[openstack-dev] [Policy][Group-based-policy] Policy violations investigation

Sumit Naiksatam sumitnaiksatam at gmail.com
Tue Jan 27 18:55:41 UTC 2015

Hi Ariel,

This is indeed one of the use cases that is very relevant to, and can
be supported, with the GBP model. The GBP policy actions provide a way
to “redirect” to a service-instance/chain on matching a traffic
classifier. If you are able to represent the “honeypot” functionality
as a Neutron advanced service, or wrap it in an implemented service,
then you can integrate it with today’s implementation. The GBP team
will be happy to provide you with more information on how you can
propose and implement any changes that you may need to make for this
integration. Also, feel free to catch us in #openstack-gbp and/or
during the GBP weekly IRC meeting [1].


[1] https://wiki.openstack.org/wiki/Meetings/Neutron_Group_Policy

On Tue, Jan 27, 2015 at 8:19 AM, Ariel Zeitlin <ariel.zeitlin at gmail.com> wrote:
> Hi,
> I want to propose an idea of investigation of policy violations (for
> white-list policies defined by GBP) by, for instance, redirecting the
> violating sessions to a HoneyPot.
> Meaning, that if the only communication between Group A and Group B is by
> port 80 (as described in the GPB) then an access to port 22 from Group A to
> Group B will be redirected to and answered by a HoneyPot that will
> investigate the real reason for policy violation, or simply log and drop the
> violating connection attempt.
> In tightly defined policies world as achieved through GBP an attacker trying
> to propagate inside the network is more likely to hit a wall and then
> actually create a "golden lead" for his detection.
> Do you think this concept can/should to be part of GBP and what would be the
> best way to promote it (sorry, I am pretty new to OpenStack and GBP
> specifically).
> Thanks,
> Ariel
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list