Recommended
Recommended
More Related Content
What's hot
What's hot (13)
Similar to L7 firewall API for Neutron-FWaaS
Similar to L7 firewall API for Neutron-FWaaS (20)
Recently uploaded
Recently uploaded (20)
L7 firewall API for Neutron-FWaaS
- 1. New weapon for neutron-fwaas: L7 firewall API Nguyen Phuong An 1Vietnam OpenInfra day 2018
- 2. The preface This short talk show my knowledge about L7 layer filtering from point of view of a man, who haven’t had much experience about security and trying to understand ‘the world of network’. Please free feel to discuss. Thanks in advance! 2Vietnam OpenInfra day 2018
- 3. Abstract Defense in depth L7 firewall API HTTP over TCP Iptables or BPF SQLinjection XSS attack Extension Apply on VM port Deny URL 3Vietnam OpenInfra day 2018
- 4. Agenda • Who am I? • Motivation • How L7 firewall API look like • API Driver • Future of Firewall • Demo driver concept 4Vietnam OpenInfra day 2018
- 5. Who am I? • My name: Nguyen Phuong An • Neutron developer – Co-author of Neutron packet logging framework – Active contributor for Neutron fwaas – Develop deployment neutron-api via wsgi feature • IRC: annp • Email: annp.cs51@gmail.com • Recently, Rust is my favorite language. 5Vietnam OpenInfra day 2018
- 6. Motivation • Defense in depth – More layer more secure • Standard firewall: – Define security rule base protocol and port Web-app GET /health User PUT /store/{id} unexpected OK Allow TCP port 80 Security hole! 6Vietnam OpenInfra day 2018
- 7. Motivation • Append L7 layer filtering – Examine the payload of a packet and make decisions based on content. Web-app GET /health User PUT /store/{id} unexpected OK Allow TCP port 80 Allow GET /healt h 7Vietnam OpenInfra day 2018
- 8. Motivation • With L7 firewall API: – Allow to restrict SQLInjection, XSS attack,.. – Allow to block unexpected URL – … 8Vietnam OpenInfra day 2018
- 9. How L7 firewall API look like • How API work: – Filtering base on: • URL string: Accept/drop a request from/to domain • HTTP header: Accept/drop based POST/PUT/GET method. • HTTP body: drop based pattern SQLInjection, XSS, … 9Vietnam OpenInfra day 2018
- 10. How L7 firewall API look like • Which protocols are supported? – HTTP over TCP only as first proposal. – In future, support other protocols like p2p, ftp … • Where L7 rule is applied? – Instance port level as first proposal (E-W traffic) – In future router-interface port (N-S traffic) 10Vietnam OpenInfra day 2018
- 11. How L7 firewall API look like • How L7 firewall API is designed: – The API will be designed as a Extension API of Firewall Plugin V2. • Allow to enable/disable L7 firewall API if need 11Vietnam OpenInfra day 2018
- 12. How L7 firewall API look like • How L7 rule is define: – Extend Firewall Rule with new attributes: 12Vietnam OpenInfra day 2018
- 13. How L7 firewall API look like • L7 attribute would includes: • type: [‘url', ‘header', ‘body', ‘cookie'] • compare_type: [‘contain', ‘starts_with’, ‘ends_with', ‘regex', ‘equal_to'] • value: a string, e.g: ‘POST /v2/example’ • action: DROP/ACCEPT – Action LOG and STATS should propose in neutron-packet-logging https://docs.openstack.org/neutron/rocky/admin/config- logging.html 13Vietnam OpenInfra day 2018
- 14. How L7 firewall API look like • How L7 attribute would define: – http://paste.openstack.org/show/728183/ • Firewall rule would look like: – http://paste.openstack.org/show/728180/ 14Vietnam OpenInfra day 2018
- 15. API Driver • How API driver work GET v2/example 15 L3 rules L7 rules HTTP_FILTER Drop Allow Default Policy DROP Default Policy ALLOW allow drop Vietnam OpenInfra day 2018
- 16. API Driver • Possible implementation: – Iptables or XDP & eBPF: • Iptables based: old fashioned! – e.g l7_filter • XDP & eBPF based: is trending. – integrate with Cilium – Building a http filter from scratch with bcc – Other: • Integrate with nDPI 16Vietnam OpenInfra day 2018
- 17. API Driver • As a Proof of Concept: – Trying to implement http_filter with XDP & eBPF • Pros: – Flexible in design • Cons: – Take time to develop and test 17Vietnam OpenInfra day 2018
- 18. API Driver • In future: – Integrate with Cilium or nDPI: • Pros: – Developed & tested • Cons: – Need time to customize to match our requirement – Depends on third party release schedule 18Vietnam OpenInfra day 2018
- 19. API Driver • How HTTP_FILTER is implement: 19 TC ingress HTTP_FILTER Bcc python app GET v2/example BPF_MAP User space Kernel NetDevice Network stack TC egress NetDevice HTTP_FILTER BPF bytecode Vietnam OpenInfra day 2018
- 20. API Driver • Show me the code: – https://github.com/annp1987/http_filter_with_xdp • Will support L7 firewall API in Stein cycle? – Maybe, Yes! 20Vietnam OpenInfra day 2018
- 21. Future of Firewall Neutron FWaaS + Neutron-Packet-Logging + ELK = ML Firewall 21Vietnam OpenInfra day 2018
- 22. Demo driver concept 22Vietnam OpenInfra day 2018
Editor's Notes
- In spirit of “defense in depth”, more filtering layer more secure which is a real demand of customer to protect their application. So this short talk will bring up new weapon for firewall as a service in neutron network: L7 firewall API. In this session we will answer a question: “Why L7 firewall API is good for your cloud?”. As a standard firewall may only allow HTTP traffic on TCP port 80, but SQL injection attacks will be allowed through as valid HTTP request. How do we protect customer app? OK. let's discuss about: How does L7 firewall API look like? Which protocols L7 firewall API will support? HTTP over TCP only? How to implement L7 firewall API? iptables or bpf? Future of firewall. Last but not least, demo as demand.
- Default L3 rules policy is DROP, Default L7 rules policy is ACCEPT.