Quantum firewall as a service open stack havana design summit, portland 2013
1. Quantum - Firewall As A Service
   Havana Design Summit, Portland, April 2013
   Big Switch Networks (Sumit Naiksatam, Kanzhe Jiang, KC Wang, Mike Cohen)
   PayPal (Vinay Bannai, Anand Palanisamy)
   VMware (Serge Maskalik, Kai-Wei, Aaron Rosen, Sachin Thakkar, Salvatore Orlando)
   Palo Alto Networks (Marc Benoit)
   Checkpoint (Tamir Zegman, Bob Hinden)
   Dell (Rajesh Mohan)
   Red Hat (Gary Kotton)
   NTT (Nachi Ueno)
   Cisco (Sridar Kandaswamy, Dan Florea)
   Design doc: https://docs.google.com/document/d/1PJaKvsX2MzMRlLGfR0fBkrMraHYF0flvl0sqyZ704tA/edit
   Session Etherpad: https://etherpad.openstack.org/Quantum_Firewall_As_A_Service

2. Goal and Guiding Principles
   ● Offer rich security features of Firewalls to Quantum users
   ● Tenant facing abstractions - users consume services through a logical Firewall instance
   ● Will hide implementation and device management details from the users
   ● No assumptions about virtual or physical Firewalls
   ● Adhere to established audit workflows, avoid reinventing accepted definitions/conventions
   ● Model for a reasonable common denominator, allow for extensions

3. Use Case

4. [Diagram: a multi-tier deployment with a Web-Tier, a Mid-Tier and a Data-Tier, each fronted by a Firewall and Load Balancer, plus Storage. Traffic entering and leaving the deployment is marked North-South Traffic; traffic between tiers is marked East-West Traffic.]

5. Use Cases
   - Multi-tier
   - Firewalls fronting load balancers
   - Perimeter Firewall
   - Security Groups
   - Need a unified way to define security
   - Auditing
   - Logging
   - Firewall state enforcement

6. Resource Model
   Firewalls - A logical instance of a firewall embodying a Firewall Policy
   Firewall Policies - An ordered collection of Firewall Rules
   Firewall Rules - N-tuple that generically models firewall rules

7. Entity Relationship
   One Firewall -> One Firewall Policy
   One Firewall Policy -> Many Firewall Rules
   One Firewall Policy -> Many Firewalls (policies can be reused)
   One Firewall Rule -> Many Firewall Policies (rules can be reused)

8. Workflow
   Firewall Rules are defined and Firewall Policy is composed
   Firewall Policy is audited (audit process is not modeled here)
   Tenant creates Firewall instance using Firewall Policy

9. Existing Firewalls

10. Resource Model

11. Firewall Rules - Attributes
    Core attributes: id, name, description, source, destination, action, service
    Extension candidates: user, firewall service profile, logging, zones
    Source and destination can point to raw IP addresses or grouping/dynamic/placeholder objects

12. Firewall Policies - Attributes
    Core attributes: id, name, description, firewall rules, audited, shared
    Firewall rules: an ordered list of firewall rules

13. Firewall Instances - Attributes
    Core attributes: id, name, description, firewall policy id, service type
    Extension candidates: firewall rules blob

14. Dynamic and Grouping Objects
    ● Allow placeholders to be inserted into firewall rules
    ● Avoids having to audit firewall policies for dynamic tenant attributes
    ● Potentially avoids rules sprawl
    ● Commonly used for source and destination fields
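The resource model, workflow and grouping objects of slides 6 to 14, worked through as an added Python example (this is not code from the Quantum FWaaS project). It assumes first-match ordered evaluation with an implicit default deny, that editing a policy's rule list clears its audited flag, that a Firewall refuses an unaudited policy, and uses constructed tier CIDRs as grouping-object membership.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Grouping/dynamic objects: named placeholders resolved at enforcement time.
# Constructed sample data; membership can change without touching any rule.
GROUPS = {"web-tier": ["10.0.1.0/24"], "db-tier": ["10.0.3.0/24"]}

def endpoint_matches(ref, addr):
    """ref is 'any', a raw IP/CIDR, or the name of a grouping object."""
    if ref == "any":
        return True
    return any(ip_address(addr) in ip_network(c) for c in GROUPS.get(ref, [ref]))

@dataclass
class FirewallRule:        # the N-tuple of slide 11, core attributes only
    name: str
    source: str
    destination: str
    service: tuple         # (protocol, port); ("any", None) matches everything
    action: str            # "allow" or "deny"

@dataclass
class FirewallPolicy:      # ordered rule list plus audited/shared flags (slide 12)
    name: str
    rules: list = field(default_factory=list)
    audited: bool = False
    shared: bool = False
    def set_rules(self, rules):
        self.rules = list(rules)   # the same rule objects may appear in other policies
        self.audited = False       # assumption: editing the list invalidates the audit

@dataclass
class Firewall:            # one firewall embodies exactly one policy (slide 13)
    name: str
    policy: FirewallPolicy
    service_type: str = "FW"
    def __post_init__(self):   # assumption: the slide-8 workflow order is enforced
        if not self.policy.audited:
            raise ValueError("policy must be audited before a firewall embodies it")

def evaluate(fw, src, dst, proto, port):
    """First matching rule in policy order wins; default deny is an assumption."""
    for r in fw.policy.rules:
        rproto, rport = r.service
        if (endpoint_matches(r.source, src) and endpoint_matches(r.destination, dst)
                and rproto in ("any", proto) and rport in (None, port)):
            return r.action, r.name
    return "deny", "implicit-default"
```

Adding a CIDR to GROUPS["web-tier"] changes what the policy allows without modifying any rule, so the policy's audited flag stays set, which is the point the slides make about dynamic objects.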
15. Firewall Insertion Types
    [Diagram: three insertion types, each placing a Q-Firewall between Quantum Networks: L2 insertion, L3 insertion and Bump-in-the-wire insertion; one variant combines a Q-Router with a Q-Firewall.]
    Q-Router - Quantum Logical Router Instance
    Q-Firewall - Quantum Logical Firewall Instance

16. Firewall Service attachment
    ● Service has one or more interfaces (number of interfaces depends on the service type)
    ● Each interface plugs into a Quantum port
    ● Plugging operations are performed by an interface driver (interface driver is specific to the Firewall technology)

17. Firewall Service Instances
    Base Service Definition:
    - service type
    - ingress/egress ports
    Firewall Service - Service Type:
    - one of [LB, FW, ...]
    - service insertion type [L2, L3, BITW, Tap]
    - vendor
    [Diagram: Firewall Service related to Firewall Instances with cardinality 1..*]

18. Havana Roadmap
    ● API, Resource and DB model implementation: https://blueprints.launchpad.net/quantum/+spec/quantum-fwaas
    ● Plugin integration
    ● Base firewall implementation/libraries
    ● CLI Support
    ● Horizon Support