FWaaS German Eichberger Sridar Kandaswamy Vishwanath Jayaraman

Post on 20-Jan-2016


Page 1: FWaaS German Eichberger Sridar Kandaswamy Vishwanath Jayaraman

FWaaS

German Eichberger Sridar Kandaswamy Vishwanath Jayaraman

Page 2

Let’s get this started

Introduction

Team

Motivation

Objectives for Today

There is no demo at the end

Core dump of what the team has been doing

Connect with deployers and users

Roadmap

Page 3

Where is FWaaS today?

Support for Perimeter N – S Firewalling

Issues with DVR interaction for E – W traffic, so it is not applied on the namespaces used for E – W traffic.

Firewall can be associated with Router(s).

In retrospect, applying on Router interfaces makes more sense.

Not on VM ports, so no firewalling of VM – VM traffic

Intersect with Security Groups – there is some ongoing discussion.

No support to plug in to Service Chains, Containers, Provider Nets …

Page 4

API Evolution

Unified model to apply at different points in the network (Router Port, VM Port)

Managing interplay between admin enforcement and user defined rules

Grouping mechanisms (Address groups/Port Groups)

SG intersect

Page 5

DVR interaction E-W Firewalling

The DVR model routes on the local node and bridges on the remote node. This gives us an asymmetric scenario, and with it problems for connection tracking in the iptables implementation.

Options are to go through the IR on the remote node, or other models; both can impose a performance cost when FWaaS is configured.

Still early and in discussions with DVR team.

Page 6

Where some clarity is emerging

Moving from Routers to Router interfaces for perimeter use cases

Grouping models

Service Groups

Zones

Page 7

Zone Based Firewalls

Ordinary Firewalls:

● Ordinary firewall rule sets are applied on a per-interface basis
● Acts as a packet filter for the interface.

Zone Based Firewall:

● Interfaces are grouped into security zones
● Each interface in a zone has the same security level
● Packet-filtering policies are applied to traffic flowing between zones.
● Traffic flowing between interfaces that lie in the same zone is not filtered

Page 8

Zone Based Firewalls

Additional points related to Zone Based Firewall

● By default, all traffic coming into the router and originating from the router is allowed
● An interface can be associated with only one zone
● An interface that belongs to a zone cannot have a per-interface firewall rule set applied to it, and conversely
● Traffic between interfaces that do not belong to any zone flows unfiltered, and per-interface firewall rule sets can be applied to those interfaces.
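The zone rules on Pages 7 and 8 can be captured in a small policy evaluator. This is an added example written for these notes, not OpenStack or FWaaS code; interface names, zone names and the rule tuples are constructed, and two points the slides leave open (the verdict for inter-zone traffic with no matching rule, and traffic between a zoned and an unzoned interface) are marked as assumptions in the comments.

```python
from dataclasses import dataclass, field

ROUTER = "router"  # constructed name: traffic to/from the router itself (the "self" zone)

@dataclass
class ZoneFirewall:
    # rules are (protocol or "any", dst port or None for any, action); first match wins
    zone_of: dict = field(default_factory=dict)      # interface -> zone
    zone_policy: dict = field(default_factory=dict)  # (src zone, dst zone) -> rule list
    iface_rules: dict = field(default_factory=dict)  # interface -> rule list (unzoned only)

    def assign_zone(self, iface, zone):
        # An interface can be in only one zone, and a zoned interface cannot
        # also carry a per-interface rule set.
        if iface in self.zone_of or iface in self.iface_rules:
            raise ValueError(f"{iface} already zoned or has a per-interface rule set")
        self.zone_of[iface] = zone

    def set_iface_rules(self, iface, rules):
        # Conversely, an interface that belongs to a zone cannot get a per-interface rule set.
        if iface in self.zone_of:
            raise ValueError(f"{iface} belongs to zone {self.zone_of[iface]}")
        self.iface_rules[iface] = rules

    @staticmethod
    def _match(rules, proto, dport):
        for r_proto, r_port, action in rules:
            if r_proto in (proto, "any") and r_port in (dport, None):
                return action
        return None  # no rule matched

    def decide(self, in_iface, out_iface, proto, dport):
        if ROUTER in (in_iface, out_iface):
            return "allow"  # traffic into or originating from the router is allowed by default
        src, dst = self.zone_of.get(in_iface), self.zone_of.get(out_iface)
        if src is not None and dst is not None:
            if src == dst:
                return "allow"  # same zone: not filtered
            # Assumption: inter-zone traffic with no matching zone-pair rule is dropped.
            return self._match(self.zone_policy.get((src, dst), []), proto, dport) or "drop"
        # Interfaces outside any zone flow unfiltered unless a per-interface rule set
        # matches (assumption: the same applies when only one side is zoned).
        for iface in (in_iface, out_iface):
            verdict = self._match(self.iface_rules.get(iface, []), proto, dport)
            if verdict is not None:
                return verdict
        return "allow"
```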

Page 9

Some other generic cleanup that is needed

L3 Agent interactions for Observer hierarchy

More Test Coverage + move test in tree

FWaaS Gate setup

Page 10

Trello Board

https://trello.com/b/TIWf4dBJ/fwaas-usecase-categorization

Page 11

Component Design

API server (FWaaS)

API server (SG)

FWaaS Backend

Packet Filtering (e.g. dropping, rejecting, etc.) Plugin

FW insertion Plugin

Packet Capture Plugin

http://tinyurl.com/fwaas-component

Page 12

FWaaS API deprecated in Liberty

This doesn’t mean it’s going away immediately

But signals that this is being changed in the next cycle

Likely some Backward compatibility

Page 13

Roadmap

Mitaka N O

Enhance test coverage

API redesign
● Port based
● Can augment SecurityGroups
● IPTables based reference implementation
● Service Groups

Improve reference implementation
● Scalability
● HA

Zones

● SFC support
● Common classifiers
● Common backend for SG and FWaaS
● Pay off tech debt

Page 14

How to contribute
● Get a good IRC client. You’ll need it
  ○ Join #openstack-fwaas and introduce yourself :-)
● Attend the weekly IRC meetings
  ○ Wednesdays 18:30 UTC alternating with Thursdays 0:00 UTC
  ○ Agenda: https://wiki.openstack.org/wiki/Meetings/FWaaS
● File a bug/RfE for your idea - Then add it to the agenda…
  ○ It’s ok to only have a rough sketch of the idea and this is actually encouraged in the RfE
● Sign the Contributor’s license agreement (CLA)
  ○ Developer Certificate of Origin has been discussed as replacing the CLA
● Get familiar with Gerrit. Code review, write code, write documentation, help...
● Attend the midcycle!

Page 15

Q&A

Questions?