Page 1: Networking Concepts and Tools for the Cloud

© 2012 IBM Corporation

SmartCloud Enterprise www.ibm.com/cloud/enterprise

Networking Concepts and Tools for the Cloud

Authors: Alex Amies, Chun Feng Wu, Guang Cai Wang

Date: 2012

Page 2: Networking Concepts and Tools for the Cloud

GCG Regional Technical Exchange 2012

Networking Concepts and Tools for the Cloud

This presentation describes some important concepts of networking in the cloud, including Virtual Local Area Networks, Virtual Private Networks, and the different protocol layers. Following that, we will explain how to use tools including OpenSSH, OpenVPN, and proxy servers to set up different network topologies and solve connectivity problems, giving examples important to common cloud situations. We will discuss the relative advantages of each in different business scenarios.

The fundamental difference with cloud computing is that network resources can be provisioned very dynamically, and responsibility for managing them often falls to the individual project level.

Page 3: Networking Concepts and Tools for the Cloud

Introduction

Networking is one of the fundamental enabling elements of cloud computing and also one of the hazards to users of cloud computing.

The table below lists the OSI layers with example protocols and shows, for each service model (IaaS, PaaS, SaaS), whether the consumer or the provider is responsible for that layer.

OSI Layer          Example Protocols            IaaS       PaaS       SaaS
7  Application     HTTP, FTP, NFS, SMTP, SSH    Consumer   Consumer   Provider
6  Presentation    SSL, TLS                     Consumer   Provider   Provider
5  Session         TCP                          Consumer   Provider   Provider
4  Transport       TCP                          Consumer   Provider   Provider
3  Network         IP, IPSec                    Consumer   Provider   Provider
2  Data Link       Ethernet, Fibre channel      Provider   Provider   Provider
1  Physical        Copper, optic fibre          Provider   Provider   Provider

Page 4: Networking Concepts and Tools for the Cloud

Advantages of Network Tools for Different Business Scenarios

The diagram below depicts a typical network topology for a composite web application. It contains firewall configurations, VLAN set-up, public/private IP configuration for the load balancer, and access to a business partner's intranet.

Page 5: Networking Concepts and Tools for the Cloud

Scenarios

1) Production (firewall)
   - A proxy may also be used, but usually for load balancing rather than for security purposes
   - An administrator may access back-end servers via an SSH tunnel or a SOCKS proxy
   - Firewall rules are needed to allow servers inside the firewall to access the Internet for security updates, license activation, etc. without making them visible to the Internet

2) Development (VPN) scenarios
   - Reverse access into the enterprise may be needed
   - A lightweight setup is required because a network expert may not be available to help
   - A VPN server on a laptop with DHCP may be used to allow access from the cloud

3) Enterprise level
   - Site-to-site VPN for general access to the enterprise
   - Covered by articles in the references section, including CohesiveFT

Page 6: Networking Concepts and Tools for the Cloud

Network Virtualization

When dealing with systems of virtual machines and considering network security, we need to manage networks.

Page 7: Networking Concepts and Tools for the Cloud

Firewalls

An individual firewall is a firewall installed on the same server as the resource it is protecting. This is an essential tool in cloud computing. Most modern operating systems, including all the images on the IBM SmartCloud Enterprise, are packaged with an individual firewall. On Linux virtual machines this is iptables and on Windows it is a Microsoft solution. On the IBM SmartCloud Enterprise, there is also a firewall between the hypervisor and the virtual machines that it manages.

A firewall rule specifies a set of criteria for a network packet and a target. When a network packet arrives, the rules are checked in order. If the packet does not meet the criteria for a rule, the next rule is checked; if it does, the rule's target is applied to the packet.

Page 8: Networking Concepts and Tools for the Cloud

Firewall management on SUSE

On SUSE machines you can use the YaST administration utility to add firewall rules.

Page 9: Networking Concepts and Tools for the Cloud

Custom Firewall Rule in YaST

Navigate to Custom Rules and press Enter. Navigate to Add and press Enter. Enter 0/0 for the Source Network, which indicates any source computer, and 50030 for the port, which is the port we are interested in.

Page 10: Networking Concepts and Tools for the Cloud

Managing Firewalls on Red Hat Enterprise Linux

On Red Hat images you can use the iptables command to manage firewall rules. The basic form of an iptables command is

# iptables [-t table] -[AD] chain rule-specification [options]

The actions associated with a firewall rule include ACCEPT, DROP, QUEUE, and RETURN. If you don't want to accept a network packet, specify a DROP action. In the iptables command, -A appends a rule and -D deletes one.

There are three firewall tables. The default table is named filter. This table contains three chains: INPUT, FORWARD, and OUTPUT. The INPUT chain is for packets destined for local sockets, the FORWARD chain is for packets that are routed through the machine, and the OUTPUT chain is for locally generated packets.

As an example, to allow network packets from any source on port 80, the default HTTP port, use the command:

# /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Page 11: Networking Concepts and Tools for the Cloud

iptables for Red Hat Enterprise Linux

This adds a rule to the INPUT chain of the filter table that matches TCP packets on port 80, with an ACCEPT action. The -p parameter specifies the protocol, tcp in this case. The --dport 80 option is the destination port, 80 in this case. The -j (jump) option is the target, ACCEPT in this case. It can be good practice to leave firewall rules in place only for as long as you need them, and the command form is ideal for that. Often, however, you will want to keep the rules permanently, including after the next time you restart the instance. To do this, edit the file /etc/sysconfig/iptables. A typical iptables file looks like this:

*filter

:INPUT DROP [67:14849]

:FORWARD DROP [0:0]

:OUTPUT ACCEPT [346:34696]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

COMMIT

This specifies the rules for the filter table. All incoming packets from ports 67 to 14849 are dropped. No forwarding is allowed, all outgoing packets on ports 346 to 34696 are allowed, and incoming packets on port 22 (SSH) are allowed.
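To make the saved-rules format concrete, here is an added Python example (not from the deck and not code from the iptables project) that parses a ruleset in the iptables-save format shown above and runs the checks a reviewer would apply to it: that the INPUT and FORWARD policies are DROP, which TCP ports the INPUT chain explicitly accepts, and whether any ACCEPT rule in INPUT carries no narrowing condition at all. The sample ruleset inside it is constructed to mirror the slide's file. One detail the parser makes explicit: in this format the bracketed pair after a chain's policy, such as [67:14849], is the chain's packet and byte counter recorded at save time, so it is read as two counters rather than as a port range.

```python
"""Parse a ruleset in iptables-save format (the format of /etc/sysconfig/iptables)
and run a few sanity checks on it. Added example; not part of the original deck."""
import re
import shlex
from dataclasses import dataclass, field

# Constructed sample with the same shape as the file shown on the slide.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [67:14849]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [346:34696]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# ":CHAIN POLICY [packets:bytes]" -- the bracketed pair is a traffic counter,
# not a port range. User-defined chains carry "-" in place of a policy.
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")


@dataclass
class Chain:
    policy: str                                   # target applied when no rule matches
    packet_count: int                             # packet counter at save time
    byte_count: int                               # byte counter at save time
    rules: list = field(default_factory=list)     # each rule as its argv list


def parse_ruleset(text):
    """Return {table_name: {chain_name: Chain}} for an iptables-save dump."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                  # "*filter" opens a table
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):                # chain declaration with policy
            m = CHAIN_RE.match(line)
            if m is None:
                raise ValueError("malformed chain line: %r" % line)
            name, policy, pkts, byts = m.groups()
            tables[table][name] = Chain(policy, int(pkts), int(byts))
        elif line.startswith("-A "):              # append a rule to a chain
            argv = shlex.split(line)
            tables[table][argv[1]].rules.append(argv[2:])
        elif line == "COMMIT":                    # closes the current table
            table = None
        else:
            raise ValueError("unrecognised line: %r" % line)
    return tables


def option(argv, *names):
    """Value following the first occurrence of any of `names`, or None."""
    for i, tok in enumerate(argv[:-1]):
        if tok in names:
            return argv[i + 1]
    return None


def accepted_tcp_ports(tables, chain="INPUT"):
    """Destination TCP ports that the given filter chain explicitly accepts."""
    ports = []
    for argv in tables["filter"][chain].rules:
        port = option(argv, "--dport", "--destination-port")
        if (option(argv, "-j", "--jump") == "ACCEPT"
                and option(argv, "-p", "--protocol") == "tcp"
                and port is not None):
            ports.append(int(port))
    return ports


def lint_ruleset(tables):
    """Findings a reviewer would raise: permissive default policies and
    INPUT rules that accept traffic without any narrowing condition."""
    findings = []
    flt = tables.get("filter", {})
    for name in ("INPUT", "FORWARD"):
        chain = flt.get(name)
        if chain is not None and chain.policy != "DROP":
            findings.append("%s policy is %s, expected DROP" % (name, chain.policy))
    narrowing = ("--dport", "--destination-port", "--state", "--ctstate",
                 "-i", "--in-interface", "-s", "--source", "--src")
    for argv in flt.get("INPUT", Chain("-", 0, 0)).rules:
        if option(argv, "-j", "--jump") == "ACCEPT" and not any(t in argv for t in narrowing):
            findings.append("INPUT rule accepts all traffic: %s" % " ".join(argv))
    return findings


if __name__ == "__main__":
    parsed = parse_ruleset(SAMPLE_RULESET)
    inp = parsed["filter"]["INPUT"]
    print("INPUT policy %s, %d packets / %d bytes counted" % (inp.policy, inp.packet_count, inp.byte_count))
    print("accepted TCP ports:", accepted_tcp_ports(parsed))
    print("findings:", lint_ruleset(parsed) or "none")
```

Run against the slide's ruleset it reports a DROP policy on INPUT, port 22 as the only explicitly accepted TCP port and no findings; flipping the INPUT policy to ACCEPT, or appending a bare `-A INPUT -j ACCEPT`, produces a finding, which is the kind of regression worth catching before `service iptables restart` loads the file.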

Page 12: Networking Concepts and Tools for the Cloud

iptables commands on RHEL

After you have made the edits and saved the file, start or restart the iptables service with the command:

# /sbin/service iptables restart

If you have made changes with the iptables command, you can save them with the command

# /sbin/service iptables save

Check the status of the firewall with the command

# /sbin/service iptables status

Page 13: Networking Concepts and Tools for the Cloud

Stand-alone Firewalls

Linux firewalls can also be used to protect servers other than the server that the firewall resides on. This is in fact a preferred configuration because it provides an additional level of isolation.

Page 14: Networking Concepts and Tools for the Cloud

Secure Shell (SSH)

As seen in the sections above, SSH is a fundamental tool in cloud computing. It is worth learning to use it as a power user, because it solves numerous practical problems in cloud computing. SSH was designed as a secure replacement for telnet but is now also commonly used programmatically for many applications.

SmartCloud Enterprise and other clouds will help you generate and manage SSH keys, but you can also create them yourself with OpenSSH.

To generate a new SSH key, use the ssh-keygen command. For example,

> ssh-keygen -t rsa -P 'My Passphrase' -f ~/.ssh/mykey

This generates an RSA key pair (-t flag) protected with the passphrase 'My Passphrase' (-P flag), places the private key in the file ~/.ssh/mykey (-f flag) and the public key in the file ~/.ssh/mykey.pub. If you do not use a -f option, the private key is written to ~/.ssh/identity.

Page 15: Networking Concepts and Tools for the Cloud

OpenSSH Commands

The configuration files for SSH on the Linux systems on the IBM SmartCloud Enterprise are /etc/ssh/ssh_config (client) and /etc/ssh/sshd_config (server). The AllowUsers setting in sshd_config is one that you might change. Its value is a space-separated list of user name patterns. For example,

AllowUsers idcuser webadmin

To start the SSH server (sshd) use the command

# /etc/init.d/sshd start

To restart, use the command

# /etc/init.d/sshd restart

You may want to include the user name in the SSH command in some cases, especially from scripts. To do that use the form

$ ssh -i .ssh/key-file idcuser@host

The @ symbol delineates the user name from the host name or IP address.
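To see which logins an AllowUsers line admits before restarting sshd, here is an added Python example (not from the deck and not OpenSSH's code) that reads the AllowUsers patterns out of an sshd_config text and decides whether a given login would match. It models the documented pattern rules, a space-separated list with `*` and `?` wildcards and an optional user@host form, using fnmatch rather than sshd's own matcher, and the sshd_config fragment inside it is constructed around the AllowUsers line above.

```python
"""Evaluate sshd_config AllowUsers patterns against candidate logins.
Added example; a model of the documented rules, not OpenSSH's implementation."""
from fnmatch import fnmatchcase

# Constructed sshd_config fragment; the AllowUsers line is the one from the slide.
SAMPLE_SSHD_CONFIG = """\
# Whole-line comments and blank lines are ignored by sshd.
Port 22
AllowUsers idcuser webadmin
"""


def allow_users_patterns(config_text):
    """Patterns from every AllowUsers line (sshd merges repeated lines into one
    list). Returns None when the keyword is absent, meaning no user-name restriction."""
    patterns, found = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() == "allowusers":      # keywords are case-insensitive
            found = True
            patterns.extend(parts[1:])
    return patterns if found else None


def login_allowed(user, source, patterns):
    """True if `user` connecting from `source` (hostname or address) matches a pattern.
    A pattern written as user@host requires both halves to match."""
    if patterns is None:                          # no AllowUsers: sshd admits any user
        return True
    for pattern in patterns:
        user_pat, _, host_pat = pattern.partition("@")
        if not fnmatchcase(user, user_pat):
            continue
        if host_pat and not fnmatchcase(source.lower(), host_pat.lower()):
            continue
        return True
    return False


def admitted(config_text, candidates):
    """Filter (user, source) pairs down to those the configuration would admit."""
    patterns = allow_users_patterns(config_text)
    return [c for c in candidates if login_allowed(c[0], c[1], patterns)]


if __name__ == "__main__":
    # Constructed candidate logins to check against the sample configuration.
    candidates = [("idcuser", "10.0.0.5"), ("webadmin", "10.0.0.5"), ("root", "10.0.0.5")]
    for user, source in candidates:
        verdict = "allowed" if (user, source) in admitted(SAMPLE_SSHD_CONFIG, candidates) else "denied"
        print("%s from %s: %s" % (user, source, verdict))
```

Because a missing AllowUsers line means no restriction at all, the check distinguishes "keyword absent" (None) from "keyword present with an empty or non-matching list", which is the difference between every account being reachable over SSH and only the listed ones.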

Page 16: Networking Concepts and Tools for the Cloud

Port Forwarding

Port forwarding with SSH is a process where

1. the address and port of a packet are translated to a new destination

2. the packet is carried over an SSH connection, at the far end of which the destination is accessed

It allows a user to tunnel another protocol over an SSH connection. With OpenSSH this is done with sshd. This can be useful if the protocol being tunneled is not secure, or if the destination address and port combination is not visible from the origin. The client that uses the tunneled protocol must be able to specify a non-standard port for this to work. The concept is that you establish an SSH session to your server and then specify which port on the client machine to forward connections from.

Page 17: Networking Concepts and Tools for the Cloud

Port forwarding for VNC

Page 18: Networking Concepts and Tools for the Cloud

Port forwarding with OpenSSH

You may use OpenSSH on Linux or Windows via a Cygwin command line. With Cygwin, install the cygwin openssh package first, if your system does not already have it. Start a tunnel from your SSH client to the virtual machine on port 5901 with the command shown below.

$ ssh -i ~/.ssh/key_name -L 5901:localhost:5901 idcuser@${SCE_VM}

where the -i option specifies the key to use and the -L option specifies the tunnel. The port used (5901) must match the port used by the VNC server running on the virtual machine.
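The two steps on the Port Forwarding slide, and the -L 5901:localhost:5901 command above, describe a relay: accept connections on a local port, open a connection to the destination as seen from the server, and copy bytes in both directions. The following added Python example (not part of the deck and not OpenSSH's code) emulates that data flow with plain sockets so it runs on one machine: a constructed echo service stands in for the VNC server, start_local_forward plays the role of the -L listener, and through_forward plays the VNC client that only ever talks to localhost. It deliberately omits the part that makes SSH worth using, namely that between the two ends the bytes travel inside the encrypted SSH session.

```python
"""Emulate what `ssh -L local_port:dest_host:dest_port` does with each connection.
Added example with plain sockets; it shows the relaying, not SSH's encryption."""
import select
import socket
import threading


def start_echo_server(bind_addr="127.0.0.1"):
    """Constructed stand-in for the far-side service (e.g. a VNC server on 5901).
    Listens on an ephemeral port and answers each connection with b"echo:" + data."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_addr, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                       # listening socket was closed
                return
            with conn:
                data = conn.recv(4096)
                if data:
                    conn.sendall(b"echo:" + data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def relay(a, b, idle_timeout=5.0):
    """Copy bytes between two sockets until either side closes or goes idle."""
    while True:
        readable, _, _ = select.select([a, b], [], [], idle_timeout)
        if not readable:
            return
        for s in readable:
            data = s.recv(4096)
            if not data:
                return
            (b if s is a else a).sendall(data)


def start_local_forward(dest_host, dest_port, bind_addr="127.0.0.1", local_port=0):
    """Emulate -L local_port:dest_host:dest_port. Binding to 127.0.0.1 mirrors
    OpenSSH's default, so only clients on this machine can use the forward."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind((bind_addr, local_port))
    lsock.listen(5)

    def handle(client):
        # Step 1: the destination is resolved and connected here, on the tunnel's
        # server side, so it need not be reachable from the client's network.
        with client, socket.create_connection((dest_host, dest_port)) as upstream:
            relay(client, upstream)               # Step 2: carry the bytes across

    def accept_loop():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(client,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1], lsock


def through_forward(local_port, payload, timeout=5.0):
    """What the VNC client does: talk to localhost:local_port, unaware of the far side."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=timeout) as c:
        c.sendall(payload)
        return c.recv(4096)


if __name__ == "__main__":
    svc_port, svc = start_echo_server()
    fwd_port, fwd = start_local_forward("127.0.0.1", svc_port)
    print("service on %d, forward on %d" % (svc_port, fwd_port))
    print(through_forward(fwd_port, b"hello over the tunnel"))
    fwd.close()
    svc.close()
```

Running the file starts both ends on ephemeral loopback ports and sends one message through. The client never learns the service's real address or port, which is exactly why the VNC client on the next slides is pointed at 5901 on localhost.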

Page 19: Networking Concepts and Tools for the Cloud

Port forwarding with PuTTY

Page 20: Networking Concepts and Tools for the Cloud

Tunneling VNC

Connect via 5901 on localhost

Page 21: Networking Concepts and Tools for the Cloud

Virtual Private Networks

Virtual Private Networks (VPNs) rely on encryption to create an extension of a private network over the Internet. VPNs enable several network scenarios that are valuable to enterprises.

A traditional use of VPNs is to connect the local area networks of different offices of an enterprise into a wide area network. These types of connections are site-to-site. When VPNs were introduced for this purpose they replaced the use of leased lines, greatly reducing cost for the enterprises.

Another traditional use of a VPN is to allow employees to access an enterprise's private network remotely, for example, to work from home. In this scenario, the enterprise provides a VPN gateway that is accessible from the Internet and the employee installs a VPN client on her laptop to access applications, such as email. This is termed a mobile virtual private network because one of the end points (where the employee is located) does not have a fixed IP address.

Page 22: Networking Concepts and Tools for the Cloud

Encryption with VPNs

When a client sends a packet through a VPN gateway an authentication header is added, the data is encrypted, and the data is placed in an Encapsulating Security Payload. The receiving VPN server decrypts the data and routes the packet to the destination according to information in the header.

The encryption provided by VPNs is at a low level, so that all communication to the enterprise is encrypted. This can be at either OSI Layer 2 (Data Link layer) or Layer 3 (Network layer) and can include any of the methods below:

- IPSec
- SSL / TLS
- Datagram Transport Layer Security (Cisco)
- Microsoft Point-to-Point Encryption
- SSH tunneling

Page 23: Networking Concepts and Tools for the Cloud

Use of a VPN to Extend an Enterprise Network

Many enterprises may want to use cloud computing to extend the capacity of their IT infrastructure. To support this scenario the VPN is configured via a gateway in the enterprise network to a private VLAN in the cloud.

Page 24: Networking Concepts and Tools for the Cloud

Use of VPN Gateway in the Cloud to Access a VLAN

Page 25: Networking Concepts and Tools for the Cloud

OpenVPN

OpenVPN is an open source VPN client and server solution that can manage point-to-point and site-to-site connections. It uses the OpenSSL encryption library.

The OpenVPN install image can be downloaded from the OpenVPN web site. It includes both client and server software and must be installed on both client and server machines. You can install using the RPM package on RHEL machines and using the apt-get command on SUSE or other Debian-based systems. It is possible to install on other Linux systems from the tarball using make. There is a self-extracting installer for Windows and also client-only install images that you can direct end users to.

Page 26: Networking Concepts and Tools for the Cloud

References

1)Alex Amies, Harm Sluiman, Qiang Guo Tong, and Guo Ning Liu 2012. Developing and Hosting Applications on the Cloud. IBM Press, ISBN-10: 0-13-306684-3, ISBN-13: 978-0-13-306684-5. http://www.ibmpressbooks.com/bookstore/product.asp?isbn=9780133066845

2)CohesiveFT, 2011. VPN-Cubed 2.0 product page, at www.cohesiveft.com/vpncubed/.

3)Frields, P., 2007. SSH Port Forwarding. Red Hat Magazine at magazine.redhat.com/2007/11/06/ssh-port-forwarding/.

4)Hatch, B., 2011. SSH Port Forwarding, Symantec at http://www.symantec.com/connect/articles/ssh-port-forwarding.

5)IBM 2011. IBM SmartCloud Enterprise: User Guide, Version 1.4.1, http://ibm.com/cloud/enterprise.

6)Koop, R. 2010. Deliver cloud network control to the user, IBM developerWorks at www.ibm.com/developerworks/cloud/library/cl-cloudvirtualnetwork/.

7)OpenSSH Project Team, OpenSSH Documentation, at www.openssh.com/manual.html.

8)OpenVPN. Documentation page at openvpn.net/index.php/open-source/documentation.html.

9)Red Hat, 2011. Red Hat Product Documentation, at http://docs.redhat.com.

10)Rokosz, V., 2011. Extend your corporate network with the IBM Cloud, IBM developerWorks at www.ibm.com/developerworks/cloud/library/cl-extendnetworkcloud/index.html.

11)Shewbert, J., 2006. Tunneling with SSH. IBM developerWorks at www.ibm.com/developerworks/aix/library/au-tunnelingssh/index.html.

12)Vernier D. and Jones, A., 2011. IBM SmartCloud Enterprise tip: Span virtual local area networks, IBM developerWorks at www.ibm.com/developerworks/cloud/library/cl-spanvlan/.

Page 27: Networking Concepts and Tools for the Cloud

Copyright and Trademarks

© Copyright IBM Corp. 2012

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
