WUG #005 - Building dynamic firewalls using Security Groups


Upload: axsh-co-ltd

Post on 20-Jun-2015


DESCRIPTION

These slides were used in the 5th Wakame Users Group meeting: http://wakameusersgroup.org/meeting/2014/07/25/wug-005/

Building dynamic firewalls using Security Groups

During this meeting we will talk about Wakame-vdc's and OpenVNet's dynamic, scalable firewall functionality, aka Security Groups. Security Groups allow you to block traffic between separate groups of interfaces while only opening specific UDP/TCP ports. Topics will include:

* Wakame-vdc's security groups using Linux Netfilter (iptables, ebtables)
* OpenVNet's security groups using OpenFlow
* How we built a stateful firewall using stateless OpenFlow

TRANSCRIPT

1. Today's topics
   • Brief description of Wakame-vdc and OpenVNet
   • Dynamic firewall (security groups)
   • Wakame-vdc's implementation using Netfilter
   • OpenVNet's implementation using OpenFlow
   • Stateful firewall implementation in OpenFlow's stateless world

2. Wakame-vdc is: a virtual data center. OpenVNet is: a virtual networking solution. Both are:
   • Free open source software
   • Decentralised distributed software
   • Written in Ruby

3. Wakame-vdc from the user's perspective
   [Diagram: the user reaches the WebAPI over HTTP and the instances over SSH. * Instance = Virtual Server]

4. Wakame-vdc under the hood
   [Diagram: instances run on HVAs; the HVAs talk over AMQP to Dcmgr (Data Center Manager), which exposes the WebAPI over http. * HVA = Hypervisor Agent]

5. OpenVNet: the concept of virtual networks
   [Diagram: NICs on one physical network are grouped into Virtual network 1, Virtual network 2 and Virtual network 3]

6. OpenVNet uses OpenFlow
   • All network devices in the world work by matching packets against flow tables
   • OpenFlow is a protocol that can dynamically alter flow tables
   • Network device vendors can implement OpenFlow

7. OpenFlow switch
   [Diagram: a network switch whose OpenFlow implementation holds the flow tables; network traffic enters the switch ports from NICs; the switch talks to the OpenFlow controller over SSL]

8. OpenVNet under the hood
   [Diagram: on each host, vnics attach to a bridge (Open vSwitch) driven by the OpenFlow controller inside the VNA; the VNAs talk over 0mq to Vnmgr (virtual network manager), which exposes the WebAPI over http. * VNA = Virtual Network Agent]

9. Security Groups
   • Security groups are implemented in both Wakame-vdc and OpenVNet
   • Security groups have 3 features: Isolation, Rules, Reference

10. Isolation
   • All network traffic between instances is blocked
   • Network traffic between instances can be allowed by putting them in a security group together

11. Isolation
   • Technically vnics are put in groups, not instances.
   • A vnic can be in many groups at one time.
   • A group can have many vnics in it at one time.
   [Diagram: instances with several vnics; traffic between vnics that share a group is OK, traffic to a vnic outside the group is Blocked. * vnic = virtual network interface card]

12. Rules
   • All incoming network traffic to instances is blocked
   • Incoming network traffic on specific ports can be allowed by user defined rules in security groups

13. Rules
   • Rules are applied to all vnics in the group
   Example:
     tcp:22,22,ip4:0.0.0.0
     icmp:1,1,ip4:192.168.0.0/16
   [Diagram: traffic to the group's vnics with Destination: tcp port 22 and Destination: tcp port 80]

14. Reference
   • A reference rule is a type of rule
   • Instead of an ip address, you can write another security group's unique id in a rule
   • The rule is applied to all vnics in the referenced group

15. Reference
   Example: Security group 'sgdbsrv' has this rule:
     tcp:3306,3306,sgdbclnts
   [Diagram: vnics of instances in sgdbclnts sending to the vnic of an instance in sgdbsrv. * All arrows represent tcp requests on port 3306]

16. Wakame-vdc's implementation
   [Diagram: Dcmgr (Data Center Manager) exposes the WebAPI over http and reaches the HVAs over the management line (AMQP); on each HVA, each instance's vnic is fronted by its own Netfilter firewall before the bridge and the physical nics on the public line. Netfilter = iptables/ebtables]

17. OpenVNet's implementation
   [Diagram: vnmgr (virtual network manager) exposes the WebAPI over http and reaches the VNAs over the management line (0mq); on each VNA, each vnic has its own flows in the bridge before the physical nics on the public line]

18. Difference between implementations
   Wakame-vdc:
   • L3 filtering using iptables
   • L2 filtering using ebtables
   OpenVNet:
   • L3 filtering using OpenFlow
   • L2 filtering not needed because of the nature of virtual networks
   • A basic form of connection tracking was needed due to OpenFlow's stateless nature

19. Stateless vs Stateful
   • What does that even mean?
   • Stateful firewalls are aware of connections
   • Stateless firewalls are not
   • Linux Netfilter is stateful
   • OpenFlow is stateless

20. Stateless complicates things
   [Diagram: a web client vnic in security group sgclient (rules: n/a) and a web server vnic in security group sgserver (rule: tcp:80:0.0.0.0/0)]

21. Stateless complicates things
   [Diagram: the web client sends an http request to the web server: tcp src port: 4567, tcp dst port: 80]

22. Stateless complicates things
   [Diagram: the web server sends the http response back to the web client: tcp src port: 80, tcp dst port: 4567]
   • Security group 'sgclient' is not opening up port 4567
   • The stateless firewall is not aware that a connection on that port has been opened.

23. Let's quickly refresh our memory of how OpenFlow works
   [Diagram: the OpenFlow switch from slide 7: network switch, OpenFlow implementation with flow tables, ports and NICs, SSL link to the OpenFlow controller]

24. Solving the stateless issue
   • Add another flow table to the firewall
   • The filter table handles security groups
   • The connection table handles connections
   [Flowchart: Filter table, matches flow? yes: accept packet; no: Connection table, matches flow? yes: accept packet; no: drop packet]

25. Solving the stateless issue
   • But didn't you say OpenFlow is stateless?
   • Just what is in that connection table?
   [Flowchart: same as slide 24]

26. Closer look at OpenVNet's innards
   [Diagram: Open vSwitch holds the outgoing connection listener table, the filter table and the connection table, managed by the OpenFlow controller (vna); web client vnic in sgclient (rules: n/a), web server vnic in sgserver (rule: tcp:80:0.0.0.0/0). sgclient's rules are implemented in the filter table]

27. Outgoing packet goes into controller
   [Diagram: the http request (src tcp port: 4567, dst tcp port: 80; the src ip and dst ip fields are left blank on the slide) leaves the web client vnic, matches the outgoing connection listener table and is sent to the OpenFlow controller (vna)]

28. Controller adds flows
   • Controller reads ip addresses and tcp ports from the packet
   • Controller determines connection information from this and adds new flows
   [Diagram: a new flow is added to the outgoing connection listener table and a new flow to the connection table]

29. What flows are added at this point?
   • Outgoing connection listener table: a flow that prevents further packets of this connection from going into the controller
   • Connection table: a flow that allows incoming packets on this connection to pass through the firewall

30. The outgoing packet continues
   • Controller sends the outgoing packet back out to continue its journey through the network
   [Diagram: the http request leaves Open vSwitch towards the web server vnic]

31. The response comes back
   The response comes in and:
   • is not accepted in the filter table and moves on to the connection table
   • is accepted in the connection table
   [Diagram: the http response travels from the web server vnic through the filter table and the connection table to the web client vnic]

32. Some remarks
   • Only the first packet of a connection goes into the controller
   • Unlike Netfilter, Open vSwitch does not notice when a tcp connection closes!
   • The connection flows are deleted when no packet matches them for a while

33. Thanks for your attention
   • Want to try running Wakame-vdc in VirtualBox? Go to http://wakameusersgroup.org and click on demo image
   • Any questions?
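The table walk and controller punt described on slides 24 through 32, as an added Ruby example that is not OpenVNet's own code: it models the outgoing connection listener table, the filter table and the connection table, and the idle-timeout expiry from slide 32. The class name, the packet hash layout, the [proto, port] rule list, the simulated clock and the 30-second timeout are assumptions.

```ruby
# Added example, not OpenVNet's own code: a minimal model of the three-table
# stateful firewall on slides 24-32. Class name, packet hash layout, the
# [proto, port] rule format and the IDLE_TIMEOUT value are all assumptions.
class StatefulSgFirewall
  IDLE_TIMEOUT = 30 # seconds of silence before a connection flow is removed
  attr_reader :controller_hits # how many packets were punted to the controller
  attr_accessor :now           # simulated clock (seconds), set by the caller

  def initialize(rules)
    @filter = rules  # security-group rules for this vnic, e.g. [["tcp", 80]]
    @listener = {}   # outgoing connection listener table: 5-tuples seen
    @connection = {} # connection table: reply 5-tuple => last packet time
    @now = @controller_hits = 0
  end

  # Outgoing packet from the vnic: only the first packet of a connection misses
  # the listener table and is punted to the controller, which adds both flows.
  def outgoing(pkt)
    key = five_tuple(pkt)
    unless @listener.key?(key)
      @controller_hits += 1
      @listener[key] = true
    end
    @connection[reverse(key)] = @now # every packet refreshes the idle timer
    :forward
  end

  # Incoming packet: filter table, then connection table, else drop (slide 24).
  def incoming(pkt)
    expire_idle_flows
    return :accept if @filter.include?([pkt[:proto], pkt[:dst_port]])
    key = five_tuple(pkt)
    return :drop unless @connection.key?(key)
    @connection[key] = @now
    :accept
  end

  private
  def five_tuple(p)
    [p[:proto], p[:src_ip], p[:src_port], p[:dst_ip], p[:dst_port]]
  end
  def reverse(k) # swap src and dst so a reply matches the connection table
    [k[0], k[3], k[4], k[1], k[2]]
  end
  # Open vSwitch never sees the TCP close, so flows only leave by idle timeout.
  def expire_idle_flows
    @connection.delete_if { |_k, seen| @now - seen > IDLE_TIMEOUT }
    @listener.delete_if { |k, _v| !@connection.key?(reverse(k)) }
  end
end
```

With an empty rule list (sgclient) the reply on port 4567 is dropped until the client's own request has installed the connection flow, and dropped again once the flow has idled out.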