Quantum Security Groups Session

Dave Lapsley
@davlaps
http://slidesha.re/HQvDTk
http://etherpad.openstack.org/quantum-folsom
Session Goals

• Introduction to Nova Security Groups
• Proposal:
  – Move Security Groups from Nova to Quantum
• Discussion:
  – Provider Firewalling
  – Access Control Lists
  – Other
Proposal: move Security Groups from Nova to Quantum

Naturally fit within network API
Allow plugins to implement them in a compatible way
Features and Use Cases
Nova Security Groups
•   Collection of network access rules that
    specify what traffic is allowed to ingress a VM
•   Associated with a VM at startup
    – If Security Group not specified, VM belongs to
      default Security Group which allows traffic from all
      other members of the group
•   A VM can be associated with many Security
    Groups
•   Security Rule specifies:
    – Source of traffic (IP subnet in CIDR notation, or
      another security group)
    – Protocol (TCP, UDP, ICMP)
    – Destination port on VM
Security Group Command Line

EC2                    Openstack Nova
euca-add-group         secgroup-add-group-rule
euca-authorize         secgroup-add-rule
euca-delete-group      secgroup-create
euca-describe-group    secgroup-delete
euca-describe-groups   secgroup-delete-group-rule
                       secgroup-delete-rule
                       secgroup-list
                       secgroup-list-rules
Example

Openstack

$ nova secgroup-create mygroup description
+---------+-------------+
|  Name   | Description |
+---------+-------------+
| mygroup | description |
+---------+-------------+
$ nova secgroup-add-rule mygroup tcp 22 22 192.168.1.0/24
+-------------+-----------+---------+----------------+--------------+
| IP Protocol | From Port | To Port |    IP Range    | Source Group |
+-------------+-----------+---------+----------------+--------------+
| tcp         | 22        | 22      | 192.168.1.0/24 |              |
+-------------+-----------+---------+----------------+--------------+
$ nova secgroup-add-rule mygroup tcp 3306 3306 192.168.1.0/24
+-------------+-----------+---------+----------------+--------------+
| IP Protocol | From Port | To Port |    IP Range    | Source Group |
+-------------+-----------+---------+----------------+--------------+
| tcp         | 3306      | 3306    | 192.168.1.0/24 |              |
+-------------+-----------+---------+----------------+--------------+
$ nova boot --flavor 1 --image f16f1d2d-71d6-41b7-98a5-319f142d61f5 --security_groups mygroup server1
+------------------------+--------------------------------------+
| OS-DCF:diskConfig      | MANUAL                               |
| OS-EXT-STS:power_state | 0                                    |
| OS-EXT-STS:task_state  | scheduling                           |
| OS-EXT-STS:vm_state    | building                             |
| accessIPv4             |                                      |
| accessIPv6             |                                      |
| adminPass              | 2QCHvG7fJ6Pc                         |
| config_drive           |                                      |
| created                | 2012-04-17T11:11:07Z                 |
| flavor                 | m1.tiny                              |
| hostId                 |                                      |
| id                     | 6d6bb47e-a356-4724-b48e-c248fceb1513 |
| image                  | cirros-0.3.0-x86_64-blank            |
| key_name               |                                      |
| metadata               | {}                                   |
| name                   | server1                              |
| progress               | 0                                    |
| status                 | BUILD                                |
| tenant_id              | 63c4cab49c8b449191d9ea5cfce0f928     |
| updated                | 2012-04-17T11:11:08Z                 |
| user_id                | d4dc81acfd604f72a56a70879fe565ad     |
+------------------------+--------------------------------------+

EC2

$ euca-add-group -d description mygroup
GROUP   mygroup description
$ euca-authorize -P tcp -s 192.168.1.0/24 -p 22 mygroup
GROUP   mygroup
PERMISSION mygroup ALLOWS tcp 22 22 FROM CIDR 192.168.1.0/24
$ euca-authorize -P tcp -s 192.168.1.0/24 -p 3306 mygroup
GROUP   mygroup
PERMISSION mygroup ALLOWS tcp 3306 3306 FROM CIDR 192.168.1.0/24
$ euca-describe-groups
GROUP   550d88112b9048fd931f1c66b2c7a932    default default
GROUP   550d88112b9048fd931f1c66b2c7a932    mygroup description
PERMISSION 550d88112b9048fd931f1c66b2c7a932     mygroup ALLOWS tcp 22 22 FROM CIDR 192.168.1.0/24
PERMISSION 550d88112b9048fd931f1c66b2c7a932     mygroup ALLOWS tcp 3306 3306 FROM CIDR 192.168.1.0/24
$ euca-run-instances tty -g mygroup
RESERVATION r-eezz74kc 550d88112b9048fd931f1c66b2c7a932 mygroup
INSTANCE    i-00000001 ami-00000001     server-1    server-1    pending     0   m1.small    2012-04-17T05:51:30.000Z    unknown zone    aki-00000002    ari-00000003
Current Security Group Model

• Features:
  – Per-Virtual Machine Security Group association
  – Network egress filtering (network to VM)
  – Matching on Source subnet, Protocol, and
    Destination Port Range
Use Case: Distributed Firewall (current features)
Security Group API
Verb     URI                                                                 Description
GET      v1.1/{tenant_id}/os-security-groups                                 List security groups
POST     v1.1/{tenant_id}/os-security-groups                                 Create a new security group
GET      v1.1/{tenant_id}/os-security-groups/{security_group_id}             Get specific security group
DELETE   v1.1/{tenant_id}/os-security-groups/{security_group_id}             Delete security group
POST     v1.1/{tenant_id}/os-security-group-rules                            Create security group rules
DELETE   v1.1/{tenant_id}/os-security-group-rules/{security_group_rule_id}   Delete security group rule
GET      v1.1/{tenant_id}/servers/{server_id}/os-security-groups             List security groups for a specific server
Proposed Security Group Model

• Features:
  – Per-Port Security Group association
  – Network egress/ingress filtering
    • Similar to AWS VPC
  – Matching on Source subnet, Protocol, and
    Destination Port Range in both directions
  – Stateful egress filtering
  – Default deny except when no ingress
    rules, then accept all on ingress
  – IPv6 Support
Use Case: Distributed Firewall (proposed features)
Proposed Security Group API
Verb      URI                                                              Description
GET       v1.1/{tenant_id}/os-security-groups                              List security groups
POST      v1.1/{tenant_id}/os-security-groups                              Create a new security group*
GET       v1.1/{tenant_id}/os-security-groups/{security_group_id}          Get specific security group
DELETE    v1.1/{tenant_id}/os-security-groups/{security_group_id}          Delete security group
PUT       v1.1/{tenant_id}/os-security-groups/{security_group_id}          Update security group*
PUT       v1.1/{tenant_id}/os-security-groups/{security_group_id}/associate_port    Associate port with security group
PUT       v1.1/{tenant_id}/os-security-groups/{security_group_id}/dissociate_port   Dissociate port from security group
GET       v1.1/{tenant_id}/os-security-groups/list_for_port                List security groups for specified port
Architecture
Pre-Essex Architecture
Essex Architecture
Folsom Architecture?
Other Features
Provider Firewalling

• Need to have security groups that are
  modifiable by tenants
• Desirable to have security groups that are
  only modifiable by service providers
  – E.g. preventing a tenant from sending SMTP
    traffic
  – Blocking all incoming traffic on a known trojan
    port
• Not an ideal fit for security groups
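As an added example (not code from the slides, Nova or Quantum), a small Python model of the security group semantics described in the "Nova Security Groups" and "Proposed Security Group Model" slides, with the provider-only deny layer from the "Provider Firewalling" slide evaluated before any tenant rule: per-port group association, ingress and egress rules matched on remote CIDR or on membership of another group, stateful acceptance of replies to allowed egress, the "no ingress rules at all means accept all ingress" default, and IPv4/IPv6 handled alike via the ipaddress module. It replays the slide's mygroup rules (tcp 22 and 3306 from 192.168.1.0/24); the Firewall/Rule/Port/Packet names, the provider_deny layer, and all addresses and port ids are constructed for the example, and a Packet's dport is the destination (service) port in both directions.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

ANY_PORT = (0, 65535)
Packet = namedtuple("Packet", "src dst protocol sport dport")


@dataclass(frozen=True)
class Rule:
    # Remote is the packet source for ingress and the packet destination for
    # egress; port_range matches the packet's destination port both ways.
    direction: str                 # "ingress" or "egress"
    protocol: str = None           # "tcp", "udp", "icmp"; None = any
    port_range: tuple = ANY_PORT   # inclusive (from_port, to_port)
    remote_cidr: str = None        # IPv4 or IPv6 CIDR ...
    remote_group: str = None       # ... or the members of another group


@dataclass
class Port:
    port_id: str                   # a Quantum port: one VIF with one fixed IP
    ip: str
    groups: list = field(default_factory=list)   # names of attached groups


class Firewall:
    def __init__(self, ports, groups, provider_deny=()):
        self.ports = {p.port_id: p for p in ports}
        self.groups = groups                      # name -> [Rule, ...]
        self.provider_deny = list(provider_deny)  # hypothetical provider layer
        self.conntrack = set()                    # 5-tuples of allowed egress

    def members(self, group):
        return {ipaddress.ip_address(p.ip)
                for p in self.ports.values() if group in p.groups}

    def rule_matches(self, rule, pkt):
        if rule.protocol and rule.protocol != pkt.protocol:
            return False
        if not rule.port_range[0] <= pkt.dport <= rule.port_range[1]:
            return False
        remote = ipaddress.ip_address(
            pkt.src if rule.direction == "ingress" else pkt.dst)
        if rule.remote_cidr is not None:   # a v6 address never matches a v4 CIDR
            return remote in ipaddress.ip_network(rule.remote_cidr, strict=False)
        if rule.remote_group is not None:
            return remote in self.members(rule.remote_group)
        return True

    def allowed(self, port_id, pkt):
        port = self.ports[port_id]
        ingress = ipaddress.ip_address(pkt.dst) == ipaddress.ip_address(port.ip)
        direction = "ingress" if ingress else "egress"
        # Provider rules come first; tenant allow rules cannot override them.
        if any(r.direction == direction and self.rule_matches(r, pkt)
               for r in self.provider_deny):
            return False
        # Stateful: the reply to an egress flow that was allowed is accepted.
        if ingress and (pkt.dst, pkt.src, pkt.protocol, pkt.dport, pkt.sport) in self.conntrack:
            return True
        rules = [r for g in port.groups for r in self.groups[g]
                 if r.direction == direction]
        if ingress and not rules:
            return True   # slide: no ingress rules at all -> accept all ingress
        ok = any(self.rule_matches(r, pkt) for r in rules)   # else default deny
        if ok and not ingress:
            self.conntrack.add((pkt.src, pkt.dt if False else pkt.dst, pkt.protocol, pkt.sport, pkt.dport))
        return ok


def demo():
    # Constructed scenario: the slide's mygroup rules plus a few extra ones.
    groups = {
        "default": [Rule("ingress", remote_group="default")],
        "mygroup": [Rule("ingress", "tcp", (22, 22), "192.168.1.0/24"),
                    Rule("ingress", "tcp", (3306, 3306), "192.168.1.0/24"),
                    Rule("ingress", "tcp", (22, 22), "2001:db8::/32"),
                    Rule("egress", "tcp", (443, 443), "0.0.0.0/0"),
                    Rule("egress", "tcp", (25, 25), "0.0.0.0/0")],
        "open": [],
    }
    fw = Firewall([Port("p-web", "10.0.0.5", ["mygroup", "default"]),
                   Port("p-db", "10.0.0.6", ["default"]),
                   Port("p-open", "10.0.0.7", ["open"]),
                   Port("p-v6", "2001:db8::10", ["mygroup"])], groups,
                  provider_deny=[Rule("egress", "tcp", (25, 25), "0.0.0.0/0")])
    web, ext, v6 = "10.0.0.5", "203.0.113.9", "2001:db8::10"
    return {
        "ssh_from_lan": fw.allowed("p-web", Packet("192.168.1.50", web, "tcp", 4000, 22)),
        "ssh_from_elsewhere": fw.allowed("p-web", Packet("10.1.1.1", web, "tcp", 4000, 22)),
        "db_to_web_via_default": fw.allowed("p-web", Packet("10.0.0.6", web, "tcp", 4000, 5000)),
        "egress_https": fw.allowed("p-web", Packet(web, ext, "tcp", 40000, 443)),
        "https_reply_stateful": fw.allowed("p-web", Packet(ext, web, "tcp", 443, 40000)),
        "egress_mysql_default_deny": fw.allowed("p-web", Packet(web, "10.0.0.6", "tcp", 40001, 3306)),
        "smtp_blocked_by_provider": fw.allowed("p-web", Packet(web, ext, "tcp", 40002, 25)),
        "no_ingress_rules_accepts_all": fw.allowed("p-open", Packet(ext, "10.0.0.7", "tcp", 4000, 8080)),
        "ssh_v6_in_prefix": fw.allowed("p-v6", Packet("2001:db8:1::1", v6, "tcp", 4000, 22)),
        "ssh_v6_outside_prefix": fw.allowed("p-v6", Packet("2001:db9::1", v6, "tcp", 4000, 22)),
    }
```

The smtp case shows why the deck calls provider rules a poor fit for tenant security groups: mygroup explicitly allows egress 25, yet the provider layer still wins.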
Access Control Lists

• Current security group model is
  somewhat limited
• Would be nice to have a more generic
  ACL capability
• Features:
  –   Ingress/Egress filtering
  –   Port-based association
  –   More sophisticated matching
  –   Allow/deny
  –   Combination of ACLs
Comments, Questions, Suggestions?

@davlaps

Powerpoint exploring the locations used in television show Time Clash
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

Openstack Quantum Security Groups Session

1. Quantum Security Groups Session
   Dave Lapsley
   @davlaps
   http://slidesha.re/HQvDTk
   http://etherpad.openstack.org/quantum-folsom

2. Session Goals
   • Introduction to Nova Security Groups
   • Proposal:
     – Move Security Groups from Nova to Quantum
   • Discussion:
     – Provider Firewalling
     – Access Control Lists
     – Other

3. Proposal: move Security Groups from Nova to Quantum
   Naturally fit within network API
   Allow plugins to implement them in a compatible way

5. Nova Security Groups
   • Collection of network access rules that specify what traffic is allowed to ingress a VM
   • Associated with a VM at startup
     – If Security Group not specified, VM belongs to default Security Group, which allows traffic from all other members of the group
   • A VM can be associated with many Security Groups
   • Security Rule specifies:
     – Source of traffic (IP subnet in CIDR notation, or another security group)
     – Protocol (TCP, UDP, ICMP)
     – Destination port on VM

6. Security Group Command Line

   EC2                    OpenStack Nova
   euca-add-group         secgroup-add-group-rule
   euca-authorize         secgroup-add-rule
   euca-delete-group      secgroup-create
   euca-describe-group    secgroup-delete
   euca-describe-groups   secgroup-delete-group-rule
                          secgroup-delete-rule
                          secgroup-list
                          secgroup-list-rules

7. Example

   OpenStack:

   $ nova secgroup-create mygroup description
   +---------+-------------+
   |   Name  | Description |
   +---------+-------------+
   | mygroup | description |
   +---------+-------------+

   $ nova secgroup-add-rule mygroup tcp 22 22 192.168.1.0/24
   +-------------+-----------+---------+----------------+--------------+
   | IP Protocol | From Port | To Port | IP Range       | Source Group |
   +-------------+-----------+---------+----------------+--------------+
   | tcp         | 22        | 22      | 192.168.1.0/24 |              |
   +-------------+-----------+---------+----------------+--------------+

   $ nova secgroup-add-rule mygroup tcp 3306 3306 192.168.1.0/24
   +-------------+-----------+---------+----------------+--------------+
   | IP Protocol | From Port | To Port | IP Range       | Source Group |
   +-------------+-----------+---------+----------------+--------------+
   | tcp         | 3306      | 3306    | 192.168.1.0/24 |              |
   +-------------+-----------+---------+----------------+--------------+

   $ nova boot --flavor 1 --image f16f1d2d-71d6-41b7-98a5-319f142d61f5 --security_groups mygroup server1
   +------------------------+--------------------------------------+
   | OS-DCF:diskConfig      | MANUAL                               |
   | OS-EXT-STS:power_state | 0                                    |
   | OS-EXT-STS:task_state  | scheduling                           |
   | OS-EXT-STS:vm_state    | building                             |
   | accessIPv4             |                                      |
   | accessIPv6             |                                      |
   | adminPass              | 2QCHvG7fJ6Pc                         |
   | config_drive           |                                      |
   | created                | 2012-04-17T11:11:07Z                 |
   | flavor                 | m1.tiny                              |
   | hostId                 |                                      |
   | id                     | 6d6bb47e-a356-4724-b48e-c248fceb1513 |
   | image                  | cirros-0.3.0-x86_64-blank            |
   | key_name               |                                      |
   | metadata               | {}                                   |
   | name                   | server1                              |
   | progress               | 0                                    |
   | status                 | BUILD                                |
   | tenant_id              | 63c4cab49c8b449191d9ea5cfce0f928     |
   | updated                | 2012-04-17T11:11:08Z                 |
   | user_id                | d4dc81acfd604f72a56a70879fe565ad     |
   +------------------------+--------------------------------------+

   EC2:

   $ euca-add-group -d description mygroup
   GROUP   mygroup   description

   $ euca-authorize -P tcp -s 192.168.1.0/24 -p 22 mygroup
   GROUP        mygroup
   PERMISSION   mygroup   ALLOWS   tcp   22   22   FROM   CIDR   192.168.1.0/24

   $ euca-authorize -P tcp -s 192.168.1.0/24 -p 3306 mygroup
   GROUP        mygroup
   PERMISSION   mygroup   ALLOWS   tcp   3306   3306   FROM   CIDR   192.168.1.0/24

   $ euca-describe-groups
   GROUP        550d88112b9048fd931f1c66b2c7a932   default   default
   GROUP        550d88112b9048fd931f1c66b2c7a932   mygroup   description
   PERMISSION   550d88112b9048fd931f1c66b2c7a932   mygroup   ALLOWS   tcp   22     22     FROM   CIDR   192.168.1.0/24
   PERMISSION   550d88112b9048fd931f1c66b2c7a932   mygroup   ALLOWS   tcp   3306   3306   FROM   CIDR   192.168.1.0/24

   $ euca-run-instances tty -g mygroup
   RESERVATION   r-eezz74kc   550d88112b9048fd931f1c66b2c7a932   mygroup
   INSTANCE      i-00000001   ami-00000001   server-1   server-1   pending   0   m1.small   2012-04-17T05:51:30.000Z   unknown zone   aki-00000002   ari-00000003
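The rule model of slides 5 to 7, worked through in code as an added example (this is not part of the deck and not Nova code): groups are attached to VMs, a VM's effective policy is the union of all its groups' rules, a rule's source is either a CIDR or another security group resolved to the addresses of its current members, the default group admits traffic only from other members of default, and anything not matched on ingress is dropped. The group names, VM addresses and rule set are constructed for the illustration.

```python
"""Toy model of Nova security-group ingress semantics (slides 5-7).

Added illustration, not Nova code: the group names, VM addresses and rules
below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ANY_PORT = -1  # rule applies to every port (used for ICMP and "all traffic" rules)


@dataclass(frozen=True)
class Rule:
    """One ingress rule: source (CIDR or another group), protocol, destination port range."""
    protocol: str                       # "tcp", "udp" or "icmp"
    from_port: int                      # ANY_PORT matches every port
    to_port: int
    cidr: Optional[str] = None          # source given as an IP subnet ...
    source_group: Optional[str] = None  # ... or as the members of another group


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)


@dataclass
class VM:
    name: str
    ip: str
    groups: List[str]  # a VM may belong to many groups; their rules are unioned


def default_group() -> SecurityGroup:
    """Nova's default group: accept all traffic from other members of 'default'."""
    return SecurityGroup("default", [
        Rule(proto, ANY_PORT, ANY_PORT, source_group="default")
        for proto in ("tcp", "udp", "icmp")
    ])


# Constructed scenario: a public web tier, a database reachable only from the web
# tier, and a utility VM that was booted without naming a group (so it is in default).
GROUPS: Dict[str, SecurityGroup] = {
    "default": default_group(),
    "web": SecurityGroup("web", [
        Rule("tcp", 80, 80, cidr="0.0.0.0/0"),
        Rule("tcp", 22, 22, cidr="192.168.1.0/24"),  # admin subnet, as on slide 7
    ]),
    "db": SecurityGroup("db", [
        Rule("tcp", 3306, 3306, source_group="web"),  # membership, not an address, is the key
    ]),
}
VMS: List[VM] = [
    VM("web1", "10.0.0.11", ["default", "web"]),
    VM("db1", "10.0.0.21", ["db"]),
    VM("util1", "10.0.0.31", ["default"]),
]


def _rule_matches(rule: Rule, src: ipaddress.IPv4Address, protocol: str, dst_port: int) -> bool:
    if rule.protocol != protocol:
        return False
    if rule.from_port != ANY_PORT and not (rule.from_port <= dst_port <= rule.to_port):
        return False
    if rule.cidr is not None:
        return src in ipaddress.ip_network(rule.cidr)
    # Source-group rule: resolve the group to the addresses of its current members.
    members = {ipaddress.ip_address(vm.ip) for vm in VMS if rule.source_group in vm.groups}
    return src in members


def ingress_allowed(dst_vm_name: str, src_ip: str, protocol: str, dst_port: int) -> bool:
    """True if any rule of any group the VM belongs to admits the packet.

    Nova's model is ingress-only; a packet no rule matches is dropped.
    """
    dst_vm = next(vm for vm in VMS if vm.name == dst_vm_name)
    src = ipaddress.ip_address(src_ip)
    return any(
        _rule_matches(rule, src, protocol, dst_port)
        for group_name in dst_vm.groups
        for rule in GROUPS[group_name].rules
    )


if __name__ == "__main__":
    checks = [
        ("web1", "203.0.113.9", "tcp", 80),   # internet -> web: allowed
        ("web1", "203.0.113.9", "tcp", 22),   # internet -> ssh: dropped
        ("db1", "10.0.0.11", "tcp", 3306),    # web tier -> db: allowed via source group
        ("db1", "10.0.0.31", "tcp", 3306),    # utility VM -> db: dropped
        ("web1", "10.0.0.31", "tcp", 9999),   # default member -> default member: allowed
        ("util1", "10.0.0.21", "icmp", 0),    # db1 is not in default: dropped
    ]
    for dst, src, proto, port in checks:
        verdict = "ALLOW" if ingress_allowed(dst, src, proto, port) else "DROP"
        print(f"{src} -> {dst} {proto}/{port}: {verdict}")
```

The source-group rule is the part worth noticing: `db` never names an address, so adding a second web VM to the `web` group opens 3306 to it automatically, and removing one closes it, which is what makes groups usable as a distributed firewall rather than a static address list.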
8. Current Security Group Model
   • Features:
     – Per-Virtual Machine Security Group association
     – Network egress filtering (network to VM, i.e. the traffic slide 5 describes as allowed to ingress a VM)
     – Matching on Source subnet, Protocol, and Destination Port Range
9. Use Case: Distributed Firewall (current features)

10. Use Case: Distributed Firewall (current features)

11. Use Case: Distributed Firewall (current features)
12. Security Group API

   Verb     URI                                                                 Description
   GET      v1.1/{tenant_id}/os-security-groups                                 List security groups
   POST     v1.1/{tenant_id}/os-security-groups                                 Create a new security group
   GET      v1.1/{tenant_id}/os-security-groups/{security_group_id}             Get specific security group
   DELETE   v1.1/{tenant_id}/os-security-groups/{security_group_id}             Delete security group
   POST     v1.1/{tenant_id}/os-security-group-rules                            Create security group rules
   DELETE   v1.1/{tenant_id}/os-security-group-rules/{security_group_rule_id}   Delete security group rule
   GET      v1.1/{tenant_id}/servers/{server_id}/os-security-groups             List security groups for a specific server
13. Proposed Security Group Model
   • Features:
     – Per-Port Security Group association
     – Network egress/ingress filtering
       • Similar to AWS VPC
     – Matching on Source subnet, Protocol, and Destination Port Range in both directions
     – Stateful egress filtering
     – Default deny, except that a port whose groups have no ingress rules accepts all ingress
     – IPv6 Support
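The proposed model of slide 13 as an added example, not part of the deck and not Quantum code: groups attach to ports rather than VMs, every rule carries a direction, filtering is stateful (a tracked connection admits its replies in the other direction), remote CIDRs may be IPv6, and the default is deny except that a port whose groups have no ingress rules accepts all ingress, exactly as the slide states it. The port ids, addresses and groups are constructed, and the in-memory conntrack set stands in for whatever a plugin would actually use. The last check in the test below is the caveat to take away from that default: a group written with only egress rules leaves its port fully open on ingress.

```python
"""Toy model of the proposed per-port, bidirectional, stateful security groups (slide 13).

Added illustration, not Quantum code: port ids, addresses and groups are constructed,
and the conntrack set stands in for the plugin's connection tracking.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ANY_PORT = -1


@dataclass(frozen=True)
class Rule:
    direction: str      # "ingress" (network -> port) or "egress" (port -> network)
    protocol: str       # "tcp", "udp" or "icmp"
    port_min: int       # destination port range, in both directions (ANY_PORT = all)
    port_max: int
    remote_cidr: str    # remote subnet, IPv4 or IPv6


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)


@dataclass
class Port:
    """A Quantum port: groups attach here, not to the VM, so each NIC gets its own policy."""
    port_id: str
    groups: List[str]


# Constructed groups. 'web' publishes HTTP over v4 and v6 and may talk to one resolver
# and to HTTPS anywhere; 'agent-only' has egress rules but no ingress rules at all.
GROUPS: Dict[str, SecurityGroup] = {
    "web": SecurityGroup("web", [
        Rule("ingress", "tcp", 80, 80, "0.0.0.0/0"),
        Rule("ingress", "tcp", 80, 80, "::/0"),
        Rule("egress", "udp", 53, 53, "10.0.0.2/32"),
        Rule("egress", "tcp", 443, 443, "0.0.0.0/0"),
    ]),
    "agent-only": SecurityGroup("agent-only", [
        Rule("egress", "tcp", 514, 514, "10.0.0.5/32"),
    ]),
}
PORTS: Dict[str, Port] = {
    "p-web": Port("p-web", ["web"]),
    "p-agent": Port("p-agent", ["agent-only"]),
}

# Connection key as seen from the port: (protocol, local ip, remote ip, local port, remote port).
Flow = Tuple[str, str, str, int, int]


class StatefulFilter:
    def __init__(self, groups: Dict[str, SecurityGroup], ports: Dict[str, Port]):
        self.groups = groups
        self.ports = ports
        self.conntrack: Set[Flow] = set()

    def _rules(self, port: Port, direction: str) -> List[Rule]:
        return [r for g in port.groups for r in self.groups[g].rules if r.direction == direction]

    @staticmethod
    def _match(rule: Rule, protocol: str, remote_ip: str, dst_port: int) -> bool:
        # A v4 address is never 'in' a v6 network (and vice versa), so mixed rules are safe.
        return (rule.protocol == protocol
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.remote_cidr)
                and (rule.port_min == ANY_PORT or rule.port_min <= dst_port <= rule.port_max))

    def ingress(self, port_id: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int, protocol: str) -> bool:
        """Packet from the network into the port."""
        port = self.ports[port_id]
        flow: Flow = (protocol, dst_ip, src_ip, dst_port, src_port)
        if flow in self.conntrack:            # reply to a connection the port opened
            return True
        rules = self._rules(port, "ingress")
        if not rules:                         # slide 13: no ingress rules -> accept all ingress
            return True
        if any(self._match(r, protocol, src_ip, dst_port) for r in rules):
            self.conntrack.add(flow)          # so the port's own replies pass egress
            return True
        return False

    def egress(self, port_id: str, src_ip: str, src_port: int,
               dst_ip: str, dst_port: int, protocol: str) -> bool:
        """Packet from the port out to the network."""
        port = self.ports[port_id]
        flow: Flow = (protocol, src_ip, dst_ip, src_port, dst_port)
        if flow in self.conntrack:            # reply to a connection the network opened
            return True
        if any(self._match(r, protocol, dst_ip, dst_port) for r in self._rules(port, "egress")):
            self.conntrack.add(flow)          # so the remote side's replies pass ingress
            return True
        return False                          # default deny
```

Two things the current Nova model cannot express show up here: an outbound DNS query is admitted by an egress rule and its reply is then admitted only because the flow is tracked (the identical datagram arriving unsolicited is dropped), and the same HTTP rule is written twice because a v4 CIDR never matches a v6 source.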
14. Use Case: Distributed Firewall (proposed features)
15. Proposed Security Group API

   Verb     URI                                                                       Description
   GET      v1.1/{tenant_id}/os-security-groups                                       List security groups
   POST     v1.1/{tenant_id}/os-security-groups                                       Create a new security group*
   GET      v1.1/{tenant_id}/os-security-groups/{security_group_id}                   Get specific security group
   DELETE   v1.1/{tenant_id}/os-security-groups/{security_group_id}                   Delete security group
   PUT      v1.1/{tenant_id}/os-security-groups/{security_group_id}                   Update security group*
   PUT      v1.1/{tenant_id}/os-security-groups/{security_group_id}/associate_port    Associate port with security group
   PUT      v1.1/{tenant_id}/os-security-groups/{security_group_id}/dissociate_port   Dissociate port from security group
   GET      v1.1/{tenant_id}/os-security-groups/list_for_port                         List security groups for specified port
21. Provider Firewalling
   • Need to have security groups that are modifiable by tenants
   • Desirable to have security groups that are modifiable only by service providers
     – E.g. preventing a tenant from sending SMTP traffic
     – Blocking all incoming traffic on a known trojan port
   • Not an ideal fit for the security group model
22. Access Control Lists
   • Current security group model is somewhat limited
   • Would be nice to have a more generic ACL capability
   • Features:
     – Ingress/Egress filtering
     – Port-based association
     – More sophisticated matching
     – Allow/deny
     – Combination of ACLs
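Slides 21 and 22 together, as an added example that is not part of the deck and not Quantum code: provider-owned ACLs that tenants cannot modify are always evaluated ahead of the tenant's own ACLs, entries carry allow or deny, match on direction, protocol, remote subnet and both port ranges, and several ACLs combine into one ordered chain with first match winning and implicit deny at the end. The ACL format, the "provider" owner tag, the sample entries and the blocked port number (4444, used here as an arbitrary stand-in for "a known trojan port") are constructed for the illustration.

```python
"""Toy model of provider firewalling layered over tenant ACLs (slides 21-22).

Added illustration, not Quantum code. The ACL format, the 'provider' owner tag and
the sample entries are constructed; port 4444 is an arbitrary stand-in.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class AclEntry:
    action: str                             # "allow" or "deny"
    direction: str                          # "ingress" or "egress"
    protocol: str                           # "tcp", "udp", "icmp" or "any"
    remote_cidr: str                        # source for ingress, destination for egress
    dst_ports: Tuple[int, int] = ANY_PORTS
    src_ports: Tuple[int, int] = ANY_PORTS  # richer matching than today's groups offer


@dataclass
class Acl:
    name: str
    owner: str                              # "provider" or a tenant id
    entries: List[AclEntry] = field(default_factory=list)


@dataclass
class Port:
    port_id: str
    tenant: str
    acls: List[Acl] = field(default_factory=list)


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def can_modify(actor: str, acl: Acl) -> bool:
    """Tenants may edit only their own ACLs; provider ACLs are read-only to them."""
    return acl.owner == actor


def modify_acl(actor: str, acl: Acl, entry: AclEntry) -> None:
    if not can_modify(actor, acl):
        raise PermissionError(f"{actor} may not modify ACL {acl.name!r} owned by {acl.owner}")
    acl.entries.append(entry)


def _entry_matches(e: AclEntry, direction: str, pkt: Packet) -> bool:
    remote_ip = pkt.src_ip if direction == "ingress" else pkt.dst_ip
    return (e.direction == direction
            and e.protocol in ("any", pkt.protocol)
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(e.remote_cidr)
            and e.dst_ports[0] <= pkt.dst_port <= e.dst_ports[1]
            and e.src_ports[0] <= pkt.src_port <= e.src_ports[1])


def evaluate(port: Port, direction: str, pkt: Packet) -> bool:
    """First matching entry wins; provider ACLs are consulted before tenant ACLs.

    Nothing matched means implicit deny.
    """
    chain = ([a for a in port.acls if a.owner == "provider"]
             + [a for a in port.acls if a.owner != "provider"])
    for acl in chain:
        for entry in acl.entries:
            if _entry_matches(entry, direction, pkt):
                return entry.action == "allow"
    return False


# Constructed policy. The provider blocks outbound SMTP from every tenant and inbound
# traffic to one port it treats as a trojan indicator; the tenant wants HTTP in and
# unrestricted egress. The order the tenant lists the ACLs in does not matter.
PROVIDER_ACL = Acl("provider-baseline", "provider", [
    AclEntry("deny", "egress", "tcp", "0.0.0.0/0", dst_ports=(25, 25)),
    AclEntry("deny", "ingress", "tcp", "0.0.0.0/0", dst_ports=(4444, 4444)),
])
TENANT_ACL = Acl("web-tier", "tenant-a", [
    AclEntry("allow", "ingress", "tcp", "0.0.0.0/0", dst_ports=(80, 80)),
    AclEntry("allow", "egress", "any", "0.0.0.0/0"),
])
WEB_PORT = Port("p-web", "tenant-a", [TENANT_ACL, PROVIDER_ACL])
```

The tenant's "allow any egress" entry never gets a chance to admit SMTP, because the provider chain is evaluated first regardless of the order the tenant attached the ACLs in; that ordering guarantee, plus the ownership check on modification, is what the deck means by a security group that only the provider can change.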
23. Comments, Questions, Suggestions?
   @davlaps