Slide 1: FWaaS
German Eichberger, Sridar Kandaswamy, Vishwanath Jayaraman
Slide 2: Let’s get this started
● Introduction
  ○ Team
  ○ Motivation
● Objectives for today
  ○ There is no demo at the end
  ○ Core dump of what the team has been doing
  ○ Connect with deployers and users
  ○ Roadmap
Slide 3: Where is FWaaS today?
● Support for perimeter N-S firewalling
● Issues with DVR interaction for E-W traffic, so the firewall is not applied on namespaces for E-W
● A firewall can be associated with router(s). In retrospect, applying it on router interfaces makes more sense.
● Not on VM ports, so no firewalling of VM-VM traffic
● Intersects with Security Groups; there is some ongoing discussion
● No support to plug in to service chains, containers, provider nets, ...
Slide 4: API Evolution
● Unified model to apply at different points in the network (router port, VM port)
● Managing the interplay between admin enforcement and user-defined rules
● Grouping mechanisms (address groups / port groups)
● SG intersect
Slide 5: DVR interaction
● E-W firewalling model is routing on the local node and bridging on the remote node.
● We have an asymmetric scenario and issues with connection tracking in the iptables implementation.
● Options: go through the IR on the remote node, or other models that can impose a performance cost when FWaaS is configured.
● Still early and in discussions with the DVR team.
Slide 6: Where some clarity is emerging
● Moving from routers to router interfaces for perimeter use cases
● Grouping models
  ○ Service groups
  ○ Zones
Slide 7: Zone Based Firewalls
● Ordinary firewalls:
  ○ Ordinary firewall rule sets are applied on a per-interface basis
  ○ The rule set acts as a packet filter for the interface
● Zone based firewall:
  ○ Interfaces are grouped into security zones
  ○ Each interface in a zone has the same security level
  ○ Packet-filtering policies are applied to traffic flowing between zones
  ○ Traffic flowing between interfaces that lie in the same zone is not filtered
Slide 8: Zone Based Firewalls
Additional points related to zone based firewalls:
● By default, all traffic coming into the router and originating from the router is allowed
● An interface can be associated with only one zone
● An interface that belongs to a zone cannot have a per-interface firewall rule set applied to it, and conversely
● Traffic between interfaces that do not belong to any zone flows unfiltered, and per-interface firewall rule sets can be applied to those interfaces
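The zone semantics on the last two slides, as an added example that is not from the deck and not Neutron or FWaaS code: a small Python model that enforces the one-zone-per-interface and no-per-interface-rule-set-on-a-zone-member invariants, and decides whether a flow is filtered by a zone-pair policy, passes unfiltered (intra-zone, unzoned, or to/from the router), or hits a per-interface rule set. Interface and zone names are made up, and the default-deny for an unconfigured zone pair is an assumption the slides do not state.

```python
# Constructed model of the zone-based semantics on the slides (not Neutron/FWaaS code).
ROUTER = "router"  # sentinel for traffic originating from or terminating at the router

class ZoneFirewall:
    def __init__(self):
        self.zones = {}        # zone name -> set of interface names
        self.iface_rules = {}  # interface -> action of its per-interface rule set
        self.policies = {}     # (src_zone, dst_zone) -> action for that zone pair

    def zone_of(self, iface):
        return next((z for z, members in self.zones.items() if iface in members), None)

    def add_to_zone(self, zone, iface):
        # One zone per interface, and no per-interface rule set on a zone member.
        if iface in self.iface_rules:
            raise ValueError(f"{iface} has a per-interface rule set")
        current = self.zone_of(iface)
        if current not in (None, zone):
            raise ValueError(f"{iface} already belongs to zone {current}")
        self.zones.setdefault(zone, set()).add(iface)

    def set_interface_rules(self, iface, action):
        # Conversely, a zone member cannot take a per-interface rule set.
        if self.zone_of(iface) is not None:
            raise ValueError(f"{iface} is a member of zone {self.zone_of(iface)}")
        self.iface_rules[iface] = action

    def set_zone_policy(self, src_zone, dst_zone, action):
        self.policies[(src_zone, dst_zone)] = action

    def decide(self, in_iface, out_iface):  # -> (action, reason) for a packet in_iface -> out_iface
        if ROUTER in (in_iface, out_iface):
            return "allow", "traffic to/from the router itself is allowed by default"
        src, dst = self.zone_of(in_iface), self.zone_of(out_iface)
        if src is None and dst is None:  # unzoned: only per-interface rule sets apply
            for iface in (in_iface, out_iface):
                if iface in self.iface_rules:
                    return self.iface_rules[iface], f"per-interface rule set on {iface}"
            return "allow", "both interfaces unzoned: unfiltered"
        if src == dst:
            return "allow", f"intra-zone ({src}) traffic is not filtered"
        # Assumption (not on the slides): an unconfigured zone pair, including zoned -> unzoned, is default-deny.
        return self.policies.get((src, dst), "drop"), f"zone-pair policy {src}->{dst}"

def demo():
    fw = ZoneFirewall()
    for zone, iface in [("inside", "eth1"), ("inside", "eth2"), ("outside", "eth0")]:
        fw.add_to_zone(zone, iface)
    fw.set_zone_policy("inside", "outside", "allow")  # nothing configured for the return direction
    return {f: fw.decide(*f)[0] for f in
            [("eth1", "eth2"), ("eth1", "eth0"), ("eth0", "eth1"), ("eth3", "eth4"), (ROUTER, "eth0")]}
```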
Slide 9: Some other generic cleanup that is needed
● L3 agent interactions for the observer hierarchy
● More test coverage + move tests in tree
● FWaaS gate setup
Slide 10: Trello Board
https://trello.com/b/TIWf4dBJ/fwaas-usecase-categorization
Slide 11: Component Design
● API server (FWaaS)
● API server (SG)
● FWaaS backend
● Plugins:
  ○ Packet filtering plugin (e.g. dropping, rejecting, etc.)
  ○ FW insertion plugin
  ○ Packet capture plugin
Diagram: http://tinyurl.com/fwaas-component
Slide 12: FWaaS API deprecated in Liberty
● This doesn’t mean it’s going away immediately
● But it signals that this is being changed in the next cycle
● Likely some backward compatibility
Slide 13: Roadmap (Mitaka, N, O)
Enhance test coverage
API redesign
  ● Port based
  ● Can augment Security Groups
  ● iptables based reference implementation
  ● Service groups
Improve reference implementation
  ● Scalability
  ● HA
Zones
  ● SFC support
  ● Common classifiers
  ● Common backend for SG and FWaaS
  ● Pay off tech debt
Slide 14: How to contribute
● Get a good IRC client. You’ll need it
  ○ Join #openstack-fwaas and introduce yourself :-)
● Attend the weekly IRC meetings
  ○ Wednesdays 18:30 UTC alternating with Thursdays 0:00 UTC
  ○ Agenda: https://wiki.openstack.org/wiki/Meetings/FWaaS
● File a bug/RfE for your idea, then add it to the agenda…
  ○ It’s OK to only have a rough sketch of the idea; this is actually encouraged in the RfE
● Sign the Contributor License Agreement (CLA)
  ○ The Developer Certificate of Origin has been discussed as a replacement for the CLA
● Get familiar with Gerrit. Code review, write code, write documentation, help...
● Attend the midcycle!
Slide 15: Q&A
Questions?