GCG Regional Technical Exchange 2012
Networking Concepts and Tools for the Cloud
This presentation describes some important concepts
of networking in the cloud, including Virtual Local
Area Networks, Virtual Private Networks, and the
different protocol layers. Following that, we will
explain how to use tools including OpenSSH,
OpenVPN, and proxy servers to set up different
network topologies and solve connectivity problems,
giving examples important to common cloud
situations. We will discuss the relative advantages of
each in different business scenarios.
The fundamental difference with cloud computing is
that network resources can be provisioned very
dynamically, and responsibility for managing them
often falls to the individual project level rather than
to a central network team.
© 2012 IBM Corporation
Introduction
Networking is one of the fundamental enabling elements of cloud computing and also one of
the main sources of risk for its users. The table below shows, for each OSI layer, typical
protocols and who (the cloud consumer or the cloud provider) is responsible for securing and
operating that layer under each service model.

OSI Layer          Example protocols           IaaS       PaaS       SaaS
7  Application     HTTP, FTP, NFS, SMTP, SSH   Consumer   Consumer   Provider
6  Presentation    SSL, TLS                    Consumer   Provider   Provider
5  Session         RPC, NetBIOS                Consumer   Provider   Provider
4  Transport       TCP, UDP                    Consumer   Provider   Provider
3  Network         IP, IPsec                   Consumer   Provider   Provider
2  Data Link       Ethernet, Fibre Channel     Provider   Provider   Provider
1  Physical        Copper, optic fibre         Provider   Provider   Provider

In IaaS the consumer owns everything from the network layer up, including the host firewall,
SSH and TLS configuration of each virtual machine; only the physical and data link layers are
the provider's.
Advantages of Network Tools for Different Business Scenarios
A typical network topology for a composite web application (shown as a diagram in the original
slides) contains the firewall configuration, the VLAN set-up, public and private IP configuration
for the load balancer, and access to a business partner's intranet.
Scenarios
1) Production (firewall)
   A reverse proxy may also be used, but usually for load balancing rather than as a security control.
   An administrator reaches back-end servers via an SSH tunnel or a SOCKS proxy rather than by
   exposing their management ports to the Internet.
   Firewall rules are needed to let servers inside the firewall reach the Internet for security
   updates, license activation, etc. without making them visible from the Internet: allow outbound
   connections and the replies to them, drop new inbound connections.
2) Development (VPN) scenarios
   Reverse access into the enterprise may be needed.
   A lightweight set-up is required because a network expert may not be available to help.
   A VPN server on a laptop with DHCP may be used to allow access from the cloud.
3) Enterprise level
   Site-to-site VPN for general access to the enterprise.
   Covered by articles in the references section, including CohesiveFT.
Network Virtualization
When dealing with systems of virtual machines and considering network security, we need to manage
the networks that connect them as well as the machines themselves: in the cloud the VLANs, addresses
and firewall rules between virtual machines are part of the project's configuration rather than
fixed wiring.
Firewalls
A host-based firewall (called an individual firewall on these slides) is a firewall installed on
the same server as the resource it is protecting. This is an essential tool in cloud computing.
Most modern operating systems, including all the images on the IBM SmartCloud Enterprise, ship
with one: on Linux virtual machines it is iptables and on Windows it is Windows Firewall. On the
IBM SmartCloud Enterprise there is also a firewall between the hypervisor and the virtual machines
that it manages.

A firewall rule specifies a set of criteria for a network packet and a target, the action to take
when the criteria are met. When a packet arrives, the rules are checked in order. If the packet does
not meet the criteria of a rule, the next rule is checked; the first rule that does match decides
the packet's fate, and if no rule matches, the default policy of the rule list applies. Rule order
therefore matters.
Firewall management on SUSE
On SUSE machines you can use the YaST administration utility to add firewall rules.
Custom Firewall Rule in YAST
Navigate to Custom Rules and press Enter. Navigate to Add and press Enter. Enter 0/0 for the Source
Network, which means any source address, and 50030 for the port, the port of the service we want to
open. Where the set of clients is known, enter their address range instead of 0/0: opening a
management or monitoring port to the whole Internet invites scanning and brute forcing.
Managing Firewalls on Red Hat Enterprise Linux
On Red Hat images you can use the iptables command to manage firewall rules. The basic form of an
iptables command is
# iptables [-t table] -[AD] chain rule-specification [options]
The built-in targets (actions) a rule can jump to include ACCEPT, DROP, QUEUE, and RETURN. If you
do not want a packet to pass, specify DROP, which silently discards it (REJECT, which sends an
error back to the sender, is available as an extension target). In the iptables command -A appends
a rule to the end of a chain and -D deletes one; -I inserts a rule at the top, which matters
because the first matching rule wins.
There are several firewall tables (filter, nat, mangle and raw). The default table, and the one used
for ordinary packet filtering, is named filter. It contains three built-in chains: INPUT, FORWARD,
and OUTPUT. The INPUT chain is for packets addressed to local sockets, the FORWARD chain is for
packets that are routed through the host, and the OUTPUT chain is for locally generated packets.
As an example, to accept TCP packets from any source to port 80, the default HTTP port, use the
command
# /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables for Red Hat Enterprise Linux
This adds a rule to the INPUT chain of the filter table for TCP packets to port 80 with an ACCEPT
target. The -p parameter specifies the protocol, tcp in this case. The --dport 80 option is the
destination port, 80 in this case. The -j (jump) option is the target, ACCEPT in this case. Rules
added this way live only in kernel memory. It can be good practice to leave firewall rules in place
only for as long as you need them, and the command form is ideal for that. Often, however, you will
want to keep the rules permanently, including after the next time you restart the instance. To do
this, edit the file /etc/sysconfig/iptables, which is in the format written by iptables-save and read
by iptables-restore. A typical iptables file looks like this
*filter
:INPUT DROP [67:14849]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [346:34696]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
The *filter line selects the table. Each line beginning with a colon declares a built-in chain and
its default policy, which applies when no rule in the chain matches: incoming packets are dropped by
default, nothing is forwarded, and outgoing packets are allowed. The numbers in square brackets are
packet and byte counters saved by iptables-save (67 packets totalling 14849 bytes had hit the INPUT
policy when the file was written); they are not port ranges, and you can write them as [0:0]. The two
-A lines are evaluated in order before the policy: packets belonging to an already established
connection, or related to one (such as an FTP data connection), are accepted, and new connections to
port 22 (SSH) are accepted. Everything else falls through to DROP, so if port 80 must stay open the
port 80 rule shown above has to be added to this file as well. Note also that this file has no rule
for the loopback interface; with a DROP policy on INPUT you should add one accepting traffic on lo,
or local services that talk to each other over 127.0.0.1 will fail. COMMIT ends the table.
iptables commands on RHEL
After you have made the edits and saved the file, start or restart the iptables service with the
command
# /sbin/service iptables restart
If you have made changes with the iptables command, you can save the rules currently loaded in the
kernel with the command
# /sbin/service iptables save
This overwrites /etc/sysconfig/iptables, so edits made to the file but not yet loaded with restart
are lost. Check the status of the firewall (the rules currently loaded) with the command
# /sbin/service iptables status
Stand-alone Firewalls
Linux firewalls can also protect servers other than the one the firewall resides on: the firewall
host routes traffic for the protected servers (IP forwarding enabled) and the rules go in the
FORWARD chain instead of INPUT. This is in fact a preferred configuration, because it provides an
additional level of isolation: a compromise of the protected server does not give the attacker
control of the firewall that fronts it.
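To make the matching rules above concrete, here is a small model of how the filter table decides a packet's fate, written for this page and not taken from the slides or from the iptables project. It parses the /etc/sysconfig/iptables file shown earlier (extended with a loopback rule, the port 80 rule and one FORWARD rule for the stand-alone firewall case), tries the rules of a chain top to bottom, returns the first match and falls back to the chain policy, and reads the bracketed counters as packets:bytes. The interface names eth0/eth1 and the sample packets are constructed; only the match options used on these slides are understood.

```python
"""First-match evaluation of an iptables filter table, for illustration only.
Not code from the slides or from iptables itself."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed ruleset in iptables-save format: the slides' file plus a loopback
# rule, the port 80 rule and a FORWARD rule (eth1 = protected side, eth0 = Internet).
# [67:14849] etc. are packet:byte counters, not port ranges.
RULESET = """\
*filter
:INPUT DROP [67:14849]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [346:34696]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""


@dataclass
class Packet:
    chain: str              # INPUT, FORWARD or OUTPUT
    proto: str = "tcp"
    dport: int = 0
    state: str = "NEW"      # conntrack state: NEW, ESTABLISHED or RELATED
    in_if: str = "eth0"     # interface the packet arrived on
    out_if: str = ""        # interface it would leave by (FORWARD/OUTPUT only)


@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Set[str] = field(default_factory=set)
    in_if: Optional[str] = None
    out_if: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # Every criterion present on the rule must hold; absent ones match anything.
        return all([
            self.proto is None or self.proto == pkt.proto,
            self.dport is None or self.dport == pkt.dport,
            not self.states or pkt.state in self.states,
            self.in_if is None or self.in_if == pkt.in_if,
            self.out_if is None or self.out_if == pkt.out_if,
        ])


def parse_ruleset(text: str) -> Tuple[Dict[str, str], Dict[str, Tuple[int, int]], List[Rule]]:
    """Return (chain policies, chain counters as (packets, bytes), rules in file order)."""
    policies: Dict[str, str] = {}
    counters: Dict[str, Tuple[int, int]] = {}
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("*", "#")) or line == "COMMIT":
            continue
        hdr = re.match(r"^:(\w+) (\w+) \[(\d+):(\d+)\]$", line)
        if hdr:                                   # ":CHAIN POLICY [packets:bytes]"
            policies[hdr[1]] = hdr[2]
            counters[hdr[1]] = (int(hdr[3]), int(hdr[4]))
            continue
        toks = line.split()
        if toks[0] != "-A" or "-j" not in toks:
            raise ValueError(f"unsupported line: {line}")
        rule = Rule(chain=toks[1], target=toks[toks.index("-j") + 1])
        for i, tok in enumerate(toks):
            if tok == "-p":
                rule.proto = toks[i + 1]
            elif tok == "--dport":
                rule.dport = int(toks[i + 1])
            elif tok == "--state":
                rule.states = set(toks[i + 1].split(","))
            elif tok == "-i":
                rule.in_if = toks[i + 1]
            elif tok == "-o":
                rule.out_if = toks[i + 1]
        rules.append(rule)
    return policies, counters, rules


def verdict(pkt: Packet, policies: Dict[str, str], rules: List[Rule]) -> str:
    """The first matching rule in the packet's chain decides; otherwise the chain policy."""
    for rule in rules:
        if rule.chain == pkt.chain and rule.matches(pkt):
            return rule.target
    return policies[pkt.chain]


if __name__ == "__main__":
    policies, counters, rules = parse_ruleset(RULESET)
    print("INPUT counters (packets, bytes):", counters["INPUT"])
    for pkt in (Packet("INPUT", dport=22), Packet("INPUT", dport=443),
                Packet("INPUT", dport=443, state="ESTABLISHED"),
                Packet("FORWARD", dport=443, in_if="eth1", out_if="eth0")):
        print(pkt, "->", verdict(pkt, policies, rules))
```

Reordering the lines of RULESET and re-running shows why -I and -A differ: a rule placed after a broader match is never reached, and a new inbound connection to any port not listed still falls through to the INPUT policy of DROP.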
Secure Shell (SSH)
As seen in the sections above, SSH is a fundamental tool in cloud computing, and it is worth
learning as a power user because it solves numerous practical problems. SSH was designed as a
secure replacement for telnet and the r-commands (rsh, rlogin, rcp) but is now also commonly
used programmatically by many applications.
SmartCloud Enterprise and other clouds will help you generate and manage SSH keys, but you
can also create them yourself with OpenSSH.
To generate a new SSH key use the ssh-keygen command. For example,
> ssh-keygen -t rsa -P 'My Passphrase' -f ~/.ssh/mykey
This generates an RSA key pair (-t flag) protected by the passphrase 'My Passphrase' (-P flag),
places the private key in the file ~/.ssh/mykey (-f flag) and the public key in the file
~/.ssh/mykey.pub. If you omit -f, ssh-keygen prompts for a file name and defaults to
~/.ssh/id_rsa for RSA keys (~/.ssh/identity was the default only for the obsolete protocol 1
key type). Two cautions: a passphrase given with -P ends up in your shell history and is briefly
visible to other users in the process list, so when working interactively omit -P and let
ssh-keygen prompt for it; and the private key file must stay readable by you alone (mode 0600),
or ssh will refuse to use it. Only the .pub file is ever copied to servers, into the
~/.ssh/authorized_keys file of the account you want to log in to.
OpenSSH Commands
The OpenSSH configuration files on the Linux systems of the IBM SmartCloud Enterprise are
/etc/ssh/ssh_config (client defaults) and /etc/ssh/sshd_config (the server). One server setting
you might change is AllowUsers. Its value is a space-separated list of user name patterns; once it
is set, any user not matching the list is refused, whatever key or password they present. For
example,
AllowUsers idcuser webadmin
To start the SSH server (sshd) use the command
# /etc/init.d/sshd start
and to restart it after a configuration change use the command
# /etc/init.d/sshd restart
Keep an existing session open while you restart sshd, so that a typo in sshd_config cannot lock
you out of the instance (sshd -t checks the file for errors before you restart).
You may want to include the user name in the SSH command in some cases, especially from scripts.
To do that use the form
$ ssh -i .ssh/key-file idcuser@host
The @ symbol separates the user name from the host name or IP address.
Port Forwarding
Port forwarding with SSH is a process where
1. a connection to a local address and port is redirected to a new destination
2. the connection's data is carried over an SSH session to the SSH server, which opens the onward
connection to the destination
It allows a user to tunnel another protocol over an SSH connection. With OpenSSH the ssh client
requests the forwarding (-L, -R or -D) and sshd on the remote side opens the connection to the
final destination, so "localhost" in a -L specification names the SSH server, not your own machine.
This is useful if the protocol being tunneled is not itself secure, or if the destination address
and port are not reachable from the origin. The client application that uses the tunneled protocol
must be able to connect to a non-standard port (or to localhost) for this to work. The concept is
that you establish an SSH session to your server and then specify which port on the client machine
should forward connections through it.
Port forwarding with OpenSSH
You may use OpenSSH on Linux, or on Windows via a Cygwin command line; with Cygwin, install the
cygwin openssh package first if your system does not already have it. Start a tunnel from your
SSH client to the VNC server on the virtual machine, port 5901, with the command shown below.
$ ssh -i ~/.ssh/key_name -L 5901:localhost:5901 idcuser@${SCE_VM}
The -i option specifies the key to use and the -L option specifies the tunnel as
local_port:destination_host:destination_port. The destination (localhost:5901) is resolved on the
virtual machine, so it must match the port the VNC server there listens on (display :1); the first
5901 is the port your VNC viewer connects to on your own machine and may be any free local port.
Add -N if you want the tunnel without a remote shell. By default the forwarded port is bound to
the client's loopback address only, so other machines on your network cannot use the tunnel; keep
it that way unless you have a specific reason not to.
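The two steps listed under Port Forwarding, as an added example written for this page (not code from the slides or from OpenSSH): a relay that accepts TCP connections on a local port and copies bytes in both directions to a destination, which is exactly the client-side half of ssh -L with the SSH encryption left out. In a real tunnel the copy runs inside the encrypted SSH channel and sshd makes the onward connection on the server. The echo service standing in for the VNC server, the RFB version string used as payload, and the use of 127.0.0.1 for both ends are constructed so that it runs offline.

```python
"""Client-side half of `ssh -L local_port:dest_host:dest_port`, minus SSH.
Added illustration; not code from the slides or from OpenSSH."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(a: socket.socket, b: socket.socket) -> None:
    """Two one-way pumps make the relay full duplex; close both ends when done."""
    t = threading.Thread(target=_pump, args=(b, a), daemon=True)
    t.start()
    _pump(a, b)
    t.join()
    a.close()
    b.close()


def serve_echo() -> int:
    """Constructed stand-in for the service behind the tunnel (the VNC server on
    port 5901 in the slides). Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def loop() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_relay, args=(conn, conn), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def start_forwarder(dest_host: str, dest_port: int, local_port: int = 0) -> int:
    """Listen on 127.0.0.1:local_port and relay each connection to dest_host:dest_port.
    Binding to loopback only mirrors ssh -L's default: other hosts cannot use the tunnel.
    Returns the local port actually bound (useful when local_port is 0)."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", local_port))
    lst.listen()

    def accept_loop() -> None:
        while True:
            client, _ = lst.accept()
            try:
                upstream = socket.create_connection((dest_host, dest_port), timeout=5)
                upstream.settimeout(None)
            except OSError:
                client.close()        # destination unreachable: drop this connection only
                continue
            threading.Thread(target=_relay, args=(client, upstream), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lst.getsockname()[1]


def round_trip(local_port: int, payload: bytes) -> bytes:
    """A client that knows only the local port, like a VNC viewer pointed at localhost:5901."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)     # tell the relay we have finished sending
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    echo_port = serve_echo()
    fwd_port = start_forwarder("127.0.0.1", echo_port)
    print(round_trip(fwd_port, b"RFB 003.008\n"))
```

The relay has no idea what protocol it carries, which is why any TCP client that can be pointed at a non-standard port works through an SSH tunnel; equally, nothing here protects the bytes, which is the part the SSH session adds.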
Virtual Private Networks
Virtual Private Networks (VPNs) rely on encryption to create an extension of a private network
over the Internet. VPNs enable several network scenarios that are valuable to enterprises.
A traditional use of VPNs is to connect the local area networks of different offices of an
enterprise into a wide area network. These connections are site-to-site. When VPNs were
introduced for this purpose they replaced leased lines, greatly reducing cost for the
enterprises.
Another traditional use of a VPN is to allow employees to access an enterprise's private network
remotely, for example to work from home. In this scenario the enterprise provides a VPN gateway
that is accessible from the Internet, and the employee installs a VPN client on her laptop to
access applications such as email. This is termed a mobile virtual private network because one
of the end points (where the employee is located) does not have a fixed IP address.
Encryption with VPNs
When a client sends a packet through a VPN gateway, the original packet is wrapped in a new one.
With IPsec it is placed in an Encapsulating Security Payload (ESP), which encrypts the inner packet
and adds an integrity check; where only authentication is needed, an Authentication Header (AH) is
added instead. The receiving VPN gateway verifies the integrity check, decrypts the payload and
routes the inner packet to its destination according to the inner header.
Because the encryption sits below the applications, all communication to the enterprise is
protected without the applications being aware of it. The tunnel may carry whole Layer 2 frames
(Data Link layer) or Layer 3 packets (Network layer), and the protecting protocol can be any of
the following
IPsec (AH and ESP, at Layer 3)
SSL / TLS (used by OpenVPN and many vendors' remote-access VPNs)
Datagram Transport Layer Security (DTLS, the UDP variant of TLS, used for example by Cisco AnyConnect)
Microsoft Point-to-Point Encryption (MPPE, used with PPTP; PPTP with MS-CHAPv2 authentication is no
longer considered secure and should not be used for new deployments)
SSH tunneling
Use of a VPN to Extend an Enterprise Network
Many enterprises may want to use cloud computing to extend the capacity of their IT infrastructure. To
support this scenario the VPN is configured via a gateway in the enterprise network to a private VLAN in
the cloud.
Use of VPN Gateway in the Cloud to Access a VLAN
OpenVPN
OpenVPN is an open-source VPN client and server that can manage point-to-point (remote access)
and site-to-site connections. It uses the OpenSSL library for its cryptography and runs over a
single UDP or TCP port, which makes it easy to pass through firewalls.
The OpenVPN install image can be downloaded from the OpenVPN web site. It includes both client
and server software and must be installed on both the client and the server machines. On RHEL
you can install the RPM package (for example with yum), on SUSE the RPM with zypper, and on
Debian-based systems such as Ubuntu with the apt-get command. It is also possible to build from
the tarball with make on other Linux systems. There is a self-extracting installer for Windows
and also client-only install images that you can direct end users to.
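For the remote-access case described above, here is a minimal matching pair of server and client configurations as an added example; it is not taken from the slides or from the OpenVPN project's own sample files. The host name vpn.example.com, the file names under /etc/openvpn, the tunnel pool 10.8.0.0/24 and the enterprise range 10.0.0.0/16 are all assumptions; the certificates are expected to come from your own CA (for example via easy-rsa), with the server certificate marked for server use so that remote-cert-tls works.

```conf
# server.conf, on the cloud instance. Constructed example: all paths,
# addresses and names below are assumptions.
port 1194
proto udp
dev tun
# CA that signed both the server and the client certificates
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
# private key: keep this file mode 0600
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
# shared HMAC key: packets without a valid HMAC are dropped before any TLS handshake,
# which blunts port scanning and DoS against the TLS stack
tls-auth /etc/openvpn/ta.key 0
# tunnel address pool handed out to clients
server 10.8.0.0 255.255.255.0
# private VLAN the clients should reach through the tunnel
push "route 10.0.0.0 255.255.0.0"
keepalive 10 120
cipher AES-256-CBC
# drop root once the tunnel is up ('group nogroup' on Debian-based systems)
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

# client.ovpn, on the laptop.
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
ca ca.crt
cert laptop.crt
key laptop.key
# same shared key as the server, opposite direction flag
tls-auth ta.key 1
# refuse to talk to a peer whose certificate is not marked as a server certificate,
# so another client's stolen certificate cannot impersonate the gateway
remote-cert-tls server
cipher AES-256-CBC
persist-key
persist-tun
verb 3
```

With the host firewall from the earlier slides, the server additionally needs UDP port 1194 accepted in the INPUT chain and, for the clients to reach the private VLAN, forwarding between the tun interface and the VLAN interface allowed in the FORWARD chain.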
References
Amies, A., Sluiman, H., Tong, Q. G., and Liu, G. N., 2012. Developing and Hosting Applications on
the Cloud. IBM Press, ISBN-10: 0-13-306684-3, ISBN-13: 978-0-13-306684-5, at
http://www.ibmpressbooks.com/bookstore/product.asp?isbn=9780133066845.
CohesiveFT, 2011. VPN-Cubed 2.0 product page, at www.cohesiveft.com/vpncubed/.
Frields, P., 2007. SSH Port Forwarding. Red Hat Magazine, at
magazine.redhat.com/2007/11/06/ssh-port-forwarding/.
Hatch, B., 2011. SSH Port Forwarding. Symantec, at
http://www.symantec.com/connect/articles/ssh-port-forwarding.
IBM, 2011. IBM SmartCloud Enterprise: User Guide, Version 1.4.1, at http://ibm.com/cloud/enterprise.
Koop, R., 2010. Deliver cloud network control to the user. IBM developerWorks, at
www.ibm.com/developerworks/cloud/library/cl-cloudvirtualnetwork/.
OpenSSH Project Team. OpenSSH Documentation, at www.openssh.com/manual.html.
OpenVPN. Documentation page, at openvpn.net/index.php/open-source/documentation.html.
Red Hat, 2011. Red Hat Product Documentation, at http://docs.redhat.com.
Rokosz, V., 2011. Extend your corporate network with the IBM Cloud. IBM developerWorks, at
www.ibm.com/developerworks/cloud/library/cl-extendnetworkcloud/index.html.
Shewbert, J., 2006. Tunneling with SSH. IBM developerWorks, at
www.ibm.com/developerworks/aix/library/au-tunnelingssh/index.html.
Vernier, D. and Jones, A., 2011. IBM SmartCloud Enterprise tip: Span virtual local area networks.
IBM developerWorks, at www.ibm.com/developerworks/cloud/library/cl-spanvlan/.
Copyright and Trademarks
© Copyright IBM Corp. 2012
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International
Business Machines Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at “Copyright and trademark information” at
www.ibm.com/legal/copytrade.shtml.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.