[Openstack-operators] VPNaaS and FWaaS
Matt Jarvis
matt.jarvis at datacentred.co.uk
Tue May 10 08:18:06 UTC 2016
We see FWaaS generally being used by customers with larger deployments,
where they want overall firewall rules at the boundary as well as security
groups. Since my original post on this thread, I went to look at the
numbers - it's actually being used more widely than I originally thought on
our platform, including many of our largest customers.
On 10 May 2016 at 09:03, Mariano Cunietti <mcunietti at enter.it> wrote:
> Hi Kyle,
>
> > I know there are operators relying on these functions, particularly in
> the
> > public cloud space in Europe, so this would impact those people. I also
> know
> > this list doesn't necessarily reach all of them either, so I will try and
> > reach out by other means as well, but it would be very useful to try and
> get
> > a clearer picture of how many people are using VPNaaS and FWaaS. If you
> are,
> > could you please respond to this thread ?
>
>
> We are using VPNaaS and FWaaS on entercloudsuite.com, on Juno.
> With VPNaaS it basically works (or: works basically) but there are some
> issues with the configuration of MTU and some other server side
> configurations that drop some client connections. I can can provide more
> details if you want on a private thread.
> With FWaaS we are providing it but we also deprecate it; moreover, it’s
> generating a lot of confusion and overlap with Security Groups
>
>
> >
> I'm actually really surprised that people are *using* FWaaS. It's been
> marked experimental for over 3 years now, and it only recently in
> Liberty received work which made it somewhat useful, which was the
> ability to apply a firewall on a specific Neutron router rather than
> all tenant routers. FWaaS in production sounds pretty risky to me, but
> I supposed that our fault for not being clear on it's readiness.
>
>
> Agree, but the words EXPERIMENTAL and NOT PRODUCTION READY are pretty
> visible in the documentation.
> So, not your fault at all
>
>
> > If we have metrics that a constituent part of the user community need
> these
> > functions, then we can try and find a way to help the Neutron team to
> cover
> > the resourcing gaps.
> >
> If people are using these, IMHO that's another reason to keep them
> around. I've already said that we have at least one large user of VPN,
> so that project will continue to be worked on even if it's removed
> from Neutron.
>
>
> Here’s what WE’D LOVE to have:
>
> - VPNaaS
> - IDS or some TAPaaS to redirect router traffic to a tenant’s instance
> (remember we all sell instances)
> - IPS, that is the ability not only to eavesdrop but also to drop
> traffic using Snort or better Suricata + ELK (
> https://github.com/StamusNetworks/SELKS/blob/master/README.rst)
> - FWaaS meant as multiple firewall “flavors”. Lots of customers ask
> for PFSense or their own Linux/FreeBSD solution
> - Network analytics in general (with InfluxDB or Monasca)
>
> Thanks
>
> Mariano
>
>
>
--
DataCentred Limited registered in England and Wales no. 05611763
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20160510/7f11a4cd/attachment.html>
More information about the OpenStack-operators
mailing list