Advertisement

Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]

IO Visor Project
IO Visor Project
May. 5, 2016
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]

Check these out next

Intel® RDT Hands-on Lab
Intel® RDT Hands-on Lab
Michelle Holley
Tungsten Fabric Overview
Tungsten Fabric Overview
Michelle Holley
Osnug meetup-tungsten fabric - overview.pptx
Osnug meetup-tungsten fabric - overview.pptx
M.Qasim Arham
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPF
Thomas Graf
Kernel advantages for Istio realized with Cilium
Kernel advantages for Istio realized with Cilium
Cynthia Thomas
The Universal Dataplane
The Universal Dataplane
Michelle Holley
Kubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep Dive
Michal Rostecki
Data Plane and VNF Acceleration Mini Summit
Data Plane and VNF Acceleration Mini Summit
Open-NFP
1 of 15

Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]

May. 5, 2016
Download to read offline
Technology

As microservices grow, traditional firewall rules based on network ACLs are no longer scalable and fall short of providing fine-grained enforcement. Group Based Policy (GBP) is a flexible policy language that allows users to specify policy enforcement based on intent, independent of network infrastructure and IP addressing. Using micro-segmented virtual domains, administrators can define policies at a centralized location and use IO Visor technology for distributed enforcement. This provides infrastructure independent rules, template-based policy definitions, and scale-out policy enforcement for a solution that secures and scales with microservices. This session will be presented by members of the IO Visor community and will cover how IO Visor technology can be used to define and enforce GBP. The discussion will also cover using GBP for cloud foundry application spaces where microservices are deployed and need scalable, efficient security policies.

IO Visor Project
IO Visor Project
Advertisement
Advertisement
Advertisement

Recommended

Evolving Virtual Networking with IO VisorEvolving Virtual Networking with IO Visor
Evolving Virtual Networking with IO VisorLarry Lang662 views17 slides
Accelerating Envoy and Istio with Cilium and the Linux KernelAccelerating Envoy and Istio with Cilium and the Linux Kernel
Accelerating Envoy and Istio with Cilium and the Linux KernelThomas Graf7.3K views39 slides
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityCilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityThomas Graf2.5K views32 slides
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSThomas Graf4.1K views13 slides
Cilium - Network security for microservicesCilium - Network security for microservices
Cilium - Network security for microservicesThomas Graf2.6K views62 slides
eBPF - Rethinking the Linux KerneleBPF - Rethinking the Linux Kernel
eBPF - Rethinking the Linux KernelThomas Graf1.1K views24 slides

More Related Content

Slideshows for you(20)

Intel® RDT Hands-on LabIntel® RDT Hands-on Lab
Intel® RDT Hands-on Lab
Michelle Holley3.8K views
Tungsten Fabric OverviewTungsten Fabric Overview
Tungsten Fabric Overview
Michelle Holley2K views
Osnug meetup-tungsten fabric - overview.pptxOsnug meetup-tungsten fabric - overview.pptx
Osnug meetup-tungsten fabric - overview.pptx
M.Qasim Arham602 views
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPF
Thomas Graf1.1K views
Kernel advantages for Istio realized with CiliumKernel advantages for Istio realized with Cilium
Kernel advantages for Istio realized with Cilium
Cynthia Thomas1.1K views
The Universal DataplaneThe Universal Dataplane
The Universal Dataplane
Michelle Holley481 views
Kubernetes Networking with Cilium - Deep DiveKubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep Dive
Michal Rostecki430 views
Data Plane and VNF Acceleration Mini Summit Data Plane and VNF Acceleration Mini Summit
Data Plane and VNF Acceleration Mini Summit
Open-NFP3.4K views
TLDK - FD.io Sept 2016 TLDK - FD.io Sept 2016
TLDK - FD.io Sept 2016
Benoit Hudzia815 views
In-kernel Analytics and Tracing with eBPF for OpenStack CloudsIn-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
PLUMgrid2K views
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with Cilium
Michal Rostecki409 views
FD.io - The Universal DataplaneFD.io - The Universal Dataplane
FD.io - The Universal Dataplane
Open Networking Summit324 views
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
Thomas Graf8.5K views
Cilium - overview and recent updatesCilium - overview and recent updates
Cilium - overview and recent updates
Michal Rostecki1.3K views
EBPF and Linux NetworkingEBPF and Linux Networking
EBPF and Linux Networking
PLUMgrid14.5K views
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
Thomas Graf2.9K views
LF_DPDK17_Abstract APIs for DPDK and ODPLF_DPDK17_Abstract APIs for DPDK and ODP
LF_DPDK17_Abstract APIs for DPDK and ODP
LF_DPDK99 views
LF_DPDK_Mellanox bifurcated driver modelLF_DPDK_Mellanox bifurcated driver model
LF_DPDK_Mellanox bifurcated driver model
LF_DPDK920 views
Linux Kernel Cryptographic API and Use CasesLinux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use Cases
Kernel TLV5.3K views
Kernel Recipes 2017 - EBPF and XDP - Eric LeblondKernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
Anne Nicolas4.3K views

Similar to Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016](20)

Securing Micro Services in Cloud FoundrySecuring Micro Services in Cloud Foundry
Securing Micro Services in Cloud Foundry
PLUMgrid385 views
RTI/Cisco response to the Software Defined Networks (SDN) OMG RFIRTI/Cisco response to the Software Defined Networks (SDN) OMG RFI
RTI/Cisco response to the Software Defined Networks (SDN) OMG RFI
Gerardo Pardo-Castellote6.1K views
Object Broker Infrastructure for Wide Area NetworksObject Broker Infrastructure for Wide Area Networks
Object Broker Infrastructure for Wide Area Networks
Vaidas Brundza429 views
The International standards landscape for IoT in SmartHomeThe International standards landscape for IoT in SmartHome
The International standards landscape for IoT in SmartHome
ir. Carmelo Zaccone574 views
ONOS SDN-IP: Tutorial and Use Case for SDXONOS SDN-IP: Tutorial and Use Case for SDX
ONOS SDN-IP: Tutorial and Use Case for SDX
APNIC2.5K views
CPaaS.io Y1 Review Meeting - Cloud & Edge ProgrammingCPaaS.io Y1 Review Meeting - Cloud & Edge Programming
CPaaS.io Y1 Review Meeting - Cloud & Edge Programming
Stephan Haller104 views
IoTWorld 2016 OSS Keynote Param Singh, Ian SkerrettIoTWorld 2016 OSS Keynote Param Singh, Ian Skerrett
IoTWorld 2016 OSS Keynote Param Singh, Ian Skerrett
Param Singh1.5K views
Model-driven Telemetry: The Foundation of Big Data AnalyticsModel-driven Telemetry: The Foundation of Big Data Analytics
Model-driven Telemetry: The Foundation of Big Data Analytics
Cisco Canada1.9K views
Akka.Net and .Net Core - The Developer Conference 2018 FlorianopolisAkka.Net and .Net Core - The Developer Conference 2018 Florianopolis
Akka.Net and .Net Core - The Developer Conference 2018 Florianopolis
Alexandre Brandão Lustosa558 views
SDN and metrics from the SDOsSDN and metrics from the SDOs
SDN and metrics from the SDOs
Open Networking Summit371 views
StampedeCon 2015 KeynoteStampedeCon 2015 Keynote
StampedeCon 2015 Keynote
Ken Owens1K views
How Cisco Migrated from MapReduce Jobs to Spark Jobs - StampedeCon 2015How Cisco Migrated from MapReduce Jobs to Spark Jobs - StampedeCon 2015
How Cisco Migrated from MapReduce Jobs to Spark Jobs - StampedeCon 2015
StampedeCon1.2K views
The Enterprise Guide to Building a Data Mesh - Introducing SpecMeshThe Enterprise Guide to Building a Data Mesh - Introducing SpecMesh
The Enterprise Guide to Building a Data Mesh - Introducing SpecMesh
IanFurlong4597 views
Using Cisco pxGrid for Security Platform Integration: a deep diveUsing Cisco pxGrid for Security Platform Integration: a deep dive
Using Cisco pxGrid for Security Platform Integration: a deep dive
Cisco DevNet2.8K views
Cloud Native Application Integration With APIsCloud Native Application Integration With APIs
Cloud Native Application Integration With APIs
Nirmal Fernando154 views
IEEE HPSR 2017 Keynote: Softwarized Dataplanes and the P^3 trade-offs: Progra...IEEE HPSR 2017 Keynote: Softwarized Dataplanes and the P^3 trade-offs: Progra...
IEEE HPSR 2017 Keynote: Softwarized Dataplanes and the P^3 trade-offs: Progra...
Christian Esteve Rothenberg582 views
Are you ready to be edgy? Bringing applications to the edge of the networkAre you ready to be edgy? Bringing applications to the edge of the network
Are you ready to be edgy? Bringing applications to the edge of the network
Megan O'Keefe1.6K views
The Current And Future State Of Service MeshThe Current And Future State Of Service Mesh
The Current And Future State Of Service Mesh
Ram Vennam81 views
Developers’ mDay u Banjoj Luci - Janko Isidorović, Mainflux – Unified IoT Pl...Developers’ mDay u Banjoj Luci - Janko Isidorović, Mainflux – Unified IoT Pl...
Developers’ mDay u Banjoj Luci - Janko Isidorović, Mainflux – Unified IoT Pl...
mCloud320 views
Io t standard_bis_arpanpalIo t standard_bis_arpanpal
Io t standard_bis_arpanpal
Arpan Pal231 views
Advertisement

Recently uploaded(20)

LanGCHAIN FrameworkLanGCHAIN Framework
LanGCHAIN Framework
Keymate.AI0 views
STRENGTH OF MATERIAL.pptxSTRENGTH OF MATERIAL.pptx
STRENGTH OF MATERIAL.pptx
MohdMeraj150 views
videographyppt.pptxvideographyppt.pptx
videographyppt.pptx
AamirMaqsood80 views
USO-HA-2U-Storage-Controllers-24-bay-4U-HA-RAID-array-and-12-bay-Storage-Expa...USO-HA-2U-Storage-Controllers-24-bay-4U-HA-RAID-array-and-12-bay-Storage-Expa...
USO-HA-2U-Storage-Controllers-24-bay-4U-HA-RAID-array-and-12-bay-Storage-Expa...
FinnJohn20 views
Chapter One Method of Teaching.pptxChapter One Method of Teaching.pptx
Chapter One Method of Teaching.pptx
YoomifTube0 views
JourneyMap: How Do I Become A DevOps Engineer.pdfJourneyMap: How Do I Become A DevOps Engineer.pdf
JourneyMap: How Do I Become A DevOps Engineer.pdf
Abdur Rofi0 views
FC-7664PRO alarm panel professional security systemFC-7664PRO alarm panel professional security system
FC-7664PRO alarm panel professional security system
Vedard Security Alarm System Store0 views
Ini Spesifikasi dan Harga Zenbook S 13 OLED (UX5304)Ini Spesifikasi dan Harga Zenbook S 13 OLED (UX5304)
Ini Spesifikasi dan Harga Zenbook S 13 OLED (UX5304)
Dot Semarang0 views
76075-technology powerpoint presentation ideas.pptx76075-technology powerpoint presentation ideas.pptx
76075-technology powerpoint presentation ideas.pptx
MuhammadumairKhan740 views
Top 12 Benefits of Automated Software Testing.pdfTop 12 Benefits of Automated Software Testing.pdf
Top 12 Benefits of Automated Software Testing.pdf
RohitBhandari660 views
Stories of scale: How two operators efficiently grew their businessesStories of scale: How two operators efficiently grew their businesses
Stories of scale: How two operators efficiently grew their businesses
AppFolio0 views
Cloud ComputingCloud Computing
Cloud Computing
VICTOR MAESTRE RAMIREZ0 views
在哪里可以办加拿大大学文凭《温哥华社区学院毕业证成绩单仿制》在哪里可以办加拿大大学文凭《温哥华社区学院毕业证成绩单仿制》
在哪里可以办加拿大大学文凭《温哥华社区学院毕业证成绩单仿制》
nukotk0 views
ace_get_gcp_certified_2023_journey_roadmap.pdface_get_gcp_certified_2023_journey_roadmap.pdf
ace_get_gcp_certified_2023_journey_roadmap.pdf
Muhammad Herwindra Berlian0 views
Multicore Stranded Conductor and Sheathed 450-750 V Fire Resistant Cables by ...Multicore Stranded Conductor and Sheathed 450-750 V Fire Resistant Cables by ...
Multicore Stranded Conductor and Sheathed 450-750 V Fire Resistant Cables by ...
Karupaswamy10 views
poweredge R7525 installation service manual.pdfpoweredge R7525 installation service manual.pdf
poweredge R7525 installation service manual.pdf
psyberdude10 views
Stay Ahead of the Competition: The Advantages of Hiring a Digital Marketing E...Stay Ahead of the Competition: The Advantages of Hiring a Digital Marketing E...
Stay Ahead of the Competition: The Advantages of Hiring a Digital Marketing E...
AlisonTaylor860 views
6+1 Technical Tips for Tech Startups (2023 Edition)6+1 Technical Tips for Tech Startups (2023 Edition)
6+1 Technical Tips for Tech Startups (2023 Edition)
Ahmed Misbah0 views
Feng_Gao_Presentation.pdfFeng_Gao_Presentation.pdf
Feng_Gao_Presentation.pdf
FabianToh20 views
Spacemesh, Tomer Afek, ICC conf, May 2023.pptxSpacemesh, Tomer Afek, ICC conf, May 2023.pptx
Spacemesh, Tomer Afek, ICC conf, May 2023.pptx
Tomer Afek0 views

Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]

  1. Securing Microservices in CloudFoundry Brenden Blanco and Deepa Kalani! Architects, CTO Office - PLUMgrid!
  2. Need for Micro Segmentation §  Movement towards cloud native applications. §  Elastic nature of applications requires a more agile way of configuring policies §  Operators would like to have an intuitive way of defining policies, based on application roles and not ip addresses. §  Relying on traditional firewall rules will quickly make it unmanageable as applications move around §  Move towards a whitelist model of policy definition, where one defines acceptable information flow and everything else is blocked
  3. IPTables to define Endpoint Policy - State Explosion IP1->IP3 IP1->IP5 IP1->IP7 IP1->IP8 IP3->IP1 IP3->IP5 IP3->IP7 IP3->IP8 IP2->IP4 IP2->IP6 IP2->IP9 IP2->IP10 IP4->IP6 IP4->IP2 IP4->IP9 IP4->IP10 IP2->IP4 IP2->IP6 IP2->IP9 IP2->IP10 IP4->IP6 IP4->IP2 IP4->IP9 IP4->IP10 IP5->IP1 IP5->IP3 IP5->IP7 IP5->IP8 IP7->IP1 IP7->IP5 IP7->IP3 IP7->IP8 IP8->IP3 IP8->IP5 IP8->IP7 IP8->IP1 IP9->IP4 IP9->IP6 IP9->IP2 IP9->IP10 IP10->IP2 IP10->IP6 IP10->IP4 IP10->IP9 IP Table Rules
  4. Group Based Policy - secure, scalable, intent based Green->Green Red->Red Green->Green Red->Red Green->Green Red->Red IP1,IP3->Green IP2,IP4-> Red IP5,IP7->Green IP6-> Red IP8->Green IP9,IP10-> Red Endpoint Groups Policies
  5. Policy specification for Cloud Foundry Applications §  Define Endpoints and EPGs (Applications are represented by Groups of Endpoints) §  Policy definition is in the nature of applications. §  e.g. A_APP->A_DB 80 allow, B_APP->A_APP allow. §  Envision policy as a graph of application connectivity A_App B_APP C_APP A_DB DB_Ext
  6. www.iovisor.org IO Module, users perspective IO Module Management interface - REST API - Cli / config file Interfaces - Interface Type (Net, Tracing, Storage, …) Something runs in kernel Something runs in user space Controllers live up here IO Modules Catalog Search for IO Mod Download IO Mod Somewhere in the cloud (iovisor.org) there is a catalog of public IO Modules
  7. www.iovisor.org IO Module, developers perspective IO Modules Catalog Publish new Modules Somewhere in the cloud (iovisor.org) there is a catalog of public IO Modules Data Plane Management interface - REST API - Cli / config file Interfaces - Interface Type (Net, Tracing, Storage, …) Users interact with the Module with: User space helper IO Module Control Plane (user space) IO Module Data Plane (kernel) IO Module developer IO Module IOVisor SDK Clang / P4 Python, C, C++, Go, JS …
  8. www.iovisor.org IO Module, graph composition IOVisor Manager Kernel a^achment points Kernel space User space Open repo of “IO Modules” Kernel code Kernel code •  extending Linux Kernel capabilices APIs to Controllers Metadata
  9. www.iovisor.org Composing IO Modules
  10. Policy Plugin with IO Visor 10 Overlay –VXLAN 192.168.0.0/16 192.168.1.0/16 Linux Bridge Vxlan Dev C C C Garden/1 - 10.244.18.3 Garden/0 - 10.244.18.2 Linux Bridge Vxlan Dev C C C Policy boundary
  11. Thank You! www.iovisor.org
  12. www.iovisor.org Backup Slides 1 2
  13. www.iovisor.org Introducing IO Visor Project 1 3 Future of Linux Kernel IO for soDware defined services Led by iniHal contribuHons from PLUMgrid (Upstreamed since Kernel 3.16) EvoluHon of Kernel BPF & eBPF (Berkeley Packet Filter) “IO Visor will work closely with the Linux kernel community to advance universal IO extensibility for Linux. This collabora=on is cri=cally important as virtualiza=on is puAng more demands on flexibility, performance and security. Open source soFware and collabora=ve development are the ingredients for addressing massive change in any industry. IO Visor will provide the essen:al framework for this work on Linux virtualiza:on and networking.” Jim Zemlin, Execu:ve Director, The Linux Founda:on.
  14. www.iovisor.org IO Visor Project: What? 1 4 •  A programmable data plane and development tools to simplify the creation of new infrastructure ideas •  An open source project and a community of developers •  Enables a new way to Innovate, Develop and Share IO and Networking functions Open Source & Community Programmable Data Plane 1 2 •  A place to share / standardize new ideas in the form of “IO Modules” Repository of “IO Modules” 3
  15. www.iovisor.org IO Visor Project Use Cases Example: Networking §  IO Visor is used to build a fully distributed virtual network across multiple compute nodes §  All data plane components are inserted dynamically in the kernel §  No usage of virtual/physical appliances needed §  Example here https://github.com/iovisor/bcc/tree/ master/examples/distributed_bridge 1 5 Virtual/Physical Appliances Virtual Network Topology in Kernel Space
Advertisement