OpenStack Summit October 2015 Tokyo

OpenStack based private cloud environments deliver a variety of benefits to users with respect to flexibility, automation, and cost. The volume of traffic especially intra-vm (east/west) traffic, generated within the OpenStack clouds is enormous, continues to increase, and is not inspected or secured by current perimeter focused security appliances and solutions. Visibility into this network traffic and the ability to apply security controls including deep packet inspection where needed within the private cloud is of high importance to organizations considering next generation cloud architectures including OpenStack. As high profile security breaches continue to make headlines and elevate data center security to a board level concern for organizations implementing proper network security within OpenStack will become vital to the continued success of the OpenStack project.

Companies including both small scale startups and larger established security players have begun to tackle this challenge introducing concepts and products related to the micro-segmentation of networks that rely heavily on network virtualization platforms in some proprietary infrastructure contexts. In the OpenStack world, Neutron security groups and ACL controls provide a form of some of the micro-segmentation functionality available on other virtualization infrastructure platforms. Through its openness, OpenStack and its APIs have paved the way for the integration of third party software defined networking (SDN) controllers such as Midokura MidoNet that provide more complete micro-segmentation capabilities and enable the dynamic insertion distributed virtual advanced network security services such as network IPS, or next generation firewall.

This presentation will introduce the motivation for, challenges, and concepts involved in securing OpenStack private cloud network environments. We will start with a description of the problem space, namely east/west or intra-vm traffic within the data center. We will then discuss how to think about developing solution to this problem including high-level requirements. This will touch on topics including virtual security function orchestration, service insertion, and policy mapping. Finally, we will discuss a partnership and technology integration between Intel Security and Midokura that brings advanced network security service insertion to OpenStack environments. 

Time permitting a demonstration may be provided showing the joint solution deploying an open source SNORT appliance (IPS) and seamlessly inserting it into a MidoNet controlled network to protect workload VMs from being attacked by neighboring VMs on the same network.