3

Does Neutron provide an application layer firewall?

asked 2014-04-15 10:19:04 -0500

ogzy

updated 2014-04-19 01:37:19 -0500

darragh-oreilly

I am working on a service structure that I plan to run on OpenStack. It is designed as a prevention mechanism, so the traffic will flow through the servers that I installed. I want this service to be assignable per tenant. The documentation says that it is possible to define per-tenant routers. I wonder whether I can define a security router and deploy my service so that any defined tenant will use this router and the service automatically, and the web request, for example (it can be some other application layer protocol), will go through the defined servers to be analyzed before reaching the tenant's machine.

Some other solution is also welcome.


2 answers

2

answered 2014-04-19 01:30:43 -0500

darragh-oreilly

updated 2014-04-22 07:10:27 -0500

For the per-tenant router use-case, Neutron provides an API that allows tenants to create and manage their own routers. It also provides an L3-agent that implements the API using the Linux network stack.

I believe you are looking to coerce all tenant traffic to flow through a service VM (Nova managed instance?) that runs some application layer security stuff and is possibly managed by the admin and transparent to the tenants? OpenStack and Neutron do not provide anything like this today, but there is this blueprint. Also, there is a thread about "Service VMs" and Neutron here.


Comments

Hence we need to use SDN over OpenStack.

SGPJ (2014-04-19 08:44:41 -0500)

I don't see an SDN connection here. Currently I'm not aware of an implementation for the question - SDN based or otherwise - in OpenStack today.

darragh-oreilly (2014-04-20 09:17:08 -0500)

I wonder whether there is a sample work that I can investigate.

ogzy (2014-04-21 01:00:40 -0500)
1

answered 2014-04-18 12:24:24 -0500

SGPJ

updated 2014-04-18 12:26:14 -0500

Yes, it is possible with an advanced solution. You may need to use SDN (Software Defined Networking) to achieve this. You can program an SDN controller to direct traffic (flows) to defined servers first (for analysis) and then re-route the same packets to the actual destination.

Also, there are many SDNs that can be integrated with OpenStack.

Thanks.
