Security for OpenStack-based SDN

OpenStack-based clouds provide the environment needed for elastic, on-demand multitenant applications. Networks are transitioning to new models more suited to the cloud with software-defined networking (SDN), network function virtualization (NFV), and virtual network infrastructure, and their relationships between networking, security orchestration, and policy enforcement.

OpenStack has been a major player in the Infrastructure-as-a-Service (IaaS) world, and OpenStack Neutron is a project that makes it easier for admins to connect devices to virtual networks in OpenStack. The OpenStack Neutron solution embraces the software-defined security framework providing out-of-the-box integration so advanced network security can be seamlessly applied in logical and dynamic environments.

OpenStack Neutron security groups enable admins to set up rules that govern which kinds of traffic are allowed to pass through the network. You can use them to choose the kinds of ingress and egress traffic you will accept flowing in and out of your system. In this way, you can reduce or eliminate a lot of the threats that could otherwise impact core business systems.

OpenStack is an IaaS service, which means it gives users the ability to set up virtualized networks in the cloud. OpenStack makes it possible for admins to accomplish what they would be able to do with hardware devices—except using software in the cloud.

OpenStack Neutron is the Networking-as-a-Service (NaaS) facet of OpenStack. It works by providing an application programming interface (API) that enables users to make their own networks in the cloud. They can adjust their topologies in a number of ways, define which devices need to connect and how, as well as set up their own customized network policies.

In a way, using OpenStack Neutron is similar to walking into a huge warehouse full of network components, and each one of them has a well-labeled configuration interface that is easy to understand. You can simply grab whatever components you want and connect them in a wide variety of configurations. You are not limited by space or wiring constraints. You have the freedom to create and experiment, then deploy a unique, highly customized solution. If you want to make any changes, no problem. You can simply click, drag, and type your way to a completely different network.

OpenStack Neutron works by using what is referred to as Neutron Ports. A Neutron Port is, similar to a physical port, a connection that allows you to attach a device to the network you are building.

For example, you can use a Neutron port to connect the network interface controller (NIC) of a virtual server. The NIC of a virtual server performs the same essential function as the NIC in a physical server or your laptop—it allows the device to interact with the network. OpenStack Neutron is its connection point.

An OpenStack Neutron security group can be assigned to a Neutron port in order to give you control over the traffic that flows in and out of it (ingress and egress). As a network admin, you first create your Neutron port. You then add a security group, equipping it with the rules you want the traffic to abide by. If you have to connect more than one virtual network interface controller (vNIC), you simply repeat these steps for each one.

The default setting of a security group is to block traffic if there are no rules present. This helps maintain a more secure interface. Once you set up rules, all traffic that conforms to the security group’s configuration is allowed to pass through.

OpenStack Neutron, along with OpenStack security groups, allows detailed control over the structure, function, and safety of your virtual, cloud-based network. This gives you the flexibility you need to create customized networks and control them without sacrificing security.