Quantum - Firewall As A Service
Havana Design Summit, Portland, April 2013
Big Switch Networks (Sumit Naiksatam, Kanzhe Jiang, KC Wang, Mike Cohen)
PayPal (Vinay Bannai, Anand Palanisamy)
VMware (Serge Maskalik, Kai-Wei, Aaron Rosen, Sachin Thakkar, Salvatore Orlando)
Palo Alto Networks (Marc Benoit)
Checkpoint (Tamir Zegman, Bob Hinden)
Dell (Rajesh Mohan)
Red Hat (Gary Kotton)
NTT (Nachi Ueno)
Cisco (Sridar Kandaswamy, Dan Florea)
Design doc: https://docs.google.com/document/d/1PJaKvsX2MzMRlLGfR0fBkrMraHYF0flvl0sqyZ704tA/edit
Session Etherpad: https://etherpad.openstack.org/Quantum_Firewall_As_A_Service
Goal and Guiding Principles
● Offer rich security features of Firewalls to Quantum users
● Tenant facing abstractions - users consume services through a logical Firewall instance
● Will hide implementation and device management details from the users
● No assumptions about virtual or physical Firewalls
● Adhere to established audit workflows, avoid reinventing accepted definitions/conventions
● Model for a reasonable common denominator, allow for extensions
Use Case
Diagram: a three-tier application (Web-Tier, Mid-Tier, Data-Tier, each fronted by a Firewall and Load Balancer) plus Storage, with North-South traffic entering from outside and East-West traffic flowing between tiers.
Use Cases
- Multi-tier
- Firewalls fronting load balancers
- Perimeter Firewall
- Security Groups
- Need a unified way to define security
- Auditing
- Logging
- Firewall state enforcement
Resource Model
Firewalls - A logical instance of a firewall embodying a Firewall Policy
Firewall Policies - An ordered collection of Firewall Rules
Firewall Rules - N-tuple that generically models firewall rules
Entity Relationship
One Firewall -> One Firewall Policy
One Firewall Policy -> Many Firewall Rules
One Firewall Policy -> Many Firewalls (policies can be reused)
One Firewall Rule -> Many Firewall Policies (rules can be reused)
Workflow
1. Firewall Rules are defined and a Firewall Policy is composed
2. Firewall Policy is audited (the audit process is not modeled here)
3. Tenant creates a Firewall instance using the Firewall Policy
Existing Firewalls
Resource Model
Firewall Rules - Attributes
Core attributes: id, name, description, source, destination, action, service
Extension candidates: user, firewall service profile, logging, zones
Source and destination can point to raw IP addresses or grouping/dynamic/placeholder objects
Firewall Policies - Attributes
Core attributes: id, name, description, firewall rules, audited, shared
Firewall rules: an ordered list of firewall rules
Firewall Instances - Attributes
Core attributes: id, name, description, firewall policy id, service type
Extension candidates: firewall rules blob
Dynamic and Grouping Objects
● Allow placeholders to be inserted into firewall rules
● Avoids having to audit firewall policies for dynamic tenant attributes
● Potentially avoids rule sprawl
● Commonly used for source and destination fields
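To make the resource model, the workflow and the placeholder idea concrete, here is an added Python sketch (not code from the Quantum project or the design doc): rules are N-tuples whose source/destination are either raw CIDRs or "@group" placeholders resolved at enforcement time, a policy is an ordered, audited list of rules, and one policy can back several firewall instances. The refusal to instantiate an unaudited policy, the first-match evaluation and the default-deny fallback are my assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class FirewallRule:   # N-tuple; source/destination are raw CIDRs or "@group" placeholders
    name: str
    source: str
    destination: str
    service: str      # e.g. "tcp/443", or "any"
    action: str       # "allow" or "deny"

@dataclass
class FirewallPolicy:
    name: str
    firewall_rules: list = field(default_factory=list)  # ordered; first match wins
    audited: bool = False
    shared: bool = False
@dataclass
class Firewall:       # one firewall -> exactly one policy
    name: str
    firewall_policy: FirewallPolicy
# Constructed grouping objects, resolved only when traffic is checked: changing
# membership never edits a rule, so the audited policy stays as it was approved.
GROUPS = {"@any": ["0.0.0.0/0"], "@web-tier": ["10.0.1.0/24"], "@mid-tier": ["10.0.2.0/24"]}

def resolve(endpoint):
    return [ip_network(c) for c in GROUPS.get(endpoint, [endpoint])]

def matches(rule, src, dst, service):
    in_src = any(ip_address(src) in net for net in resolve(rule.source))
    in_dst = any(ip_address(dst) in net for net in resolve(rule.destination))
    return in_src and in_dst and rule.service in ("any", service)

def create_firewall(name, policy):
    # Workflow step 3. Refusing an unaudited policy is my assumption, not in the deck.
    if not policy.audited:
        raise ValueError(f"policy {policy.name!r} has not been audited")
    return Firewall(name, policy)

def evaluate(fw, src, dst, service):
    # First matching rule decides; no match means deny (assumed default).
    for rule in fw.firewall_policy.firewall_rules:
        if matches(rule, src, dst, service):
            return rule.action
    return "deny"

# Rules are reused across policies; a shared policy can back several firewall instances.
allow_https = FirewallRule("web-https", "@any", "@web-tier", "tcp/443", "allow")
allow_db = FirewallRule("mid-to-data", "@mid-tier", "10.0.3.0/24", "tcp/5432", "allow")
deny_all = FirewallRule("default-deny", "@any", "@any", "any", "deny")
edge_policy = FirewallPolicy("edge", [allow_https, deny_all], audited=True, shared=True)
data_policy = FirewallPolicy("data", [allow_db, deny_all], audited=True)
```

Appending a subnet to `GROUPS["@web-tier"]` widens what `allow_https` covers without touching `edge_policy`, which is exactly the "no re-audit for dynamic tenant attributes" property the slide describes.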
Firewall Insertion Types
Diagram: three insertion types are shown between Quantum Networks: L3 insertion, L2 insertion and bump-in-the-wire insertion, each placing a Q-Firewall (in one panel a Q-Router + Q-Firewall) in the path.
Q-Router - Quantum Logical Router Instance
Q-Firewall - Quantum Logical Firewall Instance
Firewall Service attachment
● Service has one or more interfaces (the number of interfaces depends on the service type)
● Each interface plugs into a Quantum port
● The plugging operation is performed by an interface driver (the interface driver is specific to the Firewall technology)
Firewall Service Instances
Diagram: a Firewall Service (1) is associated with many (*) Firewall Instances.
Base Service Definition:
- service type
- ingress/egress ports
Service Type:
- one of [LB, FW, ...]
- service insertion type [L2, L3, BITW, Tap]
- vendor
Havana Roadmap
● API, Resource and DB model implementation: https://blueprints.launchpad.net/quantum/+spec/quantum-fwaas
● Plugin integration
● Base firewall implementation/libraries
● CLI Support
● Horizon Support