[openstack-dev] [Neutron][FWaaS]Firewall Web Services Research Thesis Applicability to the OpenStack Project

Mike Grima mike.r.grima at gmail.com
Sun May 11 20:31:06 UTC 2014


Sumit,

I have very briefly looked at the Neutron Group Policy documentation.  I have a few questions and points:

1.)  My Firewall Web Server component shares some similar functionality with regard to firewall rules.  In my system, the policies are composed of several firewall commands (actual iptables commands), and they can be applied to any VM on the system (KVM host).

2.) From the brief overview of the documentation, it was not clear if you guys have a priority-based list.  For such a list, you would want rules made by the customer at the lowest priority, and rules by the “infra admin” to be the highest priority, with the ability to overwrite the rules of the customer (in this system, the customer is _not_ always right).

2a.) I have a system of command ordering/priority implemented in that commands within each policy are ordered.  Policies themselves are not ordered, and policies in my system should be atomic to avoid collisions.  Policies have an implicit order such that the commands of the policy can pick their location in the iptables chain.  It’s a quick and possibly simple way to implement policy priority.  As an example, policies and rules created by a vulnerability scanner after detecting a vulnerability would take precedence over other “colliding” policies, since those rules would make use of iptables commands with the '-I 1' flags.  This places those iptables rules at the top of the chain.  Other, non-priority policies make use of '-A' switches to simply append the firewall rules to the end of the appropriate chain.  This is actually demonstrated in vulnerability scanning videos I posted earlier.

3.) How are the Group Policy rules exposed?  Do you presently have web services available for other systems to alter policies?  For example, in my thesis, I have the video (referenced in my first post) where I have OpenVAS detect the Heartbleed vulnerability, and then use the exposed web services to automatically generate a rule to close off the port on the vulnerable VM via the host.

3a.) Going along with the previous question, what is the relationship between the Neutron Group Policy and FWaaS?  Does FWaaS expose the Group Policy capabilities, or does FWaaS simply provide firewall capabilities outside the purview of group policies?  Does the GP module depend on FWaaS?

4.) From the brief documentation I read for FWaaS, my research appears to be a mixture of both components.  This includes the exposure of firewall capabilities, and the arrangement of firewall rules classified as policies designed to control certain behaviors, albeit at the firewall level only.  My research does not address the overall networking of the infrastructure, such as the establishment of routes, virtual bridges, etc.

5.) Slide 16 in the Neutron Group Policy presentation is definitely one of the main advantages of both of our approaches, and one of the main focal points of my thesis.

Thank you,

Mike
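The ordering mechanism described in point 2a, as an added example that is not part of the original message or of Mike's thesis code: a policy is an ordered list of iptables commands; a priority policy (such as one a vulnerability scanner pushes after a finding) is rendered with `-I <chain> 1`, which places its rules at the top of the chain, while an ordinary customer policy is rendered with `-A <chain>`, which appends. An in-memory chain simulator shows the resulting rule order without touching a real host. The names (`Rule`, `Policy`, `render_policy`, `apply_commands`, `decision`) and the sample policies are constructed for this illustration.

```python
"""Model of policy/command ordering via 'iptables -I <chain> 1' vs 'iptables -A <chain>'.

Added illustration, not code from the original thread.  All class and function
names are assumptions made for this example; the policies in demo() are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    chain: str
    match: str    # e.g. "-p tcp --dport 443"
    target: str   # e.g. "DROP"


@dataclass
class Policy:
    name: str
    rules: List[Rule]        # ordered: rules[0] should be evaluated first
    priority: bool = False   # True -> '-I <chain> 1', False -> '-A <chain>'


def rule_spec(rule: Rule) -> str:
    return f"{rule.match} -j {rule.target}"


def render_policy(policy: Policy) -> List[str]:
    """Return the iptables command lines for a policy, in execution order."""
    cmds = []
    if policy.priority:
        # Every '-I <chain> 1' pushes the previously inserted rule down one slot,
        # so the rules are emitted in reverse: the policy's first rule is inserted
        # last and therefore ends up at position 1 of the chain.
        for r in reversed(policy.rules):
            cmds.append(f"iptables -I {r.chain} 1 {rule_spec(r)}")
    else:
        for r in policy.rules:
            cmds.append(f"iptables -A {r.chain} {rule_spec(r)}")
    return cmds


def apply_commands(chains: Dict[str, List[str]], cmds: List[str]) -> Dict[str, List[str]]:
    """Simulate 'iptables -A <chain> ...' and 'iptables -I <chain> <pos> ...' in memory."""
    for cmd in cmds:
        parts = cmd.split()
        if parts[0] != "iptables":
            raise ValueError(f"not an iptables command: {cmd}")
        op, chain = parts[1], parts[2]
        rules = chains.setdefault(chain, [])
        if op == "-A":
            rules.append(" ".join(parts[3:]))
        elif op == "-I":
            pos = int(parts[3])               # iptables rule positions are 1-based
            rules.insert(pos - 1, " ".join(parts[4:]))
        else:
            raise ValueError(f"unsupported operation {op}")
    return chains


def decision(chains: Dict[str, List[str]], chain: str, dport: int) -> Optional[str]:
    """First terminating target (ACCEPT/DROP/REJECT) hit by TCP traffic to dport.

    Toy matcher for this example: every rule in the simulated chain carries
    '--dport N' and '-j TARGET'.  Returns None when nothing terminates.
    """
    for spec in chains.get(chain, []):
        parts = spec.split()
        port = int(parts[parts.index("--dport") + 1])
        target = parts[parts.index("-j") + 1]
        if port == dport and target in ("ACCEPT", "DROP", "REJECT"):
            return target
    return None


def demo() -> Dict[str, List[str]]:
    """Customer policy appended first; a scanner policy then takes precedence via -I 1."""
    customer = Policy("customer-web", [
        Rule("INPUT", "-p tcp --dport 443", "ACCEPT"),
        Rule("INPUT", "-p tcp --dport 22", "ACCEPT"),
    ])
    # Constructed: a scanner-generated policy closing a port after a finding;
    # it wants LOG evaluated before DROP, so that order must survive rendering.
    scanner = Policy("scanner-finding-1", [
        Rule("INPUT", "-p tcp --dport 443", "LOG"),
        Rule("INPUT", "-p tcp --dport 443", "DROP"),
    ], priority=True)
    chains: Dict[str, List[str]] = {}
    apply_commands(chains, render_policy(customer))
    apply_commands(chains, render_policy(scanner))
    return chains


if __name__ == "__main__":
    for i, spec in enumerate(demo()["INPUT"], start=1):
        print(f"{i:>2}  {spec}")
```

The reversal in `render_policy` is the detail worth checking in any system that builds on `-I 1`: a policy with several commands rendered naively would land in the chain in the opposite order from the one its author wrote, which matters as soon as a non-terminating target such as LOG is meant to precede a DROP.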



