
Tired of iptables based security groups? Here's how to gain - PowerPoint PPT Presentation



  1. Tired of iptables based security groups? Here's how to gain tremendous speed with Open vSwitch instead!

  2. Who are we?
     Jakub Libosvar, Software Engineer at Red Hat, libosvar@redhat.com
     Rodolfo Alonso, Software Engineer, rodolfo.alonso.hernandez@intel.com

  3. Index
     • Security groups overview
     • How OVS based firewall drivers work
     • Handy tools

  4. How Neutron Security Groups work
     [diagram: Client → Web server (Web SG) → Application server (App SG) → Database server (Database SG); each tier sits in its own security group]

  5. iptables hybrid firewall driver (I)
     [diagram of the per-instance plumbing for two instances, every device MTU 1450:
      tapfa00f53b-48 (tun) -> qbrfa00f53b-48 (bridge) -> qvbfa00f53b-48 / qvofa00f53b-48 (veth pair) -> br-int (openvswitch), tag 1
      tap427c97a6-d4 (tun) -> qbr427c97a6-d4 (bridge) -> qvb427c97a6-d4 / qvo427c97a6-d4 (veth pair) -> br-int (openvswitch), tag 1]

  6. iptables hybrid firewall driver (II)
     [diagram: tape800225d-3e (tun) and tapda36ad27-40 (tun), both tag 1, attached directly to br-int (openvswitch); every device MTU 1450]

  7. Firewall dissection: evolution (I)
     Packet filtering: static rules, based on source and destination address, protocol and port

  8. Firewall dissection: evolution (II)
     Stateful packet inspection: connection tracking and recording this state
     Source: http://www.iptables.info/en/connection-state.html

  9. Firewall dissection: evolution (III)
     Application firewalls: full OSI stack inspection, DPI systems
     Source: http://opennetsummit.org/

  10. Firewall dissection: sections
     • Allow network discovery: ARP/ND messages
     • Allow network services: DHCP, ICMP, IGMP (or MLD using ICMPv6)
     • Prevent ARP spoofing: filtering by MAC address
     • DHCP snooping: filtering by protocol and port
     • Manage connection tracking: TCP, UDP
     • Manage user rules

  11. Firewall implementation: OpenFlow “learn action” (I)
     OpenFlow “learn action”: allows creating a new rule when a packet hits an existing one. Used to track incoming connections inside the switch and to allow the reply traffic back to the source of the communication.
     [diagram, two packets]
     First packet (IN PORT = 5):
       VLAN = 1410, SRC MAC = ca:fe:ca:fe:ca:fe, DST MAC = 00:11:22:33:44:55
       PROTOCOL = ipv4, TCP, SRC IP: 192.168.1.1, DST IP: 192.168.1.100, SRC PORT: 2000, DST PORT: 5000
       ACTIONS = learn(dst_mac=SRC_MAC, src_mac=DST_MAC, src_ip=DST_IP, dst_ip=SRC_IP, src_port=DST_PORT, dst_port=SRC_PORT, proto=PROTO, vlan=VLAN, actions=normal)
     Reply packet (matched by the learned rule):
       VLAN = 1410, SRC MAC = 00:11:22:33:44:55, DST MAC = ca:fe:ca:fe:ca:fe
       PROTOCOL = ipv4, TCP, SRC IP: 192.168.1.100, DST IP: 192.168.1.1, SRC PORT: 5000, DST PORT: 2000
       ACTIONS = normal
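The mechanism on this slide, as an added example in plain Python (not code from the presentation or from the Neutron driver): the first packet leaving the VM installs a rule with every endpoint field swapped, and only packets matching such a learned rule are allowed back towards the VM. The Packet/Flow/Switch classes and the single-table model are simplifications of my own; the MAC, IP, port and VLAN values are taken from the slide.

```python
"""Toy model of the OpenFlow "learn" action from slide 11.

Added example, not code from the presentation. The Packet/Flow/Switch
classes and the one-table model are simplifications (assumptions); the
field names and the sample addresses, ports and VLAN are the slide's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    vlan: int
    src_mac: str
    dst_mac: str
    proto: str      # "tcp" on the slide
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass
class Flow:
    match: dict     # field name -> value the packet must carry
    actions: str    # "normal" on the slide

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, k) == v for k, v in self.match.items())


def learned_reverse_flow(pkt: Packet) -> Flow:
    """Rule installed by learn(dst_mac=SRC_MAC, src_mac=DST_MAC, src_ip=DST_IP,
    dst_ip=SRC_IP, src_port=DST_PORT, dst_port=SRC_PORT, proto=PROTO,
    vlan=VLAN, actions=normal): every endpoint field is swapped."""
    return Flow(
        match={
            "vlan": pkt.vlan, "proto": pkt.proto,
            "src_mac": pkt.dst_mac, "dst_mac": pkt.src_mac,
            "src_ip": pkt.dst_ip, "dst_ip": pkt.src_ip,
            "src_port": pkt.dst_port, "dst_port": pkt.src_port,
        },
        actions="normal",
    )


class Switch:
    """One VM port; learned flows are the only way traffic reaches the VM."""

    def __init__(self, vm_port: int, vm_mac: str):
        self.vm_port = vm_port
        self.vm_mac = vm_mac
        self.learned = []   # flows created by the learn action

    def egress(self, pkt: Packet, in_port: int) -> str:
        # Static rule: packets from the VM's own port carrying the VM's MAC
        # learn the reverse flow and are forwarded; anything else is dropped
        # (the MAC check corresponds to the MAC filtering of slide 10).
        if in_port == self.vm_port and pkt.src_mac == self.vm_mac:
            self.learned.append(learned_reverse_flow(pkt))
            return "normal"
        return "drop"

    def ingress(self, pkt: Packet) -> str:
        # Traffic towards the VM passes only through a learned flow.
        for flow in self.learned:
            if flow.matches(pkt):
                return flow.actions
        return "drop"


# Constructed from the values on the slide.
VM_MAC, PEER_MAC = "ca:fe:ca:fe:ca:fe", "00:11:22:33:44:55"
OUTBOUND = Packet(1410, VM_MAC, PEER_MAC, "tcp", "192.168.1.1", "192.168.1.100", 2000, 5000)
REPLY = Packet(1410, PEER_MAC, VM_MAC, "tcp", "192.168.1.100", "192.168.1.1", 5000, 2000)
# Same peer, but aimed at a port the VM never talked to: no learned flow for it.
UNSOLICITED = Packet(1410, PEER_MAC, VM_MAC, "tcp", "192.168.1.100", "192.168.1.1", 5000, 2001)


def demo() -> dict:
    sw = Switch(vm_port=5, vm_mac=VM_MAC)
    return {
        "outbound": sw.egress(OUTBOUND, in_port=5),
        "reply": sw.ingress(REPLY),
        "unsolicited": sw.ingress(UNSOLICITED),
        "spoofed": sw.egress(REPLY, in_port=5),   # foreign source MAC on the VM port
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `normal` for the outbound packet and its reply and `drop` for the unsolicited packet and the spoofed one. Note what the learned rule is: a mirror of the 5-tuple and nothing more. It tracks no TCP state, so it cannot tell a genuine reply from any other packet that carries the reversed tuple; that gap is what the conntrack-based implementation on the later slides closes.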

  12. Firewall implementation: OpenFlow “learn action” (II)
     Flow path description:
     • Zero table: MAC and in_port matching, VLAN management, ARP/ND
     • Traffic selection: service rules, multicast management, traffic selection
     • Input traffic: traffic coming into the OVS
     • Output traffic: traffic going out of the OVS into a VM
     • External output traffic: traffic going out of the OVS to an external destination (physical, external or tunnel bridge)
     [diagram: zero table → traffic selection → input traffic / output traffic / external output traffic]

  13. Firewall implementation: OpenFlow “learn action” (III)
     [chart: 1000 users, OVS 2.4; MB (0 to 1,400) vs. bytes per packet (0 to 1600); series: OVS 2.4, no firewall; OVS 2.4, iptables; OVS 2.4, "learn action"]

  14. Firewall implementation: OpenFlow “learn action” (IV)
     [chart: 1000 users, OVS 2.4 DPDK; MB (0 to 10,000) vs. bytes per packet (0 to 1600); series: OVS 2.4, iptables; DPDK, no firewall, OVS 2.4; DPDK, "learn action" implementation, OVS 2.4]

  15. Firewall implementation: connection tracking (I)
     [diagram: Instance A and Instance B attached to the integration bridge; pipeline Base table → Egress base → Egress rules → Egress accepted → Ingress base → Ingress rules → Switch]

  16. Firewall implementation: connection tracking (II)
     [same diagram as slide 15]

  17. Firewall implementation: connection tracking (III)
     [same diagram as slide 15]

  18. Firewall implementation: connection tracking (IV)
     [same diagram as slide 15]

  19. Firewall implementation: connection tracking (V)
     Egress rules
       priority=70,ct_state=+est-rel-rpl,icmp,reg5=0x1,dl_src=fa:16:3e:a4:22:10 actions=resubmit(,73)
       priority=70,ct_state=+new-est,icmp,reg5=0x1,dl_src=fa:16:3e:a4:22:10 actions=resubmit(,73)
       priority=50,ct_state=+inv+trk actions=drop
       priority=50,ct_mark=0x1,reg5=0x1 actions=drop
       priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1 actions=NORMAL
       priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1 actions=NORMAL
       priority=40,ct_state=-est,reg5=0x1 actions=drop
       priority=40,ct_state=+est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1->NXM_NX_CT_MARK[]))
       priority=0 actions=drop

  20. Firewall implementation: connection tracking (VI)
     Egress accepted
       table=73, priority=100,dl_dst=fa:16:3e:a4:22:10 actions=load:0x1->NXM_NX_REG5[],resubmit(,81)
       table=73, priority=90,ct_state=+new-est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15]), NORMAL
       table=73, priority=80,reg5=0x1 actions=NORMAL
       table=73, priority=0 actions=drop
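To see which of the rules on slides 19 and 20 a packet actually hits, here is an added Python evaluator (not code from the presentation or the Neutron driver). `parse_flow()` reads flows in the text form the slides print them, which is also the form `ovs-ofctl dump-flows` uses on slide 24 (the counter fields are skipped), and `lookup()` returns the actions of the highest-priority matching flow. The ct_state semantics follow OVS: a `+flag` must be set, a `-flag` must be clear. The packet dictionaries are constructed for this example, and reading reg5 as the port id the rules key on is an assumption drawn from the `load:0x5->NXM_NX_REG5[]` flow on slide 24.

```python
"""Evaluate the conntrack-based egress rules of slides 19 and 20.

Added example, not code from the presentation. parse_flow() reads flows
in the text form the slides (and `ovs-ofctl dump-flows`, slide 24) print
them; the packet dictionaries are constructed for this example, and the
meaning given to reg5 (the port id the rules key on) is an assumption.
ct_state semantics follow OVS: "+flag" must be set, "-flag" must be clear.
"""
import re

VM_MAC = "fa:16:3e:a4:22:10"

# Flows copied verbatim from slides 19 and 20.
EGRESS_RULES = [
    "priority=70,ct_state=+est-rel-rpl,icmp,reg5=0x1,dl_src=fa:16:3e:a4:22:10 actions=resubmit(,73)",
    "priority=70,ct_state=+new-est,icmp,reg5=0x1,dl_src=fa:16:3e:a4:22:10 actions=resubmit(,73)",
    "priority=50,ct_state=+inv+trk actions=drop",
    "priority=50,ct_mark=0x1,reg5=0x1 actions=drop",
    "priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1 actions=NORMAL",
    "priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1 actions=NORMAL",
    "priority=40,ct_state=-est,reg5=0x1 actions=drop",
    "priority=40,ct_state=+est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1->NXM_NX_CT_MARK[]))",
    "priority=0 actions=drop",
]
EGRESS_ACCEPTED = [
    "table=73, priority=100,dl_dst=fa:16:3e:a4:22:10 actions=load:0x1->NXM_NX_REG5[],resubmit(,81)",
    "table=73, priority=90,ct_state=+new-est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15]), NORMAL",
    "table=73, priority=80,reg5=0x1 actions=NORMAL",
    "table=73, priority=0 actions=drop",
]

STATS_KEYS = {"cookie", "duration", "n_packets", "n_bytes", "idle_age", "hard_age"}


def _value(raw: str):
    """Numbers (decimal or 0x...) become ints; MACs and the like stay strings."""
    try:
        return int(raw, 0)
    except ValueError:
        return raw


def parse_flow(line: str) -> dict:
    match_part, actions = line.split(" actions=", 1)
    flow = {"table": 0, "priority": 32768, "match": {}, "actions": actions.strip()}
    for token in (t.strip() for t in match_part.split(",")):
        if not token:
            continue
        if "=" not in token:
            flow["match"]["proto"] = token        # bare keyword: icmp, tcp, udp ...
            continue
        key, raw = token.split("=", 1)
        if key in ("table", "priority"):
            flow[key] = int(raw)
        elif key in STATS_KEYS:
            continue                               # counters, not match criteria
        elif key == "ct_state":
            flow["match"]["ct_state"] = {
                name: sign == "+" for sign, name in re.findall(r"([+-])(\w+)", raw)
            }
        else:
            flow["match"][key] = _value(raw)
    return flow


def matches(flow: dict, pkt: dict) -> bool:
    for key, want in flow["match"].items():
        if key == "ct_state":
            flags = pkt.get("ct_state", set())
            if any((name in flags) != must_be_set for name, must_be_set in want.items()):
                return False
        elif pkt.get(key) != want:
            return False
    return True


def lookup(table: list, pkt: dict):
    """Actions of the highest-priority matching flow, or None."""
    flows = sorted((parse_flow(line) for line in table),
                   key=lambda f: f["priority"], reverse=True)
    for flow in flows:
        if matches(flow, pkt):
            return flow["actions"]
    return None


def trace_egress(pkt: dict) -> list:
    """Egress rules first; a resubmit(,73) continues in the egress accepted table."""
    path = [lookup(EGRESS_RULES, pkt)]
    if path[-1] == "resubmit(,73)":
        path.append(lookup(EGRESS_ACCEPTED, pkt))
    return path


def _pkt(proto, ct_state, ct_mark=0):
    # Constructed packet as the rules see it: conntrack has already run (trk).
    return {"proto": proto, "reg5": 1, "dl_src": VM_MAC, "ct_zone": 644,
            "ct_mark": ct_mark, "ct_state": set(ct_state) | {"trk"}}


PKT_NEW_ICMP = _pkt("icmp", {"new"})          # first packet of an allowed ping
PKT_REPLY = _pkt("icmp", {"est", "rpl"})      # reply of an established flow
PKT_INVALID = _pkt("tcp", {"inv"})            # conntrack could not classify it
PKT_EST_NO_RULE = _pkt("tcp", {"est"})        # established, but no user rule allows it
PKT_MARKED = _pkt("tcp", {"est"}, ct_mark=1)  # later packet of that same connection

if __name__ == "__main__":
    for name in ("PKT_NEW_ICMP", "PKT_REPLY", "PKT_INVALID", "PKT_EST_NO_RULE", "PKT_MARKED"):
        print(name, trace_egress(globals()[name]))
```

The two TCP packets are the interesting pair: an established connection that no user rule allows falls through to the priority 40 `+est` rule, which commits it with `ct_mark` 1, and from then on every packet of that connection hits the priority 50 `ct_mark=0x1` drop. That is how these rules shut down a connection whose security group rule has gone away, using only conntrack state rather than a separate teardown step.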

  21. Firewall implementation: connection tracking (VII)
     [chart: 1000 users, OVS 2.5; MB (0 to 1,600) vs. bytes per packet (0 to 1600); series: OVS 2.4, iptables; OVS 2.5, conntrack]

  22. Handy tools and commands: ovs-vsctl (I)
     show: prints a brief overview of the database contents
     root@compute:~# ovs-vsctl show
     c0a5a68d-2236-409c-9721-4382c4d7825d
         Bridge "br-eth4"
             Port "eth4"
                 Interface "eth4"
             Port "phy-br-eth4"
                 Interface "phy-br-eth4"
                     type: patch
                     options: {peer="int-br-eth4"}
         Bridge br-int
             fail_mode: secure
             Port "tapdf053558-6f"
                 tag: 1
                 Interface "tapdf053558-6f"
             Port "int-br-eth4"
                 Interface "int-br-eth4"
                     type: patch
                     options: {peer="phy-br-eth4"}
             Port br-int
                 Interface br-int
                     type: internal
         ovs_version: "2.5.90"

  23. Handy tools and commands: ovs-vsctl (II)
     add-br bridge: creates a new bridge
     del-br bridge: deletes the bridge
     list-ports bridge: lists all ports within bridge
     root@compute:~# ovs-vsctl list-ports br-int
     int-br-eth4
     qr-fa59f34c-4a
     qr-fc4cbc61-38
     tap423ef4df-75
     tapdf053558-6f

  24. Handy tools and commands: ovs-ofctl
     dump-flows bridge [flows]: prints to the console all flow entries in the switch's tables that match “flows”
     root@computer:~# ovs-ofctl dump-flows br-int
     NXST_FLOW reply (xid=0x4):
      cookie=0xaa8bf9e1635b7423, duration=502959.645s, table=0, n_packets=5824755, n_bytes=454330890, idle_age=65534, hard_age=65534, priority=2,in_port=1 actions=drop
      cookie=0xaa8bf9e1635b7423, duration=500106.686s, table=0, n_packets=7509495125, n_bytes=5044309725863, idle_age=43, hard_age=65534, priority=100,in_port=5 actions=load:0x5->NXM_NX_REG5[],load:0xfff->NXM_NX_REG6[],resubmit(,71)
      cookie=0xaa8bf9e1635b7423, duration=500106.686s, table=0, n_packets=11131317812, n_bytes=7510404375704, idle_age=47, hard_age=65534, priority=90,dl_dst=fa:16:3e:54:b6:ad actions=load:0x5->NXM_NX_REG5[],load:0xfff->NXM_NX_REG6[],resubmit(,81)
      cookie=0xaa8bf9e1635b7423, duration=502955.155s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=3,in_port=1,dl_vlan=1404 actions=mod_vlan_vid:1,NORMAL
      cookie=0xaa8bf9e1635b7423, duration=502970.137s, table=0, n_packets=7790, n_bytes=918512, idle_age=43, hard_age=65534, priority=0 actions=NORMAL

  25. Handy tools and commands: ovs-appctl (I)
     dpctl/dump-flows: prints the dataplane active flows
     root@compute:~# ovs-appctl -t /usr/var/run/openvswitch/ovs-vswitchd.24766.ctl dpctl/dump-flows system@ovs-system
     recirc_id(0xb92),in_port(7),ct_state(+new-est-rel-rpl),eth(dst=fa:16:3e:54:b6:ad),eth_type(0x8100),vlan(vid=1404,pcp=0),encap(eth_type(0x0800),ipv4(proto=17,frag=no),udp(dst=5000/0xfffe)), packets:9765, bytes:4960620, used:3.452s, actions:ct(commit,zone=4095),pop_vlan,8
     recirc_id(0),in_port(8),ct_state(-trk),eth(src=fa:16:3e:54:b6:ad),eth_type(0x0800),ipv4(src=10.0.0.3,proto=17,frag=no),udp(src=4096/0xf000), packets:506822, bytes:255438288, used:0.000s, actions:ct(zone=4095),recirc(0xb93)
