Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Software-Defined Networking (SDN) with OpenStack

You're reading from   Software-Defined Networking (SDN) with OpenStack Leverage the best SDN technologies for your OpenStack-based cloud infrastructure

Arrow left icon
Product type Paperback
Published in Oct 2016
Publisher
ISBN-13 9781786465993
Length 216 pages
Edition 1st Edition
Arrow right icon
Authors (2):
Arrow left icon
Sriram Subramanian Sriram Subramanian
Author Profile Icon Sriram Subramanian
Sriram Subramanian
Sreenivas Voruganti Sreenivas Voruganti
Author Profile Icon Sreenivas Voruganti
Sreenivas Voruganti
Arrow right icon
View More author details
Toc

Table of Contents (11) Chapters Close

Preface 1. OpenStack Networking in a Nutshell FREE CHAPTER 2. Introduction to Software-Defined Networking 3. SDN Protocols 4. SDN Networking with Open vSwitch 5. Getting Started with OpenDaylight 6. Using OpenDaylight with OpenStack 7. Getting Started with OpenContrail 8. OpenContrail Networking with OpenStack 9. Open Network Operating System (ONOS) 10. OVN and Open vSwitch Enhancements

Securing network traffic in OpenStack

The security of network traffic is critical, and OpenStack supports two mechanisms to secure network traffic. Security Groups allow traffic within a tenant's network to be secured. Linux iptables on the compute nodes are used to implement OpenStack security groups.

The traffic that goes outside of a tenant's network, to another network or the Internet, is secured using the OpenStack firewall service functionality. Like routing, firewall is a service with Neutron. The firewall service also uses iptables, but the scope of iptables is limited to the OpenStack router used as part of the firewall service.

The following diagram describes at a high level how iptables are used to secure network traffic:

Securing network traffic in OpenStack

In this network diagram, the VM instances are connected to the Virtual Switch using tap-interface. The security group's rules to allow or deny data traffic are mapped to iptables rules on the compute nodes. The iptables rules operate on these tap-interface to ensure that traffic is allowed or blocked as per the configured rules.

Using security groups to secure traffic within a network

In order to secure traffic going from one VM to another within a given network, we must create a security group. The command to create a security group is as follows:

Using security groups to secure traffic within a network

The next step is to create one or more rules within the security group. As an example, let us create a rule which allows only UDP, incoming traffic on port 8080 from any source IP address:

Using security groups to secure traffic within a network

The final step is to associate this security group and the rules to a virtual machine instance. We will use the nova boot command for this:

Using security groups to secure traffic within a network

Once the virtual machine instance has a security group associated with it, the incoming traffic will be monitored and depending upon the rules inside the security group, data traffic may be blocked or permitted to reach the virtual machine.

Tip

It is possible to block ingress or egress traffic using security groups.

Using firewall service to secure traffic

We have seen that security groups provide a fine grain control over what traffic is allowed to and from a virtual machine instance. Another layer of security supported by OpenStack is Firewall as a Service (FWaaS). FWaaS enforces security at the router level, whereas security groups enforce security at a virtual-machine-interface level.

The main use case of FWaaS is to protect all virtual machine instances within a network from threats and attacks from outside the network. This could be virtual machines part of another network in the same OpenStack cloud or some entity in the Internet trying to perform an unauthorized access.

Let's now see how FWaaS is used in OpenStack. In FWaaS, a set of firewall rules is grouped into a firewall policy and then a firewall is created that implements one policy at a time. This firewall is then associated to a router.

A firewall rule can be created using the neutron firewall-rule-create command, as follows:

Using firewall service to secure traffic

This rule blocks the ICMP protocol so applications such as Ping will be blocked by the firewall. The next step is to create a firewall policy. In real-world scenarios, the security administrators will define several rules and consolidate them under a single policy. For example, all rules that block various types of traffic can be combined into a single policy. The command to create a firewall policy is as follows:

Using firewall service to secure traffic

The final step is to create a firewall and associate it with a router. The command to do this is as follows:

Using firewall service to secure traffic

In the preceding command, we did not specify any routers and the OpenStack behavior is to associate the firewall (and in turn the policy and rules) to all the routers available for that tenant. The neutron firewall-create command supports an option to pick a specific router as well.

You have been reading a chapter from
Software-Defined Networking (SDN) with OpenStack
Published in: Oct 2016
Publisher:
ISBN-13: 9781786465993
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime