[openstack-dev] [Neutron] DVR SNAT shortcut

CARVER, PAUL pc2929 at att.com
Thu Jun 26 11:41:20 UTC 2014







-------- Original message --------
From: Yi Sun <beyounn at gmail.com>
Date:
To: openstack-dev at lists.openstack.org
Subject: Re: [openstack-dev] [Neutron] DVR SNAT shortcut




Yi wrote:
+1, I had another email to discuss about FW (FWaaS) and DVR integration. Traditionally, we run firewall with router so that firewall can use route and NAT info from router. since DVR is asymmetric when handling traffic, it is hard to run stateful firewall on top of DVR just like a traditional firewall does . When the NAT is in the picture, the situation can be even worse.
Yi


Don't forget logging either. In any security concious environment , particularly any place with legal/regulatory/contractual audit requirements a firewall that doesn't keep full logs of all dropped and passed sessions is worthless.

Stateless packet dropping doesn't help at all when conducting forensics on an attack that is already known to have occured.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140626/365ccbba/attachment.html>


More information about the OpenStack-dev mailing list