OpenStack Strategy / RHOSSTRAT-499

Tech Preview - FWaaS support for RHOSO


    • Type: Feature
    • Resolution: Done
    • Priority: Critical
    • Fix Version/s: rhos-18.0.14 FR 4
    • Neutron
    • Important
    • 0% To Do, 0% In Progress, 100% Done
    • rhos-connectivity-neutron
    • Red Hat OpenStack Services on OpenShift (formerly Red Hat OpenStack Platform)
    • Technology Preview
    • Release note:
      .Firewall-as-a-Service (Technology Preview)

      In RHOSO 18.0.14 (Feature Release 4), you can test a technology preview of Firewall-as-a-Service (FWaaS). Do not use technology preview features in production environments.

      As more OpenStack-based clouds are adopted for multi-tenant applications, security remains a top priority. Network-level isolation and traffic control become critical, especially in public or hybrid cloud environments.

      Although security groups provide sufficient capability to specify security policy at the VM instance or VM port level, they do not support specifying policy at the network or router port level.

      The FWaaS project adds this capability: it lets you specify security policies at the router port level, group multiple policy rules within the same policy group, and apply L3 or L2 policy at the router port level.

      FWaaS also supports third-party NGFW plugins for integration with NGFW vendor solutions, enabling firewall capabilities beyond the ACL level, such as DPI, malware protection, IPS and IDP.

      To enable the FWaaS service plugin, add `firewall_v2` to `service_plugins` in your control plane Custom Resource (CR) file and register the FWaaS service provider, as shown in the following example. The example includes other service plugins for context; they are not required for enabling FWaaS.

      To configure the technology preview of FWaaS, add the following settings in your control plane CR:

      ----

      customServiceConfig: |
        [DEFAULT]
        service_plugins = qos,ovn-router,trunk,segments,port_forwarding,log,firewall_v2

        [service_providers]
        service_provider = FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.ovn.firewall_l3_driver.OVNFwaasDriver:default
      ----
      For FWaaS usage examples, see "Configure Firewall-as-a-Service v2" in _Firewall-as-a-Service (FWaaS) v2 scenario_ [1].

      [1] https://docs.openstack.org/neutron/latest/admin/fwaas-v2-scenario.html
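A quick consistency check for the `customServiceConfig` fragment above, added here as an example and not part of the release note or of any Red Hat tooling. It parses the INI text that the CR passes to neutron.conf and flags the two failure modes a reviewer would look for: `firewall_v2` listed without a `FIREWALL_V2` service provider (neutron-server cannot load the plugin), and a provider that is not the OVN driver named in the note. The config strings are constructed for the example; the driver path is the one from the release note.

```python
import configparser
from typing import List

# Driver path taken from the release note above.
EXPECTED_DRIVER = ("neutron_fwaas.services.firewall.service_drivers."
                   "ovn.firewall_l3_driver.OVNFwaasDriver")

# Constructed customServiceConfig body matching the release note.
CORRECT_CFG = f"""
[DEFAULT]
service_plugins = qos,ovn-router,trunk,segments,port_forwarding,log,firewall_v2

[service_providers]
service_provider = FIREWALL_V2:fwaas_db:{EXPECTED_DRIVER}:default
"""

# Constructed incomplete variant: plugin enabled, provider forgotten.
INCOMPLETE_CFG = """
[DEFAULT]
service_plugins = qos,ovn-router,trunk,firewall_v2
"""


def parse_service_config(text: str) -> configparser.ConfigParser:
    # oslo.config-style INI: option names are case-sensitive and values
    # contain ':' (no interpolation), so disable both behaviours.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_fwaas_config(text: str) -> List[str]:
    """Return findings; an empty list means FWaaS is wired up consistently."""
    cp = parse_service_config(text)
    plugins = [p.strip() for p in
               cp.get("DEFAULT", "service_plugins", fallback="").split(",")]
    if "firewall_v2" not in plugins:
        return ["service_plugins lacks firewall_v2; the FWaaS API is not loaded"]
    providers = cp.get("service_providers", "service_provider", fallback="")
    # Provider format: SERVICE_TYPE:name:driver_path[:default]
    fw = [p.strip() for p in providers.split(",")
          if p.strip().startswith("FIREWALL_V2:")]
    if not fw:
        return ["firewall_v2 enabled but no FIREWALL_V2 service_provider; "
                "neutron-server fails to load the plugin"]
    fields = fw[0].split(":")
    if len(fields) < 3 or fields[2] != EXPECTED_DRIVER:
        return [f"FIREWALL_V2 driver is not {EXPECTED_DRIVER}"]
    return []
```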


    • Done

      Feature Overview

      VPC (Virtual Private Cloud) has emerged as one of the high-priority needs for cloud service providers. One of the key aspects of VPC is being able to apply admin and policy control to a group of resources so that it scales across the resources under the same isolated admin control. Applying security policy at the network or router port level is an important part of enabling customers/users to achieve VPC equivalence for OpenStack deployments.

      Red Hat OpenStack relies primarily on security groups for enabling security rules. Although security groups provide sufficient capability to specify security policy at the VM instance or VM port level, they do not support specifying policy at the network or router port level. The FWaaS project adds this capability: it lets you specify security policies at the router port level, group multiple policy rules within the same policy group, and apply L3 or L2 policy at the router port level.

      Additionally, FWaaS supports third-party NGFW plugins such as Juniper SRX, McAfee and others, enabling firewall capabilities beyond the ACL level, such as DPI, malware protection, IPS and IDP. [1][2][3]

      Goals

      Support FWaaS for RHOSO 18 to address the gap of specifying security policies at the network or router port level and thus enabling VPC equivalence with RHOSO.

      Multiple cloud service providers have expressed the requirement to support VPC equivalence, which is one of the key must-have requirements for adoption of Red Hat OpenStack.

      Requirements

      Requirement                                                                          | Notes                                                                              | Priority | isMVP?
      L3, L2 security policy definition using FWaaS at router port and VM instance level   |                                                                                    | 1        | yes
      Validation for implementation based on OVS Firewall                                  |                                                                                    | 1        | yes
      L3 firewall support *                                                                | protocol = {TCP, UDP, ICMP, any}; action = {allow, deny, reject}; ingress/egress   | 1        | yes
      FWaaS NGFW plugin support                                                            |                                                                                    | 2        | yes

      Done - Acceptance Criteria

      • Validate the scenarios listed in the requirements section for functional operation
      • Implement automation for regression test suite
      • Assess the performance impact of firewall rules on dataplane forwarding performance with incremental increase of security rules in the same policy group or incremental increase of policy groups
      • Assess stability of the feature support and review level of support for the feature upstream
      • Support for 3rd party NGFW plugin and integration with at least 1 3rd party plugin

      Use Cases

      • Use of firewall rules at router port level to provide scalable firewall rule definition for a group of virtual infrastructure resources, thus enabling implementation of logical constructs such as VPC
      • Support NGFW capabilities such as DPI, IDP and IPS at the virtual infrastructure level, enabling zero trust architecture
      • Global firewall rules per tenant / project

      Documentation Considerations

      New feature that requires documentation for Networking User Guide as well as release notes.

       

      Background and Strategic Fit

      The feature/capability has already been supported upstream for some time. It addresses a critical gap in the ease of implementing VPC-equivalent functionality with OpenStack for cloud service providers. Multiple requests have been received from current and potential RHOSO customers for VPC support; this feature helps address that need, improves adoption of RHOSO, and improves the overall value proposition of RHOSO for customers. It also helps retain these customers by strengthening the value proposition and addressing a competitive feature gap.

       

      Team Sign Off (Completion while in Planning status)

      • All required Epics (known at the time) are linked to this Feature
      • All required Stories, Tasks (known at the time) for the most immediate Epics have been created and estimated
      • Add - Reviewers name, Team Name
      • Acceptance == Feature as “Ready” - well understood and scope is clear - Acceptance Criteria (scope) is elaborated, well defined, and understood
      • Note: Only set FixVersion/s: on a Feature if the delivery team agrees they have the capacity and have committed that capability for that milestone
      Reviewed By Team Name Accepted Notes

      References:

      [1] https://wiki.openstack.org/wiki/Neutron/mcafee-ngfw-firewall

      [2] https://docs.openstack.org/mitaka/config-reference/networking/fwaas.html

      [3] https://www.juniper.net/documentation/us/en/software/open-stack/open-stack-quick-reference/topics/task/openstack-neutron-config-fwaas.html

              skaplons@redhat.com Slawomir Kaplonski
              rh-ee-gurpsing Gurpreet Singh
              Edu Alcaniz Edu Alcaniz
              rhos-dfg-networking-squad-neutron