Quantum - Firewall As A Service
Havana Design Summit, Portland, April 2013
Big Switch Networks (Sumit Naiksatam, Kanzhe Jiang, KC Wang, Mike Cohen)
● Offer rich security features of Firewalls to Quantum users
● Tenant facing abstractions - users consume services through a logical Firewall instance
● Will hide implementation and device management details from the users
● No assumptions about virtual or physical Firewalls
● Adhere to established audit workflows, avoid reinventing accepted definitions/conventions
● Model for a reasonable common denominator, allow for extensions
Use Case
[Diagram: a three-tier deployment. Web-Tier, Mid-Tier and Data-Tier are each fronted by a Firewall and Load Balancer, with Storage behind the Data-Tier. North-South traffic enters from the perimeter; East-West traffic flows between the tiers.]
Use Cases
- Multi-tier
- Firewalls fronting load balancers
- Perimeter Firewall
- Security Groups
- Need a unified way to define security
- Auditing
- Logging
- Firewall state enforcement
Resource Model
Firewalls - A logical instance of a firewall embodying a Firewall Policy
Firewall Policies - An ordered collection of Firewall Rules
Firewall Rules - N-tuple that generically models firewall rules
Entity Relationship
One Firewall -> One Firewall Policy
One Firewall Policy -> Many Firewall Rules
One Firewall Policy -> Many Firewalls (policies can be reused)
One Firewall Rule -> Many Firewall Policies (rules can be reused)
Workflow
- Firewall Rules are defined and a Firewall Policy is composed
- The Firewall Policy is audited (the audit process is not modeled here)
- The tenant creates a Firewall instance using the Firewall Policy
Existing Firewalls
Resource Model
Firewall Rules - Attributes
Core attributes: id, name, description, source, destination, action, service
Extension candidates: user, firewall service profile, logging, zones
Source and destination can point to raw IP addresses or grouping/dynamic/placeholder objects
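The resource model and workflow above, carried through as an added worked example (illustration code written for this page, not the Quantum FWaaS implementation and not Big Switch's code): rules are N-tuples whose source/destination may be a raw address/CIDR or a named group, a policy is an ordered list evaluated first-match with an implicit default deny, a firewall binds to exactly one audited policy, and one policy can be shared by several firewalls. The group names, CIDRs, service syntax ("tcp/8080"), the `audited` flag standing in for the unmodeled audit step, and the first-match/default-deny semantics are all assumptions of this example.

```python
"""Toy in-memory FWaaS resource model: Firewall -> Policy -> ordered Rules.
Illustration only; names, semantics and sample data are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed "grouping/placeholder objects" a rule may reference instead
# of a raw address. Names and members are made up for this example.
ADDRESS_GROUPS: Dict[str, List[str]] = {
    "web-tier": ["10.0.1.0/24"],
    "mid-tier": ["10.0.2.0/24"],
    "data-tier": ["10.0.3.0/24"],
}
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def resolve_endpoint(ref: Optional[str]) -> List[ipaddress.IPv4Network]:
    """None = any; a group name expands to its members; else parse as address/CIDR."""
    if ref is None:
        return [ANY_NET]
    if ref in ADDRESS_GROUPS:
        return [ipaddress.ip_network(n) for n in ADDRESS_GROUPS[ref]]
    return [ipaddress.ip_network(ref, strict=False)]


def parse_service(service: Optional[str]) -> Tuple[Optional[str], Optional[int]]:
    """'tcp/80' -> ('tcp', 80); 'icmp' -> ('icmp', None); None/'any' -> (None, None)."""
    if service is None or service == "any":
        return None, None
    proto, _, port = service.partition("/")
    return proto.lower(), (int(port) if port else None)


@dataclass(frozen=True)
class FirewallRule:
    """N-tuple built from the slide's core attributes."""
    id: str
    name: str
    action: str                        # "allow" or "deny"
    source: Optional[str] = None       # CIDR, address, group name, or None (any)
    destination: Optional[str] = None
    service: Optional[str] = None      # "tcp/8080", "udp/53", "icmp", "any"
    description: str = ""

    def __post_init__(self):
        if self.action not in ("allow", "deny"):
            raise ValueError("action must be allow or deny")
        resolve_endpoint(self.source)        # reject unresolvable references
        resolve_endpoint(self.destination)   # at definition time, not enforcement
        parse_service(self.service)

    def matches(self, src: str, dst: str, proto: str, port: Optional[int]) -> bool:
        s_ip, d_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not any(s_ip in n for n in resolve_endpoint(self.source)):
            return False
        if not any(d_ip in n for n in resolve_endpoint(self.destination)):
            return False
        want_proto, want_port = parse_service(self.service)
        if want_proto is not None and want_proto != proto.lower():
            return False
        return want_port is None or want_port == port


@dataclass
class FirewallPolicy:
    """Ordered rule collection: first match wins, nothing matched = deny."""
    id: str
    name: str
    rules: List[FirewallRule] = field(default_factory=list)
    audited: bool = False   # assumed stand-in for the audit outcome (not modeled on the slide)

    def insert_rule(self, rule: FirewallRule, position: Optional[int] = None) -> None:
        """Any change to the ordered rule set invalidates a previous audit."""
        if position is None:
            self.rules.append(rule)
        else:
            self.rules.insert(position, rule)
        self.audited = False

    def evaluate(self, src, dst, proto, port=None) -> Tuple[str, Optional[str]]:
        for rule in self.rules:
            if rule.matches(src, dst, proto, port):
                return rule.action, rule.id
        return "deny", None


@dataclass
class Firewall:
    """Logical firewall instance bound to exactly one (audited) policy."""
    id: str
    name: str
    policy: FirewallPolicy

    def __post_init__(self):
        if not self.policy.audited:
            raise ValueError(f"policy {self.policy.id} has not been audited")

    def evaluate(self, src, dst, proto, port=None):
        return self.policy.evaluate(src, dst, proto, port)


def build_demo() -> Tuple[Firewall, Firewall]:
    """Workflow: define rules, compose policy, audit, bind two firewalls to it."""
    r1 = FirewallRule("r1", "web-to-mid-app", "allow", "web-tier", "mid-tier", "tcp/8080")
    r2 = FirewallRule("r2", "web-to-mid-rest", "deny", "web-tier", "mid-tier")
    r3 = FirewallRule("r3", "dns-out", "allow", None, "10.0.0.53/32", "udp/53")
    policy = FirewallPolicy("p1", "mid-tier-ingress")
    for r in (r1, r2, r3):
        policy.insert_rule(r)
    policy.audited = True   # result of the audit step, which is external to this model
    return Firewall("fw1", "mid-fw-a", policy), Firewall("fw2", "mid-fw-b", policy)
```

Because the policy is shared by reference, both firewalls see a rule inserted later, and because insertion clears `audited`, a third firewall cannot be created from the modified policy until it is re-audited; that is the behaviour the "audit before instantiate" workflow implies.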
● Service has one or more interfaces (the number of interfaces depends on the service type)
● Each interface plugs into a Quantum port
● Plugging operations are performed by an interface driver (the interface driver is specific to the Firewall technology)
Firewall Service Instances
Base Service Definition:
- service type
- ingress/egress ports
Firewall Service
Service Type:
- one of [LB, FW, ...]
- service insertion type [L2, L3, BITW, Tap]
- vendor
Firewall Instances
Havana Roadmap
● API, Resource and DB model implementation: https://blueprints.launchpad.net/quantum/+spec/quantum-fwaas
● Plugin integration
● Base firewall implementation/libraries
● CLI Support
● Horizon Support