Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]

IO Visor Project

Securing Microservices in CloudFoundry
Brenden Blanco and Deepa Kalani
Architects, CTO Office - PLUMgrid
Need for Micro Segmentation
§  Movement towards cloud native applications.
§  The elastic nature of applications requires a more agile way of configuring policies.
§  Operators would like an intuitive way of defining policies, based on application roles and not IP addresses.
§  Relying on traditional firewall rules quickly becomes unmanageable as applications move around.
§  Move towards a whitelist model of policy definition, where one defines the acceptable information flows and everything else is blocked.
IPTables to define Endpoint Policy - State Explosion
IP Table Rules:
IP1->IP3, IP1->IP5, IP1->IP7, IP1->IP8
IP3->IP1, IP3->IP5, IP3->IP7, IP3->IP8
IP2->IP4, IP2->IP6, IP2->IP9, IP2->IP10
IP4->IP6, IP4->IP2, IP4->IP9, IP4->IP10
IP5->IP1, IP5->IP3, IP5->IP7, IP5->IP8
IP7->IP1, IP7->IP5, IP7->IP3, IP7->IP8
IP8->IP3, IP8->IP5, IP8->IP7, IP8->IP1
IP9->IP4, IP9->IP6, IP9->IP2, IP9->IP10
IP10->IP2, IP10->IP6, IP10->IP4, IP10->IP9
Group Based Policy - secure, scalable, intent based
Endpoint Groups:
IP1,IP3 -> Green
IP2,IP4 -> Red
IP5,IP7 -> Green
IP6 -> Red
IP8 -> Green
IP9,IP10 -> Red
Policies:
Green->Green
Red->Red
Policy specification for Cloud Foundry Applications
§  Define Endpoints and EPGs (applications are represented by groups of endpoints).
§  Policy is defined in terms of applications.
§  e.g. A_APP->A_DB 80 allow, B_APP->A_APP allow.
§  Envision policy as a graph of application connectivity.
Connectivity graph on the slide: A_App, B_APP, C_APP, A_DB, DB_Ext
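The group-based model of the last three slides as a worked example: endpoints are placed in endpoint groups, policy is a whitelist of (source group, destination group, port) rules such as the slide's A_APP->A_DB 80 allow and B_APP->A_APP allow, and everything else is denied. This is added code, not from the deck or from PLUMgrid/IO Visor; the endpoint addresses and group memberships are constructed, and expand_to_ip_rules() renders the same intent as the per-endpoint-pair rules of the IPTables slide, so the numbers show why that list grows with every new instance while the group rules do not.

```python
"""Group-based whitelist policy, as on the 'Group Based Policy' and
'Policy specification' slides. Added example, not code from the deck.

Endpoints map to endpoint groups (EPGs); policy is a set of
(src_group, dst_group, port) allow rules; anything not listed is denied.
expand_to_ip_rules() renders the same intent as per-endpoint-pair rules,
which is the state an IPTables-style policy has to carry."""
from itertools import product

ANY_PORT = None


class GroupPolicy:
    def __init__(self):
        self.group_of = {}   # endpoint IP -> EPG name
        self.allow = set()   # (src_group, dst_group, port or ANY_PORT)

    def add_endpoint(self, ip, group):
        self.group_of[ip] = group

    def add_rule(self, src_group, dst_group, port=ANY_PORT):
        self.allow.add((src_group, dst_group, port))

    def members(self, group):
        return sorted(ip for ip, g in self.group_of.items() if g == group)

    def is_allowed(self, src_ip, dst_ip, port):
        """Default deny: unknown endpoints and unlisted flows are blocked."""
        sg = self.group_of.get(src_ip)
        dg = self.group_of.get(dst_ip)
        if sg is None or dg is None:
            return False
        return (sg, dg, port) in self.allow or (sg, dg, ANY_PORT) in self.allow

    def expand_to_ip_rules(self):
        """Per-pair rules equivalent to the group rules (the state that explodes)."""
        rules = []
        for sg, dg, port in sorted(self.allow, key=repr):
            for s, d in product(self.members(sg), self.members(dg)):
                if s != d:
                    rules.append((s, d, port))
        return rules


def build_slide_policy():
    """Policy from the slide: A_APP->A_DB 80 allow, B_APP->A_APP allow.
    Endpoint addresses are constructed for the example."""
    p = GroupPolicy()
    for ip in ("192.168.0.11", "192.168.0.12", "192.168.0.13"):
        p.add_endpoint(ip, "A_APP")
    for ip in ("192.168.0.21", "192.168.0.22"):
        p.add_endpoint(ip, "A_DB")
    for ip in ("192.168.1.31", "192.168.1.32"):
        p.add_endpoint(ip, "B_APP")
    p.add_rule("A_APP", "A_DB", 80)
    p.add_rule("B_APP", "A_APP")
    return p


def rule_counts_after_scale_out(policy, new_ips):
    """Add instances to A_APP; return (group rules, per-IP rules) before and after."""
    before = (len(policy.allow), len(policy.expand_to_ip_rules()))
    for ip in new_ips:
        policy.add_endpoint(ip, "A_APP")
    after = (len(policy.allow), len(policy.expand_to_ip_rules()))
    return before, after


if __name__ == "__main__":
    pol = build_slide_policy()
    print(pol.is_allowed("192.168.0.11", "192.168.0.21", 80))   # True
    print(pol.is_allowed("192.168.0.21", "192.168.0.11", 80))   # False: reverse direction is not whitelisted
    print(rule_counts_after_scale_out(pol, ["192.168.0.14", "192.168.0.15"]))   # ((2, 12), (2, 20))
```

Two things worth noticing when running it: scaling A_APP from three to five instances leaves the group policy at two rules while the per-pair equivalent grows from 12 to 20, and the check is directional and stateless, so reply traffic from A_DB back to A_APP is denied unless the enforcement point tracks connections or a reverse rule is added.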
www.iovisor.org	
IO Module, users perspective
IO Module:
- Management interface: REST API; CLI / config file
- Interfaces: interface type (Net, Tracing, Storage, ...)
- Something runs in kernel; something runs in user space
Controllers live above the IO Modules.
IO Modules catalog: search for an IO Module, download it. Somewhere in the cloud (iovisor.org) there is a catalog of public IO Modules.
IO Module, developers perspective
IO Modules catalog: publish new modules. Somewhere in the cloud (iovisor.org) there is a catalog of public IO Modules.
Users interact with the Module with:
- Management interface: REST API; CLI / config file
- Interfaces: interface type (Net, Tracing, Storage, ...)
- Data Plane
IO Module structure:
- User space helper
- IO Module Control Plane (user space)
- IO Module Data Plane (kernel)
The IO Module developer builds the IO Module with the IOVisor SDK: Clang / P4; Python, C, C++, Go, JS ...
IO Module, graph composition
IOVisor Manager: APIs to Controllers; Metadata
Kernel attachment points (kernel space / user space)
Open repo of "IO Modules" (kernel code), extending Linux Kernel capabilities
Composing IO Modules

Policy Plugin with IO Visor
Overlay - VXLAN (192.168.0.0/16, 192.168.1.0/16)
Garden/0 - 10.244.18.2: Linux Bridge, Vxlan Dev, containers (C C C)
Garden/1 - 10.244.18.3: Linux Bridge, Vxlan Dev, containers (C C C)
Policy boundary
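A user-space simulation of the data-plane side of this policy plugin. It is an added example, not the deck's or IO Visor's code: it parses the frame an IO Module would see, either a plain Ethernet frame on the container side of the policy boundary or a VXLAN-encapsulated one on the vxlan device of the overlay, looks up the endpoint groups and the whitelist, and returns PASS or DROP with DROP as the default. In a real IO Module the two dictionaries would be BPF hash maps filled by the user-space control plane through the management interface the earlier slides describe; here they are plain dicts with constructed entries. The container addresses, groups and VNI in build_frame() are constructed test values; the outer addresses reuse the Garden host addresses from the slide.

```python
"""Data-plane side of the policy plugin, simulated in user space.
Added example, not the deck's or IO Visor's code: parse the frame an
IO Module would see, look up endpoint groups and the whitelist, and
return PASS or DROP with DROP as the default."""
import socket
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17
VXLAN_PORT = 4789
ANY_PORT = 0

# Constructed map contents; in a real IO Module these would be BPF hash maps
# populated by the user-space control plane.
ENDPOINT_GROUP = {"192.168.0.11": "A_APP", "192.168.0.21": "A_DB", "192.168.1.31": "B_APP"}
ALLOW = {("A_APP", "A_DB", 80), ("B_APP", "A_APP", ANY_PORT)}


def parse_ipv4_tcp(frame):
    """Return (src_ip, dst_ip, dst_port) for an Ethernet/IPv4/TCP frame,
    decapsulating one VXLAN layer if present; None if not parseable."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return None
    ip_off = 14
    ver_ihl = frame[ip_off]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(frame) < ip_off + ihl + 4:
        return None
    proto = frame[ip_off + 9]
    src = socket.inet_ntoa(frame[ip_off + 12:ip_off + 16])
    dst = socket.inet_ntoa(frame[ip_off + 16:ip_off + 20])
    l4_off = ip_off + ihl
    dport = struct.unpack_from("!H", frame, l4_off + 2)[0]
    if proto == IPPROTO_UDP and dport == VXLAN_PORT:
        vx_off = l4_off + 8                      # skip the UDP header
        if len(frame) < vx_off + 8 or not frame[vx_off] & 0x08:
            return None                          # VXLAN header must carry the I (VNI valid) flag
        return parse_ipv4_tcp(frame[vx_off + 8:])  # inner Ethernet frame
    if proto != IPPROTO_TCP:
        return None
    return src, dst, dport


def verdict(frame):
    """Whitelist lookup: unparseable, non-TCP, unknown endpoints and
    unlisted (src group, dst group, port) flows are all dropped."""
    parsed = parse_ipv4_tcp(frame)
    if parsed is None:
        return "DROP"
    src, dst, dport = parsed
    sg, dg = ENDPOINT_GROUP.get(src), ENDPOINT_GROUP.get(dst)
    if sg is None or dg is None:
        return "DROP"
    if (sg, dg, dport) in ALLOW or (sg, dg, ANY_PORT) in ALLOW:
        return "PASS"
    return "DROP"


def build_frame(src_ip, dst_ip, dport, vni=None):
    """Constructed test frame: Ethernet/IPv4/TCP SYN, optionally wrapped in
    VXLAN between the two Garden hosts from the slide (checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ETH_P_IP)
    inner = eth + ip + tcp
    if vni is None:
        return inner
    vx = struct.pack("!B3xI", 0x08, vni << 8)    # flags (I set), reserved, VNI<<8
    udp = struct.pack("!HHHH", 50000, VXLAN_PORT, 8 + len(vx) + len(inner), 0)
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(vx) + len(inner),
                           0, 0, 64, IPPROTO_UDP, 0,
                           socket.inet_aton("10.244.18.2"), socket.inet_aton("10.244.18.3"))
    return eth + outer_ip + udp + vx + inner


if __name__ == "__main__":
    print(verdict(build_frame("192.168.0.11", "192.168.0.21", 80)))            # PASS
    print(verdict(build_frame("192.168.0.11", "192.168.0.21", 3306)))          # DROP
    print(verdict(build_frame("192.168.1.31", "192.168.0.11", 8080, vni=100)))  # PASS (B_APP->A_APP any port)
```

The recursion on the inner frame is what lets one program serve both attachment points on the slide; a kernel BPF program would instead bound the parse explicitly, since the verifier rejects unbounded loops and recursion, but the map keys (endpoint, then group pair plus port) are the same.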
Thank You!
www.iovisor.org

Backup Slides

Introducing IO Visor Project
Future of Linux Kernel IO for software defined services
Led by initial contributions from PLUMgrid (upstreamed since Kernel 3.16)
Evolution of Kernel BPF & eBPF (Berkeley Packet Filter)
"IO Visor will work closely with the Linux kernel community to advance universal IO extensibility for Linux. This collaboration is critically important as virtualization is putting more demands on flexibility, performance and security.

Open source software and collaborative development are the ingredients for addressing massive change in any industry. IO Visor will provide the essential framework for this work on Linux virtualization and networking."
Jim Zemlin, Executive Director, The Linux Foundation.
IO Visor Project: What?
•  Programmable Data Plane: a programmable data plane and development tools to simplify the creation of new infrastructure ideas
•  Open Source & Community: an open source project and a community of developers; enables a new way to Innovate, Develop and Share IO and Networking functions
•  Repository of "IO Modules": a place to share / standardize new ideas in the form of "IO Modules"
IO Visor Project Use Cases Example: Networking
§  IO Visor is used to build a fully distributed virtual network across multiple compute nodes
§  All data plane components are inserted dynamically in the kernel
§  No usage of virtual/physical appliances needed
§  Example here: https://github.com/iovisor/bcc/tree/master/examples/distributed_bridge
Diagram: Virtual/Physical Appliances vs. Virtual Network Topology in Kernel Space