What Firewall Technology Is Offered in OpenStack Zed?
OpenStack Zed is the latest OpenStack release (so far) announced in October 2022. OpenStack is a private cloud operating system that controls large pools of computing, networking and storage resources across data centers. It is managed through a web-based dashboard, which users can use to configure their private cloud resources.
OpenStack Zed includes an open source Firewall-as-a-Service (FWaaS) solution, created by RackSpace and NASA in 2010. It is now a flagship project of the OpenInfra Foundation and is shipped together with the OpenStack Neutron project to provide network security for OpenStack deployments.
What Is Firewall as a Service (FWaaS)?
With the widespread migration to the cloud, the growing use of mobile devices, and the transition to remote work, the traditional network perimeter is breaking down. Many organizations have achieved network security by defending the network perimeter, while inherently trusting entities inside the secure perimeter. This approach is not appropriate for modern networks and leaves organizations vulnerable to threats.
The evolution of network security requires new solutions, and one of them is FWaaS, which moves network firewall functions to the cloud instead of deploying the firewall in front of the traditional network perimeter. Leveraging cloud computing can provide organizations with many financial, network performance and security benefits.
FWaaS moves next-generation firewall (NGFW) capabilities to the cloud and makes it possible to deploy FWaaS close to the assets it needs to protect. By decoupling security functions from the physical infrastructure, organizations can securely connect remote mobile workers and offices to modern enterprise networks, whether applications reside on-premises or in the cloud. Another major benefit is the ability to achieve microsegmentation for sensitive resources or workloads.
Why Do Businesses Need FWaaS?
FWaaS enables organizations to fully or partially shift their security inspection processes to the cloud. Here are the main benefits of making this shift:
- Service level agreements (SLAs)—cloud providers provide various SLAs that define the features you get per subscription or account. The SLA provides a guarantee that the provider will satisfy certain business requirements.
- Affordable costs—FWaaS typically offer on-demand and flexible pricing models that eliminate the need to invest in high capital expenditure (CapEx) costs and various operational costs.
- Less maintenance—the as-a-Service model ensures the provider handles updates and adjustments to the infrastructure and any service it manages, freeing up organizations to spend time and efforts on mission-critical pursuits.
- Scalability—FWaaS connects an organization’s distributed users and sites to a single global firewall. It employs a central application-aware policy that enables organizations to scale cloud security better.
- Suitable for all business sizes—FWaaS vendors provide employees with access to resources that protect various devices, making FWaaS suitable for all business sizes.
- Enables SASE—FWaaS provides NGFW functionality without the overhead associated with setting up local wide-area network (WAN) infrastructure, making it a key component of a secure access service edge (SASE) architecture.
OpenStack FWaaS Features
Neutron, the OpenStack networking as a service project, includes a Firewall-as-a-Service (FWaaS) plugin that enforces a firewall on OpenStack objects like projects, router ports and routers.
Core FWaaS concepts
The core concepts of the OpenStack firewall are:
- Firewall rule—specifies what action (allow or deny) the firewall should take when traffic matches a set of properties, such as port ranges, protocols or IP addresses.
- Firewall policy—an ordered set of rules. You can publish policies to share across projects.
Firewalls can be implemented in various ways depending on the driver you use. For example:
- The iptables driver uses iptable rules to implement a firewall
- The OpenVSwitch driver uses flow entries in flow tables to implement firewall rules
- Cisco firewall drivers are available for NSX appliances
What is new in FWaaS v2
FWaaS v1 has been deprecated and replaced by v2. In v2, the concept of a firewall has been replaced by a firewall group, indicating that a firewall requires two policies: an egress policy and an ingress policy. Firewall groups are applied at the port level, not the router level and you can specify which router ports to protect.
New features in FWaaS 2 can be summarized as follows:
- Level 3 firewalling for routers is not supported by default, but you can enable it by applying a firewall group to all ports in a certain router.
- Supports Level 3 firewalling for router ports
- Supports Level 2 firewalling (i.e., VM ports)
- Provides a command line interface (CLI)
- Supports the OpenStack Horizon dashboard
Enabling and Configuring Zed Firewall
Enable FWaaS v2
To enable the FWaaS v2 plugin in OpenStack, you will need to follow these steps:
- Install the necessary software dependencies. You will need to install the neutron-fwaas and neutron-fwaas-dashboard packages and any other dependencies required for your specific OpenStack deployment.
- Enable the FWaaS v2 plugin in the OpenStack configuration file. This typically involves adding the following lines to the neutron.conf file:
[fwaas] driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver enabled = True
- Restart the OpenStack Neutron service. You will need to restart the Neutron service for the changes to take effect.
- Configure the FWaaS v2 plugin in the OpenStack dashboard. You will need to log in to the OpenStack dashboard and navigate to the Network > Firewalls tab. From here, you can configure the FWaaS v2 plugin and create firewall rules as needed.
Note that these steps may vary depending on your specific OpenStack deployment and the version of the FWaaS plugin you are using. It is also a good idea to refer to the OpenStack documentation for detailed instructions on configuring and using the FWaaS plugin.
Configure Firewall-as-a-Service v2
To configure FWaaS v2 in OpenStack, you will need to create firewall rules, firewall policies and firewall groups. Here is an overview of each of these components:
- A firewall rule defines the action to take when a packet matches specific criteria. For example, you could create a firewall rule to allow or deny traffic based on the source or destination IP address, port number or protocol. Each firewall rule consists of a set of conditions (e.g., source IP address) and an action (e.g., allow or deny).
- A firewall policy is a collection of firewall rules that are applied together. You can create multiple firewall policies to cover different scenarios and apply them to different resources as needed.
- A firewall group is a logical grouping of firewall policies that are applied to a specific set of resources, such as a particular network or subnet. You can create multiple firewall groups and apply them to different resources as needed.
To create a firewall rule, policy and group in OpenStack, you will need to log in to the OpenStack dashboard and navigate to the Network > Firewalls tab. From here, you can use the available options to create and configure each of these components.
In this article, I explained the basics of FWaaS and introduced the open source FWaaS solution, packaged as part of OpenStack Neutron. The new OpenStack Zed includes a new version of this solution—FWaaS v2.
I showed a simple three-step process for configuring FWaaS v2 and starting to create a secure perimeter for your workloads:
- Define firewall rules
- Create a firewall policy using the command:
openstack firewall group policy create
- Create a firewall group to implement the policy using the command:
openstack firewall group create
I hope this will be useful as you level up the network security of your OpenStack Kubernetes clusters.