tired of iptables based security groups
play

Tired of iptables based security groups? Here's how to gain - PowerPoint PPT Presentation

Sep 16, 2023 •91 likes •397 views

Tired of iptables based security groups? Here's how to gain tremendous speed with Open vSwitch instead! Who we are? Jakub Libosvar Software Engineer at Red Hat libosvar@redhat.com Rodolfo Alonso Software Engineer

  1. Tired of iptables based security groups? Here's how to gain tremendous speed with Open vSwitch instead!

  2. Who we are? Jakub Libosvar Software Engineer at Red Hat libosvar@redhat.com Rodolfo Alonso Software Engineer rodolfo.alonso.hernandez@intel.com 2/29

  3. Index • Security groups overview • How OVS based firewall drivers work • Handy tools 3/29

  4. How Neutron Security Groups works Client Web server Application server Database server Web SG App SG Database SG 4/29

  5. iptables hybrid firewall driver (I) qvbfa00f53b-48 (veth) tapfa00f53b-48 (tun) qvb427c97a6-d4 (veth) tap427c97a6-d4 (tun) MTU 1450 MTU 1450 MTU 1450 MTU 1450 fe80::b456:b7ff:fef3:1cce/64 fe80::fc16:3eff:fe45:b407/64 fe80::f410:70ff:fea9:891e/64 fe80::fc16:3eff:fec5:e381/64 qvofa00f53b-48 (veth) qvo427c97a6-d4 (veth) qbrfa00f53b-48 (bridge) qbr427c97a6-d4 (bridge) MTU 1450 MTU 1450 MTU 1450 MTU 1450 fe80::9cc6:7bff:feb6:b758/64 fe80::c45:71ff:fe3f:717c/64 tag 1 tag 1 br-int (openvswitch) MTU 1450 5/29

  6. iptables hybrid firewall driver (II) tape800225d-3e (tun) tapda36ad27-40 (tun) MTU 1450 MTU 1450 fe80::fc16:3eff:fe37:1f31/64 fe80::fc16:3eff:fe9e:491e/64 tag 1 tag 1 br-int (openvswitch) MTU 1450 6/29

  7. Firewall dissection: evolution (I) Packet filtering : static rules, based on source and destination address, protocol and port 7/29

  8. Firewall dissection: evolution (II) Stateful packet inspection : connection tracking and recording this state Source: http://www.iptables.info/en/connection-state.html 8/29

  9. Firewall dissection: evolution (III) Application firewalls : full OSI stack inspection, DPI systems Source: http://opennetsummit.org/ 9/29

  10. Firewall dissection: sections Allow network discovery : ARP/ND messages Allow network services : DHCP, ICMP, IGMP (or MLD using ICMPv6) Prevent ARP spoofing : filtering by MAC address DHCP snooping : filtering by protocol and port Manage connection tracking : TCP, UDP Manage user rules 10/29

  11. Firewall implementation: OpenFlow “learn action” (I) OpenFlow “learn action” : allow to create a new rule when a packet hits a previous one Used to track incoming connections inside the switch and allow the traffic replied going back to the source of the communication IN PORT = 5 VLAN = 1410 DST MAC = ca:fe:ca:fe:ca:fe VLAN = 1410 SRC MAC = 00:11:22:33:44:55 DST MAC = 00:11:22:33:44:55 PROTOCOL = ipv4, TCP SRC MAC = ca:fe:ca:fe:ca:fe DST IP: 192.168.1.1 PROTOCOL = ipv4, TCP SRC IP: 192.168.1.100 DST IP: 192.168.1.100 DST PORT: 2000 SRC IP: 192.168.1.1 SRC PORT: 5000 DST PORT: 5000 ACTIONS = learn(dst_mac=SRC_MAC, SRC PORT: 2000 src_mac=DST_MAC, src_ip=DST_IP, ACTIONS = normal dst_ip=SRC_IP, src_port=DST_PORT, dst_port=SRC_PORT, proto=PROTO, vlan=VLAN, actions=normal) 11/29

  12. Firewall implementation: OpenFlow “learn action” (II) Flow path description: • Zero table : MAC and in_port matching, VLAN management, ARP/ND • Traffic selection : service rules, multicast management, traffic selection • Input traffic : traffic coming into the OVS • Output traffic : traffic going out the OVS into a VM • External output traffic : traffic going out the OVS, external destination (physical, external or tunnel bridge) INPUT TRAFFIC TRAFFIC ZERO TABLE SELECTION EXTERNAL OUTPUT OUTPUT TRAFFIC TRAFFIC 12/29

  13. Firewall implementation: OpenFlow “learn action” ( III) 1000 users, OVS 2.4 MB/bytes per packet 1,400 1,200 1,000 800 600 400 200 0 0 200 400 600 800 1000 1200 1400 1600 OVS 2.4, no firewall OVS 2.4, iptables OVS 2.4, "learn action" 13/29

  14. Firewall implementation: OpenFlow “learn action” ( IV) 1000 users, OVS 2.4 DPDK MB/bytes per packet 10,000 9,000 8,000 7,000 6,000 5,000 4,000 3,000 2,000 1,000 0 0 200 400 600 800 1000 1200 1400 1600 OVS 2.4, iptables DPDK, no firewall, OVS 2.4 DPDK, "learn action" implementation, OVS 2.4 14/29

  15. Firewall implementation: connection tracking (I) Instance B Instance A Integration bridge Base table Egress base Egress rules Egress accepted Ingress base Ingress rules Switch 15/29

  16. Firewall implementation: connection tracking (II) Instance A Instance B Integration bridge Base table Egress base Egress rules Egress accepted Ingress base Ingress rules Switch 16/29

  17. Firewall implementation: connection tracking (III) Instance B Instance A Integration bridge Base table Egress base Egress rules Egress accepted Ingress base Ingress rules 17/29 Switch

  18. Firewall implementation: connection tracking (IV) Instance B Instance A Integration bridge Base table Egress base Egress rules Egress accepted Ingress base Ingress rules 18/29 Switch

  19. Firewall implementation: connection tracking (V) Egress rules priority=70,ct_state=+est-rel-rpl,icmp,reg5=0x1,dl_src=fa:16:3e:a4:22:10 actions=resubmit(,73) priority=70,ct_state=+new-est,icmp,reg5=0x1,dl_src=fa:16:3e:a4:22:10 actions=resubmit(,73) priority=50,ct_state=+inv+trk actions=drop priority=50,ct_mark=0x1,reg5=0x1 actions=drop priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1 actions=NORMAL priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1 actions=NORMAL priority=40,ct_state=-est,reg5=0x1 actions=drop priority=40,ct_state=+est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1- >NXM_NX_CT_MARK[])) priority=0 actions=drop 19/29

  20. Firewall implementation: connection tracking (VI) Egress accepted table=73, priority=100,dl_dst=fa:16:3e:a4:22:10 actions=load:0x1->NXM_NX_REG5[],resubmit(,81) table=73, priority=90,ct_state=+new-est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15]), NORMAL table=73, priority=80,reg5=0x1 actions=NORMAL table=73, priority=0 actions=drop 20/29

  21. Firewall implementation: connection tracking (VII) 1000 users, OVS 2.5 MB/bytes per packet 1,600 1,400 1,200 1,000 800 600 400 200 0 0 200 400 600 800 1000 1200 1400 1600 OVS 2.4, iptables OVS 2.5, conntrack 21/29

  22. Handy tools and commands: ovs-vsctl (I) show : prints a brief overview of the database contents root@compute:~# ovs-vsctl show c0a5a68d-2236-409c-9721-4382c4d7825d Bridge "br-eth4" Port "eth4" Interface "eth4" Port "phy-br-eth4" Interface "phy-br-eth4" type: patch options: {peer="int-br-eth4"} Bridge br-int fail_mode: secure Port "tapdf053558-6f" tag: 1 Interface "tapdf053558-6f" Port "int-br-eth4" Interface "int-br-eth4" type: patch options: {peer="phy-br-eth4"} Port br-int Interface br-int type: internal ovs_version: "2.5.90" 22/29

  23. Handy tools and commands: ovs-vsctl (II) add-br bridge : creates a new bridge del-br bridge : deletes the bridge list-ports bridge : list all ports within bridge root@compute:~# ovs-vsctl list-ports br-int int-br-eth4 qr-fa59f34c-4a qr-fc4cbc61-38 tap423ef4df-75 tapdf053558-6f 23/29

  24. Handy tools and commands: ovs-ofctl dump-flows bridge [flows] : prints to the console all flow entries in switch's tables that match “flows” root@computer:~# ovs-ofctl dump-flows br-int NXST_FLOW reply (xid=0x4): cookie=0xaa8bf9e1635b7423, duration=502959.645s, table=0, n_packets=5824755, n_bytes=454330890, idle_age=65534, hard_age=65534, priority=2,in_port=1 actions=drop cookie=0xaa8bf9e1635b7423, duration=500106.686s, table=0, n_packets=7509495125, n_bytes=5044309725863, idle_age=43, hard_age=65534, priority=100,in_port=5 actions=load:0x5- >NXM_NX_REG5[],load:0xfff->NXM_NX_REG6[],resubmit(,71) cookie=0xaa8bf9e1635b7423, duration=500106.686s, table=0, n_packets=11131317812, n_bytes=7510404375704, idle_age=47, hard_age=65534, priority=90,dl_dst=fa:16:3e:54:b6:ad actions=load:0x5->NXM_NX_REG5[],load:0xfff->NXM_NX_REG6[],resubmit(,81) cookie=0xaa8bf9e1635b7423, duration=502955.155s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=3,in_port=1,dl_vlan=1404 actions=mod_vlan_vid:1,NORMAL cookie=0xaa8bf9e1635b7423, duration=502970.137s, table=0, n_packets=7790, n_bytes=918512, idle_age=43, hard_age=65534, priority=0 actions=NORMAL 24/29

  25. Handy tools and commands: ovs-appctl (I) dpctl/dump-flows : prints the dataplane active flows root@compute:~# ovs-appctl -t /usr/var/run/openvswitch/ovs-vswitchd.24766.ctl dpctl/dump-flows system@ovs-system recirc_id(0xb92),in_port(7),ct_state(+new-est-rel-rpl),eth(dst=fa:16:3e:54:b6:ad), eth_type(0x8100),vlan(vid=1404,pcp=0),encap(eth_type(0x0800),ipv4(proto=17,frag=no),udp(dst=5000/ 0xfffe)), packets:9765, bytes:4960620, used:3.452s, actions:ct(commit,zone=4095),pop_vlan,8 recirc_id(0),in_port(8),ct_state(-trk),eth(src=fa:16:3e:54:b6:ad),eth_type(0x0800), ipv4(src=10.0.0.3,proto=17,frag=no), udp(src=4096/0xf000), packets:506822, bytes:255438288, used:0.000s, actions:ct(zone=4095),recirc(0xb93) 25/29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NAT & IPTables NAT & IPTables NAT & IPTables From ACCEPT to MASQUERADE From ACCEPT

NAT & IPTables NAT & IPTables NAT & IPTables From ACCEPT to MASQUERADE From ACCEPT

NAT & IPTables NAT & IPTables NAT & IPTables From ACCEPT to MASQUERADE From ACCEPT to MASQUERADE Tim(othy) Clark (eclipse) Tim(othy) Clark (eclipse) NAT IPv4 Hack One external IP for a whole network Used commonly

732 views • 13 slides
netfilter/iptables training Nov 05/06/07, 2007 Day 1 by Harald Welte

netfilter/iptables training Nov 05/06/07, 2007 Day 1 by Harald Welte

netfilter/iptables training Nov 05/06/07, 2007 Day 1 by Harald Welte <laforge@netfilter.org> 1 netfilter/iptables tutorial Contents Day 1 Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP

342 views • 20 slides
Firewalls with iptables Linux Sirindhorn International Institute of Technology Thammasat

Firewalls with iptables Linux Sirindhorn International Institute of Technology Thammasat

Linux Firewalls with iptables Concepts Examples Firewalls with iptables Linux Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 14 October 2013 Common/Reports/iptables-introduction.tex, r715

469 views • 14 slides
Some SSH tips & tricks you may enjoy (plus, iptables) D. H. van Dok (Nikhef) 2014-05-19

Some SSH tips & tricks you may enjoy (plus, iptables) D. H. van Dok (Nikhef) 2014-05-19

Some SSH tips & tricks you may enjoy (plus, iptables) D. H. van Dok (Nikhef) 2014-05-19 getting the most (security) out of your openssh The users perspective: least amount of hassle tradeoff between anxiety, angst and

559 views • 19 slides
Talks outline iptables versus ipchains The goal (or: my goal) The packets way through

Talks outline iptables versus ipchains The goal (or: my goal) The packets way through

IP Masquerading using iptables Eli Billauer eli billauer@yahoo.com IP Masquerading using iptables p.1 Talks outline iptables versus ipchains The goal (or: my goal) The packets way through iptables Classic masquerading (SNAT)

785 views • 31 slides
The Story of a Tired Old Bathroom Once Once up upon on a time, time, th there ere was sad

The Story of a Tired Old Bathroom Once Once up upon on a time, time, th there ere was sad

Residential Bathroom $25,000$50,000 Actual Project Cost: 48,500.00 A River Runs Through It The Story of a Tired Old Bathroom Once Once up upon on a time, time, th there ere was sad was sad, ti , tired red old old bath

621 views • 29 slides
Come to me, all who are tired from carrying heavy loads, and I will give you rest. Matthew

Come to me, all who are tired from carrying heavy loads, and I will give you rest. Matthew

Come to me, all who are tired from carrying heavy loads, and I will give you rest. Matthew 11:8 Are you tired? Worn out? Burned out on religion? Come to me. Get away with me and youll recover your life. Ill show you how to take

487 views • 21 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 6 Firewalls & VPNs Topics Firewall Fundamentals Case study: Linux iptables

778 views • 46 slides
Tired or Wired? What You Need T o Know About Your Thyroid Function or If My Lab T ests are

Tired or Wired? What You Need T o Know About Your Thyroid Function or If My Lab T ests are

Tired or Wired? What You Need T o Know About Your Thyroid Function or If My Lab T ests are Normal.. Why Do I Feel So Bad, Sad, and Tired??? Can You See/Feel the Difference? Conclusion A Happy Thyroid Is NOT the same as Euthyroid

817 views • 57 slides
Project 4 - Linux iptables CSE497b - Spring 2007 Introduction Computer and Network Security

Project 4 - Linux iptables CSE497b - Spring 2007 Introduction Computer and Network Security

Project 4 - Linux iptables CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Project

481 views • 15 slides
the perfect vacation Are you tired ? Worn out ? . . . . . Come to me . Get away with me and

the perfect vacation Are you tired ? Worn out ? . . . . . Come to me . Get away with me and

the perfect vacation Are you tired ? Worn out ? . . . . . Come to me . Get away with me and you ll recover your life . I ll show you how to take a real rest . Walk with me and work with me watch how I do it . Learn the unforced

101 views • 6 slides
DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat RMLL Montpellier, July 2014 1/36 Email: brouer@redhat.com / netoptimizer@brouer.com / hawk@kernel.org DDoS protection using Netfilter/iptables

822 views • 38 slides
RES212 Lab #2 Netfilter/iptables Firewall The goal of this lab is to let you become acquainted

RES212 Lab #2 Netfilter/iptables Firewall The goal of this lab is to let you become acquainted

https://res212.telecom-paristech.fr TP02v1 2018/05/31 RES212 Lab #2 Netfilter/iptables Firewall The goal of this lab is to let you become acquainted with the design, configuration and testing of firewalls. Given the limited amount of time,

736 views • 14 slides
Reflections on data plane performance, iptables and ipsets Neil Jerram Metaswitch &

Reflections on data plane performance, iptables and ipsets Neil Jerram Metaswitch &

Reflections on data plane performance, iptables and ipsets Neil Jerram Metaswitch & Project Calico @neiljerram www.projectcalico.org Who am I? Free software hacker since 1990s ; line+.el ; ; version 1.1 ; ; This has not (yet)

534 views • 24 slides
Cyber@UC Meeting 72 Firewalls/IPTables If Youre New! Join our Slack: cyberatuc.slack.com

Cyber@UC Meeting 72 Firewalls/IPTables If Youre New! Join our Slack: cyberatuc.slack.com

Cyber@UC Meeting 72 Firewalls/IPTables If Youre New! Join our Slack: cyberatuc.slack.com Check out our website: cyberatuc.org SIGN IN! (Slackbot will post the link in #general every Wed@6:30) Feel free to get involved with

737 views • 27 slides
From the Ground Up Security DNS-based Security of the

From the Ground Up Security DNS-based Security of the

From the Ground Up Security DNS-based Security of the Internet Infrastructure Benno Overeinder NLnet Labs http://www.nlnetlabs.nl/ INTRO NLnet

795 views • 28 slides
Transparent migration of virtual Transparent migration of virtual infrastructures in large

Transparent migration of virtual Transparent migration of virtual infrastructures in large

Transparent migration of virtual Transparent migration of virtual infrastructures in large datacenters for infrastructures in large datacenters for Cloud Computing Cloud Computing Workshop on Management of Cloud Systems ( Workshop on

489 views • 23 slides
First Quarter 2020 Results Presentation April 30, 2020 Forward-Looking Information

First Quarter 2020 Results Presentation April 30, 2020 Forward-Looking Information

First Quarter 2020 Results Presentation April 30, 2020 Forward-Looking Information FORWARD-LOOKING INFORMATION This document contains forward-looking information (forward-looking statements). Words such as "may", "can",

389 views • 38 slides
IPvlan Eric Dumazet (edumazet@google.com) Mahesh Bandewar (maheshb@google.com) Proceedings of

IPvlan Eric Dumazet (edumazet@google.com) Mahesh Bandewar (maheshb@google.com) Proceedings of

IPvlan Eric Dumazet (edumazet@google.com) Mahesh Bandewar (maheshb@google.com) Proceedings of netdev 0.1, Feb 14-17, 2015, Ottawa, On, Canada IPvlan (instead of MACvlan) : Why? Switches may apply policies to disable CAM-table overflow

687 views • 9 slides
MOC/PSSR Management of Change/Pre-Startup Safety Review Providing Solutions. Simplifying

MOC/PSSR Management of Change/Pre-Startup Safety Review Providing Solutions. Simplifying

Providing Solutions. Simplifying Regulation. MOC/PSSR Management of Change/Pre-Startup Safety Review Providing Solutions. Simplifying Regulation. Whats the goal? To change the process in a safe manner and update the RMP/PSM/CalARP Program

538 views • 23 slides
SCAS Enga SCAS Engagement Upda gement Update te 9 Agenda Item 26. Agenda ARP update

SCAS Enga SCAS Engagement Upda gement Update te 9 Agenda Item 26. Agenda ARP update

SCAS Enga SCAS Engagement Upda gement Update te 9 Agenda Item 26. Agenda ARP update Performance Lord Carter Review CQC 10 Urgent Care Pathways ARP PRINCIPLES What does ATs What does the need to consider patient need?

908 views • 36 slides
Game Concept Build the game Battleship on embedded hardware Build the game Battleship

Game Concept Build the game Battleship on embedded hardware Build the game Battleship

Battleship Marc Howard, Dan Aprahamian Apoorva Gade, Shihab Hamati Game Concept Build the game Battleship on embedded hardware Build the game Battleship on a computer Get the two versions of the game to communicate via Ethernet

437 views • 14 slides
Practical Exploitation on System Vulnerability of ProtoGENI Dawei Li Advisor: Dr. Xiaoyan Hong

Practical Exploitation on System Vulnerability of ProtoGENI Dawei Li Advisor: Dr. Xiaoyan Hong

3/31/2011 Practical Exploitation on System Vulnerability of ProtoGENI Dawei Li Advisor: Dr. Xiaoyan Hong University of Alabama Goal: perform ProtoGENI experiments to find vulnerabilities; to suggest prevention approach vulnerabilities; to

96 views • 5 slides
PRIMARILY RESIDENTIAL DEVELOPMENT Approved office development New offices in the mixed- use

PRIMARILY RESIDENTIAL DEVELOPMENT Approved office development New offices in the mixed- use

TOWER 4 TOWER 2 RESIDENTIAL RESIDENTIAL 120,000 sq. ft. 275,000 sq. ft. TOWER 1 TOWER 5 RESIDENTIAL RESIDENTIAL 165,000 sq. ft. 130,000 sq. ft. HOTEL 150,000 sq.ft PROJECT VISION The proposed redevelopment of Eau Claire Market is a

258 views • 10 slides

More recommend