Thursday, October 29 • 4:30pm - 5:10pm
Inserting Advanced Network Security in OpenStack Clouds


OpenStack-based private cloud environments deliver a variety of benefits to users with respect to flexibility, automation, and cost. The volume of traffic generated within OpenStack clouds, especially intra-VM (east/west) traffic, is enormous and continues to increase, yet it is not inspected or secured by current perimeter-focused security appliances and solutions. Visibility into this network traffic, and the ability to apply security controls including deep packet inspection where needed within the private cloud, is of high importance to organizations considering next-generation cloud architectures such as OpenStack. As high-profile security breaches continue to make headlines and elevate data center security to a board-level concern, implementing proper network security within OpenStack will become vital to the continued success of the OpenStack project.

Companies, including both small startups and larger established security players, have begun to tackle this challenge by introducing concepts and products related to the micro-segmentation of networks; these rely heavily on network virtualization platforms, in some cases in proprietary infrastructure contexts. In the OpenStack world, Neutron security groups and ACL controls provide a subset of the micro-segmentation functionality available on other virtualization infrastructure platforms. Through its openness, OpenStack and its APIs have paved the way for the integration of third-party software-defined networking (SDN) controllers such as Midokura MidoNet, which provide more complete micro-segmentation capabilities and enable the dynamic insertion of distributed virtual advanced network security services such as a network IPS or a next-generation firewall.
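The following is an added example, not code from the talk, Midokura or Intel Security. It models the ingress semantics of Neutron security groups (ingress is dropped unless an allow rule matches; rules match on protocol, port, a remote CIDR or the sender's group membership; there are no deny rules) and evaluates a few constructed east/west flows between three-tier VMs on one tenant network. The group names, VM names and addresses are made up. It illustrates the point above: security groups do give you group-keyed L3/L4 segmentation, but every flow they allow (here, anything reaching the web tier on port 80) passes uninspected, which is the gap an inserted IPS is meant to close.

```python
"""Simplified model of Neutron security-group ingress evaluation (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One ingress rule, mirroring the fields of a Neutron security-group rule."""
    protocol: str                          # "tcp", "udp", "icmp" or "any"
    port_min: Optional[int] = None         # None means any port
    port_max: Optional[int] = None         # None means same as port_min
    remote_ip_prefix: Optional[str] = None
    remote_group_id: Optional[str] = None  # match on the sender's group membership


@dataclass
class SecurityGroup:
    name: str
    ingress: List[Rule] = field(default_factory=list)


@dataclass(frozen=True)
class Port:
    """A Neutron port: the VM's NIC, its fixed IP and the groups applied to it."""
    vm: str
    ip: str
    groups: Tuple[str, ...]


def rule_matches(rule: Rule, proto: str, dport: int, src: Port) -> bool:
    if rule.protocol not in ("any", proto):
        return False
    if rule.port_min is not None:
        hi = rule.port_max if rule.port_max is not None else rule.port_min
        if not rule.port_min <= dport <= hi:
            return False
    if rule.remote_ip_prefix is not None and ip_address(src.ip) not in ip_network(rule.remote_ip_prefix):
        return False
    if rule.remote_group_id is not None and rule.remote_group_id not in src.groups:
        return False
    return True


def ingress_allowed(groups: Dict[str, SecurityGroup], src: Port, dst: Port, proto: str, dport: int) -> bool:
    """Ingress is dropped unless some rule in one of the destination port's groups
    allows it. Rules only ever allow, and nothing in a rule can look at the payload."""
    return any(
        rule_matches(rule, proto, dport, src)
        for gname in dst.groups
        for rule in groups[gname].ingress
    )


def build_three_tier() -> Tuple[Dict[str, SecurityGroup], Dict[str, Port]]:
    """Constructed sample: web/app/db tiers on one 10.0.0.0/24 tenant network.
    Group names, VM names and addresses are assumptions made for this example."""
    groups = {
        "web": SecurityGroup("web", [Rule("tcp", 80, remote_ip_prefix="0.0.0.0/0")]),
        "app": SecurityGroup("app", [Rule("tcp", 8080, remote_group_id="web")]),
        "db": SecurityGroup("db", [Rule("tcp", 3306, remote_group_id="app")]),
        # Neutron's default group lets members of the same group reach each other.
        "default": SecurityGroup("default", [Rule("any", remote_group_id="default")]),
    }
    ports = {
        "web1": Port("web1", "10.0.0.11", ("web",)),
        "app1": Port("app1", "10.0.0.21", ("app",)),
        "db1": Port("db1", "10.0.0.31", ("db",)),
        "rogue": Port("rogue", "10.0.0.99", ("default",)),  # compromised neighbour on the same subnet
        "rogue2": Port("rogue2", "10.0.0.98", ("default",)),
    }
    return groups, ports


def east_west_matrix() -> Dict[str, bool]:
    """Evaluate a handful of intra-network flows; True means the security groups allow it."""
    groups, p = build_three_tier()
    flows = {
        "web1->app1:8080": ("web1", "app1", 8080),
        "app1->db1:3306": ("app1", "db1", 3306),
        "web1->db1:3306": ("web1", "db1", 3306),      # skips the app tier: no rule allows it
        "rogue->web1:80": ("rogue", "web1", 80),      # allowed, and the payload on :80 is never inspected
        "rogue->db1:3306": ("rogue", "db1", 3306),
        "rogue->rogue2:22": ("rogue", "rogue2", 22),  # default group: intra-group traffic is open
    }
    return {name: ingress_allowed(groups, p[s], p[d], "tcp", port) for name, (s, d, port) in flows.items()}


if __name__ == "__main__":
    for flow, ok in east_west_matrix().items():
        print(f"{flow:18s} {'ALLOW' if ok else 'DROP'}")
```

Two things in the output are worth noticing. The lateral path web1 to db1 is dropped because the db group only admits members of the app group, which is the segmentation security groups do well. The rogue VM reaching web1 on port 80 is allowed, and whether that connection carries a legitimate request or an exploit is invisible at this layer; inspecting it requires steering the flow through a service such as an IPS, which is the service-insertion problem the rest of the abstract addresses.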

This presentation will introduce the motivation for, the challenges of, and the concepts involved in securing OpenStack private cloud network environments. We will start with a description of the problem space, namely east/west or intra-VM traffic within the data center. We will then discuss how to think about developing a solution to this problem, including high-level requirements. This will touch on topics including virtual security function orchestration, service insertion, and policy mapping. Finally, we will discuss a partnership and technology integration between Intel Security and Midokura that brings advanced network security service insertion to OpenStack environments.

Time permitting, a demonstration may be provided showing the joint solution deploying an open source Snort appliance (IPS) and seamlessly inserting it into a MidoNet-controlled network to protect workload VMs from being attacked by neighboring VMs on the same network.


Pino de Candia

CTO, Chief Architect, Midokura
As CTO, Pino is responsible for Midokura's technical innovation and the evolution of its flagship technology, MidoNet. Pino de Candia joined Midokura as a Software Engineer in 2010. He built the early versions of MidoNet, led the Network Controller team as engineering lead and the Architecture...

Jacob Sendowski

Product Manager, Intel Security Group
Jacob Sendowski is a Product Manager in the Intel Security group, focusing on security solutions for the Software Defined Data Center and private clouds. At Intel, he has held positions as a researcher within Intel Labs and an associate at Intel Capital. Jacob holds a Ph.D. in Electrical...

Thursday October 29, 2015 4:30pm - 5:10pm JST
