Data Center Technologists

SRX and OpenStack: Neutron Firewall Plugin

by Juniper Employee, 04-21-2015 11:05 PM - edited 07-06-2015 01:38 AM

Juniper's OpenStack Firewall Service plugin enables perimeter firewall protection for OpenStack networks by configuring security policies on Juniper's SRX and vSRX devices.


OpenStack networks can be secured in two ways:

  • Security Groups
  • Firewalls

Security groups secure east-west (intra-VLAN) traffic. Firewalls, on the other hand, add perimeter protection to OpenStack networks and secure north-south traffic such as inter-VLAN and edge traffic.


Juniper's Firewall-as-a-Service (FWaaS) plugin builds on top of Juniper's ML2 and L3 plugins. It enables Neutron to configure firewall rules and policies on SRX/vSRX devices. In OpenStack, one firewall can be created per tenant, and it can have one security policy assigned at any given time. A security policy is a collection of firewall rules. The picture below illustrates this relationship:

Firewall Rule: defines the source address and port(s), destination address and port(s), protocol, and the action to take on matching traffic.

Firewall Policy: a collection of firewall rules.

Firewall: the construct representing a firewall device.


The picture below is the reference topology used throughout this post to explain the FWaaS concepts and how Juniper's plugin configures the network at each level.

In this topology, the links from Switches 1 and 2 to the aggregation switch, and from the aggregation switch to the SRX, are trunk links preconfigured to carry all VLAN members.


Let’s take a scenario where an OpenStack tenant has a virtual network topology created as shown in the table below:

Network | Subnet      | Assigned VLAN | VM Name | VM IP       | Hypervisor   | Switch            | Switch Port
--------|-------------|---------------|---------|-------------|--------------|-------------------|------------
Thirty  | 30.1.0.0/24 | 1000          | VM-30   | 30.1.0.7/24 | Hypervisor 2 | QFX 5100 Switch 1 | ge-0/0/20
Forty   | 40.1.0.0/24 | 1001          | VM-40   | 40.1.0.5/24 | Hypervisor 6 | QFX 5100 Switch 2 | ge-0/0/30


When the VMs are spawned on a network, the ML2 plugin configures the corresponding VLANs on the trunk ports connecting the hypervisors to Switches 1 and 2.

Next, the tenant can create a router and add the gateway IP addresses of the networks Thirty and Forty to it. At this point, Juniper's L3 plugin creates a routing instance (vRouter) on the SRX, generates logical interfaces (IFLs) on ge-0/0/10 of the SRX for each VLAN, and adds them to the routing instance. In the initial version of the FWaaS plugin, the SRX acts as both the router and the firewall in the topology. The picture below captures the resulting OpenStack topology:

Once the router is created, the tenant can create an OpenStack firewall and start adding security policy rules to it. This is the point at which Juniper's FWaaS plugin steps in. Let's take the case where the tenant wants to allow ICMP traffic from VM-30 to VM-40 but drop all other traffic.


Using OpenStack Horizon, first create a firewall rule that allows ICMP traffic from VM-30 to VM-40. Then create a firewall policy and assign the rule to it. Finally, create a firewall and assign the firewall policy to it.

Note: It is good practice to set the default policy on the SRX to deny all traffic, so that only traffic explicitly permitted by a pushed rule passes.

The following table captures the configuration done at each stage of the flow:

Stage                           | Device             | Operation
--------------------------------|--------------------|-------------------------------------------------------------------------------------
ML2 Plugin (VLAN type driver)   | QFX 5100 Switch #1 | Assign VLAN 1000 to port ge-0/0/20 as a VLAN member
ML2 Plugin (VLAN type driver)   | QFX 5100 Switch #2 | Assign VLAN 1001 to port ge-0/0/30 as a VLAN member
L3 Service Plugin               | SRX/vSRX           | Create a routing instance (RI)
L3 Service Plugin               | SRX/vSRX           | Create IFLs corresponding to the two subnets and add them to the RI
Firewall Service Plugin (FWaaS) | SRX/vSRX           | Create a zone for each router belonging to the tenant
Firewall Service Plugin (FWaaS) | SRX/vSRX           | Add the gateway IFLs associated with each router to its corresponding zone
Firewall Service Plugin (FWaaS) | SRX/vSRX           | Segregate the firewall rules to their corresponding routers by evaluating their definition
Firewall Service Plugin (FWaaS) | SRX/vSRX           | Push the firewall rules to their corresponding router zone
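The FWaaS stage of that flow, from the Horizon workflow above to the push onto the router zone, is shown below as an added Python example; it is not the Juniper plugin's own code. It takes rule objects shaped like Neutron FWaaS v1 firewall_rule records (a constructed sample for the VM-30 to VM-40 ICMP scenario, plus a disabled rule and a catch-all deny), maps each rule to the router whose subnets contain its addresses, and renders Junos set commands for the per-router zone, its gateway IFLs and the ordered security policies, ending with the deny-all default policy the note above recommends. The router name tenant-r1, the IFL unit numbers on ge-0/0/10, the address-book and application naming, and the handling of addresses outside every tenant subnet are all assumptions.

```python
"""Added illustration (not the Juniper plugin's code): turning Neutron FWaaS v1
rule objects into SRX zones and security policies for the blog's topology.
Router name, IFL unit numbers and address/application naming are assumptions."""
from collections import defaultdict
from ipaddress import ip_network

# Gateway IFLs the L3 plugin created on ge-0/0/10, keyed by router (assumed name/units).
ROUTERS = {
    "tenant-r1": [("30.1.0.0/24", "ge-0/0/10.1000"), ("40.1.0.0/24", "ge-0/0/10.1001")],
}


def rule(name, protocol, src, dst, action, port=None, enabled=True, position=0):
    """Build a dict with the fields a FWaaS v1 firewall_rule carries (constructed sample)."""
    return {"name": name, "protocol": protocol, "source_ip_address": src,
            "destination_ip_address": dst, "destination_port": port,
            "action": action, "enabled": enabled, "position": position}


# Constructed rule set: permit ICMP VM-30 -> VM-40, a disabled SSH rule, then drop the rest.
RULES = [
    rule("allow-icmp-30-to-40", "icmp", "30.1.0.7", "40.1.0.5", "allow", position=1),
    rule("allow-ssh-to-vm40", "tcp", "30.1.0.0/24", "40.1.0.5", "allow",
         port=22, enabled=False, position=2),
    rule("deny-rest", None, None, None, "deny", position=3),
]


def router_for(address):
    """Return the router whose subnet contains `address` (host IP or CIDR), else None."""
    if address is None:
        return None
    net = ip_network(address, strict=False)
    for router, attachments in ROUTERS.items():
        if any(net.subnet_of(ip_network(subnet)) for subnet, _ in attachments):
            return router
    return None


def segregate(rules):
    """Group enabled rules by (from_zone, to_zone) in position order.
    A rule naming no tenant address applies to every router's own zone; an address
    outside every tenant subnet is treated as belonging to the peer's zone (assumption)."""
    groups = defaultdict(list)
    for r in sorted(rules, key=lambda r: r["position"]):
        if not r["enabled"]:          # a disabled rule must not reach the device
            continue
        src = router_for(r["source_ip_address"])
        dst = router_for(r["destination_ip_address"])
        if src is None and dst is None:
            targets = [(name, name) for name in ROUTERS]
        else:
            targets = [(src or dst, dst or src)]
        for zones in targets:
            groups[zones].append(r)
    return dict(groups)


def addr_name(address):
    """Junos address-book entry name for a prefix, or 'any' when the rule leaves it open."""
    if address is None:
        return "any"
    return "net_" + str(ip_network(address, strict=False)).replace(".", "_").replace("/", "_")


def app_name(r):
    """Junos application to match: built-in for ICMP, a custom one for tcp/udp with a port."""
    if r["protocol"] is None:
        return "any"
    if r["protocol"] == "icmp":
        return "junos-icmp-all"
    return f"app_{r['protocol']}_{r['destination_port'] or 'any'}"


def render_junos(groups):
    """Emit Junos set commands for zones, address book entries and ordered policies."""
    lines = ["set security policies default-policy deny-all"]   # the post's recommended default

    def add(line):
        if line not in lines:                                    # address book / app lines repeat
            lines.append(line)

    for router, attachments in ROUTERS.items():
        for _, ifl in attachments:
            add(f"set security zones security-zone {router} interfaces {ifl}")
    for (from_zone, to_zone), rules in groups.items():
        for r in rules:
            for addr in (r["source_ip_address"], r["destination_ip_address"]):
                if addr is not None:
                    add(f"set security address-book global address {addr_name(addr)} "
                        f"{ip_network(addr, strict=False)}")
            if r["protocol"] in ("tcp", "udp") and r["destination_port"]:
                add(f"set applications application {app_name(r)} protocol {r['protocol']} "
                    f"destination-port {r['destination_port']}")
            p = f"set security policies from-zone {from_zone} to-zone {to_zone} policy {r['name']}"
            add(f"{p} match source-address {addr_name(r['source_ip_address'])}")
            add(f"{p} match destination-address {addr_name(r['destination_ip_address'])}")
            add(f"{p} match application {app_name(r)}")
            add(f"{p} then {'permit' if r['action'] == 'allow' else 'deny'}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_junos(segregate(RULES))))
```

Run it directly to print the set commands. Two points worth checking in any such translation: rule positions must be preserved as policy order, because the SRX evaluates policies top-down and a catch-all deny that lands above a permit silently blocks the traffic; and disabled rules must be dropped rather than rendered, otherwise disabling a rule in Horizon would not change behaviour on the device.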

 

To see the sample config that was pushed to the SRX/vSRX device, click here.

Juniper's FWaaS plugin brings high-performance, low-latency and highly scalable data center security to OpenStack virtual networks. It supports both the physical and virtual form factors of the SRX. Tenants can create and enable perimeter firewall protection for their OpenStack networks right from the OpenStack UI. The initial release of the plugin supports the OpenStack Icehouse, Juno and Kilo releases.

Download

You can download the plugin here.



Comments
by edgar.magana@workday.com
on 04-29-2015 08:19 AM

Wouldn't it be better just to use OpenContrail Policy Groups? This configuration looks functional but highly complicated; you need a distributed switch/router at the host level anyway.

by nzsasaki@nissho-ele.co.jp
on 04-29-2015 05:35 PM

Hi,

It's good news for us.

Could you tell me how we can get this plugin software?

I could not find it at the software download URL.

http://www.juniper.net/support/downloads/

Nozomi

by Juniper Employee
on 05-04-2015 11:39 PM

@edgar.magana

This solution is for customers who have only OpenStack as the controller and want to use Juniper's SRX as the firewall.

by Ramesh_NG
on 06-01-2015 04:21 AM

Hi Sharath, where can we get this plugin for SRX? Do you have any deployment examples?

by Juniper Employee
on 07-06-2015 01:37 AM

The plugin has been released and can be downloaded at http://www.juniper.net/support/downloads/?p=qpluginopen#sw
