Wedge Cloud Network Defense™ User Manual

Wedge Cloud Network Defense delivers the world’s highest-performance cloud security solution for service providers and enterprises which enables world-class security that is non-invasive and low-impact.

Wedge Cloud Network Defense receives user policy and endpoint identification from a number of sources depending on how it is deployed. Identity Management System, Telco OSS/BSS, or registration with Portal are some examples.

The system then uses that information to control the network flow to inspect desired user traffic through its network function virtualization for security (NFV-S) compute stack.

The network function virtualization for security is the foundation of Wedge Cloud Network Defense’s Elastic Security Service Orchestration. Working as a pooled resource, it dynamically applies specific policy-based security inspection to specific user device traffic in response to network load. It is powered by Wedge Networks’ patented WedgeOS which is an embedded operating system that enables the delivery of a variety of security functions as an agnostic, open and easily consumable service.

The Wedge Cloud Network Defense Cloud Conductor coordinates all the cloud operational aspects to dynamically monitor and maintain virtual instances and effectively apply platform resources.

Wedge Cloud Network Defense can be set up in a variety of ways. For more information, see the Deployment Guide.

Wedge Cloud Network Defense provides the following capabilities:

Cloud Conductor

Coordinates the cloud operational aspects like creating and monitoring the virtual instances required for Wedge Cloud Network Defense, configuring and communicating SDN and virtual instance environment details to Wedge Cloud Network Defense components, and interacting with underlying virtualization solution through the Cloud Controller.

Compute node

Physical hardware configured for a virtualization solution to provide the processing, memory, storage, and networking resources to run multiple virtual instances.

Elastic scaling

If CPU load increases in the primary pool and the high threshold is reached, an NFV-S instance is deployed into the scanning pool to help reduce the overall load. If CPU load decreases and the low threshold is reached, the NFV-S instance is terminated.

Network function virtualization for security (NFV-S)

WedgeOS embedded security services operating as a network function virtualized. The WedgeOS NFV instances are elastically provisioned that is based on inspection load so security can scale to meet demand.

Primary pool

The pool of VNFs that are active and ready to do scanning.

SDN Terminus

Provides control logic by communicating with networking devices residing in the data plane. This SDN control allows precise network traffic to be forwarded to NFV-S instances to provide security services for specific endpoints.

Service Conductor

Manages security policies for registered endpoints and identity management.

Software-defined networking (SDN)

A computer networking architecture that separates the network control plane from the forwarding plane so that each component can be programmable and optimized.

Standby pool

The pool of VNFs that are provisioned to help scan in case the primary pool receives a high amount of traffic that exceeds its threshold.

Virtual instance or virtual machine

An emulation of an operating system (OS) and any software installed on that OS, that runs as an isolated entity managed by a virtualization solution.

Virtual machine image

A virtual instance, which at a selected point of its operation is ‘imaged’ or ‘snapshot’ and stored, so that new virtual instances are started from this stored reference point. Examples include raw, qcow2 (QEMU copy-on-write version 2), ami (amazon machine image), and vmdk (virtual machine disk).

Virtualization solution or hypervisor

Technology that allows multiple virtual OS/software installations to run on a single hardware node, such that each virtual machine has private virtualized hardware (CPU, memory, disk, network interfaces, etc). Examples of virtualization solutions are VMWare, KVM, XEN, etc.

Virtualized network function (VNF)

A component of a network infrastructure that handles specific network functions such as intrusion prevention.

Ensure that your hardware meets the following requirements.

The Cloud Controller is based on OpenStack technology and provides the following:

The Cloud Conductor provides health monitoring of virtual instances, creates and destroys NFV-S instances based on the inspection load. It provides management of the NFV-S instances, SDN Terminus, and OpenFlow Switch configuration.

It coordinates cloud computing abilities. A single instance controls all cloud computing operations.

As illustrated in the diagram, the Cloud Conductor has the following components:

The Overview page provides real-time graphs on the resource usage of a pool of NFV-S instances or the scanning pool.

The Throughput page provides bandwidth usage for the Ingress, Egress, and Control networks.

The Infrastructure page provides a read-only view of the Quota Limits in the Cloud Controller (OpenStack), flavors that have been configured, and images that have been loaded.

The Configuration page provides a read-write view of the configuration options for the Instance Monitor and the Cloud Controller.

The CPU Usage graph shows the average CPU usage of all the active NFV-S instances in the primary scanning pool. This time series graph updates periodically as the CPU load changes over time in the primary pool. If CPU load increases and the high threshold is reached, a NFV-S instance is deployed into the standby pool to help reduce the overall load. If CPU load decreases and the low threshold is reached, a NFV-S instance is terminated and resources are returned to the virtualization solution.

The Instance Count graph shows the number of NFV-S instances in the primary scanning pool. The series graph updates periodically to show how instances are adding and removed from the primary scanning pool over time.

As illustrated in the diagram, the Service Conductor has the following components:

The SDN Terminus receives subscriber policy and endpoint identification from the Service Conductor. It receives NFV-S instance accounting from the Cloud Conductor. It controls the data plane to flow network traffic to appropriate NFV-S instance for security inspection.

It provides SDN-S control on the data plane. One instance is configured for each OpenFlow switch.

As illustrated in the diagram, the SDN Terminus has the following components:

The network function virtualization for security fetches policy and endpoint identification from the Service Conductor. It provides the security inspection and enforcement of data plane traffic and reports security events to WedgeIQ for dashboard display, reporting, analytics, and forensics.

The security functions are provided by the pool of managed security VNFs. Many VNFs are security applications that are running on the award winning WedgeOS™. Third-party VNFs can also be orchestrated to make their functions available to the NFV-S.

Wedge Cloud Network Defense comes with a reference self-service customer portal. Use the self-service Customer portal to register and enable security scanning services to protect endpoints that connects to the Wedge Cloud Network Defense.

Clients can register an account. For new accounts, an email is auto-generated and sent to the client with instructions on how to connect the endpoint device to Wedge Cloud Network Defense by using a VPN connection.

The following are the available services in the portal:

Additional configuration is required for DLP, WebFilter, and URL Access services.

Security Services

The following is a list of security services that can be provisioned by the customer portal. Contact Wedge support if you would like to have other security services included.

Anti-Virus Service: scans HTTP, FTP, and e-mail protocol traffic for known viruses and malware.

Anti-Spam Services: scans e-mail protocol traffic for spam.

Content Control Services

Data Loss Prevention (DLP): scans HTTP and e-mail protocol traffic for specified keyword patterns or custom keywords.

Keyword patterns available: Credit Card, SSN (USA), and SIN (Canada)

WebFilter: block HTTP protocol traffic based on website categories selected.

URL Access: configure URL pattern to match against HTTP protocol traffic. Enforce strict safe search with Google, Yahoo!, and Bing search engines.

The OpenStack dashboard can be accessed by using the URL http://[controller-ip]/horizon

Refer to install.properties in wedgecnd-controller package for authentication details to access dashboard. The account provides access to Project views and operations and Admin views and operations.

The Project can be considered access to the Tenant, whereas Admin is for OpenStack as a whole.

The cloud health overview can be viewed from Project > Compute > Overview.

This page provides the Limit Summary on how much of the quota is used by the Tenant based on various resources.

The Usage table lists the Instances that have been deployed for the Tenant and how much resources each instance is using.

The instance overview can be viewed from Project > Compute > Instances.

The Instance details are the Name, IP address, Image, Flavor, Status, and Uptime.

The Actions are Launch Instance, Reboot Instance, Terminate Instance, Create Snapshot, and more.

From the Projects > Compute > Instances page, click on the Instance name and the Instance Details page will load.

The instance details page is split up into Overview, Log, and Console tabs.

Overview tab shows instance meta-data, resources used by the instance and IP addresses of the various virtual networks it is connected to.

Log tab shows the console log when the instance booted.

The Console tab provides the means to console into the instance for remote management. For some browsers, you may have to click the link to only show the console for keyboard inputs to work.

To reboot or terminate an instance from the cloud, navigate to Project > Compute > Instances page.

If soft reboot action was unsuccessful, try Hard Reboot Instance under More.

During the operation of Wedge Cloud Network Defense, there will be a need to create a snapshot of a NFV instance and to have newer NFV instances that are created to boot based on this snapshot.

During the operation of Wedge Cloud Network Defense, as new compute nodes are added or removed to and from the cloud, the quota limits for the tenant will need to be adjusted accordingly.

The Instances represents the total number of instances (NFV, WedgeCC, WedgeSC, SDN Terminus) that can be launched to the cloud.

The Ports represent the total number of access ports or interfaces that can be created across all instances deployed to the cloud. Once quota limits have been adjusted, click Save.

The Cloud Conductor dashboard can be access by using the URL http://[cloud-conductor-ip]:3000/. This needs to be part of Control Network or have routing to Control Network to access dashboard.

The Overview page provides some basic actions to perform during cloud operation such as launching and terminating an NFV Instance.

The Infrastructure page provides an overview of the quota limits used based on total available.

The Configuration page provides the means to update OpenStack configuration in Wedge Cloud Conductor and adjust Instance Monitor parameters.

The Cloud Conductor dashboard provides the ability to launch a NFV instance to the scanning pool or standby pool.

Click Launch WedgeOS NFV, input a name and select the pool to launch the instance and click Launch.

The NFV instance will be created based on the specified Flavor and Image.

There are two actions that can be performed for NFV instances only:

The Quota Limits tab provides a read-only view of the limits currently used compared to max available for the limits exposed by OpenStack.

At this time, quota limits can only be adjusted through the OpenStack dashboard. Operators should monitor quota limits during peak times to observe if limits are being reached. Additional compute nodes could be required if quota limits are being reached on resources such as Instances, VCPU, or Memory.

Use the configuration page to update OpenStack parameters and Instance Monitor parameters which control the operation of the Cloud Conductor.

There are some conditions where the following OpenStack parameters will need to be adjusted:

There are some conditions where the following Instance Monitor parameters will need to be adjusted:

Once all parameters have been adjusted, click Save.

OpenSSH server is installed on all Wedge Cloud Network Defense instances and physical hardware for remote management.

Management of the Instances and physical nodes can be accessed using the Control Network created during installation time.

The Operator must have a connection to this control network to be able to remotely connect to the instances and physical nodes.

During the cloud controller installation, a SSH key is created and added to OpenStack nova-api. This key is then used to boot the WedgeCC, WedgeSC, and SDN Terminus instances. Once the instances are created, the SSH key will need to be used to access those instances via SSH.

The SSH key is not required to access the OpenFlow Switch node, Controller Node, Compute Nodes, or NFV-S instances.

To remotely access the WedgeCC, WedgeSC, and SDN Terminus instances, ssh from a terminal to the Cloud Controller node:

After SSH connection has been established to the controller node, find the private key file wedgecnd-key.pem in the home directory as this will be required to access one of the instances.

sudo is required as the wedgecnd-key.pem will be owned by root user.

The Wedge Cloud Network Defense components (Cloud Conductor, Service Conductor, and SDN Terminus) are all installed on Ubuntu Server linux distribution.

For each package, a debian file (.deb) is generated to facilitate the installation of the various cloud components and running additional scripts before/after install or upgrade. As the Wedge Cloud Network Defense components evolve over time, there will be a need to upgrade some of these packages (new features, bug fixes, etc…​)

To upgrade a debian package:

REST stands for Representational State Transfer. It uses HTTP protocol as the means of communication between client-server. It uses HTTP verbs (GET,POST,PUT,DELTE) as the action (CRUD operation) to perform for the request.

The content-type (the data payload) used is JSON or JavaScript Object Notation.

The following WedgeCND components have REST API for remote management:

You must have a REST client to be able to interface with REST API such as Google Chrome or a stand-alone application.

The wedgesc-rest-api web application is deployed onto Tomcat server. The base URL is http://[service-conductor-ip]:8080/wedgesc/rest.

REST API provides the follow resources:

The wedgecc-rest-api web application deployed onto Tomcat server. The base URL is http://[cloud-conductor-ip]:8080/wedgecc/rest.

REST API provides the following resources:

The wedge-terminus-rest-api web application is deployed onto Tomcat server. The base URL is http://[terminus-ip]:8080/wedgesc/rest.

REST API has one main resource which provides the following operations:

Compute nodes can be added dynamically to the cloud for additional processing abilities.

add_compute_node.sh –i <index of compute node> -s <index of switch>

The index corresponds to the # in the install.properties.

delete_compute_node.sh –i <index of compute node> -s <index of switch>

The index is the same value as the one specified above in the add operation.

Complete the following steps if you need to re-initialize a Wedge Cloud component to the starting state.

If the NFV-S instance has been configured with custom settings, some of the settings are not propagated to all instances by using Configuration Sync.

To allow elastic instances to mirror the settings, a snapshot should be created based on the running instance and used to replace the NFV-S image. Currently, the process requires redeploying the cloud in order to properly synchronize all NFV Orchestration components. Future enhancements will be able to avoid this process.

Ensure that the network cables between OpenFlow node to Controller node and compute nodes are connected to each other and can ping each other.

For OpenFlow switch, ensure that the network interfaces are properly identified and connected as shown in the diagrams.

Ensure that the management network can reach the Internet for package downloads during installation and signature updates during operation.

Nova is the compute service that facilitates the launching and termination of instances.

Keystone is the identity service that facilitates authentication within OpenStack.

A token is required to make OS API calls.

keystone-all

Glance is the image service which maintains a repository of VM images used to launch instances.

Neutron is the networking service that creates the 3 SDN for Ingress, Egress, and Control.

Ceilometer is the telemetry service that tracks resource usage of instances (cpu util, bw util).

When viewing or modifying configuration files, or looking through log files, enter root mode.

The configuration files for OpenStack components will be found in /etc/{component-name}

/etc/ceilometer /etc/nova

The log directory for OpenStack components will be found in /var/log/{component-name}.

Each directory could have multiple log files depending on how many services (processes) are running for that component.

To troubleshoot Wedge Cloud Network Defense components, SSH to controller node and use ssh key to remotely access instance.

The WedgeCC, WedgeSC, and Wedge SDN Terminus are all web applications that are deployed onto a Tomcat application server.

Tomcat log files can be found in:

catalina.out is the main standard out log file. Sometimes if an error has occurred the stack trace may be put to standard error log file, which will be in the format:

SSH to controller node and go through nova-* logs in /var/log/nova to see if any error messages or stack traces shown.

SSH to Cloud Conductor through the ssh key from controller and check catalina.out for any errors that may indicate why instance failed to deploy.

Check catalina.out on Cloud Conductor instance to see if CPU util is being stored correctly to the RRD file.

If log is showing an average cpu util of 0, then chances are there is an issue with the ceilometer service storing resource usage.

SSH to compute node and restart ceilometer-agent-compute service.

SSH to controller node and restart ceilometer-collector service

Continue to monitor catalina.out logs for a few minutes to see if cpu util changes to a non-zero value

Check wedgesc-rest-api by using REST client to make sure policy was stored correctly.

Check terminus-rest-api by using REST client to make sure policy was pushed to component.

Check if NFV scanning pool is registered for load balancer.

SSH to OpenFlow switch and dump flows.

© 2016 Wedge Networks, Inc.

http://www.wedgenetworks.com

support@wedgenetworks.com