would have known before doing OpenStack ...Vietnam Open Infrastructure User Group
 
State of Containers in OpenStack
State of Containers in OpenStackState of Containers in OpenStack
State of Containers in OpenStackopenstackindia
 
High Availability in OpenStack Cloud
High Availability in OpenStack CloudHigh Availability in OpenStack Cloud
High Availability in OpenStack CloudQiming Teng
 
Chef and OpenStack Workshop from ChefConf 2013
Chef and OpenStack Workshop from ChefConf 2013Chef and OpenStack Workshop from ChefConf 2013
Chef and OpenStack Workshop from ChefConf 2013Matt Ray
 
Mastering OpenStack - Episode 05 - Controller Nodes
Mastering OpenStack - Episode 05 - Controller NodesMastering OpenStack - Episode 05 - Controller Nodes
Mastering OpenStack - Episode 05 - Controller NodesRoozbeh Shafiee
 
An Evaluation of OpenStack Deployment Frameworks
An Evaluation of OpenStack Deployment FrameworksAn Evaluation of OpenStack Deployment Frameworks
An Evaluation of OpenStack Deployment Frameworksshane_gibson
 
NCM Training - Part 2 - Automation, Notification, Compliance and Reports
NCM Training - Part 2 - Automation, Notification, Compliance and ReportsNCM Training - Part 2 - Automation, Notification, Compliance and Reports
NCM Training - Part 2 - Automation, Notification, Compliance and ReportsManageEngine, Zoho Corporation
 
OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...
OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...
OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...VirtualTech Japan Inc.
 

More Related Content

What's hot

Build cloud like Rackspace with OpenStack Ansible
Build cloud like Rackspace with OpenStack AnsibleBuild cloud like Rackspace with OpenStack Ansible
Build cloud like Rackspace with OpenStack AnsibleJirayut Nimsaeng
 
Autoscaling OpenStack Natively with Heat, Ceilometer and LBaaS
Autoscaling OpenStack Natively with Heat, Ceilometer and LBaaSAutoscaling OpenStack Natively with Heat, Ceilometer and LBaaS
Autoscaling OpenStack Natively with Heat, Ceilometer and LBaaSShixiong Shang
 
Orchestration Tool Roundup - Arthur Berezin & Trammell Scruggs
Orchestration Tool Roundup - Arthur Berezin & Trammell ScruggsOrchestration Tool Roundup - Arthur Berezin & Trammell Scruggs
Orchestration Tool Roundup - Arthur Berezin & Trammell ScruggsCloud Native Day Tel Aviv
 
Openstack devops challenges
Openstack devops challenges Openstack devops challenges
Openstack devops challenges openstackindia
 
OpenStack Data Processing ("Sahara") project update - December 2014
OpenStack Data Processing ("Sahara") project update - December 2014OpenStack Data Processing ("Sahara") project update - December 2014
OpenStack Data Processing ("Sahara") project update - December 2014Sergey Lukjanov
 
OpenStack and private cloud
OpenStack and private cloudOpenStack and private cloud
OpenStack and private cloudSK Telecom
 
Copr HD OpenStack Day India
Copr HD OpenStack Day IndiaCopr HD OpenStack Day India
Copr HD OpenStack Day Indiaopenstackindia
 
Openstack in 10 mins
Openstack in 10 minsOpenstack in 10 mins
Openstack in 10 minsDawood M.S
 
OpenStack High Availability
OpenStack High AvailabilityOpenStack High Availability
OpenStack High AvailabilityJakub Pavlik
 
Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G core
Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G coreTối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G core
Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G coreVietnam Open Infrastructure User Group
 
OpenStack KOREA 정기 세미나_OpenStack meet iNaaS SDN Controller
OpenStack KOREA 정기 세미나_OpenStack meet iNaaS SDN ControllerOpenStack KOREA 정기 세미나_OpenStack meet iNaaS SDN Controller
OpenStack KOREA 정기 세미나_OpenStack meet iNaaS SDN ControllerYongyoon Shin
 
Meetup 23 - 01 - The things I wish I would have known before doing OpenStack ...
Meetup 23 - 01 - The things I wish I would have known before doing OpenStack ...Meetup 23 - 01 - The things I wish I would have known before doing OpenStack ...
Meetup 23 - 01 - The things I wish I would have known before doing OpenStack ...Vietnam Open Infrastructure User Group
 
State of Containers in OpenStack
State of Containers in OpenStackState of Containers in OpenStack
State of Containers in OpenStackopenstackindia
 
High Availability in OpenStack Cloud
High Availability in OpenStack CloudHigh Availability in OpenStack Cloud
High Availability in OpenStack CloudQiming Teng
 
Chef and OpenStack Workshop from ChefConf 2013
Chef and OpenStack Workshop from ChefConf 2013Chef and OpenStack Workshop from ChefConf 2013
Chef and OpenStack Workshop from ChefConf 2013Matt Ray
 
Mastering OpenStack - Episode 05 - Controller Nodes
Mastering OpenStack - Episode 05 - Controller NodesMastering OpenStack - Episode 05 - Controller Nodes
Mastering OpenStack - Episode 05 - Controller NodesRoozbeh Shafiee
 
An Evaluation of OpenStack Deployment Frameworks
An Evaluation of OpenStack Deployment FrameworksAn Evaluation of OpenStack Deployment Frameworks
An Evaluation of OpenStack Deployment Frameworksshane_gibson
 

What's hot (20)

Build cloud like Rackspace with OpenStack Ansible
Build cloud like Rackspace with OpenStack AnsibleBuild cloud like Rackspace with OpenStack Ansible
Build cloud like Rackspace with OpenStack Ansible
 
Autoscaling OpenStack Natively with Heat, Ceilometer and LBaaS
Autoscaling OpenStack Natively with Heat, Ceilometer and LBaaSAutoscaling OpenStack Natively with Heat, Ceilometer and LBaaS
Autoscaling OpenStack Natively with Heat, Ceilometer and LBaaS
 
Orchestration Tool Roundup - Arthur Berezin & Trammell Scruggs
Orchestration Tool Roundup - Arthur Berezin & Trammell ScruggsOrchestration Tool Roundup - Arthur Berezin & Trammell Scruggs
Orchestration Tool Roundup - Arthur Berezin & Trammell Scruggs
 
Openstack devops challenges
Openstack devops challenges Openstack devops challenges
Openstack devops challenges
 
OpenStack Data Processing ("Sahara") project update - December 2014
OpenStack Data Processing ("Sahara") project update - December 2014OpenStack Data Processing ("Sahara") project update - December 2014
OpenStack Data Processing ("Sahara") project update - December 2014
 
HA in OpenStack service - meetup #9
HA in OpenStack service - meetup #9HA in OpenStack service - meetup #9
HA in OpenStack service - meetup #9
 
OpenStack and private cloud
OpenStack and private cloudOpenStack and private cloud
OpenStack and private cloud
 
Copr HD OpenStack Day India
Copr HD OpenStack Day IndiaCopr HD OpenStack Day India
Copr HD OpenStack Day India
 
Devstack On Demand
Devstack On DemandDevstack On Demand
Devstack On Demand
 
Openstack in 10 mins
Openstack in 10 minsOpenstack in 10 mins
Openstack in 10 mins
 
OpenStack High Availability
OpenStack High AvailabilityOpenStack High Availability
OpenStack High Availability
 
Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G core
Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G coreTối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G core
Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G core
 
OpenStack KOREA 정기 세미나_OpenStack meet iNaaS SDN Controller
OpenStack KOREA 정기 세미나_OpenStack meet iNaaS SDN ControllerOpenStack KOREA 정기 세미나_OpenStack meet iNaaS SDN Controller
OpenStack KOREA 정기 세미나_OpenStack meet iNaaS SDN Controller
 
TripleO
TripleO TripleO
TripleO
 
Meetup 23 - 01 - The things I wish I would have known before doing OpenStack ...
Meetup 23 - 01 - The things I wish I would have known before doing OpenStack ...Meetup 23 - 01 - The things I wish I would have known before doing OpenStack ...
Meetup 23 - 01 - The things I wish I would have known before doing OpenStack ...
 
State of Containers in OpenStack
State of Containers in OpenStackState of Containers in OpenStack
State of Containers in OpenStack
 
High Availability in OpenStack Cloud
High Availability in OpenStack CloudHigh Availability in OpenStack Cloud
High Availability in OpenStack Cloud
 
Chef and OpenStack Workshop from ChefConf 2013
Chef and OpenStack Workshop from ChefConf 2013Chef and OpenStack Workshop from ChefConf 2013
Chef and OpenStack Workshop from ChefConf 2013
 
Mastering OpenStack - Episode 05 - Controller Nodes
Mastering OpenStack - Episode 05 - Controller NodesMastering OpenStack - Episode 05 - Controller Nodes
Mastering OpenStack - Episode 05 - Controller Nodes
 
An Evaluation of OpenStack Deployment Frameworks
An Evaluation of OpenStack Deployment FrameworksAn Evaluation of OpenStack Deployment Frameworks
An Evaluation of OpenStack Deployment Frameworks
 

Similar to Enhancing OpenStack FWaaS for real world application

NCM Training - Part 2 - Automation, Notification, Compliance and Reports
NCM Training - Part 2 - Automation, Notification, Compliance and ReportsNCM Training - Part 2 - Automation, Notification, Compliance and Reports
NCM Training - Part 2 - Automation, Notification, Compliance and ReportsManageEngine, Zoho Corporation
 
OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...
OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...
OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...VirtualTech Japan Inc.
 
Mike Guthrie - Revamping Your 10 Year Old Nagios Installation
Mike Guthrie - Revamping Your 10 Year Old Nagios InstallationMike Guthrie - Revamping Your 10 Year Old Nagios Installation
Mike Guthrie - Revamping Your 10 Year Old Nagios InstallationNagios
 
Free training on Network Configuration Manager - Season 2 - Part 2
Free training on Network Configuration Manager - Season 2 - Part 2Free training on Network Configuration Manager - Season 2 - Part 2
Free training on Network Configuration Manager - Season 2 - Part 2ManageEngine, Zoho Corporation
 
Integrating Active Networking and Commercial-Grade Routing Platforms
Integrating Active Networking and Commercial-Grade Routing PlatformsIntegrating Active Networking and Commercial-Grade Routing Platforms
Integrating Active Networking and Commercial-Grade Routing PlatformsTal Lavian Ph.D.
 
Configlets, compliance, RBAC & reports - Network Configuration Manager
Configlets, compliance, RBAC & reports - Network Configuration ManagerConfiglets, compliance, RBAC & reports - Network Configuration Manager
Configlets, compliance, RBAC & reports - Network Configuration ManagerManageEngine, Zoho Corporation
 
How we scaled Rudder to 10k, and the road to 50k
How we scaled Rudder to 10k, and the road to 50kHow we scaled Rudder to 10k, and the road to 50k
How we scaled Rudder to 10k, and the road to 50kRUDDER
 
DevOops - Lessons Learned from an OpenStack Network Architect
DevOops - Lessons Learned from an OpenStack Network ArchitectDevOops - Lessons Learned from an OpenStack Network Architect
DevOops - Lessons Learned from an OpenStack Network ArchitectJames Denton
 
Telecommunications and Network Security Presentation
Telecommunications and Network Security PresentationTelecommunications and Network Security Presentation
Telecommunications and Network Security PresentationWajahat Rajab
 
WebLogic Stability; Detect and Analyse Stuck Threads
WebLogic Stability; Detect and Analyse Stuck ThreadsWebLogic Stability; Detect and Analyse Stuck Threads
WebLogic Stability; Detect and Analyse Stuck ThreadsMaarten Smeets
 
08. networking-part-2
08. networking-part-208. networking-part-2
08. networking-part-2Muhammad Ahad
 
4 ip services span,rspan
4 ip services span,rspan4 ip services span,rspan
4 ip services span,rspanSagarR24
 
Integrating Active Networking and Commercial-Grade Routing Platforms
Integrating Active Networking and Commercial-Grade Routing PlatformsIntegrating Active Networking and Commercial-Grade Routing Platforms
Integrating Active Networking and Commercial-Grade Routing PlatformsTal Lavian Ph.D.
 
Virt july-2013-meetup
Virt july-2013-meetupVirt july-2013-meetup
Virt july-2013-meetupnvirters
 
4 ip services nat
4 ip services nat4 ip services nat
4 ip services natSagarR24
 
4 ip services dhcp-part b
4 ip services dhcp-part b4 ip services dhcp-part b
4 ip services dhcp-part bSagarR24
 

Similar to Enhancing OpenStack FWaaS for real world application (20)

NCM Training - Part 2 - Automation, Notification, Compliance and Reports
NCM Training - Part 2 - Automation, Notification, Compliance and ReportsNCM Training - Part 2 - Automation, Notification, Compliance and Reports
NCM Training - Part 2 - Automation, Notification, Compliance and Reports
 
OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...
OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...
OpenStack Infrastructure at any Scale - Simple is BEST!? - - OpenStack最新情報セミ...
 
Mike Guthrie - Revamping Your 10 Year Old Nagios Installation
Mike Guthrie - Revamping Your 10 Year Old Nagios InstallationMike Guthrie - Revamping Your 10 Year Old Nagios Installation
Mike Guthrie - Revamping Your 10 Year Old Nagios Installation
 
Free training on Network Configuration Manager - Season 2 - Part 2
Free training on Network Configuration Manager - Season 2 - Part 2Free training on Network Configuration Manager - Season 2 - Part 2
Free training on Network Configuration Manager - Season 2 - Part 2
 
Integrating Active Networking and Commercial-Grade Routing Platforms
Integrating Active Networking and Commercial-Grade Routing PlatformsIntegrating Active Networking and Commercial-Grade Routing Platforms
Integrating Active Networking and Commercial-Grade Routing Platforms
 
Software defined network
Software defined network Software defined network
Software defined network
 
Configlets, compliance, RBAC & reports - Network Configuration Manager
Configlets, compliance, RBAC & reports - Network Configuration ManagerConfiglets, compliance, RBAC & reports - Network Configuration Manager
Configlets, compliance, RBAC & reports - Network Configuration Manager
 
Neutron scaling
Neutron scalingNeutron scaling
Neutron scaling
 
How we scaled Rudder to 10k, and the road to 50k
How we scaled Rudder to 10k, and the road to 50kHow we scaled Rudder to 10k, and the road to 50k
How we scaled Rudder to 10k, and the road to 50k
 
DevOops - Lessons Learned from an OpenStack Network Architect
DevOops - Lessons Learned from an OpenStack Network ArchitectDevOops - Lessons Learned from an OpenStack Network Architect
DevOops - Lessons Learned from an OpenStack Network Architect
 
Software defined networking: Primer
Software defined networking: PrimerSoftware defined networking: Primer
Software defined networking: Primer
 
Telecommunications and Network Security Presentation
Telecommunications and Network Security PresentationTelecommunications and Network Security Presentation
Telecommunications and Network Security Presentation
 
WebLogic Stability; Detect and Analyse Stuck Threads
WebLogic Stability; Detect and Analyse Stuck ThreadsWebLogic Stability; Detect and Analyse Stuck Threads
WebLogic Stability; Detect and Analyse Stuck Threads
 
08. networking-part-2
08. networking-part-208. networking-part-2
08. networking-part-2
 
4 ip services span,rspan
4 ip services span,rspan4 ip services span,rspan
4 ip services span,rspan
 
Integrating Active Networking and Commercial-Grade Routing Platforms
Integrating Active Networking and Commercial-Grade Routing PlatformsIntegrating Active Networking and Commercial-Grade Routing Platforms
Integrating Active Networking and Commercial-Grade Routing Platforms
 
Virt july-2013-meetup
Virt july-2013-meetupVirt july-2013-meetup
Virt july-2013-meetup
 
4 ip services nat
4 ip services nat4 ip services nat
4 ip services nat
 
4 ip services dhcp-part b
4 ip services dhcp-part b4 ip services dhcp-part b
4 ip services dhcp-part b
 
Senthil _Updated _Resume_V1
Senthil _Updated _Resume_V1Senthil _Updated _Resume_V1
Senthil _Updated _Resume_V1
 

More from openstackindia

Guts & OpenStack migration
Guts & OpenStack migrationGuts & OpenStack migration
Guts & OpenStack migrationopenstackindia
 
Your first patch to OpenStack
Your first patch to OpenStackYour first patch to OpenStack
Your first patch to OpenStackopenstackindia
 
OpenStack Neutron Behind The Senes
OpenStack Neutron Behind The SenesOpenStack Neutron Behind The Senes
OpenStack Neutron Behind The Senesopenstackindia
 
OpenStack Storage Buddy Ceph
OpenStack Storage Buddy CephOpenStack Storage Buddy Ceph
OpenStack Storage Buddy Cephopenstackindia
 
The OpenStack Contribution Workflow
The OpenStack Contribution WorkflowThe OpenStack Contribution Workflow
The OpenStack Contribution Workflowopenstackindia
 
Introduction to Cinder
Introduction to CinderIntroduction to Cinder
Introduction to Cinderopenstackindia
 
OpenStack NFV Edge computing for IOT microservices
OpenStack NFV Edge computing for IOT microservicesOpenStack NFV Edge computing for IOT microservices
OpenStack NFV Edge computing for IOT microservicesopenstackindia
 
Deploying openstack using ansible
Deploying openstack using ansibleDeploying openstack using ansible
Deploying openstack using ansibleopenstackindia
 
Ceph openstack-jun-2015-meetup
Ceph openstack-jun-2015-meetupCeph openstack-jun-2015-meetup
Ceph openstack-jun-2015-meetupopenstackindia
 
Role of sdn controllers in open stack
Role of sdn controllers in open stackRole of sdn controllers in open stack
Role of sdn controllers in open stackopenstackindia
 
Outreachy with-openstack-zaqar
Outreachy with-openstack-zaqarOutreachy with-openstack-zaqar
Outreachy with-openstack-zaqaropenstackindia
 
Demistifying open stack storage
Demistifying open stack storageDemistifying open stack storage
Demistifying open stack storageopenstackindia
 
Why open stack database as a service offerings are doomed
Why open stack database as a service offerings are doomedWhy open stack database as a service offerings are doomed
Why open stack database as a service offerings are doomedopenstackindia
 
OpenStack Neutron Reverse Engineered
OpenStack Neutron Reverse EngineeredOpenStack Neutron Reverse Engineered
OpenStack Neutron Reverse Engineeredopenstackindia
 
State of Linux Containers in OpenStack
State of Linux Containers in OpenStackState of Linux Containers in OpenStack
State of Linux Containers in OpenStackopenstackindia
 
Database experiences designing cassandra schema for keystone
Database experiences designing cassandra schema for keystone Database experiences designing cassandra schema for keystone
Database experiences designing cassandra schema for keystone openstackindia
 
6 open stack_swift_panoramic_view
6 open stack_swift_panoramic_view6 open stack_swift_panoramic_view
6 open stack_swift_panoramic_viewopenstackindia
 
8 devstack beyond_hello-world
8 devstack beyond_hello-world8 devstack beyond_hello-world
8 devstack beyond_hello-worldopenstackindia
 
7 distributed storage_open_stack
7 distributed storage_open_stack7 distributed storage_open_stack
7 distributed storage_open_stackopenstackindia
 

More from openstackindia (20)

Guts & OpenStack migration
Guts & OpenStack migrationGuts & OpenStack migration
Guts & OpenStack migration
 
Your first patch to OpenStack
Your first patch to OpenStackYour first patch to OpenStack
Your first patch to OpenStack
 
OpenStack Neutron Behind The Senes
OpenStack Neutron Behind The SenesOpenStack Neutron Behind The Senes
OpenStack Neutron Behind The Senes
 
OpenStack Storage Buddy Ceph
OpenStack Storage Buddy CephOpenStack Storage Buddy Ceph
OpenStack Storage Buddy Ceph
 
The OpenStack Contribution Workflow
The OpenStack Contribution WorkflowThe OpenStack Contribution Workflow
The OpenStack Contribution Workflow
 
Introduction to Cinder
Introduction to CinderIntroduction to Cinder
Introduction to Cinder
 
OpenStack NFV Edge computing for IOT microservices
OpenStack NFV Edge computing for IOT microservicesOpenStack NFV Edge computing for IOT microservices
OpenStack NFV Edge computing for IOT microservices
 
Deploying openstack using ansible
Deploying openstack using ansibleDeploying openstack using ansible
Deploying openstack using ansible
 
Ceph openstack-jun-2015-meetup
Ceph openstack-jun-2015-meetupCeph openstack-jun-2015-meetup
Ceph openstack-jun-2015-meetup
 
Role of sdn controllers in open stack
Role of sdn controllers in open stackRole of sdn controllers in open stack
Role of sdn controllers in open stack
 
Outreachy with-openstack-zaqar
Outreachy with-openstack-zaqarOutreachy with-openstack-zaqar
Outreachy with-openstack-zaqar
 
Demistifying open stack storage
Demistifying open stack storageDemistifying open stack storage
Demistifying open stack storage
 
OpenStack Heat
OpenStack HeatOpenStack Heat
OpenStack Heat
 
Why open stack database as a service offerings are doomed
Why open stack database as a service offerings are doomedWhy open stack database as a service offerings are doomed
Why open stack database as a service offerings are doomed
 
OpenStack Neutron Reverse Engineered
OpenStack Neutron Reverse EngineeredOpenStack Neutron Reverse Engineered
OpenStack Neutron Reverse Engineered
 
State of Linux Containers in OpenStack
State of Linux Containers in OpenStackState of Linux Containers in OpenStack
State of Linux Containers in OpenStack
 
Database experiences designing cassandra schema for keystone
Database experiences designing cassandra schema for keystone Database experiences designing cassandra schema for keystone
Database experiences designing cassandra schema for keystone
 
6 open stack_swift_panoramic_view
6 open stack_swift_panoramic_view6 open stack_swift_panoramic_view
6 open stack_swift_panoramic_view
 
8 devstack beyond_hello-world
8 devstack beyond_hello-world8 devstack beyond_hello-world
8 devstack beyond_hello-world
 
7 distributed storage_open_stack
7 distributed storage_open_stack7 distributed storage_open_stack
7 distributed storage_open_stack
 

Recently uploaded

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Recently uploaded (20)

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Enhancing OpenStack FWaaS for real world application

  • 1. Enhancing OpenStack FWaaS for real world applications Performance, Logging & Scheduling Sarath Chandra Mekala Chandan Dutta Chowdhury
  • 2. Sarath Chandra Mekala • Tech Lead @ Juniper Networks • Works on Neutron Plugins • Over a decade+ of experience with J2EE/NMS • Contributed to Juniper’s FWaaS plugin • Blogs @ sarathblogs.blogspot.in • Likes Gadgets & Photography.
  • 3. Chandan Dutta Chowdhury • Tech Lead @ Juniper Networks • Works on Neutron Plugins • DevOPS & Opensource hacker • Contributed to Juniper’s L2, L3 & NSX plugins • Blogs @ chandanduttachowdhury.wordpress.com
  • 4. Agenda • Improve FWaaS Performance • Scheduling Firewall Policies • Logging Firewall Policies Ideas to enable FWaaS cater to real world application needs
  • 9. Problem 2: Unnecessary Rule Deployment Router 1 Router 2 Router 3 R1 R2 R3R1 R2 R3R1 R2 R3Firewall Policy Firewall
  • 10. Overview of FWaaS Performance Issues • No rule validation • Allows invalid rules to be present • All rules are pushed onto all routers • Unnecessary processing of rules on each router • Affects performance • Potential Security holes
  • 11. Solution 1: Rule Validation
  • 12.
  • 13. Solution 2: Rule Split & Distribution
  • 14. Solution 2: Rule Split & Distribution 10 -> 20 30 -> 40 TCP-10-20- allow Firewall Policy Firewall TCP-30-40- allow Any-AnyAny-Any
  • 15. Proposed Improvements Validation (Invalid Rule Check) • Rule’s Source IP and/or Destination IP do not belong to any of tenant networks (or) • Rule’s Source/Destination IP belong to an existing tenant’s network but the network is yet to be assigned to any router. Performance • All rules are segregated and grouped based on the networks they belong to and allocated to their corresponding routers only.
  • 16. Challenges • Rule Ordering • Deletion of router
  • 18. Scheduling Rules • Restrict access to: • Web Sites • Web Servers/FTP servers/SSH/RDP e.t.c • Improves productivity • Conserves Bandwidth • Increases ROI
  • 19. Scheduling – IPTables Spec • IPTables on Ubuntu & CentOS supports rule scheduling • Uses UTC for time zone by default • iptables –A <chain> -m time --timestart 09:00 -- timestop 17:00 -weekdays Mon,Tue,Wed,Thu,Fri -j <Action> • -m time : match time • --timestart : Start time • --timestop : End time • --weekdays : Days of the week
  • 20. Scheduling – IPTables Spec • Periodicity: • datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]] • datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]] • timestart hh:mm[:ss] • timestop hh:mm[:ss] • monthdays day[,day...] • weekdays day[,day...] • contiguous • Kerneltz
  • 21. Scheduling – IPTables Examples • To match on weekends, use: -m time --weekdays SAT,SUN • To match between a set of days with a specific time interval: -m time --datestart 2015-08-23 T09:00 --datestop 2007-01-01T15:00 • To match on a time interval: -m time --timestart 09:00 --timestop 17:00
  • 24. Current Firewall implementation in OpenStack • Doesn't provide packet logging • Tenant does not have any knowledge of dropped packets • While deploying new rules in the firewall, there is no way to debug the rule • No way to determine the effectiveness of the firewall rules
  • 25. Benefits of Enabling Firewall Logs • Monitoring • Threat Alerting • Threat correlation • Report generation • Troubleshooting packet drops • Fine tuning Rules • Detecting false positives • Detecting false negatives
  • 26. Firewall Logging for OpenStack COMPUTE/NETW ORK NODE ROUTER NAMESPACE LOGGING RULE LOG SERVER LOG ANALYSER Firewall Agent ENABLE LOGGING NEUTRON FIREWALL LOGS LOGS ALERTS! REPORTS OPENSTACK TENANT FIREWALL RULES FIREWALL RULES
  • 27. Enable Firewall Logs with IPTables rules iptables –A <chain> -m limit –limit <limit> -j LOG --log-prefix <prefix-string> - -log-level <log-level> -J LOG : processed by target LOG that logs packets with syslog --log-prefix : a string to identify the log message --log-level : log level to use with syslog message iptables -A INPUT -j LOG --log-prefix "IPTABES LOG:" -m limit --limit 10/min --log-level 4
  • 29. Proposed Horizon Enhancement for Firewall Logging
  • 31. Summary of logging feature • Firewall Logs • can help with debugging, threat analysis , Rule fine tuning • Firewall Logging Can be integrated with FWaaS on OpenStack • IPTables provides options to enable packet logging • A centralized server can be introduced to collect and analyze firewall logs • Horizon UI extension can make logs accessible to the tenant
  • 32. Q & A

Editor's Notes

  1. We live in a connected world and the foundation for these connections is the network. Broadband Internet traffic is doubling each and every year (according to IDC) [or] Internet traffic worldwide will grow three-fold by the year 2017. (Internet Trends, Mary Meeker (KCPB) Today we have 2.5 billion Internet users in the world – roughly one-third of the Earth’s population. In the next decade, the number of Internet users will double to 5 billion (Mary Meeker, KPCB) That means that two-thirds of the world will be connected by 2023. When you add in the big trends of cloud, mobility, video and security, the combined rate of acceleration is placing unprecedented demands on the network. [Optional stats/factoids] 100 hours of video uploaded every single minute to YouTube (YouTube)   Mobile video traffic exceeded 50 percent for the first time in 2012. (Cisco VNI)   Mobile network connection speeds more than doubled in 2012. (Cisco VNI)   In 2012, a fourth-generation (4G) connection generated 19 times more traffic on average than a non-4G connection. Although 4G connections represent only 0.9 percent of mobile connections today, they already account for 14 percent of mobile data traffic. (Cisco VNI)   [NOTE: Consider finding alternate source for above stats to avoid siting Cisco] As you just described (refer to pain points from previous slide), you are living in this world and feeling the pressure every day. Pradeep Sindhu founded Juniper 17 years ago on the belief that we should solve technology problems that matter most to our customers and that make a difference in the world. He recognized the importance of the network and the impact it would have on our world. Our mission is simple, but powerful; to connect everything and empower everyone. In today’s connected world, this mission is more relevant than ever. Here at Juniper we are focused on helping alleviate those pain points through our portfolio of high performance networking products. [T] And we do this by listening to our customers and helping them address their challenges and capitalize on their opportunities.