Neutron includes two methods of providing network-level security to instances: security groups and virtual firewalls. The security group functionality relies on iptables rules to filter traffic on the compute node hosting the instance. Virtual firewalls are provided by the advanced Neutron service known as Firewall as a Service, or FWaaS, which relies on iptables to filter traffic at the perimeter of the network in a Neutron router.
In this chapter, we will focus on security groups and cover some fundamental security features of Neutron, including:
- A brief introduction to iptables
- Creating and managing security groups
- Demonstrating how security groups leverage iptables
- Disabling port security
A security group is a collection of network access rules, known as security group rules, which limits the types of traffic an instance can send or receive. In the reference architecture, security group rules are converted to iptables rules that are applied on the compute nodes hosting the instances. Each tenant is provided with a default security group that can be modified by users within the tenant. Neutron provides an API to create, modify, apply, and delete security group rules.
There are multiple ways to apply security groups to instances. For example, one or more instances, usually of similar functionality or role, can be placed in a security group. Security group rules can reference IPv4 and IPv6 hosts and networks as well as security groups themselves. Referencing a particular security group in a rule, rather than a particular host or network, frees the user from having to specify individual addresses. Neutron constructs the filtering rules applied on the host automatically based on the information in the database.
Rules within a security group are applied at a port level on the compute node, as demonstrated in the following diagram:
Figure 6.1
In the preceding diagram, ports within the virtual switch belong to one of three security groups: WEB, DB, or APP. When a change is made to a security group, such as adding or removing rules, corresponding iptables rule changes are made automatically on the compute nodes.
Some users may use security groups to describe certain types of rules that should be applied to a particular instance port. For example, a security group can be used to categorize multiple hosts or subnets that are allowed access to a port. Multiple security groups can be applied to a port, and all rules defined in these groups are applied to the port. As all traffic is implicitly denied and security group rules define only the allowed traffic through a port, there is no chance of a rule in one security group applied to a port counteracting a rule in another security group applied to the same port.
The following example demonstrates the use of security groups to categorize traffic that is allowed access through a port:
Figure 6.2
When a port is created in Neutron, it is associated with a default security group unless a specific security group is specified. The default security group drops all ingress traffic and allows all egress traffic from instances. Rules can be added to or removed from the default security group to change its behavior. In addition, standard rules are applied to every instance that prohibits IP, DHCP, and MAC address spoofing. This behavior can be changed and will be discussed later in this chapter.
Once a security group is applied to a Neutron port, the corresponding security group rules are translated by Neutron into iptables rules that are then applied to the respective compute node hosting the instances.