Technical Solution Brief
Micro-segmentation for OpenStack Clouds Powered by PLUMgrid Open Networking Suite

What is Micro-segmentation?

Micro-segmentation is the ability to create arbitrary logical security segments (down to the granularity of an individual workload) and to apply policies to and among each segment. Traditional perimeter security is inefficient (and fundamentally broken) in an environment dominated by East-West traffic, as most cloud deployments are: it provides no internal security, no protection to or from individual workloads, and it is hard to automate. Software Defined Networks, with a software data plane present in each compute node, enable a new distributed security enforcement model.

Micro-segmentation hence provides:
• workload isolation at both the virtual and the physical level (whether for compliance or for simple separation of environments such as Dev/Test)
• segmentation of portions of the same logical tenant infrastructure (e.g. web, app and DB tiers) without having to rely on external security appliances
• automation of the definition of security segments and of the enforcement of policies

Micro-segmentation does not preclude using the distributed security framework together with the insertion and chaining of service appliances. It strengthens the insertion model, and the multi-tenant context is carried to the appliance itself.

What Does This Do for OpenStack Users?

Micro-segmentation provides users of an OpenStack cloud with a security framework that is simple to automate, persistent and ubiquitous, and that can be easily extended and customized to satisfy application needs. A cloud environment needs the ability to define policies outside of network constructs (IP addresses) or infrastructure-specific constructs (a mapping to an L2 segment), and instead to be aware of specific applications and their dynamic, high-density nature.

www.plumgrid.com PPS224_v1.0_0316 1/6 ©2016 PLUMgrid, Inc. All rights reserved.
How is PLUMgrid Implementing This in OpenStack?

PLUMgrid brings highly scalable, distributed micro-segmentation to OpenStack environments through the following components.

[Figure: Securing Virtual Network Infrastructure. Planes: Management Plane, Control Plane, Data Plane. Components: Virtual Domains, Service VDs, Security Policies, Service Insertion.]

Virtual Domains

A Virtual Domain provides a per-tenant logical data center. It is the foundational building block for multi-tenancy and for isolating workloads from each other and from the physical infrastructure.

Virtual Domains for Projects

Virtual Domains map to the networking of a project within OpenStack. This creates complete network isolation between tenants as well as implicit isolation of unconnected workload entities (e.g. a VM is isolated from everything until it is properly classified into a project/network).

Project Creation

When a project is created in OpenStack, a corresponding Virtual Domain is created by PLUMgrid. Virtual Domains are rendered within the kernel of every host where workloads belonging to that Virtual Domain are present.

[Figure: an empty Virtual Domain for the new project]

> keystone tenant-create --name demo --description "Demo Tenant"
> keystone user-create --name demo --tenant demo --pass demouser --email [email protected]

Bridge — A virtual isolated network / subnet

After a Virtual Domain / Project is set up, we create a network which provides L2 connectivity to workloads. On the PLUMgrid side this corresponds to a bridge, a virtual switch VNF to which workloads can be connected. In addition to the bridge VNF, a DHCP VNF, which maps to the subnet in OpenStack, is typically created.
[Figure: Virtual Domain containing the bridge demo-net with subnet demo-subnet]

> neutron net-create demo-net
> neutron subnet-create demo-net --name demo-subnet --gateway 192.168.1.1 192.168.1.0/24

Classification

Workloads can now be created and attached to this bridge / network. If a virtual interface is not attached to a bridge, no communication is possible. Once a virtual interface is associated with a bridge, a virtual port is created and all packets are subject to a security policy which maps to security groups in OpenStack. Classification is what associates a workload virtual interface with a specific bridge.

Security Policies / Edge Policy Enforcement Points

All packets traversing the Virtual Domain through a workload virtual interface, or crossing between Virtual Domains, are subject to security policy on the PLUMgrid side. Security policies map to security groups in OpenStack. They are implemented as a distributed network function within the IO Visor kernel modules of every host where the workloads for a Virtual Domain are present.

[Figure: Virtual Domain with demo-net / demo-subnet, a classified workload and its Security Policy]

> nova boot --flavor m1.tiny --image cirros0.3.4-x86_64 --nic net-id=demo-net --security-group default demo-instance1

(Note that the nova CLI's --nic net-id= option takes the network UUID returned by neutron net-create; the network name is used above for readability.)

Isolation between VMs here is complete, and security groups are applied to each workload virtual interface.

[Figure: Virtual Domain with two isolated networks, demo-net / demo-subnet and demo-net-2 / demo-subnet-2]

Service Virtual Domains

A Service Virtual Domain is a concept unique to PLUMgrid. It is a logical Virtual Domain owned and managed by the cloud operator, and can be used to apply common security services and policies to east-west traffic across multiple tenants and to traffic to and from the external world. The external network uses a Service Virtual Domain to map connectivity from the physical external networks to the tenant Virtual Domains.
This allows tenants to use a shared network to map external networks and IP addresses back to the tenant Virtual Domain while maintaining tenant isolation all the way to the external network.

[Figure: Service Virtual Domain connecting the External Network to Tenant 1 VD and Tenant 2 VD]

In this example the NAT VNF is used to translate from the tenant's private virtual network to a routable IP on the shared network. The basic default security policies are displayed to show where policy enforcement takes place.

Security Policies

PLUMgrid security groups and policies can be applied on a wide range of parameters to the ingress and egress traffic of users, VMs, containers, applications and more. Security policies can be defined and applied dynamically, per tenant, to ensure customized protection. Security policies map to security groups in OpenStack. When a workload is created in OpenStack, the OpenStack default security group is applied to its corresponding virtual interface. These policies are implemented within the IO Visor kernel module and are a property of the virtual interface, so they follow the workload regardless of which compute node it runs on. PLUMgrid security policies have capabilities (e.g. reverse flow) which security groups in the OpenStack Neutron API have not yet implemented. Security policy can also be applied to intra-Virtual Domain links in addition to workload virtual interfaces. Since security policy is defined in groups, a large number of virtual interfaces can be covered by a single group policy.

[Figure: Shared Internet Operator Domain, Shared Management Operator Domain and a Tenant Virtual Domain. An example of security groups between Virtual Domains and on all VM interfaces.]
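The enforcement model described above (classification gating, security groups as a property of the virtual interface, reverse-flow handling, and policy that follows a migrated workload) can be made concrete with a small simulation. The Python below is an added example written for this page; it is not PLUMgrid or OpenStack code. It models Neutron-style security-group semantics (additive allow rules, remote CIDR or remote group matching, the default group) on a single bridge, assumes no router VNF between bridges, and uses a constructed three-tier tenant and constructed flows. Real enforcement happens in the IO Visor kernel module, not in user space.

```python
"""Toy model of per-VIF, distributed security-group enforcement.

Policy is a property of the virtual interface (VIF), not of the host or the
IP address, so it is evaluated the same way wherever the workload runs.
All objects, rules and flows in this file are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One security-group rule: a direction plus optional match fields."""
    direction: str                      # "ingress" or "egress", relative to the VIF
    proto: Optional[str] = None         # None = any protocol
    port: Optional[int] = None          # destination port; None = any
    remote_cidr: Optional[str] = None   # match the remote IP against a prefix
    remote_group: Optional[str] = None  # match the remote VIF's group membership


@dataclass
class Vif:
    name: str
    ip: str
    host: str
    bridge: Optional[str]   # None = not yet classified into a network
    groups: frozenset


# Mirrors the OpenStack default group: egress anywhere, ingress only from "default" members.
DEFAULT_SG = {"default": (Rule("egress"), Rule("ingress", remote_group="default"))}


class Enforcer:
    """Edge policy enforcement point: checked at the source VIF (egress) and the
    destination VIF (ingress), with a connection table for reverse flows."""

    def __init__(self, policies, vifs):
        self.policies = {**DEFAULT_SG, **policies}
        self.vifs = {v.name: v for v in vifs}
        self.conntrack = set()  # (src_ip, dst_ip, proto, dport) of forwarded flows

    def _matches(self, rule, remote, proto, port):
        if rule.proto is not None and rule.proto != proto:
            return False
        if rule.port is not None and rule.port != port:
            return False
        if rule.remote_cidr and ip_address(remote.ip) not in ip_network(rule.remote_cidr):
            return False
        if rule.remote_group and rule.remote_group not in remote.groups:
            return False
        return True

    def _permits(self, vif, direction, remote, proto, port):
        # Security groups are additive allow-lists: any matching rule permits the packet.
        return any(
            rule.direction == direction and self._matches(rule, remote, proto, port)
            for group in vif.groups
            for rule in self.policies.get(group, ())
        )

    def forward(self, src_name, dst_name, proto, dport, sport):
        """Decide the fate of one packet from the src VIF to the dst VIF."""
        src, dst = self.vifs[src_name], self.vifs[dst_name]
        # Classification: a VIF not attached to a bridge cannot talk to anything.
        if src.bridge is None or dst.bridge is None:
            return "drop:unclassified"
        # This toy has no router VNF, so distinct bridges have no path between them.
        if src.bridge != dst.bridge:
            return "drop:no-path"
        # Reverse flow: a reply to a flow already forwarded is accepted without
        # requiring an explicit ingress rule on the original sender.
        if (dst.ip, src.ip, proto, sport) in self.conntrack:
            return "allow:reverse-flow"
        if not self._permits(src, "egress", dst, proto, dport):
            return "drop:egress"
        if not self._permits(dst, "ingress", src, proto, dport):
            return "drop:ingress"
        self.conntrack.add((src.ip, dst.ip, proto, dport))
        return "allow"

    def migrate(self, name, new_host):
        """Live migration: the VIF, and therefore its policy, moves with the workload."""
        self.vifs[name].host = new_host


def demo_enforcer():
    """Constructed three-tier tenant on one bridge (demo-net, 192.168.1.0/24)."""
    policies = {
        "web": (Rule("egress"), Rule("ingress", "tcp", 22, remote_cidr="192.168.1.0/24")),
        "app": (Rule("egress"), Rule("ingress", "tcp", 8080, remote_group="web")),
        "db": (Rule("egress"), Rule("ingress", "tcp", 5432, remote_group="app")),
    }
    vifs = [
        Vif("web", "192.168.1.10", "compute-1", "demo-net", frozenset({"web"})),
        Vif("app", "192.168.1.20", "compute-2", "demo-net", frozenset({"app"})),
        Vif("db", "192.168.1.30", "compute-3", "demo-net", frozenset({"db"})),
        Vif("stray", "192.168.1.40", "compute-1", None, frozenset({"default"})),
    ]
    return Enforcer(policies, vifs)
```

Running the demo, web can reach app on 8080 and app can reach db on 5432, but web to db on 5432 is dropped at db's ingress check; the reply app sends back to web is accepted as a reverse flow even though web has no ingress rule for it; the unclassified VIF can neither send nor receive; and moving app to another host changes nothing about the verdict, because the groups are bound to the VIF rather than to the host.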
Service Insertion

PLUMgrid's Service Insertion Architecture enables seamless insertion of third-party network security components, such as F5, Palo Alto Networks and Check Point, as Firewall-as-a-Service in a tenant Virtual Domain. Service Insertion in its simplest form is a workload VM with at least two interfaces on two separate networks; the workload creates a link between these two networks. Security groups can still be applied if needed. Both free/open and commercial VMs have been used to implement routers, firewalls and load balancers within and between Virtual Domains.

[Figure: Service Virtual Domain with an External Network and an External Appliance serving Tenant 1 VD and Tenant 2 VD; a second panel shows an External Appliance linking two Virtual Domains]

Service Insertion also facilitates the insertion of external physical appliances, typically firewalls and load balancers. A secondary Virtual Domain is created to capture the external ports which connect the Virtual Domain to the physical appliance via the gateway. Certain mappings, such as the physical-to-virtual connections between external VLANs and the gateways, and between the service and external-appliance Virtual Domains, are under the control of the cloud operator via a combination of OpenStack and PLUMgrid APIs. The connectors on the tenant Virtual Domain are under the tenant's control. This allows an operator to set up the physical appliances and their connections to the gateways, and then permit tenants to consume the external physical appliance.

How is This Different From the OpenStack Implementation?

▶ PLUMgrid's micro-segmentation is a fully distributed solution that enforces security at the ingress and egress of the cloud infrastructure (i.e. in the kernel of each hypervisor).
▶ Isolation is intrinsic to the creation of the Virtual Domain and the onboarding of VMs into it. Isolation is implicit within the Virtual Domain as well as between tenants.
▶ Packets are never punted to a user-space slow path nor to a central network node to enforce security. The security VNF lives entirely in the data plane, in the IO Visor kernel module, and is fully distributed.
▶ Security policies are neither IP- nor topology-based, and they follow the VMs through a mobility event.
▶ The solution is based on IO Visor, not on iptables, which gives it better scalability properties.
  ▷ Other solutions end up "compiling" security policies into ACL or flow-based entries, and that state grows very quickly.
  ▷ With IO Visor there is no rule compilation, no new-flow redirect and no flow-setup overhead.
▶ PLUMgrid also provides the ability to establish and enforce security policies at the Service Virtual Domain level.

PLUMgrid is a leader in secure and scalable software-defined networking (SDN) solutions for OpenStack® clouds. To learn more about PLUMgrid visit: http://www.plumgrid.com/contact-us/