Integrating Network Virtualization Security in OpenStack Deployments
Pere Monclus Oct 18th, 2012
The Role of Networking in building Secure Public/Private Clouds
Networking Dilemma
Provide Connectivity (default open)
Prevent Unwanted Connectivity (default closed)
A matter of Policy
Why so hard? (part 1)
Midsize Enterprise Network diagram (Cisco SAFE guides)
WHERE to apply Security Policies is harder than Connectivity
The approach to Security
Designing Network Security: adding Security as a self-contained element
Designing Secure Networks: incorporating Security from the beginning
Network Security is a System !!
Why so hard? (part 2)
Business Needs → Risk Analysis → Security Policies → Security System
The problem doesn’t start at Network Security …
… yet it is often expected to be solved by a Network Service
And… what about Cloud?
Each tenant (Tenant 1, Tenant 2, Tenant 3) runs its own chain: Business Needs → Risk Analysis → Security Policies → Security System
The Public / Private Cloud provider runs the same chain for its own Infrastructure Guarantees
Users / Tenants on one side, Infrastructure Guarantees on the other: the provider ends up with a superset of requirements
Cloud Provider: Tenant Isolation
Tenant 1, Tenant 2 and Tenant 3 share one Cloud Provider Infrastructure with Internet access
The provider must deliver Isolation, Multitenancy, Self Provisioning and Cloud Services while retaining Provider Control
Tenant: Networking Application Isolation
Two tenant subnets, 10.0.1.0/24 and 10.0.2.0/24, each hosting VMs
Inbound/Outbound policies
Interface attached network security policies
Services: FW, VPN, IPS, UTM, …
Is this the right model in a virtual world?
What is Isolation? What SLA are we willing to sign up to?
• Subnet separation?
• Security rules?
• Security services (FW/IPS/UTM/…)
• Tenant Inbound/Outbound enforcement?
• …
• Network separation? Physical? Virtual?
• Transit Policies?
• Data Leakage?
• Physical Placement?
• Traffic confidentiality?
• ...
Tenant owns? Provider owns?
• Enforcement points? Common/Separate? New types?
• How to merge policies? Policy definition vs. Policy Rendering? Proper workflows?
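One way to make the "how to merge policies" and "interface attached policies" questions concrete, as an added example that is not part of the slides: a small evaluator that applies a provider-level policy and a tenant-level policy to the same VM interface. The rule format, the precedence used to merge the two layers (provider deny first, then tenant first-match, then default closed) and the sample flows are all illustrative assumptions, not OpenStack's own semantics.

```python
# Added example, not from the slides: evaluate interface-attached
# inbound/outbound policies when a provider-level policy and a tenant-level
# policy both apply to one VM port. Rule format, merge precedence and the
# sample flows are illustrative assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in" (toward the VM) or "out" (from the VM)
    proto: str                   # "tcp", "udp", "icmp" or "any"
    remote: str                  # CIDR the remote endpoint must fall into
    dport: Optional[int] = None  # destination port, None means any


@dataclass(frozen=True)
class Flow:
    direction: str
    proto: str
    remote_ip: str
    dport: Optional[int] = None


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every field of the rule covers the flow."""
    if rule.direction != flow.direction:
        return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if ip_address(flow.remote_ip) not in ip_network(rule.remote):
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def evaluate(provider_rules: List[Rule], tenant_rules: List[Rule], flow: Flow) -> str:
    """Merge the two policy layers for one interface.

    Assumed precedence: a provider 'deny' is checked first and cannot be
    overridden by the tenant; tenant rules are then applied first-match;
    a flow nothing allows is dropped (default closed).
    """
    for rule in provider_rules:
        if rule.action == "deny" and matches(rule, flow):
            return "deny:provider"
    for rule in tenant_rules:
        if matches(rule, flow):
            return "allow:tenant" if rule.action == "allow" else "deny:tenant"
    return "deny:default"


# Constructed sample policies for a VM on 10.0.1.0/24 (Tenant 1).
PROVIDER_RULES = [
    Rule("deny", "in", "any", "10.0.2.0/24"),      # keep Tenant 2's subnet out
    Rule("deny", "out", "tcp", "0.0.0.0/0", 25),   # provider-wide SMTP block
]
TENANT_RULES = [
    Rule("allow", "in", "tcp", "0.0.0.0/0", 443),  # public HTTPS service
    Rule("allow", "in", "any", "10.0.1.0/24"),     # intra-tenant traffic
    Rule("allow", "out", "any", "0.0.0.0/0"),      # unrestricted egress
]


def decisions(flows: List[Flow]) -> List[str]:
    return [evaluate(PROVIDER_RULES, TENANT_RULES, f) for f in flows]


if __name__ == "__main__":
    sample = [
        Flow("in", "tcp", "203.0.113.10", 443),  # Internet client to HTTPS
        Flow("in", "tcp", "203.0.113.10", 22),   # Internet client to SSH
        Flow("in", "tcp", "10.0.2.5", 443),      # Tenant 2 VM to HTTPS
        Flow("out", "tcp", "198.51.100.7", 25),  # VM sending mail
        Flow("out", "tcp", "198.51.100.7", 80),  # VM fetching a web page
    ]
    for flow, verdict in zip(sample, decisions(sample)):
        print(flow, "->", verdict)
```

The third flow is the interesting one: the tenant's own rule would admit HTTPS from anywhere, but the provider's isolation rule wins, which is the property a tenant-isolation SLA has to state explicitly.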
Security Life Cycle
What about?
• System Monitoring and Maintenance
• Compliance Checks
• Incident Response
• Forensics / Visibility / Analysis tools
Who owns that?
How do we cross from Provider to Tenant and still provide simple operational models?
Network security and OpenStack
OpenStack Quantum Model (* from the Quantum Admin guide; Quantum is the OpenStack Networking service, renamed Neutron in 2013)
Cloud Controller Node: Quantum server, alongside the Compute and Storage services; Quantum acts as the Network Controller
Network Node(s): quantum-*-plugin-agent, quantum-l3-agent, quantum-dhcp-agent
Compute Node(s): quantum-*-plugin-agent
Management Network: connects the controller, network and compute nodes
Data Network: carries tenant VM traffic between compute and network nodes
Physical Network (nodes and links) vs. Virtual Network (what Quantum exposes to tenants)
OpenStack Network Types
Physical Network: Physical Ports (Servers), VLANs, Flat Network; exposed as Provider Networks
Virtual Network: Virtual Ports (VMs), Linux Bridges, Local Network, Overlays; exposed as Tenant Networks
Tenant Networks appear on both sides of the line, since they can be VLAN-backed or overlay-backed
Spoofing/MitM v2.0 (Provider Worries)
Can I compromise/impersonate a VM/Server/Port?
• How to prevent the provisioning of a rogue Server
• How to prevent the provisioning of a rogue VM
• How to prevent the provisioning of a rogue Port / Taps
But… if it happens:
• How to prevent the ‘connectivity’ of a rogue Server / VM / Port to a physical or logical network
* Leaving aside the separate discussion of securing the Cloud Controller itself
Application Policy Management (Tenant Worries)
In a Virtual environment:
• Policy definition
• Policy Rendering
• Policy Enforcement
• Security Services Offering (Virtual Appliances)
Identity and Location to the rescue
Understanding the linkage between Physical and Virtual
Understanding the linkage between Identity and Address
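The two linkages above, and the rogue VM/Port worries of the Spoofing/MitM slide, can be turned into one enforcement point on the hypervisor's virtual switch. The following is an added example and not code from the slides or from OpenStack: each virtual port (the identity) is bound to its MAC/IP addresses and to the compute host the controller placed it on, and frames a VM emits that break either binding are dropped. Port ids, host names, addresses, the frame fields and the DHCP special cases are illustrative assumptions.

```python
# Added example, not from the slides: a port-security filter that ties each
# virtual port (identity) to its addresses and to the host it was placed on,
# and drops frames from a VM that break either linkage. Port ids, hosts,
# addresses, frame fields and the DHCP handling are illustrative assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class PortBinding:
    port_id: str
    host: str               # compute node the controller scheduled the port to
    mac: str
    ips: FrozenSet[str]     # addresses the port is allowed to source


@dataclass(frozen=True)
class Frame:
    port_id: str            # virtual switch port the frame arrived on
    host: str               # compute node whose switch saw it
    src_mac: str
    ethertype: str          # "ip" or "arp"
    src_ip: str             # IP source, or ARP sender protocol address
    proto: str = ""         # "udp", "tcp", "icmp" for ip frames
    sport: int = 0
    dport: int = 0


def filter_frame(bindings: Dict[str, PortBinding], frame: Frame) -> str:
    """Return 'pass...' or 'drop:<reason>' for a frame leaving a VM port."""
    binding = bindings.get(frame.port_id)
    if binding is None:
        return "drop:unknown-port"           # never provisioned by the controller
    if frame.host != binding.host:
        return "drop:wrong-host"             # identity seen where it was not placed
    if frame.src_mac.lower() != binding.mac.lower():
        return "drop:mac-spoof"
    if frame.ethertype == "ip":
        if frame.proto == "udp" and frame.sport == 67:
            return "drop:rogue-dhcp-server"  # a VM must not answer DHCP
        if frame.src_ip == "0.0.0.0" and frame.proto == "udp" and frame.dport == 67:
            return "pass:dhcp-discover"      # unaddressed VM asking for a lease
        if frame.src_ip not in binding.ips:
            return "drop:ip-spoof"
        return "pass"
    if frame.ethertype == "arp":
        if frame.src_ip not in binding.ips:
            return "drop:arp-spoof"          # e.g. claiming the gateway's address
        return "pass"
    return "drop:unsupported-ethertype"


# Constructed bindings, as the controller would hand them to each hypervisor.
BINDINGS = {
    "port-a": PortBinding("port-a", "compute-1", "fa:16:3e:00:00:0a", frozenset({"10.0.1.10"})),
    "port-b": PortBinding("port-b", "compute-1", "fa:16:3e:00:00:0b", frozenset({"10.0.1.11"})),
}


def verdicts(frames: List[Frame]) -> List[str]:
    return [filter_frame(BINDINGS, f) for f in frames]


if __name__ == "__main__":
    sample = [
        Frame("port-a", "compute-1", "fa:16:3e:00:00:0a", "ip", "10.0.1.10", "tcp", 40000, 443),
        Frame("port-a", "compute-1", "fa:16:3e:00:00:0a", "ip", "10.0.1.11", "tcp", 40000, 443),
        Frame("port-a", "compute-1", "fa:16:3e:00:00:0b", "ip", "10.0.1.10", "tcp", 40000, 443),
        Frame("port-a", "compute-1", "fa:16:3e:00:00:0a", "arp", "10.0.1.1"),
        Frame("port-a", "compute-1", "fa:16:3e:00:00:0a", "ip", "0.0.0.0", "udp", 68, 67),
        Frame("port-a", "compute-1", "fa:16:3e:00:00:0a", "ip", "10.0.1.10", "udp", 67, 68),
        Frame("port-a", "compute-2", "fa:16:3e:00:00:0a", "ip", "10.0.1.10", "tcp", 40000, 443),
        Frame("port-z", "compute-1", "fa:16:3e:00:00:ff", "ip", "10.0.1.99", "tcp", 40000, 443),
    ]
    for frame, verdict in zip(sample, verdicts(sample)):
        print(frame.port_id, frame.ethertype, frame.src_ip, "->", verdict)
```

The host check is what the Physical/Virtual linkage buys: a port that shows up on a compute node the controller never placed it on is treated as rogue even when its addresses are correct. The DHCP cases are the caveat a real deployment has to get right, since a VM without an address legitimately sources 0.0.0.0 while a VM answering on port 67 is a rogue DHCP server.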
Multisite Clouds
Physical/Virtual and Identity/Address expand across Datacenters
Possible steps to integrate Security in OpenStack
• Service Insertion (choke points at the Operator and Tenant level): Physical Appliances, Virtual Appliances, Distributed Appliances
• New policy capabilities: applied at the VM interface level (the definition-rendering problem), identity based
• Proper articulation of Virtual/Physical bindings
• Cloud Controller workflows for security
• Discussion on where to apply/attach global policies
• What SLAs and Certifications will the Tenants expect?
Conclusion
• No easy answer to Security
• Blurring the line between Virtual and Physical networks brings many additional challenges and OPPORTUNITIES
• Centralized control structures concentrate risk, since a compromised controller reaches everything it manages; they need proper workflows
• Incorporate Security from the early stages; it is difficult to bolt it on later