Linux offers an extensive selection of programmable and configurable networking components from traditional bridges, encryption, to container optimized layer 2/3 devices, link aggregation, tunneling, several classification and filtering languages all the way up to full SDN components. This talk will provide an overview of many Linux networking components covering the Linux bridge, IPVLAN, MACVLAN, MACVTAP, Bonding/Team, OVS, classification & queueing, tunnel types, hidden routing tricks, IPSec, VTI, VRF and many others.
This presentation covers the basics of OpenvSwitch and its components. OpenvSwitch is an open-source implementation of OpenFlow by the Nicira team.
It also talks about OpenvSwitch and its role in OpenStack Networking.
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015) - Thomas Graf
Open vSwitch (OVS) has long been a critical component of Neutron's reference implementation, offering reliable and flexible virtual switching for cloud environments.
Being an early adopter of the OVS technology, Neutron's reference implementation made some compromises to stay within the early, stable feature set OVS exposed. In particular, Security Groups (SG) have so far been implemented by leveraging hybrid Linux bridging and iptables, which comes at a significant performance overhead. However, thanks to recent developments and ongoing improvements within the OVS community, we are now able to implement feature-complete security groups directly within OVS.
In this talk we will summarize the existing Security Groups implementation in Neutron and compare its performance with the Open vSwitch-only approach. We hope this analysis will form the foundation of future improvements to the Neutron Open vSwitch reference design.
Open vSwitch - Stateful Connection Tracking & Stateful NAT - Thomas Graf
Update on status of connection tracking and stateful NAT addition to the Linux kernel datapath. Followed by a discussion on the topic to collect ideas and come up with next steps.
The new virtualization technologies and cloud environments are a big challenge for testing network performance. We need a new approach for testing, using realistic scenarios and flexible tools that allow us to generate packets at high speed. Trex is an Open Source network generator with all these batteries included.
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC - Thomas Graf
The Linux packet filtering technology, iptables, has its roots in times when networking was relatively simple and network bandwidth was measured in mere megabits. Emerging technologies, such as distributed NAT, overlay networks and containers require enhanced functionality and additional flexibility. In parallel, the next generation of network cards with speeds of 40Gb and 100Gb will put additional pressure on performance.
In the upcoming Red Hat Enterprise Linux 7, a new dynamic firewall service, FirewallD, is planned to provide greater flexibility over iptables by eliminating service disruptions during rule updates, abstraction, and support for different network trust zones. Additionally, a new virtual machine-based packet filtering technology, nftables, addresses the functionality and flexibility requirements of modern network workloads.
In this session you’ll:
Deep dive into the newly introduced packet filtering capabilities of Red Hat Enterprise Linux 7 beta.
Learn best practices.
See the new set of configuration utilities that allow new optimization possibilities.
This slide deck was created to help understand Open vSwitch more easily.
So I tried to make it practical: if you just follow this scenario, you will get some knowledge about OVS.
In this document, I mainly use only two commands, "ip" and "ovs-vsctl", to show you the ability of these commands.
Open VSwitch .. Use it for your day to day needs - rranjithrajaram
Slides of open vSwitch used for Fudcon 2015.
The main agenda for this talk was why openvswitch is a better alternative to the Linux bridge and why you should start using it as the bridge for your KVM host.
Accelerating Envoy and Istio with Cilium and the Linux Kernel - Thomas Graf
This talk will provide an introduction to injection options of Envoy and then deep dive into ongoing Linux kernel work that enables injecting Envoy while introducing as little latency as possible.
The servicemesh and the sidecar proxy model are on a steep trajectory to redefine many networking and security use cases. This talk explains and demos a new socket redirect Linux kernel technology that allows running Envoy with similar performance as if the sidecar was linked to the application using a UNIX domain socket. The talk will also give an outlook on how Envoy can use the recently merged kernel TLS functionality to gain access to the clear text payload transparently for end to end encrypted applications without requiring to decrypt and re-encrypt any data to further reduce the overhead and latency.
NAT and firewall presentation - how to set up a nice firewall - Cassiano Campes
This is a presentation I did during my internship @ PARKS in 2014. It shows how to configure NAT & firewall rules using IPTABLES.
I hope this can be useful to somebody in the future.
This presentation features a walk through the Linux kernel networking stack covering the essentials and recent developments a developer needs to know. Our starting point is the network card driver as it feeds a packet into the stack. We will follow the packet as it traverses through various subsystems such as packet filtering, routing, protocol stacks, and the socket layer. We will pause here and there to look into concepts such as segmentation offloading, TCP small queues, and low latency polling. We will cover APIs exposed by the kernel that go beyond use of write()/read() on sockets and will look into how they are implemented on the kernel side.
Accelerate Service Function Chaining Vertical Solution with DPDK - OPNFV
Service Function Chaining (SFC) is one of the top 5 NFV use cases. Supporting SFC in provider and enterprise networks requires performance assurance. Specifically, the Classifier and the Service Function Forwarder, which are typically implemented in software such as virtual switches, need to match line-rate requirements. DPDK (Data Plane Development Kit) is an open source project comprising a set of libraries and drivers for fast packet processing. In this presentation, we will discuss our experiences accelerating SFC with DPDK. In addition, Telco and Datacenter carriers demand dynamic SFC, which requires support for new SFC wire protocols (e.g. VxLAN-GPE and NSH) in both data and control planes. We intend to share our experiences and future work on a high performance, NSH-aware SFC vertical solution with open-source ingredients: Openstack, Opendaylight, OpenvSwitch with DPDK acceleration.
Troy Lea's presentation on Leveraging and Understanding Performance Data and Graphs.
The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs. - Nagios
Lee will present how he overcame timeperiod issues, through the use of MK_Livestatus, Pushbullet, and scripts to notify him of alerts while he is at work. All the user needs to do is execute a command at the start of their shift, and they will receive all their notifications until their shift ends.
Rudder 4.1 was released in March 2017 with:
- an advanced feature to query external APIs and pull in node properties dynamically
- the ability to add "key=value" tags to all Rules and Directives in order to categorize them
- a new API on relay servers to enable node-to-node file sharing and remote run in firewalled environments
- performance improvements
- a new plugin package format
Rudder 4.2 was released in September 2017 and includes support for a new plugin that adds a new Windows DSC-based agent. Rudder 4.3 will include:
- Parameters for Technique Editor techniques
- ACLs on the API accounts
- Many architecture improvements
In parallel, new plugins are being developed:
- A plugin to integrate data from external APIs
- Monitoring integration with Centreon
- CMDB integration with iTop
- A reporting plugin for historized compliance
This talk will introduce these new features and show how to use them, hopefully getting you as excited as we are! Then, we will move on to explain about longer-term feature ideas we have for Rudder, and the general vision linked to future developments.
About Nicolas Charles
Nicolas is a tinkerer who likes when things just work, and tries his best to reach this goal. He started as a developer 15 years ago, and often had to reach out of this role to solve issues.
In 2010, he co-founded Normation, and he still enjoys fixing things in Rudder and for its users.
Android 5.0 Lollipop brings huge changes compared to before.
This report includes statistics from source code with data and hidden features from source code & git log investigation.
A deep understanding of how a packet reaches its destination and a basic understanding of network protocols.
Learn how to manipulate Linux networking and how to manipulate Linux iptables.
XDP in Practice: DDoS Mitigation @Cloudflare - C4Media
Video and slides synchronized, mp3 and slide download available at URL https://bit.ly/2NtlaER.
Gilberto Bertin discusses the architecture of Cloudflare’s automatic DDoS mitigation pipeline, the initial packet filtering solution based on Iptables, and why Cloudflare had to introduce userspace offload. Bertin also describes how they switched from a proprietary offload technology to XDP for network stack bypass and how they are using XDP to load balance traffic. Filmed at qconlondon.com.
Gilberto Bertin works as a System Engineer at Cloudflare London. After working on a variety of technologies like P2P VPNs and userspace TCP/IP stacks, he joined the Cloudflare DDoS team in London to help filter all the bad internet traffic.
Memcache as UDP Reflectors: A Massive Amplified DDoS the World (Attack Formulation and Mitigation) by
Muhammad Morshed Alam, AmberIT Limited, morshed@amberit.com.bd
Handy Networking Tools and How to Use Them - Sneha Inguva
When I joined the networking team at DigitalOcean a few years ago, I dove into an entirely different world of software-defined networking in the data center. Virtual switches, networking protocols — these were concepts that I had encountered at the surface level before — but now I frequently found myself debugging them. With time, I came to rely on a variety of Linux networking tools for introspecting, troubleshooting, and examining network state. In this talk, I’ll share some of my favorite Linux networking tools and discuss scenarios in which they are quite helpful.
[Advantech] ADAM-3600 OpenVPN setting Tutorial step by step - Ming-Hung Hseih
This is a tutorial on how to configure a VPN client on the IoT gateway ADAM-3600.
•Build up OpenVPN server/client
•ADAM-3600 OpenVPN setting
•ADAM-3600 OpenVPN : 3G + DDNS + public dynamic IP
Tutorial WiFi driver code - Opening Nuts and Bolts of Linux WiFi Subsystem - Dheryta Jaisinghani
While we understand the complex interplay of OSI layers in theory, in practice understanding their implementation is a non-trivial task. The implementation details that enable a network interface card to communicate with its peers are opaque to end-users. Developers venturing into this domain for the first time often find it hard to find relevant tutorials that enable them to understand these implementation details. The aim of this talk is to provide an overview of the WiFi Subsystem implemented in the Linux operating system. Specifically, this talk will explain the sequence of events that occur from the application layer to the physical layer when a connection is established over WiFi. After this talk, the audience will understand
(1) the bird's eye view of Linux WiFi Subsystem,
(2) what happens in an operating system when a WiFi card is plugged-in,
(3) how is a packet received/transmitted from physical layer to operating system kernel and vice-versa,
(4) brief overview of code structure of open-source drivers, and lastly
(5) important pointers to kick start driver code modifications.
Video Available here: https://www.youtube.com/watch?v=pa1oEyc7Dm0
9. Goals
● First Milestone:
○ Address 80% of firewall request tickets
○ Achieve consistency and standardization in rules
○ Increase reliability
● Second Milestone:
○ Service based
○ Improve speed and reliability
13. Getting the ticket somewhere we can use it
(uses netops_jira.py)
import netops_jira

jira = netops_jira.JiraSearch()
jira.query = 'project in (NETOPS) AND status in (OPEN) AND component in (Firewall)'
data = jira.search()
for request in data:
    ticket = netops_jira.FirewallTicketParser(request)
14. Jira to Python - netops_jira.py objects
In [11]: ticket.source
Out[11]: {'Group 1': ['host1.grpn', 'host2.grpn', 'host3.grpn']}
In [12]: ticket.destination
Out[12]: {'Group 1': ['otherhost11.ls', 'otherhost12.ls']}
In [13]: ticket.port
Out[13]: {'Group 1': ['2222', '80', '99-100']}
15. Step 2 - Determine which Devices to Configure
create_firewall_rule.py - step 2
17. Global standardization of policy flow
● Decide on a standard for directionality
● Treat VPN Concentrators like Backbone routers
  [diagram: Backbone / Primary VPN / BB Rtr / Internal Network]
● Result: FW to configure is deterministic
18. Step 3 - Determining the Zones
create_firewall_rule.py - step 3
19. Getting the zone of a destination
● Steps:
  ○ Resolve the host IP
  ○ Connect to the determined firewall
  ○ Do a route lookup for the host IP
  ○ Find the outgoing interface for that route
  ○ Check the security zones table for that interface
hammer@fw> show route 8.8.8.8
inet.0: 258 destinations, 259 routes (258 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[Static/5] 36w5d 14:05:18
                    > to 1.2.3.4 via ge-0/0/7.0
hammer@fw> show security zones
Security zone: untrust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Screen: untrust-screen
  Interfaces bound: 1
  Interfaces:
    ge-0/0/7.0
20. Determining Zone Step 1: Resolve the host IP
Step 1 - Resolve the host IP
Step 2 - ???
Step 3 - Profit!
● There are hidden complexities
● Why not just >show route host1.grpn ?
● Round Robin DNS
● IP used in request?
● Special cases in request?
21. Determining Zone Step 1a: Parsing the source/dest
● Goal - {name : address}
○ Hostname → Forward Lookup → IP → {hostname : IP}
○ IP → Reverse Lookup → Hostname → {hostname: IP}
○ Subnet → {subnet: subnet}
○ Special cases:
■ E.g., “vpn users” → {‘vpn_users’: predefined_subnet}
22. Determining Zone Step 2: Connecting to the FW
from device_connection import JUNOSConnection

username = "hammer"        # the CLI user seen in the prompts on the earlier slides
password = "thepassword"   # as on the slide; in practice read this from a secret store, not the script
myconn = JUNOSConnection(username, "fw1.grpn", password)
myconn.Connect()
23. Determining Zone Step 3: Route lookup
Screen scraping / regex:
    > show route
XML parsing:
    routes = myconn.get_route_information()
24. Tables/Views Refresher - XML config
hammer@fw1> show security zones untrust | display xml
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/12.3X48/junos">
<zones-information xmlns="http://xml.juniper.net/junos/12.3X48/junos-zones" junos:style="detail">
<zones-security>
<zones-security-zonename>untrust</zones-security-zonename>
<zones-security-interfaces-bound>2</zones-security-interfaces-bound>
<zones-security-interfaces>
<zones-security-interface-name>ae0.0</zones-security-interface-name>
<zones-security-interface-name>ae1.0</zones-security-interface-name>
</zones-security-interfaces>
</zones-security>
</zones-information>
<cli>
<banner></banner>
</cli>
</rpc-reply>
25. Tables/Views Refresher - RPCs
hammer@fw1> show security zones untrust | display xml rpc
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/12.3X48/junos">
<rpc>
<get-zones-information>
<get-zones-named-information>untrust</get-zones-named-information>
</get-zones-information>
</rpc>
<cli>
<banner></banner>
</cli>
</rpc-reply>
27. Tables/Views: Refresher, part 4 - XML sucks
In [25]:
zones.xpath('zones-security[zones-security-zonename]')
Out[25]:
[<Element zones-security at 0x7f10bfa8cb90>,
<Element zones-security at 0x7f10bfa8ca70>,
<Element zones-security at 0x7f10bfb94b90>,
<Element zones-security at 0x7f10bfb94f80>,
<Element zones-security at 0x7f10bfa950e0>,
<Element zones-security at 0x7f10bfa95440>,
<Element zones-security at 0x7f10bfa95f80>]
28. Determining the zone step 4: Get the zone from the interface
In [8]: zones
Out[8]: SecurityZonesTable:fw1.grpn: 8 items
In [9]: zones[1].name
Out[9]: 'trust'
In [10]: zones[1].interfaces
Out[10]: ['ae2.101', 'ae3.101']
In [82]: route_table
Out[82]: junos_route_table:fw1.grpn: 941 items
In [83]: route.destination
Out[83]: u'10.1.37.0'
In [84]: route.prefix_length
Out[84]: 24
In [85]: route.outgoing_interface
Out[85]: u'ae2.101'
29. Flow for getting the zone
[flowchart, rendered here as steps]
● Firewall Connection Object
● RPC calls for route, zone table
● Lookup outgoing interface in route view, and find it in the zone view
● More hosts? Yes: repeat the RPC calls and lookup for the next host; No: close connection
Some tickets involve hundreds of lookups, extremely resource intensive!
30. Optimizing, AKA be nice to your production devices
[flowchart, rendered here as steps]
● Firewall Connection Object
● Pull entire routing and zone table
● Close connection
● Build offline queryable FW object with routing/zone tables
● Build radix object, tag every route with zone info
● Route lookup for 10.20.100.1 (e.g., zone=web)
● More hosts? Yes: repeat the route lookup against the offline object
Maximum of two calls to the FW regardless of number of hosts
31. Offline SRX object in action
In [18]: srx_obj = srx.BuildSRX(route_table=route_table, zone_table=zone_table)
In [19]: srx_obj.get_ip_zone('8.8.8.8')
Out[19]: 'untrust'
32. Radix Library
In [7]: route = fw_obj._rtree.search_best('8.8.8.8')
In [8]: route.data
Out[8]:
{'next_hop': u'10.1.1.1',
 'outgoing_interface': u'ae2.0',
 'zone_name': 'untrust'}
We tag zone into every route as we build the radix table
https://pypi.python.org/pypi/py-radix
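The offline lookup from slides 29 to 32, as an added example (this is not the deck's srx.py). The route and zone tables are constructed to match the shape of the route/zone views shown above; every address, interface and zone name in them is made up. A longest-prefix match over ipaddress networks stands in for py-radix's search_best, so the block runs with the standard library only.

```python
import ipaddress

# Constructed sample data in the shape of the route view / zone view on the slides.
ROUTE_TABLE = [
    {"destination": "0.0.0.0", "prefix_length": 0, "next_hop": "1.2.3.4", "outgoing_interface": "ge-0/0/7.0"},
    {"destination": "10.1.0.0", "prefix_length": 16, "next_hop": "10.1.1.1", "outgoing_interface": "ae2.0"},
    {"destination": "10.1.37.0", "prefix_length": 24, "next_hop": None, "outgoing_interface": "ae2.101"},
    {"destination": "10.20.100.0", "prefix_length": 24, "next_hop": None, "outgoing_interface": "ae3.101"},
]
ZONE_TABLE = [
    {"name": "untrust", "interfaces": ["ge-0/0/7.0"]},
    {"name": "trust", "interfaces": ["ae2.0", "ae2.101"]},
    {"name": "web", "interfaces": ["ae3.101"]},
]


class OfflineSRX:
    """Offline, queryable copy of one firewall's routing and zone tables.

    Built once from the two RPC results; every host lookup after that is
    answered locally, so the device is asked at most twice per ticket.
    """

    def __init__(self, route_table, zone_table):
        iface_to_zone = {}
        for zone in zone_table:
            for iface in zone["interfaces"]:
                # An interface belongs to exactly one zone; two bindings mean bad input.
                if iface_to_zone.get(iface, zone["name"]) != zone["name"]:
                    raise ValueError(f"interface {iface} bound to more than one zone")
                iface_to_zone[iface] = zone["name"]
        self._routes = []
        for r in route_table:
            net = ipaddress.ip_network(f'{r["destination"]}/{r["prefix_length"]}', strict=False)
            # Tag the zone into each route while building the table, as the deck does.
            self._routes.append((net, dict(r, zone_name=iface_to_zone.get(r["outgoing_interface"]))))
        # Longest prefix first, so the first containing network is the best match.
        self._routes.sort(key=lambda item: item[0].prefixlen, reverse=True)

    def search_best(self, ip):
        """Return the route dict of the most specific route covering ip, or None."""
        addr = ipaddress.ip_address(ip)
        for net, data in self._routes:
            if addr.version == net.version and addr in net:
                return data
        return None

    def get_ip_zone(self, ip):
        route = self.search_best(ip)
        if route is None:
            raise LookupError(f"no route for {ip}")
        if route["zone_name"] is None:
            raise LookupError(f'interface {route["outgoing_interface"]} is not bound to a zone')
        return route["zone_name"]


def zones_for_hosts(srx, hosts):
    """Zone per host for one ticket group ({hostname: ip}), with no device calls."""
    return {host: srx.get_ip_zone(ip) for host, ip in hosts.items()}


if __name__ == "__main__":
    srx = OfflineSRX(ROUTE_TABLE, ZONE_TABLE)
    print(srx.get_ip_zone("8.8.8.8"))      # untrust, via the default route
    print(srx.get_ip_zone("10.1.37.5"))    # trust, the /24 wins over the /16
    print(zones_for_hosts(srx, {"host1.grpn": "10.20.100.1", "host2.grpn": "10.1.2.3"}))
```

The two LookupError cases are the ones worth surfacing to the on-call rather than silently defaulting: a host with no route would otherwise land in whatever zone the default route points at, and an interface with no zone binding means the rule could not be placed in the right from-zone/to-zone context.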
33. Step 4 - Do we even need this rule?
create_firewall_rule.py - step 4
36. Show the user
ProdOps Commandline User added a comment - 12/Sep/17 6:05 PM
Group 2: Existing policy for Group 2 matches this configured policy: NETOPS-5281
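One way to implement the "do we even need this rule?" check from slides 33 to 36, as an added example and not the deck's own code. Existing policies are modelled with their address-sets already expanded to member names, and the request has the shape of the parsed ticket objects shown earlier (source, destination, port per group). All policy names, hosts and zones are constructed; the optional "udp/53" port form is an assumption, since the slides only show bare TCP ports.

```python
# Constructed existing policies, already expanded from address-sets to member names.
EXISTING_POLICIES = [
    {"name": "NETOPS-5281", "from_zone": "trust", "to_zone": "untrust",
     "source": {"host1.grpn", "host2.grpn", "host3.grpn"},
     "destination": {"otherhost11.ls", "otherhost12.ls"},
     "ports": {"tcp": {80, 443}}},
    {"name": "NETOPS-7432__2", "from_zone": "trust", "to_zone": "db",
     "source": {"web-app1.grpn"},
     "destination": {"db1__1.grpn", "db1__2.grpn"},
     "ports": {"tcp": set(range(10906, 10911))}},
]


def expand_ports(specs, default_proto="tcp"):
    """Turn ticket port strings such as ['2222', '80', '99-100'] into {proto: {ports}}.

    A 'udp/53' form is accepted as an assumption; bare numbers are TCP.
    """
    out = {}
    for spec in specs:
        proto, _, ports = spec.strip().rpartition("/")
        proto = proto.lower() or default_proto
        lo, _, hi = ports.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port spec {spec!r}")
        out.setdefault(proto, set()).update(range(lo, hi + 1))
    return out


def covering_policy(source, destination, port_specs, from_zone, to_zone, policies=EXISTING_POLICIES):
    """Name of an existing policy that already permits the whole request, else None.

    Only a single policy covering every source, destination and port counts;
    partial overlap still needs a new rule, and the zone pair must match because
    SRX policies are evaluated per from-zone/to-zone context.
    """
    wanted = expand_ports(port_specs)
    for pol in policies:
        if (pol["from_zone"], pol["to_zone"]) != (from_zone, to_zone):
            continue
        if not (set(source) <= pol["source"] and set(destination) <= pol["destination"]):
            continue
        if all(ports <= pol["ports"].get(proto, set()) for proto, ports in wanted.items()):
            return pol["name"]
    return None


def check_ticket_group(group, from_zone, to_zone):
    """Comment text for the ticket: the matching policy, or a note that a rule is needed."""
    match = covering_policy(group["source"], group["destination"], group["port"], from_zone, to_zone)
    if match:
        return f"Existing policy matches this configured policy: {match}"
    return "No existing policy covers this request; a new rule will be created"


if __name__ == "__main__":
    group = {"source": ["host1.grpn", "host2.grpn"], "destination": ["otherhost11.ls"], "port": ["80"]}
    print(check_ticket_group(group, "trust", "untrust"))   # matched by NETOPS-5281
    group["port"] = ["2222", "80", "99-100"]
    print(check_ticket_group(group, "trust", "untrust"))   # 2222 and 99-100 are not permitted
```

Requiring full coverage by one policy is deliberate: a request that is half-covered by two existing rules still gets its own ticket-named policy, which keeps the later "show configuration | match <ticket>" audit trail honest.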
39. Standardizing address-book entries: After
If Host (/32): <dns-entry>, <ip>
    web-app1.grpn 10.1.1.1/32;
If RR DNS: <dns-entry> + __<n>, <ip>
    db1__1.grpn 172.16.1.10/32;
    db1__2.grpn 172.16.1.11/32;
If Subnet: <subnet> <subnet>
    10.32.100.0/24 10.32.100.0/24;
Address set: src or dst + ticket number
    address-set src_NETOPS-1234 {
        web-app1.grpn
    }
    address-set dst_NETOPS-1234 {
        db1__1.grpn
        db1__2.grpn
    }
Static exception: address-set vpn_users {..}
40. Standardizing Policies: Before
policy dev-hosts--to--monitoring-rw-vip-sjc {
match {
source-address [ devhosts dev12 prodnet_33 devhosts__new ];
destination-address gdr-sjc1-prod-graph-ro-vip__sjc1;
application monitoring_services;
}
then {
permit;
}
}
41. Standardizing Policies: After
policy NETOPS-7432__2 {
match {
source-address src_NETOPS-7432__2;
destination-address dst_NETOPS-7432__2;
application tcp_10906-10910;
}
then {
permit;
}
}
No more trying to engineer context into configurations!
42. Side benefit of Standardization
● Show policy
● Show source address(es) / sets
● Show destination address(es) / sets
● Show application(s)
● show configuration | match <ticket> | display set
43. Addressbook entry re-use
● It doesn’t exist
○ New address-book entry added
● It exists
○ SRX Ignores it
● It exists and is different:
○ Overwrite with new value
○ (Verify by admin)
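The naming standard from slides 39 to 43, together with the source/destination parsing from slide 21, as one added example (this is not the deck's srx.py). Forward and reverse DNS are stubbed with constructed dictionaries so the block runs offline; every hostname and address is made up. Putting the entries in the global address book, and the from/to zones used in the sample call, are assumptions: the slides do not say which address book the entries live in.

```python
import ipaddress
import re

# Constructed stand-ins for the resolver; real code would query DNS.
FORWARD_DNS = {
    "web-app1.grpn": ["10.1.1.1"],
    "db1.grpn": ["172.16.1.10", "172.16.1.11"],   # round-robin record
}
REVERSE_DNS = {"10.1.1.1": "web-app1.grpn"}
STATIC_SETS = {"vpn users": "vpn_users"}            # static exception: pre-existing address-set
PORT_SPEC = re.compile(r"^\d{1,5}(-\d{1,5})?$")


def parse_item(item):
    """Map one ticket source/destination item to address-book entries.

    Returns (entries, members): entries is {entry_name: prefix} to create under the
    naming standard; members are the names to put in the ticket's address-set.
    """
    key = item.strip()
    if key.lower() in STATIC_SETS:                    # special case, no new entries
        return {}, [STATIC_SETS[key.lower()]]
    try:
        net = ipaddress.ip_network(key, strict=False)
    except ValueError:
        net = None
    if net is not None and net.prefixlen < net.max_prefixlen:
        name = str(net)                               # Subnet: <subnet> <subnet>
        return {name: name}, [name]
    if net is not None:                               # bare IP: reverse lookup to a hostname
        ip = str(net.network_address)
        host = REVERSE_DNS.get(ip)
        if host is None:
            raise ValueError(f"no PTR for {ip}; leave for manual processing")
        return {host: f"{ip}/{net.max_prefixlen}"}, [host]
    ips = FORWARD_DNS.get(key)                        # hostname: forward lookup
    if not ips:
        raise ValueError(f"cannot resolve {key!r}; leave for manual processing")
    if len(ips) == 1:                                 # Host: <dns-entry> <ip>/32
        return {key: f"{ips[0]}/{ipaddress.ip_address(ips[0]).max_prefixlen}"}, [key]
    label, _, domain = key.partition(".")             # RR DNS: <dns-entry> + __<n>
    entries = {f"{label}__{n}.{domain}" if domain else f"{label}__{n}":
               f"{ip}/{ipaddress.ip_address(ip).max_prefixlen}" for n, ip in enumerate(ips, 1)}
    return entries, list(entries)


def reconcile(existing_book, new_entries):
    """Re-use rules: missing -> add; same value -> skip; different -> overwrite and flag for admin."""
    to_add = {n: p for n, p in new_entries.items() if n not in existing_book}
    changed = {n: (existing_book[n], p) for n, p in new_entries.items()
               if n in existing_book and existing_book[n] != p}
    return to_add, changed


def build_rule(ticket, group_no, sources, destinations, ports, from_zone, to_zone, existing_book):
    """Junos 'set' commands for one ticket group, plus the overwritten entries an admin must verify."""
    tag = f"{ticket}__{group_no}"
    src_set, dst_set = f"src_{tag}", f"dst_{tag}"
    entries, src_members, dst_members = {}, [], []
    for items, members in ((sources, src_members), (destinations, dst_members)):
        for item in items:
            e, m = parse_item(item)
            entries.update(e)
            members.extend(m)
    to_add, changed = reconcile(existing_book, entries)
    cmds = [f"set security address-book global address {n} {p}" for n, p in to_add.items()]
    cmds += [f"set security address-book global address {n} {new}" for n, (_, new) in changed.items()]
    for set_name, members in ((src_set, src_members), (dst_set, dst_members)):
        for m in members:
            kind = "address-set" if m in STATIC_SETS.values() else "address"
            cmds.append(f"set security address-book global address-set {set_name} {kind} {m}")
    apps = []
    for p in ports:
        if not PORT_SPEC.match(p):
            raise ValueError(f"bad port spec {p!r}")
        apps.append(f"tcp_{p}")                       # TCP assumed: the only protocol on the slides
        cmds.append(f"set applications application tcp_{p} protocol tcp destination-port {p}")
    policy = f"set security policies from-zone {from_zone} to-zone {to_zone} policy {tag}"
    cmds.append(f"{policy} match source-address {src_set}")
    cmds.append(f"{policy} match destination-address {dst_set}")
    cmds += [f"{policy} match application {app}" for app in apps]
    cmds.append(f"{policy} then permit")
    return cmds, changed


if __name__ == "__main__":
    book = {"web-app1.grpn": "10.1.1.9/32"}           # stale entry: overwritten and flagged
    cmds, changed = build_rule("NETOPS-1234", 1, ["web-app1.grpn", "vpn users"], ["db1.grpn"],
                               ["80", "10906-10910"], "trust", "db", book)
    print("\n".join(cmds))
    print("verify:", changed)
```

The `changed` dictionary is what makes the "overwrite with new value, verify by admin" rule safe to automate: an address-book entry whose IP silently moved is exactly how an old ticket's permit ends up granting access to a host nobody reviewed, so the overwrite is pushed but the old/new pair is surfaced in the ticket comment.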
50. Firewall Automation Flow, part 1
[flowchart, rendered here as steps]
● Input: Username, Ticket #
● JIRA API: parse ticket (netops_jira.py) into object
● create_firewall_rule.py: iterate over each group in the ticket
● Parse src/dst
  ○ Not parsable: assign to oncall for manual processing
● Determine which FW to configure based on standard
  ○ Unable to determine fw: assign to oncall
● FW Connection Object: 3x RPC for routing/zone/policy tables
  ○ Connection fail: leave in retry queue
● Build offline SRX (close previous connection); hand Ticket # + json to part 2
51. Firewall Automation Flow, part 2
[flowchart, rendered here as steps]
● Offline SRX Object: get zone info for src/dst
● Verify rule doesn't already exist
  ○ Exists: comment + resolve ticket
  ○ Doesn't exist: build ACL objects (srx.py library), save into per-colo dictionary
● More groups in request?
  ○ Yes: process other groups
  ○ No: for each colo, push all rules to active/backup FW; comment diffs to ticket + resolve
56. Firewall Automation: The Service
● Created service code that runs periodically and finds “Approved” Firewall tickets
● The code will run create_firewall_rule.py on those tickets
● Engineers simply need to review the request for sanity/security purposes, and click approve.
● No need to run any script or open up a terminal
● Success = Comment + Resolve
● Fail = Re-assign to pagerduty API
● Only see tickets that require approval or troubleshooting
● Effective SLA: 30 minutes