In the spirit of "defense in depth", more filtering layers mean more security, which is a real demand from customers who want to protect their applications. So this short talk brings up a new weapon for Firewall as a Service in the Neutron network: the L7 firewall API. In this session we will answer the question: "Why is the L7 firewall API good for your cloud?" A standard firewall may only allow HTTP traffic on TCP port 80, but SQL injection attacks will pass through it as valid HTTP requests. How do we protect the customer's app? OK, let's discuss: What does the L7 firewall API look like? Which protocols will the L7 firewall API support? HTTP over TCP only? How to implement the L7 firewall API: iptables or BPF? The future of the firewall. Last but not least, a demo on demand.
L7 firewall API for Neutron-FWaaS
1. New weapon for neutron-fwaas:
L7 firewall API
Nguyen Phuong An
Vietnam OpenInfra day 2018
2. The preface
This short talk shows my knowledge about L7
layer filtering from the point of view of a man who
hasn't had much experience with security
and is trying to understand 'the world of network'.
Please feel free to discuss.
Thanks in advance!
3. Abstract
Defense in depth
L7 firewall API
HTTP over TCP
Iptables or BPF
SQLinjection
XSS attack
Extension
Apply on VM port
Deny URL
4. Agenda
• Who am I?
• Motivation
• What the L7 firewall API looks like
• API Driver
• Future of Firewall
• Demo driver concept
5. Who am I?
• My name: Nguyen Phuong An
• Neutron developer
– Co-author of the Neutron packet logging framework
– Active contributor to Neutron FWaaS
– Developed the "deploy neutron-api via WSGI" feature
• IRC: annp
• Email: annp.cs51@gmail.com
• Recently, Rust is my favorite language.
6. Motivation
• Defense in depth
– More layers, more security
• Standard firewall:
– Defines security rules based on protocol and port
[Diagram: User sends GET /health (expected, OK) and an unexpected PUT /store/{id} to Web-app; the standard firewall rule "Allow TCP port 80" lets both through. Security hole!]
7. Motivation
• Add an L7 filtering layer
– Examine the payload of a packet and make
decisions based on its content.
[Diagram: User sends GET /health (OK) and an unexpected PUT /store/{id} to Web-app; the firewall now carries "Allow TCP port 80" plus the L7 rule "Allow GET /health", so the decision is made on the HTTP request line rather than on the port alone.]
8. Motivation
• With the L7 firewall API:
– Allows blocking SQL injection, XSS attacks, ...
– Allows blocking unexpected URLs
– ...
9. What the L7 firewall API looks like
• How the API works:
– Filtering based on:
• URL string: accept/drop a request from/to a domain
• HTTP header: accept/drop based on the HTTP method
(POST/PUT/GET).
• HTTP body: drop based on patterns such as SQL injection, XSS, ...
10. What the L7 firewall API looks like
• Which protocols are supported?
– HTTP over TCP only as the first proposal.
– In the future, support other protocols like P2P, FTP, ...
• Where is an L7 rule applied?
– Instance port level as the first proposal (E-W traffic)
– In the future, router-interface port (N-S traffic)
11. What the L7 firewall API looks like
• How the L7 firewall API is designed:
– The API will be designed as an extension API of
Firewall Plugin V2.
• Allows enabling/disabling the L7 firewall API if needed
12. What the L7 firewall API looks like
• How an L7 rule is defined:
– Extend Firewall Rule with new attributes:
13. What the L7 firewall API looks like
• The L7 attribute would include:
• type: ['url', 'header', 'body', 'cookie']
• compare_type: ['contain', 'starts_with', 'ends_with', 'regex', 'equal_to']
• value: a string, e.g. 'POST /v2/example'
• action: DROP/ACCEPT
– Actions LOG and STATS should be proposed in neutron-packet-logging:
https://docs.openstack.org/neutron/rocky/admin/config-logging.html
14. What the L7 firewall API looks like
• How the L7 attribute would be defined:
– http://paste.openstack.org/show/728183/
• A firewall rule would look like:
– http://paste.openstack.org/show/728180/
15. API Driver
• How the API driver works:
[Diagram: a request GET v2/example passes first through the L3 rules (default policy DROP) and then through the L7 rules (default policy ALLOW), which are enforced by HTTP_FILTER; each stage returns allow or drop.]
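As an added example (not code from the talk or from neutron-fwaas), here is a small Python evaluator for the rule model of slides 13 and 15: an L7 rule with type, compare_type, value and action, evaluated after the L3 rules, with the default policies DROP for L3 and ACCEPT for L7. The HttpRequest, L7Rule and L3Rule classes, the evaluate function and the sample requests and rules are all assumptions made for this example; the real attribute and rule definitions are in the paste links on slide 14.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class HttpRequest:
    method: str
    url: str
    headers: Dict[str, str]
    body: str

    @classmethod
    def parse(cls, raw: bytes) -> "HttpRequest":
        """Minimal HTTP/1.x request parser: request line, headers, body."""
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        method, url, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        return cls(method, url, headers, body.decode("latin-1"))


@dataclass
class L7Rule:
    """Assumed rule shape using the attribute names from slide 13."""
    type: str          # 'url' | 'header' | 'body' | 'cookie'
    compare_type: str  # 'contain' | 'starts_with' | 'ends_with' | 'regex' | 'equal_to'
    value: str
    action: str        # 'DROP' | 'ACCEPT'

    def subject(self, req: HttpRequest) -> str:
        """The part of the request this rule inspects."""
        if self.type == "url":
            # compared as "METHOD /path" so a value like 'POST /v2/example' works
            return f"{req.method} {req.url}"
        if self.type == "header":
            return "\r\n".join(f"{k}: {v}" for k, v in req.headers.items())
        if self.type == "body":
            return req.body
        if self.type == "cookie":
            return req.headers.get("cookie", "")
        raise ValueError(f"unknown L7 type: {self.type}")

    def matches(self, req: HttpRequest) -> bool:
        s = self.subject(req)
        if self.compare_type == "contain":
            return self.value in s
        if self.compare_type == "starts_with":
            return s.startswith(self.value)
        if self.compare_type == "ends_with":
            return s.endswith(self.value)
        if self.compare_type == "regex":
            return re.search(self.value, s) is not None
        if self.compare_type == "equal_to":
            return s == self.value
        raise ValueError(f"unknown compare_type: {self.compare_type}")


@dataclass
class L3Rule:
    protocol: str  # e.g. 'tcp'
    port: int
    action: str    # 'DROP' | 'ACCEPT'


def evaluate(l3_rules: List[L3Rule], l7_rules: List[L7Rule],
             protocol: str, port: int, raw_request: bytes) -> str:
    """Verdict for one request in the order of slide 15: L3 rules first with
    default policy DROP, then L7 rules with default policy ACCEPT.
    The first matching rule at each layer wins."""
    l3_verdict = "DROP"
    for rule in l3_rules:
        if rule.protocol == protocol and rule.port == port:
            l3_verdict = rule.action
            break
    if l3_verdict != "ACCEPT":
        return "DROP"
    req = HttpRequest.parse(raw_request)
    for rule in l7_rules:
        if rule.matches(req):
            return rule.action
    return "ACCEPT"


# Constructed sample policy: the "Allow TCP port 80" rule of slide 6 plus two
# L7 rules, one blocking an unexpected URL and one matching a common SQL
# injection pattern in the request body.
L3_RULES = [L3Rule("tcp", 80, "ACCEPT")]
L7_RULES = [
    L7Rule("url", "starts_with", "PUT /store/", "DROP"),
    L7Rule("body", "regex", r"(?i)('\s*or\s+1=1|union\s+select)", "DROP"),
]

# Constructed requests (not captured traffic).
HEALTH = b"GET /health HTTP/1.1\r\nHost: web-app\r\n\r\n"
STORE = b"PUT /store/42 HTTP/1.1\r\nHost: web-app\r\nContent-Length: 2\r\n\r\n{}"
LOGIN_SQLI = (b"POST /login HTTP/1.1\r\nHost: web-app\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"user=admin' OR 1=1--&pass=x")

if __name__ == "__main__":
    for name, raw in (("health", HEALTH), ("store", STORE), ("login", LOGIN_SQLI)):
        print(name, evaluate(L3_RULES, L7_RULES, "tcp", 80, raw))
```

With this ordering an L3 miss is a DROP regardless of the L7 rules, while an empty L7 rule list falls through to ACCEPT, which is exactly the asymmetry between the two default policies on slide 15.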
16. API Driver
• Possible implementations:
– iptables or XDP & eBPF:
• iptables based: old fashioned!
– e.g. l7_filter
• XDP & eBPF based: trending.
– Integrate with Cilium
– Build an HTTP filter from scratch with bcc
– Other:
• Integrate with nDPI
17. API Driver
• As a proof of concept:
– Trying to implement http_filter with XDP & eBPF
• Pros:
– Flexible in design
• Cons:
– Takes time to develop and test
18. API Driver
• In the future:
– Integrate with Cilium or nDPI:
• Pros:
– Already developed & tested
• Cons:
– Needs time to customize to match our requirements
– Depends on a third party's release schedule
19. API Driver
• How HTTP_FILTER is implemented:
[Diagram: in user space a bcc Python app loads the HTTP_FILTER BPF bytecode and fills a BPF_MAP; in the kernel the filter is attached at TC ingress and TC egress between the NetDevice and the network stack, and a request such as GET v2/example is checked against the map as it passes.]
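The diagram above describes a BPF program on TC ingress/egress that reads the HTTP request line out of each packet and checks it against a BPF_MAP filled by the bcc Python app. As an added example, not the talk's http_filter code, the following Python simulates that kernel-side step in user space: it builds a constructed Ethernet/IPv4/TCP frame, walks the headers using their variable-length fields (IHL and TCP data offset) to find the payload, and returns a TC verdict from a deny set that stands in for the map. build_frame, http_request_line, tc_verdict and the "METHOD /prefix" key format are assumptions of this example; the TC_ACT_OK and TC_ACT_SHOT values are the kernel's. It needs neither bcc nor root.

```python
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
# Verdicts a TC BPF program returns (kernel constants TC_ACT_OK / TC_ACT_SHOT).
TC_ACT_OK = 0
TC_ACT_SHOT = 2
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"PATCH ", b"OPTIONS ")


def build_frame(payload: bytes, dst_port: int = 80,
                ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Constructed Ethernet + IPv4 + TCP frame around an HTTP payload (test
    fixture, not captured traffic). Checksums are left zero; options must be
    a multiple of 4 bytes so IHL / data offset stay valid."""
    ihl = 5 + len(ip_options) // 4
    data_off = 5 + len(tcp_options) // 4
    total_len = ihl * 4 + data_off * 4 + len(payload)
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                     64, IPPROTO_TCP, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, data_off << 4,
                      0x18, 65535, 0, 0)
    return eth + ip + ip_options + tcp + tcp_options + payload


def http_request_line(frame: bytes, http_port: int = 80):
    """Walk Ethernet -> IPv4 -> TCP the way the BPF filter must, honouring the
    IHL and data-offset fields, and return (method, url) if the segment is
    destined to http_port and starts with an HTTP request line; else None."""
    if len(frame) < 14 + 20 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or frame[14 + 9] != IPPROTO_TCP:
        return None
    tcp = 14 + ihl
    if len(frame) < tcp + 20:
        return None
    dst_port = struct.unpack("!H", frame[tcp + 2:tcp + 4])[0]
    if dst_port != http_port:
        return None
    data_off = (frame[tcp + 12] >> 4) * 4
    payload = frame[tcp + data_off:]
    if not payload.startswith(HTTP_METHODS):
        return None
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        return None
    return parts[0].decode("ascii"), parts[1].decode("ascii", "replace")


def tc_verdict(frame: bytes, deny_keys) -> int:
    """Emulate the HTTP_FILTER hook. deny_keys stands in for the BPF_MAP the
    API pushes down: entries look like "PUT /store/" or "* /admin" (method or
    '*', then a URL prefix). Frames that carry no HTTP request line are left
    to the L3 rules and passed unchanged."""
    parsed = http_request_line(frame)
    if parsed is None:
        return TC_ACT_OK
    method, url = parsed
    for key in deny_keys:
        m, prefix = key.split(" ", 1)
        if (m == "*" or m == method) and url.startswith(prefix):
            return TC_ACT_SHOT
    return TC_ACT_OK


# Constructed deny map: block the unexpected PUT /store/{id} from slide 6
# and any method on /admin.
DENY = {"PUT /store/", "* /admin"}

if __name__ == "__main__":
    for payload in (b"GET /health HTTP/1.1\r\nHost: web-app\r\n\r\n",
                    b"PUT /store/42 HTTP/1.1\r\nHost: web-app\r\n\r\n"):
        print(payload.split(b"\r\n")[0], "->", tc_verdict(build_frame(payload), DENY))
```

The two options-carrying cases in the check below are the ones that break naive filters that assume a fixed 34-byte header; a real BPF program has to do the same offset arithmetic under the verifier's bounds checks.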
20. API Driver
• Show me the code:
– https://github.com/annp1987/http_filter_with_xdp
• Will the L7 firewall API be supported in the Stein cycle?
– Maybe, yes!
21. Future of Firewall
Neutron FWaaS + Neutron-Packet-Logging + ELK
= ML Firewall
The default policy for L3 rules is DROP; the default policy for L7 rules is ACCEPT.