Successfully reported this slideshow.

Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]

1

Share

May. 05, 2016
1 like 1,571 views
Upcoming SlideShare
Evolving Virtual Networking with IO Visor
Evolving Virtual Networking with IO Visor
Loading in …3
×
1 of 15
1 of 15

Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]

May. 05, 2016
1 like 1,571 views

1

Share

Download to read offline

Technology

As microservices grow, traditional firewall rules based on network ACLs are no longer scalable and fall short of providing fine-grained enforcement. Group Based Policy (GBP) is a flexible policy language that allows users to specify policy enforcement based on intent, independent of network infrastructure and IP addressing. Using micro-segmented virtual domains, administrators can define policies at a centralized location and use IO Visor technology for distributed enforcement. This provides infrastructure independent rules, template-based policy definitions, and scale-out policy enforcement for a solution that secures and scales with microservices. This session will be presented by members of the IO Visor community and will cover how IO Visor technology can be used to define and enforce GBP. The discussion will also cover using GBP for cloud foundry application spaces where microservices are deployed and need scalable, efficient security policies.

As microservices grow, traditional firewall rules based on network ACLs are no longer scalable and fall short of providing fine-grained enforcement. Group Based Policy (GBP) is a flexible policy language that allows users to specify policy enforcement based on intent, independent of network infrastructure and IP addressing. Using micro-segmented virtual domains, administrators can define policies at a centralized location and use IO Visor technology for distributed enforcement. This provides infrastructure independent rules, template-based policy definitions, and scale-out policy enforcement for a solution that secures and scales with microservices. This session will be presented by members of the IO Visor community and will cover how IO Visor technology can be used to define and enforce GBP. The discussion will also cover using GBP for cloud foundry application spaces where microservices are deployed and need scalable, efficient security policies.

Technology

Recommended

More Related Content

Viewers also liked

Osnug meetup-tungsten fabric - overview.pptx
M.Qasim Arham
Cilium - API-aware Networking and Security for Containers based on BPF
Thomas Graf
Kernel advantages for Istio realized with Cilium
Cynthia Thomas
The Universal Dataplane
Michelle Holley
Kubernetes Networking with Cilium - Deep Dive
Michal Rostecki
Data Plane and VNF Acceleration Mini Summit
Open-NFP
TLDK - FD.io Sept 2016
Benoit Hudzia
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
PLUMgrid
Replacing iptables with eBPF in Kubernetes with Cilium
Michal Rostecki
FD.io - The Universal Dataplane
Open Networking Summit
Cilium - Fast IPv6 Container Networking with BPF and XDP
Thomas Graf
Cilium - overview and recent updates
Michal Rostecki
EBPF and Linux Networking
PLUMgrid
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
Thomas Graf
LF_DPDK17_Abstract APIs for DPDK and ODP
LF_DPDK
LF_DPDK_Mellanox bifurcated driver model
LF_DPDK
Linux Kernel Cryptographic API and Use Cases
Kernel TLV
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
Anne Nicolas
Introduction to eBPF
RogerColl2

Similar to Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]

Openstack Nova and Quantum
David Lapsley
Dave Chandler Presents SDN at World Wide Technology's TECday - St. Louis
World Wide Technology
CloudOpen 2014 - Mixing Your Open Source Cloud Cocktail
Mark Hinkle
Kubernetes @ pixel
Adam Hamsik
OpenStack and OpenDaylight: An Integrated IaaS for SDN/NFV
Cloud Native Day Tel Aviv
Am 04 track1--salvatore orlando--openstack-apac-2012-final
OpenCity Community
FIWARE Global Summit - Leveraging Kubernetes for FIWARE Components Automations
FIWARE
Openstack meetup-pune-aug22-overview
rajdeep
Encompassing Information Integration
nguyenfilip
Chef and OpenStack Workshop from ChefConf 2013
Matt Ray
2016 open-source-network-softwarization
Christian Esteve Rothenberg
OpenStack Quantum: Cloud Carrier Summit 2012
Dan Wendlandt
Running Kubernetes
Pixel Federation
Zun presentation (OpenStack Barcelona summit)
hongbin034
Oscon London 2016 - Docker from Development to Production
Patrick Chanezon
Kubernetes integration with ODL
Prem Sankar Gopannan
Cloud computing and OpenStack
Edgar Magana
Adam Hamsik - Kubernetes
Patricia Romanikova
Building Distributed Systems without Docker, Using Docker Plumbing Projects -...
Patrick Chanezon
Full Stack Automation with Katello & The Foreman
Weston Bassler

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
How to Lie with Maps, Third Edition Mark Monmonier
(4.5/5)
Free
On War: With linked Table of Contents Carl von Clausewitz
(4.5/5)
Free
The Basics of Bitcoins and Blockchains: An Introduction to Cryptocurrencies and the Technology that Powers Them (Cryptography, Derivatives Investments, Futures Trading, Digital Assets, NFT) Antony Lewis
(4/5)
Free
Wizard:: The Life and Times of Nikolas Tesla Marc Seifer
(2.5/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
Spooked: The Trump Dossier, Black Cube, and the Rise of Private Spies Barry Meier
(4/5)
Free
Second Nature: Scenes from a World Remade Nathaniel Rich
(5/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4/5)
Free
Liftoff: Elon Musk and the Desperate Early Days That Launched SpaceX Eric Berger
(5/5)
Free
The Science of Time Travel: The Secrets Behind Time Machines, Time Loops, Alternate Realities, and More! Elizabeth Howell
(3/5)
Free
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
The Wires of War: Technology and the Global Struggle for Power Jacob Helberg
(4/5)
Free
System Error: Where Big Tech Went Wrong and How We Can Reboot Rob Reich
(4.5/5)
Free
The Quiet Zone: Unraveling the Mystery of a Town Suspended in Silence Stephen Kurczy
(4.5/5)
Free
The Players Ball: A Genius, a Con Man, and the Secret History of the Internet's Rise David Kushner
(4.5/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free
A World Without Work: Technology, Automation, and How We Should Respond Daniel Susskind
(4.5/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free

Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Summit Austin | April 2016]

  1. 1. Securing Microservices in CloudFoundry Brenden Blanco and Deepa Kalani! Architects, CTO Office - PLUMgrid!
  2. 2. Need for Micro Segmentation §  Movement towards cloud native applications. §  Elastic nature of applications requires a more agile way of configuring policies §  Operators would like to have an intuitive way of defining policies, based on application roles and not ip addresses. §  Relying on traditional firewall rules will quickly make it unmanageable as applications move around §  Move towards a whitelist model of policy definition, where one defines acceptable information flow and everything else is blocked
  3. 3. IPTables to define Endpoint Policy - State Explosion IP1->IP3 IP1->IP5 IP1->IP7 IP1->IP8 IP3->IP1 IP3->IP5 IP3->IP7 IP3->IP8 IP2->IP4 IP2->IP6 IP2->IP9 IP2->IP10 IP4->IP6 IP4->IP2 IP4->IP9 IP4->IP10 IP2->IP4 IP2->IP6 IP2->IP9 IP2->IP10 IP4->IP6 IP4->IP2 IP4->IP9 IP4->IP10 IP5->IP1 IP5->IP3 IP5->IP7 IP5->IP8 IP7->IP1 IP7->IP5 IP7->IP3 IP7->IP8 IP8->IP3 IP8->IP5 IP8->IP7 IP8->IP1 IP9->IP4 IP9->IP6 IP9->IP2 IP9->IP10 IP10->IP2 IP10->IP6 IP10->IP4 IP10->IP9 IP Table Rules
  4. 4. Group Based Policy - secure, scalable, intent based Green->Green Red->Red Green->Green Red->Red Green->Green Red->Red IP1,IP3->Green IP2,IP4-> Red IP5,IP7->Green IP6-> Red IP8->Green IP9,IP10-> Red Endpoint Groups Policies
  5. 5. Policy specification for Cloud Foundry Applications §  Define Endpoints and EPGs (Applications are represented by Groups of Endpoints) §  Policy definition is in the nature of applications. §  e.g. A_APP->A_DB 80 allow, B_APP->A_APP allow. §  Envision policy as a graph of application connectivity A_App B_APP C_APP A_DB DB_Ext
  6. 6. www.iovisor.org IO Module, users perspective IO Module Management interface - REST API - Cli / config file Interfaces - Interface Type (Net, Tracing, Storage, …) Something runs in kernel Something runs in user space Controllers live up here IO Modules Catalog Search for IO Mod Download IO Mod Somewhere in the cloud (iovisor.org) there is a catalog of public IO Modules
  7. 7. www.iovisor.org IO Module, developers perspective IO Modules Catalog Publish new Modules Somewhere in the cloud (iovisor.org) there is a catalog of public IO Modules Data Plane Management interface - REST API - Cli / config file Interfaces - Interface Type (Net, Tracing, Storage, …) Users interact with the Module with: User space helper IO Module Control Plane (user space) IO Module Data Plane (kernel) IO Module developer IO Module IOVisor SDK Clang / P4 Python, C, C++, Go, JS …
  8. 8. www.iovisor.org IO Module, graph composition IOVisor Manager Kernel a^achment points Kernel space User space Open repo of “IO Modules” Kernel code Kernel code •  extending Linux Kernel capabilices APIs to Controllers Metadata
  9. 9. www.iovisor.org Composing IO Modules
  10. 10. Policy Plugin with IO Visor 10 Overlay –VXLAN 192.168.0.0/16 192.168.1.0/16 Linux Bridge Vxlan Dev C C C Garden/1 - 10.244.18.3 Garden/0 - 10.244.18.2 Linux Bridge Vxlan Dev C C C Policy boundary
  11. 11. Thank You! www.iovisor.org
  12. 12. www.iovisor.org Backup Slides 1 2
  13. 13. www.iovisor.org Introducing IO Visor Project 1 3 Future of Linux Kernel IO for soDware defined services Led by iniHal contribuHons from PLUMgrid (Upstreamed since Kernel 3.16) EvoluHon of Kernel BPF & eBPF (Berkeley Packet Filter) “IO Visor will work closely with the Linux kernel community to advance universal IO extensibility for Linux. This collabora=on is cri=cally important as virtualiza=on is puAng more demands on flexibility, performance and security. Open source soFware and collabora=ve development are the ingredients for addressing massive change in any industry. IO Visor will provide the essen:al framework for this work on Linux virtualiza:on and networking.” Jim Zemlin, Execu:ve Director, The Linux Founda:on.
  14. 14. www.iovisor.org IO Visor Project: What? 1 4 •  A programmable data plane and development tools to simplify the creation of new infrastructure ideas •  An open source project and a community of developers •  Enables a new way to Innovate, Develop and Share IO and Networking functions Open Source & Community Programmable Data Plane 1 2 •  A place to share / standardize new ideas in the form of “IO Modules” Repository of “IO Modules” 3
  15. 15. www.iovisor.org IO Visor Project Use Cases Example: Networking §  IO Visor is used to build a fully distributed virtual network across multiple compute nodes §  All data plane components are inserted dynamically in the kernel §  No usage of virtual/physical appliances needed §  Example here https://github.com/iovisor/bcc/tree/ master/examples/distributed_bridge 1 5 Virtual/Physical Appliances Virtual Network Topology in Kernel Space

×