Technical Solution Brief
Micro-segmentation for OpenStack Clouds
Powered by PLUMgrid Open Networking Suite
What is Micro-segmentation?
Micro-segmentation is the ability to create arbitrary logical security segments (down to the granularity of an individual workload)
and to apply policies to and among those segments.
Traditional perimeter security proves inefficient (and fundamentally broken) in an environment dominated by East-West traffic,
as most cloud deployments are: it provides no internal security and no protection to or from individual workloads, and it is
quite hard to automate.
Software Defined Networks, with the presence of a software data plane in each compute node, enable a new distributed
security enforcement model.
Micro-segmentation hence provides:
• workload isolation at both the virtual and physical level (whether for compliance or for simple separation of environments
such as DevTest)
• segmentation of portions of the same logical tenant infrastructure (e.g. web, app and DB tiers) without having to rely on
external security appliances
• automated definition of security segments and enforcement of policies
Micro-segmentation does not preclude using the distributed security framework together with the insertion and chaining of
service appliances; on the contrary, it enables a stronger insertion model in which the multi-tenant context is carried to the
appliance itself.
What This Does for OpenStack Users?
Micro-segmentation gives users of an OpenStack cloud a security framework that is simple to automate, persistent and ubiquitous,
and that can be easily extended and customized to satisfy application needs. A cloud environment needs the ability to define
policies outside of network constructs (IP addresses) or infrastructure-specific policies (mapping to an L2 segment), and instead
to be aware of specific applications and their dynamic, high-density nature.
www.plumgrid.com
PPS224_v1.0_0316
1/6
©2016 PLUMgrid, Inc. All rights reserved.
How is PLUMgrid Implementing This in OpenStack?
PLUMgrid brings highly-scalable and distributed micro-segmentation to OpenStack environments through the following
components.
[Figure: Securing Virtual Network Infrastructure; planes: Management Plane, Control Plane, Data Plane; components: Virtual Domains, Service VDs, Security Policies, Service Insertion]
Virtual Domains
A Virtual Domain provides a per-tenant logical data center. This is the foundational building block of the multi-tenancy and
isolation of workloads among each other and from the physical infrastructure.
Virtual Domains for Projects
Virtual Domains map to the networking of a project within OpenStack. This creates complete network isolation between
tenants as well as implicit isolation of unconnected workload entities (e.g. a VM is isolated from everything until it is properly
classified into a project/network).
Project Creation
When a project is created in OpenStack, a corresponding Virtual Domain is created by PLUMgrid. Virtual Domains are
rendered within the kernel of every host where workloads that belong to that Virtual Domain are present.
[Figure: the demo Virtual Domain]
> keystone tenant-create --name demo --description "Demo Tenant"
> keystone user-create --name demo --tenant demo --pass demouser --email [email protected]
Bridge — A virtual isolated network / subnet
After a Virtual Domain / project is set up, we proceed to create a network that will provide L2 connectivity to workloads. On
the PLUMgrid side this corresponds to a bridge, a virtual switch VNF to which workloads can be connected. In addition to the
bridge VNF, a DHCP VNF, which maps to the subnet in OpenStack, is typically created.
[Figure: the demo Virtual Domain containing demo-net with demo-subnet]
> neutron net-create demo-net
> neutron subnet-create demo-net --name demo-subnet --gateway 192.168.1.1 192.168.1.0/24
Classification
Workloads can now be created and attached to this bridge / network. If a virtual interface is not attached to a bridge, no
communication is possible. Once a virtual interface is associated with a bridge, a virtual port is created and all packets are
subject to a security policy which maps to security groups in OpenStack. Classification associates a workload virtual interface
with a specific bridge.
Security Policies / Edge Policy Enforcement Points
All packets traversing the Virtual Domain through a workload virtual interface, or crossing between Virtual Domains, are subject
to security policy on the PLUMgrid side. Security policies map to security groups in OpenStack. These security policies are
implemented as a distributed network function within the IO Visor kernel modules of every host where the workloads for a
Virtual Domain are present.
[Figure: the demo Virtual Domain; the instance is classified onto demo-net / demo-subnet and its virtual interface is subject to the security policy]
> nova boot --flavor m1.tiny --image cirros0.3.4-x86_64 --nic net-id=demo-net --security-group default demo-instance1
Isolation between VMs here is complete and security groups are applied to each workload virtual interface.
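As an added illustration (not PLUMgrid code or the brief's own), the following Python model captures the rules the procedure above establishes: an unclassified interface cannot communicate, Virtual Domains are mutually isolated, and the ingress policy on each virtual interface is keyed on security-group membership rather than on IP address or host, so it survives a migration. The Vif and Rule types, the web/app/db group names and the compute node names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Vif:
    name: str
    vd: str                         # owning Virtual Domain (maps to the OpenStack project)
    bridge: Optional[str] = None    # None until classified onto a network / bridge
    groups: set = field(default_factory=set)   # security groups bound to this VIF
    host: str = "compute-1"         # compute node the workload currently runs on

@dataclass
class Rule:
    group: str             # security group (ingress side) this rule belongs to
    proto: str             # 'tcp', 'udp' or 'icmp'
    port: Optional[int]    # destination port, None = any
    remote_group: str      # the source must be a member of this group

def permitted(src: Vif, dst: Vif, proto: str, port: Optional[int], rules) -> bool:
    """Decide whether a packet from src to dst is allowed by the VIF-level policy."""
    if src.bridge is None or dst.bridge is None:   # unclassified VIFs are fully isolated
        return False
    if src.vd != dst.vd:                           # Virtual Domains are isolated from each other
        return False
    # Evaluate ingress rules on the destination VIF. Identity is group membership,
    # never an IP address or a host, so the decision is unchanged after a migration.
    return any(r.group in dst.groups and r.proto == proto
               and r.port in (None, port) and r.remote_group in src.groups
               for r in rules)

def three_tier_demo():
    """Constructed sample: web -> app -> db tiers in one tenant, plus an unrelated tenant."""
    rules = [Rule("app-sg", "tcp", 8080, "web-sg"),   # only the web tier may reach app:8080
             Rule("db-sg", "tcp", 5432, "app-sg")]    # only the app tier may reach db:5432
    web = Vif("web1", "demo", "demo-net", {"web-sg"})
    app = Vif("app1", "demo", "demo-net", {"app-sg"})
    db = Vif("db1", "demo", "demo-net", {"db-sg"})
    other = Vif("x1", "other-tenant", "other-net", {"web-sg"})  # same group name, other VD
    new = Vif("new1", "demo")                                    # booted, not yet classified
    results = {
        "web->app:8080": permitted(web, app, "tcp", 8080, rules),
        "web->db:5432": permitted(web, db, "tcp", 5432, rules),
        "app->db:5432": permitted(app, db, "tcp", 5432, rules),
        "other->app:8080": permitted(other, app, "tcp", 8080, rules),
        "new->app:8080": permitted(new, app, "tcp", 8080, rules),
    }
    app.host = "compute-7"   # live-migrate the app tier; the policy follows the VIF
    results["web->app after migration"] = permitted(web, app, "tcp", 8080, rules)
    return results
```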
[Figure: the demo Virtual Domain with two networks, demo-net / demo-subnet and demo-net-2 / demo-subnet-2]
Service Virtual Domains
A Service Virtual Domain is a concept unique to PLUMgrid. It’s a logical Virtual Domain owned and managed by the cloud
operator and can be used for applying common security services and policies for east-west traffic across multiple tenants and
to/from the external world.
The external network uses a service Virtual Domain to map connectivity from the physical external networks to the tenant
Virtual Domains. This allows tenants to use a shared network to map external networks and IP addresses back to the tenant
Virtual Domain while maintaining tenant isolation up to the external network.
[Figure: a Service Virtual Domain connecting the External Network to Tenant 1 VD and Tenant 2 VD]
In this example the NAT VNF is being used to translate from the tenant private virtual network to a shared network routable IP.
The basic default security policies are displayed here to show where policy enforcement takes place.
Security Policies
PLUMgrid security groups and policies can be applied on a wide range of parameters on ingress and egress traffic of users, VMs,
containers, applications and more. Security policies can be defined and applied dynamically, per tenant, to ensure customized
protection.
Security policies map to security groups in OpenStack. When a workload is created in OpenStack, along with its corresponding
virtual interface, the default security group in OpenStack is applied. These policies are implemented within the IO Visor kernel
module and are a property of the virtual interface, so they follow the workload regardless of which compute node it
is running on. PLUMgrid security policies have capabilities (e.g. reverse flow) which security groups in the OpenStack Neutron
API have not yet implemented. Security policy can also be applied to intra-Virtual Domain links in addition to workload virtual
interfaces. Since security policy is defined in groups, a large number of virtual interfaces can easily be covered by a single group
policy.
[Figure: an example of security groups between Virtual Domains and on all VM interfaces; a Shared Internet Operator Domain and a Shared Management Operator Domain are connected to a Tenant Virtual Domain]
Service Insertion
PLUMgrid's Service Insertion Architecture enables seamless insertion of third-party network security components, such as F5,
Palo Alto Networks and Check Point, as Firewall-as-a-Service in a tenant Virtual Domain.
Service Insertion in its simplest form is a workload VM with at least two interfaces on two separate networks. The workload
creates a link between these two networks. Security groups can still be applied if needed. Both free/open and commercial VMs
have been used to implement routers, firewalls and load balancers within and between Virtual Domains.
[Figure: service insertion; a Service Virtual Domain connects the External Network to Tenant 1 VD and Tenant 2 VD, and an External Appliance is attached to the Virtual Domains]
Service Insertion also facilitates the insertion of external physical appliances, typically firewalls and load balancers.
A secondary Virtual Domain is created to capture the external ports which connect the Virtual Domain to the physical
appliance via the gateway. Certain mappings, such as the physical-to-virtual connections between external VLANs and the
gateways and the service and external-appliance Virtual Domains, are under the control of the cloud operator via a combination
of OpenStack and PLUMgrid APIs. The connectors on the tenant Virtual Domain are under the tenant's control. This allows an
operator to set up the physical appliances and their connections to the gateways so that tenants can consume the external
physical appliance.
How is This Different From the OpenStack Implementation?
▶ PLUMgrid's micro-segmentation is based on a fully distributed solution that enforces security at the ingress and egress of
the cloud infrastructure (e.g. in the kernel of each hypervisor).
▶ Isolation is intrinsic to the creation of a Virtual Domain and the onboarding of VMs into it. Isolation is implicit within the Virtual
Domain as well as between tenants.
▶ Packets are never punted to a user-space slow path nor to a central network node to enforce security. The security VNF lives
entirely in the data plane, in the kernel IO Visor, and is fully distributed.
▶ Security policies are neither IP- nor topology-based, and they follow the VMs throughout a mobility event.
▶ The solution is based on IO Visor, not on iptables (which leads to better scalability properties).
▷ Other solutions end up "compiling" security policies into ACL or flow-based entries. State explodes very quickly.
▷ With IO Visor there is no rule compilation, no new flow redirects and no flow setup overhead.
▶ PLUMgrid also provides the ability to establish and enforce security policies at the Service Virtual Domain level.
PLUMgrid is a leader of secure and scalable software-defined networking (SDN) solutions for OpenStack® clouds.
To learn more about PLUMgrid visit: http://www.plumgrid.com/contact-us/