[openstack-dev] [Neutron] DVR SNAT shortcut

Carl Baldwin carl at ecbaldwin.net
Sat Jun 28 19:26:58 UTC 2014


Paul,

Is there a blueprint filed on the subject of logging?  This really
doesn't have anything to do with DVR.  The current solution has no
logging either.

Carl

On Thu, Jun 26, 2014 at 5:41 AM, CARVER, PAUL <pc2929 at att.com> wrote:
>
> -------- Original message --------
> From: Yi Sun <beyounn at gmail.com>
> Date:
> To: openstack-dev at lists.openstack.org
> Subject: Re: [openstack-dev] [Neutron] DVR SNAT shortcut
>
> Yi wrote:
> +1, I had another email to discuss FW (FWaaS) and DVR integration.
> Traditionally, we run a firewall with a router so that the firewall can use route
> and NAT info from the router. Since DVR is asymmetric when handling traffic, it
> is hard to run a stateful firewall on top of DVR just like a traditional
> firewall does. When the NAT is in the picture, the situation can be even
> worse.
> Yi
>
>
>
> Don't forget logging either. In any security conscious environment,
> particularly any place with legal/regulatory/contractual audit requirements,
> a firewall that doesn't keep full logs of all dropped and passed sessions is
> worthless.
>
> Stateless packet dropping doesn't help at all when conducting forensics on
> an attack that is already known to have occurred.
