Securing network traffic in OpenStack
The security of network traffic is critical, and OpenStack supports two mechanisms to secure it. Security groups secure traffic within a tenant's network; they are implemented with Linux iptables on the compute nodes.
Traffic that leaves a tenant's network, for another network or the Internet, is secured using the OpenStack firewall service. Like routing, the firewall is a service provided by Neutron. The firewall service also uses iptables, but here the scope of the iptables rules is limited to the OpenStack router on which the firewall service operates.
The following diagram describes at a high level how iptables are used to secure network traffic:
In this network diagram, the VM instances are connected to the virtual switch through tap interfaces. The security group rules that allow or deny traffic are mapped to iptables rules on the compute nodes, and those iptables rules operate on the tap interfaces to ensure that traffic is allowed or blocked as configured.
Using security groups to secure traffic within a network
In order to secure traffic going from one VM to another within a given network, we must create a security group. The command to create a security group is as follows:
The next step is to create one or more rules within the security group. As an example, let us create a rule that allows only incoming UDP traffic on port 8080 from any source IP address:
The final step is to associate this security group and its rules with a virtual machine instance. We will use the nova boot command for this:
Once a security group is associated with the instance, incoming traffic is checked against the rules in the group and is blocked or permitted to reach the virtual machine accordingly.
Tip
Security groups can restrict ingress as well as egress traffic.
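The three steps above (create the group, add the rule, boot an instance with the group) as one script, added here as an example rather than taken from the book. It uses the legacy neutron and nova CLIs the text refers to; the names web-sg, web-vm, m1.small, cirros and NET_ID_PLACEHOLDER are assumed placeholders, and the iptables check at the end assumes the OVS hybrid firewall driver, which keys its rules to the instance's tap device with a physdev match. By default (DRY_RUN=1) the commands are only printed, so the script can be read and checked without an OpenStack cloud.

```shell
#!/bin/sh
# Added example, not from the original page: security-group procedure with the
# legacy neutron/nova CLIs.  All resource names are assumed placeholders.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them on a host
# with an authenticated OpenStack CLI.
DRY_RUN="${DRY_RUN:-1}"

run() {
    printf '+ %s\n' "$1"
    [ "$DRY_RUN" = "1" ] || sh -c "$1"
}

# Step 1: the group.  Arguments: name description.
# A new group denies all ingress until rules are added to it.
sg_create_cmd() {
    echo "neutron security-group-create --description \"$2\" $1"
}

# Step 2: a single-port rule.  Arguments: group direction protocol port prefix.
# Generalises the page's ingress UDP/8080 example to either direction and to
# tcp/udp/icmp; for icmp the port-range flags are omitted, because Neutron
# interprets them as ICMP type and code rather than ports.
sg_rule_cmd() {
    group=$1; direction=$2; proto=$3; port=$4; prefix=$5
    case $direction in
        ingress|egress) ;;
        *) echo "direction must be ingress or egress, got '$direction'" >&2; return 1 ;;
    esac
    case $proto in
        tcp|udp) ports="--port-range-min $port --port-range-max $port " ;;
        icmp)    ports="" ;;
        *) echo "unsupported protocol '$proto'" >&2; return 1 ;;
    esac
    echo "neutron security-group-rule-create --direction $direction --protocol $proto ${ports}--remote-ip-prefix $prefix $group"
}

# Step 3: attach the group when the instance boots.
# Arguments: vm-name group flavor image net-id.
boot_cmd() {
    echo "nova boot --flavor $3 --image $4 --nic net-id=$5 --security-groups $2 $1"
}

# Walk through the page's scenario: UDP/8080 inbound from any source.
SG=web-sg
run "$(sg_create_cmd "$SG" 'web tier: only UDP 8080 inbound')"
run "$(sg_rule_cmd "$SG" ingress udp 8080 0.0.0.0/0)"
run "$(boot_cmd web-vm "$SG" m1.small cirros NET_ID_PLACEHOLDER)"

# Check on the compute node hosting web-vm: the rule should now appear as an
# iptables rule keyed to the instance's tap device (physdev match is an
# assumption about the OVS hybrid driver; verify against your driver).
run "sudo iptables -S | grep -E 'physdev.*tap'"
```

The 0.0.0.0/0 prefix reproduces the page's "any source IP address"; narrowing --remote-ip-prefix, or using --remote-group-id so that only members of another security group may connect, is the least-privilege choice for anything that is not a public service.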
Using firewall service to secure traffic
We have seen that security groups provide fine-grained control over the traffic allowed to and from a virtual machine instance. Another layer of security supported by OpenStack is Firewall as a Service (FWaaS). FWaaS enforces security at the router level, whereas security groups enforce it at the virtual machine interface level.
The main use case of FWaaS is to protect all virtual machine instances within a network from threats and attacks originating outside the network, whether from virtual machines on another network in the same OpenStack cloud or from some entity on the Internet attempting unauthorized access.
Let's now see how FWaaS is used in OpenStack. In FWaaS, a set of firewall rules is grouped into a firewall policy, and a firewall is then created that implements one policy at a time. This firewall is then associated with a router.
A firewall rule can be created using the neutron firewall-rule-create command, as follows:
This rule blocks the ICMP protocol, so applications such as ping will be blocked by the firewall. The next step is to create a firewall policy. In real-world scenarios, security administrators define several rules and consolidate them under a single policy; for example, all rules that block various types of traffic can be combined into one policy. The command to create a firewall policy is as follows:
The final step is to create a firewall and associate it with a router. The command to do this is as follows:
In the preceding command, we did not specify any routers; in that case OpenStack associates the firewall (and in turn its policy and rules) with all the routers available to that tenant. The neutron firewall-create command also supports an option to pick a specific router.
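The FWaaS procedure (rule, then policy, then firewall) as one script, added here as an example and not taken from the book. It uses the legacy neutron CLI the text refers to and also shows the router-scoping option the last paragraph mentions; deny-icmp, allow-web, block-policy, tenant-fw and router1 are assumed placeholders. By default (DRY_RUN=1) the commands are only printed.

```shell
#!/bin/sh
# Added example, not from the original page: FWaaS rule -> policy -> firewall
# with the legacy neutron CLI.  All resource names are assumed placeholders.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    printf '+ %s\n' "$1"
    [ "$DRY_RUN" = "1" ] || sh -c "$1"
}

# Arguments: name action protocol [destination-port] [source-prefix].
fw_rule_cmd() {
    name=$1; action=$2; proto=$3; port=${4:-}; src=${5:-}
    case $action in
        allow|deny|reject) ;;
        *) echo "action must be allow, deny or reject, got '$action'" >&2; return 1 ;;
    esac
    case $proto in
        tcp|udp|icmp|any) ;;
        *) echo "protocol must be tcp, udp, icmp or any, got '$proto'" >&2; return 1 ;;
    esac
    if [ "$proto" = icmp ] && [ -n "$port" ]; then
        echo "an icmp rule cannot carry a destination port" >&2; return 1
    fi
    cmd="neutron firewall-rule-create --name $name --action $action --protocol $proto"
    [ -n "$port" ] && cmd="$cmd --destination-port $port"
    [ -n "$src" ] && cmd="$cmd --source-ip-address $src"
    echo "$cmd"
}

# Arguments: policy-name rule...   The rule list is ordered and is the order in
# which the firewall evaluates the rules, so list the more specific ones first.
fw_policy_cmd() {
    policy=$1; shift
    [ $# -gt 0 ] || { echo "a policy needs at least one rule" >&2; return 1; }
    echo "neutron firewall-policy-create --firewall-rules \"$*\" $policy"
}

# Arguments: firewall-name policy [router...]   With no router given, Neutron
# binds the firewall to every router of the tenant, as the text notes; each
# router passed here becomes a --router option so the scope is explicit.
fw_create_cmd() {
    fw=$1; policy=$2; shift 2
    routers=""
    for r in "$@"; do routers="$routers --router $r"; done
    echo "neutron firewall-create --name $fw$routers $policy"
}

# The page's scenario (block ICMP) plus one allow rule, combined in a single
# policy and bound to a single router rather than all of the tenant's routers.
run "$(fw_rule_cmd deny-icmp deny icmp)"
run "$(fw_rule_cmd allow-web allow tcp 443 203.0.113.0/24)"
run "$(fw_policy_cmd block-policy deny-icmp allow-web)"
run "$(fw_create_cmd tenant-fw block-policy router1)"

# Confirm which router(s) the firewall is actually bound to before relying on it.
run "neutron firewall-show tenant-fw"
```

Passing the router explicitly matters on shared tenants: without it the firewall, and therefore every rule in the policy, lands on all of the tenant's routers, which is rarely what a policy written for one network edge intended.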