1. Quantum -
Firewall As A Service
Havana Design Summit, Portland, April 2013
Big Switch Networks (Sumit
Naiksatam, Kanzhe Jiang,
KC Wang, Mike Cohen)
Pay Pal (Vinay Bannai,
Anand Palanisamy)
VMware (Serge Maskalik,
Kai-Wei, Aaron Rosen,
Sachin Thakkar, Salvatore
Orlando)
Palo Alto Networks (Marc
Benoit)
Checkpoint (Tamir Zegman,
Bob Hinden)
Dell (Rajesh Mohan)
Red Hat (Gary Kotton) NTT (Nachi Ueno) Cisco (Sirdar Kandaswamy,
Dan Florea)
Design doc: https://docs.google.com/document/d/1PJaKvsX2MzMRlLGfR0fBkrMraHYF0flvl0sqyZ704tA/edit
Session Etherpad: https://etherpad.openstack.org/Quantum_Firewall_As_A_Service

2. Goal and Guiding Principles
● Offer rich security features of Firewalls to Quantum
users
● Tenant facing abstractions - users consume
services through a logical Firewall instance
● Will hide implementation and device management
details from the users
● No assumptions about virtual or physical Firewalls
● Adhere to established audit workflows, avoid
reinventing accepted definitions/conventions
● Model for a reasonable common denominator, allow
for extensions

3. Use Case

4. Web-Tier
Firewall and
Load Balancer
Mid-Tier
Firewall and
Load Balancer
Data-Tier
Firewall and
Load Balancer
Storage
North-South Traffic
East – West
Traffic

5. Use Cases
- Multi-tier
- Firewalls fronting load balancers
- Perimeter Firewall
- Security Groups
- Need a unified way to define security
- Auditing
- Logging
- Firewall state enforcement

6. Resource Model
Firewalls - A logical instance of a firewall
embodying a Firewall Policy
Firewall Policies - An ordered collection of
Firewall Rules
Firewall Rules - N-tuple that generically models
firewall rules

7. Entity Relationship
One Firewall -> One Firewall Policy
One Firewall Policy -> Many Firewall Rules
One Firewall Policy -> Many Firewalls (policies
can be reused)
One Firewall Rule -> Many Firewall Policies
(rules can be reused)
1

8. Workflow
Firewall Rules are defined and Firewall Policy
is composed
Firewall Policy is audited (audit process in not
modeled here)
Tenant creates Firewall instance using Firewall
Policy

9. Existing Firewalls

10. Resource Model

11. Firewall Rules - Attributes
Core attributes: id, name, description, source,
destination, action, service, action
Extension candidates: user, firewall service
profile, logging, zones
Source and destination can point to raw IP
addresses or grouping/dynamic/placeholder
objects

12. Firewall Policies - Attributes
Core attributes: id, name, description, firewall
rules, audited, shared
Firewall rules: an ordered list of firewall rules

13. Firewall Instances - Attributes
Core attributes: id, name, description, firewall
policy id, service type
Extension candidates: firewall rules blob

14. Dynamic and Grouping Objects
● Allow placeholders to be inserted into
firewall rules
● Avoids having to audit firewall policies for
dynamic tenant attributes
● Potentially avoids rules sprawl
● Commonly used for source and destination
fields

15. Firewall Insertion Types
Q-Router
+ Q-
Firewall
Quantum
Network
Quantum
Network
Q-Router - Quantum Logical Router Instance
Q-Firewall - Quantum Logical Firewall Instance
Bump-in-the-wire
insertion
Quantum
Network
Quantum
Network
Q-Firewall
L2 insertion
L3 insertion
Quantum
Network
Quantum
Network
Q-Firewall
Quantum
Network

16. Firewall Service attachment
● Service has one or more interfaces
(number of interfaces depend on the service
type)
● Each interface plugs into a Quantum port
● Plugging operations is performed by an
interface driver
(interface driver is specific to the Firewall
technology)

17. Firewall Service Instances
Base Service Definition:
- service type
- ingress/egress ports
Firewall Service
Service Type:
- one of [LB, FW, ...]
- service insertion type [L2,
L3, BITW, Tap]
- vendor
Firewall Instances
1
*

18. Havana Roadmap
● API, Resource and DB model
implementation: https://blueprints.launchpad.
net/quantum/+spec/quantum-fwaas
● Plugin integration
● Base firewall implementation/libraries
● CLI Support
● Horizon Support