Chapter 3. Securing OpenStack Networking
OpenStack, like any other software, has to treat certain assumptions as though they were true. This is necessary to develop flexible software quickly. On the other side of the coin, this approach endangers the security of the software. In the case of OpenStack, there is a single assumption that can trash your security measures.
Note
OpenStack fully trusts each node of the cluster.
As we have seen in the Hypervisor breakout section in Chapter 2, OpenStack Security Challenges, this exposes all the data and resources in the cluster if someone obtains access to a machine in the cluster. The hypervisor breakout is not the only case in which this can happen, and it is rare. The most common way of exploiting that assumption is a network attack in which the attacker is able to use an insecure network to gain access to more data than they should.