e8e502e5b6
Change-Id: I5a1ff68e3dc89ef9cda07ac80c7d75dcca5e1d03
195 lines
7.3 KiB
ReStructuredText
195 lines
7.3 KiB
ReStructuredText
..
|
|
|
|
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
|
|
http://creativecommons.org/licenses/by/3.0/legalcode
|
|
|
|
..
|
|
|
|
======================================
|
|
Security Segregation (Placement Zones)
|
|
======================================
|
|
|
|
The goal of this use-case is to present the need for a (partly) segregation
|
|
of physical resources to support the well-known classic separation of DMZ
|
|
and MZ, which is still needed by several applications (VNFs) and requested
|
|
by telco security rules.
|
|
|
|
Glossary
|
|
========
|
|
|
|
**AZ**
|
|
Availability Zone (OpenStack terminology)
|
|
|
|
**DMZ**
|
|
Demilitarized Zone provides access to the public network,
|
|
but adds an additional security layer (e.g. virtual firewall). Designed for
|
|
security critical customer facing services (e.g. customer control center).
|
|
|
|
**EHD**
|
|
Exposed Host Domain provides direct access from the public network (e.g.
|
|
Internet).
|
|
Designed for services which require a high traffic volume (e.g. CDN) and are
|
|
not security critical.
|
|
|
|
**MZ**
|
|
Militarized Zone is a logical network without any access from the public
|
|
network. Designed for systems without direct customer connectivity (e.g.
|
|
databases containing sensitive data) and high security demands.
|
|
|
|
**PZ**
|
|
Placement Zone is a concept to classify different securiy areas based on
|
|
different security requirements. PZ are separated on a per host basis.
|
|
|
|
**SEC**
|
|
Secure Network Zone for all devices providing a security function including
|
|
devices providing connectivity between Placement Zones (e.g. virtual firewall
|
|
for DMZ-MZ traffic).
|
|
|
|
**VNF**
|
|
Virtual Network Function is an implementation of an functional building block
|
|
within a network infrastructure that can be deployed on a virtualization
|
|
infrastructure or rather an OpenStack based cloud platform (a non virtualized
|
|
network function is today often a physical appliance).
|
|
|
|
Problem description
|
|
===================
|
|
|
|
The main driver therefore is that a vulnerability
|
|
of a single system must not affect further critical systems or endanger
|
|
exposure of sensitive data. On the one side the benefits of virtualization
|
|
and automation techniques are mandatory for telcos but on the other side
|
|
telecommunication data and involved systems must be protected by the
|
|
highest level of security and comply to local regulatory laws (which are
|
|
often more strict in comparison with enterprise).
|
|
Placement Zones should act as multiple lines of defense against a security
|
|
breach. If a security breach happens in a placement zone, all other
|
|
placement zones and related VNFs must not be affected. This must be ensured
|
|
by the design.
|
|
This use case affects all of the main OpenStack modules.
|
|
|
|
Current Situation
|
|
-----------------
|
|
Today the DMZ and MZ concept is an essential part of the security design
|
|
of nearly every telco application deployment. Today this separation is
|
|
done by a consequent physical segregation including hosts, network and
|
|
management systems. This separation leads to high investment and
|
|
operational costs.
|
|
|
|
Enable the following
|
|
--------------------
|
|
Placement Zones should be used to reduce the risk that the whole cloud platform
|
|
is affected by a serious security breach.
|
|
|
|
If the hypervisor is breached, there is a risk to all of the VNFs on that
|
|
hypervisor. To reduce this risk, a physical separation of VMs not assigned to
|
|
the same security class is necessary. Placement Zones should be used to ensure
|
|
that only VMs following the same security classification will run on the same
|
|
group of physical hosts.
|
|
This should avoid a mix of VMs from different zones (e.g. DMZ and MZ),
|
|
coming up with different security requirements, running on the same group
|
|
of hosts. Therefore a host (respectively multiple hosts) must be classified
|
|
and assigned to only one placement zone. During the deployment process of a
|
|
VM it must be possible to assign it to one placement zone (or use the
|
|
default one), which automatically leads to a grouping of VMs.
|
|
|
|
The security separation within the network can be done on a logical layer
|
|
using the same physical elements but adding segregation through VLANs
|
|
(Virtual LAN), virtual firewalls and other overlay techniques.
|
|
|
|
The security separation for virtual machine storage can be done on a logical
|
|
layer. It must be ensured that a hypervisor belonging to a specific placement
|
|
zone can not access the storage of a different placement zone. Otherwise an
|
|
attacker could inject malicious code into the virtual disk of a VM.
|
|
|
|
Examples
|
|
--------
|
|
|
|
An application presentation layer (e.g. webserver) must be decoupled from
|
|
the systems containing sensitive data (e.g. database) through at least one
|
|
security enforcement device (e.g. virtual firewall) and a separation of
|
|
underlying infrastructure (hypervisor).
|
|
|
|
*Potential candidate for Group Based Policy with Service Function Chaining from
|
|
a network perspective? GBP would need updates for this concept.*
|
|
|
|
https://wiki.openstack.org/wiki/File:TelcoWG_Placementzones.png
|
|
|
|
|
|
Affected By
|
|
-----------
|
|
|
|
unknown
|
|
|
|
Requirements
|
|
============
|
|
|
|
* One OpenStack installation must be capable to manage different placement
|
|
zones. All resources (compute, network and storage) are assigned to one
|
|
placement zone. By default, all resources are assigned to the "default"
|
|
placement zone of OpenStack
|
|
* It must be possible to configure the allowed communication between
|
|
placement zones on the network layer
|
|
* SEC is a special placement zone - it provides the glue to connect the
|
|
placement zones on the network layer using VNFs. SEC VNFs may be attached to
|
|
resources of other placement zones
|
|
* Placement zone usage requires a permission (in SEC, tenants cannot start VMs,
|
|
this zone supports only the deployment of Xaas services FWaas, LBaas,...])
|
|
* If placement zones are required in a cloud, VMs must be assigned to one
|
|
placement zone
|
|
* All resources, which are needed to run a VM must belong to the same placement
|
|
zone
|
|
* Physical Hosts (compute nodes) must be able to assigned to only one placement
|
|
zone and re-assigning should possible due to changing utilization
|
|
|
|
* Several assignments must be restricted by the API
|
|
* If a host is reassigned it must evacuate all existing VM
|
|
|
|
* ...and the whole thing must be optional :-)
|
|
|
|
Related Use Cases
|
|
=================
|
|
|
|
none
|
|
|
|
Gaps
|
|
====
|
|
|
|
**Nova issues:**
|
|
|
|
* Usage of availability zone(AZ)/host aggregates to assign a vm to a placement
|
|
zone is feasable [Ref.1], but:
|
|
|
|
* By default a physical host can be assigned to multiple host aggregates
|
|
* It is up to the operator to ensure security using non OpenStack mechanisms
|
|
* Maybe Congress [Ref. 2] (Policy as a Service) could be a solution?
|
|
|
|
|
|
**Neutron issues:**
|
|
|
|
* AZs or PZs are not known to Neutron services
|
|
|
|
* It's up to the operator to ensure that the right networks are attached to VMs
|
|
|
|
**Cinder/Manila/Storage issues:**
|
|
|
|
* Storage can be segregated with volume-types
|
|
* AZs are not known to the storage services
|
|
|
|
* Must be ensured from the deployment tool that the right storage is accessible
|
|
|
|
**OpenStack regions** provide a segregation of all resources. The region concept
|
|
can be used to implement placement zones, but:
|
|
|
|
* Complex and resource consuming installation for the Openstack management
|
|
systems
|
|
* Tenants must deal with additional regions
|
|
* No L2 network sharing for VMs in the SEC placement zone required to glue the
|
|
zones together
|
|
* No real enforcement
|
|
* Complex operations
|
|
|
|
References
|
|
==========
|
|
|
|
* [1]: http://docs.openstack.org/openstack-ops/content/scaling.html
|
|
* [2]: https://wiki.openstack.org/wiki/Congress |