Congress: A System For Declaring, Auditing, and Enforcing Policy In Heterogeneous Cloud Environments (PowerPoint presentation)



SLIDE 1

Congress

A System For Declaring, Auditing, and Enforcing Policy In Heterogeneous Cloud Environments

Peter Balland, Tim Hinrichs. OpenStack Summit, May 2014

SLIDE 2

The Policy Problem

  • Governmental Legislation
  • Industrial Regulations
  • Organizational Contracts
  • Privacy Promises
  • Business Rules
  • Application Requirements

SLIDE 3

IT Policy Use Cases

  • Network Access Control

– Allow/deny/waypoint flows using (i) attributes of source/destination users/hosts (e.g. for hosts: whether mobile, last connection), (ii) payload, (iii) risk score.

– Load-balance flows destined for server A across servers B, C, D, E, and F.

  • Application (multiple VMs) Configuration

– Allow/deny network attachments of VMs based on attributes of the VM/tenant.

– Parameterize application templates, e.g. when an app is deployed for testing/dev there should be 1 WS/1 DB/1 App; for production deployment there are many more of each kind of VM.

  • Application Deployment Location

– Applications that manage data from Singapore (Japan, Turkey) must be located in a data center that physically resides within

  • Host Management

– Intrusion prevention systems should be applied to high-risk hosts.

SLIDE 4

Existing Approach: Multiple Touch Points

(Figure: the policy sources from slide 2, each handled today by a separate touch point in each cloud service.)

SLIDE 5

Congress Policy Framework

(Figure: Policy (Congress) as a single layer above the cloud services: AVaaS, Networking, Compute, Storage, FWaaS.)

SLIDE 6

Any Cloud Service

(Figure: Congress reads each cloud service's data as a table; the example table:)

User    Dept         Age
Pete    Finance      30
Tim     Engineering  32
Martin  Finance      33
Pierre  Sales        31

SLIDE 7

Any Policy

Cloud Service Tables (one per service; examples):

ID   Results   Time
VM1  Infected  01:13:56
VM2  Clean     18:23:05
VM3  Infected  07:13:09
VM4  Clean     20:21:17

Net   Switch   Ports
Net1  Switch1  2
Net1  Switch2  30
Net2  Switch3
Net3  Switch4  10

VM   Memory  CPU
VM1  32GB    4
VM2  64GB    8
VM3  32GB    12
VM4  128GB   8

Disk   Capacity  Used
Disk1  1TB       501GB
Disk2  2TB       237GB
Disk3  8TB       6.1TB
Disk4  4TB       3.2TB

…

Reserved Tables (defined by policy):

Permitted Actions: create_vm(…), delete_vm(…), move_vm(…)
Errors: VM1, Router2, Router3
Actions to Execute: disconnect_network(…)

SLIDE 8

Monitoring and Enforcement

The three reserved tables drive three kinds of enforcement:

  • 1. Monitor violations: Prohibited States (the Errors table, e.g. VM1, Router2, Router3)
  • 2. Prevent violations: Permitted Actions (e.g. create_vm(…), delete_vm(…), move_vm(…))
  • 3. Correct violations: Actions to Execute (e.g. disconnect_network(…))

SLIDE 9

Congress Policy Grammar

  • <policy> ::= <rule>*
  • <rule> ::= <atom> COLONMINUS <literal> (COMMA <literal>)*
  • <literal> ::= <atom>
  • <literal> ::= NOT <atom>
  • <atom> ::= TABLENAME LPAREN <term> (COMMA <term>)* RPAREN
  • <term> ::= INTEGER | FLOAT | STRING | VARIABLE
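The grammar above is small enough to parse directly. The following Python is an added illustration for this page, not code from Congress or from the slides: it lexes and parses a policy into rules of the form (head atom, list of (positive, atom)), then runs one of the checks the roadmap slide files under policy analysis, a safety check that every variable appearing in a rule head or under `not` is bound by some positive body literal. `POLICY` is the slide-11 policy verbatim. The lexical conventions are assumptions the BNF does not spell out: a TABLENAME may be service-qualified (`nova:owner`), an unquoted identifier is a VARIABLE, a double-quoted one is a STRING, and `//` starts a comment.

```python
import re
from collections import namedtuple

Var = namedtuple("Var", "name")   # an unquoted identifier is a VARIABLE; "quoted" is a STRING

TOKEN = re.compile(r'\s+|//[^\n]*|(?P<num>-?\d+(?:\.\d+)?)|(?P<str>"[^"]*")'
                   r'|(?P<name>[A-Za-z_]\w*(?::[A-Za-z_]\w*)?)|(?P<sym>:-|[(),])')

def tokenize(text):
    """Lex into (kind, text) pairs; a TABLENAME may be service-qualified, e.g. nova:owner."""
    pos, toks = 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f"bad character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup:                        # whitespace and // comments are dropped
            toks.append((m.lastgroup, m.group(m.lastgroup)))
    return toks

class Parser:
    """Recursive descent over the slide-9 grammar; a rule is (head_atom, [(positive, atom), ...])
    and an atom is (table, terms)."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None, value=None):
        k, v = self.peek()
        if (kind and k != kind) or (value and v != value):
            raise SyntaxError(f"expected {value or kind!r}, got {v!r}")
        self.i += 1
        return v
    def sequence(self, item):                  # item (COMMA item)*
        items = [item()]
        while self.peek() == ("sym", ","):
            self.take()
            items.append(item())
        return items
    def policy(self):                          # <policy> ::= <rule>*
        rules = []
        while self.peek()[0]:
            rules.append(self.rule())
        return rules
    def rule(self):                            # <rule> ::= <atom> COLONMINUS <literal> (COMMA <literal>)*
        head = self.atom()
        self.take("sym", ":-")
        return head, self.sequence(self.literal)
    def literal(self):                         # <literal> ::= <atom> | NOT <atom>
        negated = self.peek() == ("name", "not") and self.take()
        return not negated, self.atom()
    def atom(self):                            # <atom> ::= TABLENAME LPAREN <term> (COMMA <term>)* RPAREN
        table = self.take("name")
        self.take("sym", "(")
        terms = tuple(self.sequence(self.term))
        self.take("sym", ")")
        return table, terms
    def term(self):                            # <term> ::= INTEGER | FLOAT | STRING | VARIABLE
        kind, v = self.peek()
        if kind not in ("num", "str"):
            return Var(self.take("name"))      # raises if the token is not an identifier
        self.take()
        return (float(v) if "." in v else int(v)) if kind == "num" else v[1:-1]

def unsafe_variables(rules):
    """Policy analysis: variables in a head or under 'not' that no positive literal binds.
    Such a rule has no finite bottom-up meaning, so an evaluator must reject it."""
    problems = []
    for (head, terms), body in rules:
        bound = {t for pos, (_, ts) in body if pos for t in ts if isinstance(t, Var)}
        checks = [("the head", terms)] + [(f"not {tb}", ts) for pos, (tb, ts) in body if not pos]
        for where, ts in checks:
            for t in ts:
                if isinstance(t, Var) and t not in bound:
                    problems.append(f"{head}: variable {t.name} in {where} is never bound positively")
    return problems

POLICY = """
// prohibited states (slide 11)
error(vm) :- nova:virtual_machine(vm), nova:network(vm, network),
    not neutron:public_network(network), neutron:owner(network, netowner),
    nova:owner(vm, vmowner), not same_group(netowner, vmowner)
// which users are members of the same group
same_group(user1, user2) :- ldap:group(user1, group), ldap:group(user2, group)
"""

def parse_policy(text=POLICY):
    """Parse a policy text; the default is the slide-11 policy."""
    return Parser(text).policy()
```

`parse_policy()` yields two rules and `unsafe_variables(...)` on them is empty; a rule such as `p(x, y) :- q(x), not r(z)` is reported twice, once for `y` in the head and once for `z` under `not`, which is exactly the kind of mistake a policy author makes when a binding literal is forgotten.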

SLIDE 10

Example

  • Policy:

– Every network attached to a VM must be a public network or a private network owned by someone in the same group as the VM owner.

  • Cloud Services:

– Nova: a manager for VMs
– Neutron: a manager for virtual networks
– LDAP: a manager for group membership

  • Enforcement:

– Monitoring: check whether all deployed VMs obey this policy.
– Preventative: before Nova deploys a VM, ask Congress whether the deployment is within policy.
– Corrective: when LDAP group membership changes, correct the resulting violations.

SLIDE 11

Prohibited States Policy

// prohibited states
error(vm) :- nova:virtual_machine(vm), nova:network(vm, network),
             not neutron:public_network(network),
             neutron:owner(network, netowner), nova:owner(vm, vmowner),
             not same_group(netowner, vmowner)

// which users are members of the same group
same_group(user1, user2) :- ldap:group(user1, group), ldap:group(user2, group)

SLIDE 12

Example Cloud State (No Violations)

Neutron:owner
Network      Owner
Net_private  Martin

Neutron:public
Network
Net_public

Nova:owner
VM   Owner
VM1  Tim
VM2  Pete
VM3  Pierre

LDAP:group
User    Group
Pete    Congress
Tim     Congress
Martin  Congress
Pierre  Congress

Error
<no rows>

(Figure: VM1 is attached to Net_private; VM2 and VM3 are attached to Net_public.)

SLIDE 13

Example Cloud State (1 Violation)

Neutron:owner
Network      Owner
Net_private  Martin

Neutron:public
Network
Net_public

Nova:owner
VM   Owner
VM1  Tim
VM2  Pete
VM3  Pierre

LDAP:group
User    Group
Pete    Congress
Tim     Congress
Martin  Congress
Pierre  Congress

Error
VM1

(Figure: VM1 is attached to Net_private; VM2 and VM3 are attached to Net_public.)
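To see how the Error table on slides 12 and 13 is derived, here is a small bottom-up Datalog evaluator written for this page (not Congress's own evaluator) that runs the slide-11 policy over the two cloud states. The policy is hand-encoded as Python tuples rather than parsed. Two inputs are assumptions, not text on the slides: the `nova:network` attachments (VM1 on Net_private, VM2 and VM3 on Net_public, as the diagram shows) and the change that produces the slide-13 violation, taken here to be Martin leaving the Congress group, the corrective-enforcement case from slide 10. Negation is handled by stratification: `same_group` is computed to a fixpoint before any rule that negates it runs, and a policy that negates a table through its own recursion is rejected instead of silently giving a wrong answer.

```python
from collections import defaultdict, namedtuple

V = Var = namedtuple("Var", "name")   # rule variable; any other Python value is a constant

# Slide 11's policy, hand-encoded: a rule is (head_atom, [(positive, atom), ...]), an atom is
# (table, terms).  error is the reserved Error table; same_group is an intermediate table.
RULES = [
    # error(vm) :- nova:virtual_machine(vm), nova:network(vm, network),
    #     not neutron:public_network(network), neutron:owner(network, netowner),
    #     nova:owner(vm, vmowner), not same_group(netowner, vmowner)
    (("error", (V("vm"),)), [
        (True, ("nova:virtual_machine", (V("vm"),))),
        (True, ("nova:network", (V("vm"), V("network")))),
        (False, ("neutron:public_network", (V("network"),))),
        (True, ("neutron:owner", (V("network"), V("netowner")))),
        (True, ("nova:owner", (V("vm"), V("vmowner")))),
        (False, ("same_group", (V("netowner"), V("vmowner")))),
    ]),
    # same_group(user1, user2) :- ldap:group(user1, group), ldap:group(user2, group)
    (("same_group", (V("user1"), V("user2"))), [
        (True, ("ldap:group", (V("user1"), V("group")))),
        (True, ("ldap:group", (V("user2"), V("group")))),
    ]),
]

def ground(terms, binding):
    """Substitute bindings into terms; a variable still free here makes the rule unsafe."""
    try:
        return tuple(binding[t] if isinstance(t, Var) else t for t in terms)
    except KeyError as e:
        raise ValueError(f"unsafe rule: {e.args[0].name} is not bound by a positive literal")

def solve(body, db, binding):
    """Yield every binding that satisfies the remaining body literals, left to right."""
    if not body:
        yield binding
        return
    (positive, (table, terms)), rest = body[0], body[1:]
    if not positive:                          # not atom: the fully bound fact must be absent
        if ground(terms, binding) not in db[table]:
            yield from solve(rest, db, binding)
        return
    for fact in list(db[table]):              # copy: the head table may grow while we iterate
        b = dict(binding)
        if len(fact) == len(terms) and all(
                (b.setdefault(t, v) == v) if isinstance(t, Var) else t == v
                for t, v in zip(terms, fact)):
            yield from solve(rest, db, b)

def strata(rules):
    """Stratify: a table used under not must be complete before the rules that negate it run."""
    heads = {head for (head, _), _ in rules}
    level, changed = defaultdict(int), True
    while changed:
        changed = False
        for (head, _), body in rules:
            for positive, (table, _) in body:
                need = level[table] + (0 if positive else 1)
                if need > level[head]:
                    if need > len(heads):
                        raise ValueError("not stratifiable: negation through recursion")
                    level[head], changed = need, True
    return level

def evaluate(rules, facts):
    """Naive bottom-up fixpoint, one stratum at a time; returns every table, derived ones too."""
    db = defaultdict(set, {t: set(rows) for t, rows in facts.items()})
    level = strata(rules)
    for s in sorted({level[head] for (head, _), _ in rules}):
        changed = True
        while changed:
            changed = False
            for (head, terms), body in rules:
                if level[head] != s:
                    continue
                for b in solve(body, db, {}):
                    fact = ground(terms, b)
                    if fact not in db[head]:
                        db[head].add(fact)
                        changed = True
    return db

def cloud_state(martin_group="Congress"):
    """Slide 12's tables. Assumed, not shown as text on the slide: the VM-to-network
    attachments (read off the diagram) and, for slide 13, Martin's group changing."""
    return {
        "nova:virtual_machine": {("VM1",), ("VM2",), ("VM3",)},
        "nova:network": {("VM1", "Net_private"), ("VM2", "Net_public"), ("VM3", "Net_public")},
        "nova:owner": {("VM1", "Tim"), ("VM2", "Pete"), ("VM3", "Pierre")},
        "neutron:public_network": {("Net_public",)},
        "neutron:owner": {("Net_private", "Martin")},
        "ldap:group": {("Pete", "Congress"), ("Tim", "Congress"),
                       ("Martin", martin_group), ("Pierre", "Congress")},
    }

def errors(state):
    """Rows of the reserved Error table (slide 7) for one cloud state."""
    return sorted(evaluate(RULES, state)["error"])
```

`errors(cloud_state())` returns `[]` for slide 12 and `errors(cloud_state(martin_group="Finance"))` returns `[('VM1',)]` for slide 13, matching the Error table on each slide: once Martin is no longer in Tim's group, `same_group(Martin, Tim)` disappears from the lower stratum and the `not same_group(...)` literal lets VM1 through. The fixpoint here re-derives every rule on each pass; the roadmap slide's "optimization" of Datalog evaluation is where a real engine would do better.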

SLIDE 14

Congress + OpenStack

  • Fills a business need of implementers and operators
  • Prevents vendor lock-in
  • Congress integration across projects facilitates greater inter-component communication and extensibility

SLIDE 15

Status and Roadmap

  • Basic Policy language implementation (datalog evaluation, optimization, etc.)
  • Architecture and API (formalize data models and implement event loop, APIs)
  • Enhanced Policy language
  • Policy structure (multi-tenancy, multi-stakeholder)
  • Enforcement (action execution, component sub-policy interaction)
  • Libraries (data-source drivers, HIPAA (etc.) encoding)
  • Policy Analysis (loop & redundancy detection, impact analysis)
  • Dashboard

SLIDE 16

How To Help

  • Open Source Community Design Session

– Room B405

  • IRC Meetings

– Bi-weekly on Tuesdays (e.g. May 20, 2014) at 1700 UTC

  • openstack-dev mailing list

SLIDE 17

References

  • Congress Wiki

– https://wiki.openstack.org/wiki/Congress

  • On Policy in the Data Center

– http://networkheresy.com/2014/04/22/on-policy-in-the-data-center-the-policy-problem/

  • Stackforge Repo:

– https://github.com/stackforge/congress

SLIDE 18

Learn more about VMware + OpenStack at the following sessions:

Monday

– VMware Demo, 1:00-1:15 pm, Demo Theater
– Enterprise Grade Scheduling, 4:40-5:20 pm, B206
– Bridging The Gap: OpenStack For VMware Administrators, 5:30-6:10 pm, B206
– Software Defined Networking Performance And Architecture Evaluation, 5:30-6:10 pm, B103 (presented by Symantec & Mirantis)

Tuesday

– Scaling Neutron For Large Deployments, 4:40-5:20 pm, B101 (presented by eBay & PayPal)
– Open vSwitch And The Intelligent Edge, 5:30-6:10 pm, B206

Wednesday

– VMware + OpenStack: Accelerating OpenStack In The Enterprise, 1:50-2:30 pm, B313
– Deep-dive Demo for OpenStack On VMware, 2:40-3:20 pm, B313
– OpenStack Distribution Support For vSphere + NSX, 3:30-4:10 pm, B313
– Congress: A System For Declaring, Auditing, and Enforcing Policy In Heterogeneous Cloud Environments, 4:30-5:10 pm, B313
– VSAN and OpenStack, 5:20-6:00 pm, B313

Thursday

– Recap: Nova-network Or Neutron For OpenStack Networking? 9:50-10:30 am, B309
– Leveraging VMware Technology To Build An Enterprise Grade OpenStack Cloud - It's Not Always About KVM! 2:20-3:00 pm, B101 (presented by iLand)

Hands-on-Labs

– OpenStack on VMware vSphere and NSX, Wed, May 14, 3:30-5:30 pm, B313
– OpenStack Networking, Wed, May 14, 4:30-6:00 pm, B314

The Enterprise-Grade Foundation For Your OpenStack Cloud