Quantum Firewall as a Service, OpenStack Havana Design Summit, Portland 2013
1. Quantum - Firewall As A Service
Havana Design Summit, Portland, April 2013
Big Switch Networks (Sumit Naiksatam, Kanzhe Jiang, KC Wang, Mike Cohen)
PayPal (Vinay Bannai, Anand Palanisamy)
VMware (Serge Maskalik, Kai-Wei, Aaron Rosen, Sachin Thakkar, Salvatore Orlando)
Palo Alto Networks (Marc Benoit)
Checkpoint (Tamir Zegman, Bob Hinden)
Dell (Rajesh Mohan)
Red Hat (Gary Kotton)
NTT (Nachi Ueno)
Cisco (Sridar Kandaswamy, Dan Florea)
Design doc: https://docs.google.com/document/d/1PJaKvsX2MzMRlLGfR0fBkrMraHYF0flvl0sqyZ704tA/edit
Session Etherpad: https://etherpad.openstack.org/Quantum_Firewall_As_A_Service
2. Goal and Guiding Principles
● Offer rich security features of Firewalls to Quantum users
● Tenant facing abstractions - users consume services through a logical Firewall instance
● Will hide implementation and device management details from the users
● No assumptions about virtual or physical Firewalls
● Adhere to established audit workflows, avoid reinventing accepted definitions/conventions
● Model for a reasonable common denominator, allow for extensions
5. Use Cases
- Multi-tier
- Firewalls fronting load balancers
- Perimeter Firewall
- Security Groups
- Need a unified way to define security
- Auditing
- Logging
- Firewall state enforcement
6. Resource Model
Firewalls - A logical instance of a firewall embodying a Firewall Policy
Firewall Policies - An ordered collection of Firewall Rules
Firewall Rules - N-tuple that generically models firewall rules
7. Entity Relationship
One Firewall -> One Firewall Policy
One Firewall Policy -> Many Firewall Rules
One Firewall Policy -> Many Firewalls (policies can be reused)
One Firewall Rule -> Many Firewall Policies (rules can be reused)
8. Workflow
Firewall Rules are defined and a Firewall Policy is composed
Firewall Policy is audited (the audit process is not modeled here)
Tenant creates a Firewall instance using the Firewall Policy
11. Firewall Rules - Attributes
Core attributes: id, name, description, source, destination, action, service
Extension candidates: user, firewall service profile, logging, zones
Source and destination can point to raw IP addresses or grouping/dynamic/placeholder objects
12. Firewall Policies - Attributes
Core attributes: id, name, description, firewall rules, audited, shared
Firewall rules: an ordered list of firewall rules
13. Firewall Instances - Attributes
Core attributes: id, name, description, firewall policy id, service type
Extension candidates: firewall rules blob
14. Dynamic and Grouping Objects
● Allow placeholders to be inserted into firewall rules
● Avoids having to audit firewall policies for dynamic tenant attributes
● Potentially avoids rules sprawl
● Commonly used for source and destination fields
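The resource model, entity relationships, workflow and attribute slides above describe the Firewall / Firewall Policy / Firewall Rule objects and the role of grouping objects in words. The following is an added example, not code from the design deck or from the Quantum project: an in-memory Python sketch of those resources that enforces one policy per firewall, lets one audited policy be shared by several firewalls and one rule by several policies, clears the audited flag when a policy's rule list changes, and resolves an address-group placeholder at evaluation time so that growing the group does not require re-auditing the policy. The implicit default deny, first-match evaluation, the `tcp/443`-style service strings and every id and address are assumptions made for this example.

```python
# Added example, not code from the design deck or from Quantum: an in-memory
# sketch of the Firewall / Firewall Policy / Firewall Rule resources, grouping
# (placeholder) objects and the define -> audit -> create workflow.
import ipaddress
import itertools
from dataclasses import dataclass, field

_counter = itertools.count(1)

def new_id():
    return f"id-{next(_counter)}"   # constructed ids; a real service issues UUIDs

class AddressGroup:
    """Grouping/dynamic object: a named CIDR set a rule references instead of
    raw addresses; membership may change after the policy has been audited."""

    def __init__(self, name, cidrs=()):
        self.id, self.name = new_id(), name
        self.cidrs = {ipaddress.ip_network(c) for c in cidrs}

def address_matches(obj, ip):
    # obj is "any", a CIDR string, or an AddressGroup placeholder.
    ip = ipaddress.ip_address(ip)
    if obj == "any":
        return True
    if isinstance(obj, AddressGroup):
        return any(ip in net for net in obj.cidrs)
    return ip in ipaddress.ip_network(obj)

@dataclass
class FirewallRule:
    # Core attributes from the deck: id, name, description, source,
    # destination, service, action (user, logging and zones left out).
    name: str
    source: object
    destination: object
    service: str            # e.g. "tcp/443" or "any" (assumed encoding)
    action: str             # "allow" or "deny"
    description: str = ""
    id: str = field(default_factory=new_id)

    def matches(self, src_ip, dst_ip, service):
        return (address_matches(self.source, src_ip)
                and address_matches(self.destination, dst_ip)
                and self.service in ("any", service))

class FirewallPolicy:
    """Ordered list of rules plus the audited and shared flags."""

    def __init__(self, name, rules=(), shared=False, description=""):
        self.id, self.name, self.description = new_id(), name, description
        self.shared, self.audited = shared, False
        self.firewall_rules = list(rules)   # order is significant

    def insert_rule(self, rule, index=None):
        # Any change to the rule list invalidates a previous audit.
        self.firewall_rules.insert(len(self.firewall_rules) if index is None else index, rule)
        self.audited = False

    def mark_audited(self):
        self.audited = True

    def evaluate(self, src_ip, dst_ip, service):
        # First match wins; no match falls through to an implicit deny (assumption).
        for rule in self.firewall_rules:
            if rule.matches(src_ip, dst_ip, service):
                return rule.action, rule.id
        return "deny", None

class Firewall:
    """Logical firewall instance: exactly one policy, which must be audited."""

    def __init__(self, name, policy, service_type="FW", description=""):
        if not policy.audited:
            raise ValueError(f"policy {policy.name!r} has not been audited")
        self.id, self.name, self.description = new_id(), name, description
        self.firewall_policy_id, self.service_type = policy.id, service_type
        self._policy = policy

    def check(self, src_ip, dst_ip, service):
        return self._policy.evaluate(src_ip, dst_ip, service)

def workflow_demo():
    """Define rules, compose a shared policy, audit it, create two firewalls."""
    web_tier = AddressGroup("web-tier", ["10.0.1.0/24"])        # constructed data
    allow_https = FirewallRule("allow-https", "any", web_tier, "tcp/443", "allow")
    deny_ssh = FirewallRule("deny-ssh", "any", "any", "tcp/22", "deny")
    policy = FirewallPolicy("perimeter", [deny_ssh, allow_https], shared=True)
    policy.mark_audited()
    fw_a = Firewall("tenant-a-edge", policy)     # one policy reused by two firewalls
    fw_b = Firewall("tenant-b-edge", policy)
    before = fw_a.check("198.51.100.7", "10.0.2.9", "tcp/443")   # host not yet in group
    web_tier.cidrs.add(ipaddress.ip_network("10.0.2.0/24"))     # group grows, no re-audit
    after = fw_b.check("198.51.100.7", "10.0.2.9", "tcp/443")
    internal = FirewallPolicy("internal", [deny_ssh])           # same rule reused
    return {"before": before[0], "after": after[0], "audited": policy.audited,
            "same_policy": fw_a.firewall_policy_id == fw_b.firewall_policy_id,
            "rule_reused": deny_ssh in internal.firewall_rules}
```

Calling `workflow_demo()` walks the deck's workflow end to end: the first check is denied because the destination is outside the `web-tier` group, the second is allowed after the group is extended, and `policy.audited` stays true throughout because the rule list itself never changed. Creating a `Firewall` from a policy that has not been audited raises, which is the place a real implementation would hook its audit workflow.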
16. Firewall Service attachment
● Service has one or more interfaces (the number of interfaces depends on the service type)
● Each interface plugs into a Quantum port
● The plugging operation is performed by an interface driver (the interface driver is specific to the Firewall technology)
17. Firewall Service Instances
[Diagram: Base Service Definition (service type; ingress/egress ports), specialized by Firewall Service. Service Type: one of [LB, FW, ...]; service insertion type [L2, L3, BITW, Tap]; vendor. Firewall Service relates to Firewall Instances (drawn as one-to-many).]
18. Havana Roadmap
● API, Resource and DB model implementation: https://blueprints.launchpad.net/quantum/+spec/quantum-fwaas
● Plugin integration
● Base firewall implementation/libraries
● CLI Support
● Horizon Support